BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

How to analyze Trojan with ANY.RUN

Top malware of this type

Trend changes
Tasks overall
  • 2

    Agent Tesla

  • 3


  • 4


  • 5


  • 6


  • 7


  • 8


  • 9


  • 10


  • 11


  • Last Seen at

    Recent blog posts

    post image
    What Are the 3 Types of Threat Intelligence D...
    watchers 148
    comments 0
    post image
    Expert Q&A: Aaron Fillmore on his Cyberse...
    watchers 158
    comments 0
    post image
    Malware Trends Report: Q2, 2024 
    watchers 1628
    comments 0

    What is a trojan malware?

    According to the standard trojan malware definition, it is malicious software that pretends to be legitimate in order to deceive victims into downloading and executing it.

    However, attackers now frequently distribute trojans via loaders, and as a result, advanced disguises are unnecessary and may not go beyond simply mimicking the name of a legitimate process. Additionally, trojan attacks often make use of social engineering tactics, spoofing, and phishing to persuade the user to take the desired action.

    The most common purpose for these malicious programs is to gain unauthorized access to a user's computer and extract sensitive files and data, including credit card information and private email addresses. Trojans are often used to distribute other types of threats, including ransomware that encrypts users’ files and demanding payment for their decryption.

    Get started today for free

    Easily analyze emerging malware with ANY.RUN interactive online sandbox

    Register for free

    What can a trojan do to a computer?

    The core functionality of such malware can vary significantly depending on its type (e.g., remote access trojan or trojan spyware). However, the most common features include:

    • Data theft: Steals sensitive data from the infected computer, such as passwords, credit card numbers, and social security numbers.
    • Keylogging: Records all keystrokes typed on the infected computer.
    • Remote access: Lets attackers to remotely control the infected computer.
    • Downloading and installing other malware: Drops extra payloads on the infected computer.
    • Modifying system files: Modifies system files to disable security software, create backdoors, and perform other malicious activities.
    • Spreading through network connections: Spreads to other computers on the same network.

    Some types of this computer virus can target specific spheres. For instance, banking trojan malware is designed to steal banking credentials and other sensitive financial information, such as credit card and social security numbers. They can also be used to take over a user's online banking account and perform fraudulent transactions.

    How do trojans spread?

    Attackers have devised a variety of methods for infiltrating computers to deploy a trojan virus, including email attachments, infected websites, and file sharing platforms. When a user interacts with these sources by downloading and executing a malicious file, the trojan can be installed on their device without their knowledge.

    Email phishing campaigns remain the most common vector of infection. Social engineering plays a significant part in how criminals manage to carry out successful attacks involving trojans.

    Their tactics may include sending out thousands of spam emails on the part of a trusted entity, such as an actual brand or government organization, or using intimidation to scare the victim and persuade them to perform harmful actions.

    For instance, criminals behind one of the phishing campaigns aimed at spreading the STRRAT trojan targeted individuals on behalf of the MAERSK shipping corporation.

    How can a trojan gain access to a computer?

    A typical trojan malware infection chain follows these steps:

    1. Initial access: Typically, an unknowing user downloads a trojan as an email attachment or a file from a website.
    2. Execution: Once the trojan is delivered to the victim's computer, it typically installs itself by exploiting a vulnerability in the operating system or in other software applications.
    3. Persistence: Once installed, the trojan tries to persist on the system to continue running even after the victim reboots their computer. This may be done by modifying the system registry or by installing itself as a system service.
    4. Privilege escalation and lateral movement: The malware then attempts to gain higher permissions on an infected system by exploiting security gaps. In many cases, the malicious program manages to disseminate across the entire network through lateral movement.
    5. Collection and exfiltration: In this stage, the trojan gathers the information from targeted systems and exfiltrates it to a remote server called the command-and-control center (C2). It may also communicate with the C2 to download additional malware or receive commands.
    6. Impact: Some trojans may disrupt organizations’ operations by tampering with data and interrupting internal processes. For instance, ransomware trojans can encrypt files and, thus, prevent a targeted company from functioning.

    Remcos process tree Execution processes of Remcos displayed by the ANY.RUN malware sandbox

    Using the Remcos trojan as an example, we can trace this entire process in action by uploading a sample of this malware to the ANY.RUN interactive malware sandbox.

    The Remcos trojan can be delivered in different forms. In our case, the entire infection chain starts with an executable file, which, once launched, initiates a VBS script that runs a command line and drops an executable file. This file is the main payload, which carries out malicious activities such as stealing information, changing the autorun value in the registry, and connecting to the C2 server.

    What are examples of the most persistent trojans today?

    The threat landscape is changing by the hour and the popular trojans today may be gone forever tomorrow. To stay in the know about the latest trends in malware, as well as collect fresh indicators of compromise and samples, use ANY.RUN’s Tracker.

    Here are some of the most active trojan families according to the service:

    • RedLine: This trojan poses a significant threat to users by collecting their private information and distributing various damaging programs. The versatility of the software means that it can cause considerable harm to both personal and enterprise devices, leading to financial loss and data breaches.
    • NjRAT: One of the most readily available RATs in current operation. There are plenty of educational resources providing guidance to aspiring attackers on how to use it.
    • Agent Tesla: It is a program that is marketed as legitimate software but is actually a trojan spyware that collects sensitive information about its victims. It records users’ keystrokes and interactions to obtain personal data without their knowledge.

    How can I detect a trojan?

    Despite the prevalence of trojan viruses, detecting them can be extremely challenging. They often use sophisticated techniques to evade detection from antivirus programs, making them a serious threat to cybersecurity.

    Yet, uploading any suspicious file or link to the ANY.RUN malware sandbox can help you quickly discover if the sample under inspection is a trojan, another type of malware, or a completely safe file. The service also shows the entire execution path of the sample and displays its network traffic activity.

    Additionally, ANY.RUN enables you to interact with files, links, and the infected system in a safe VM environment like you would on a normal computer.

    You can also use the sandbox to gain the information needed to ensure timely malware trojan removal.

    Try ANY.RUN for free – request a demo!


    Adwind screenshot
    adwind trojan
    Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
    Read More
    Agent Tesla screenshot
    Agent Tesla
    agenttesla trojan rat stealer
    Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
    Read More
    Crimson RAT screenshot
    Crimson RAT
    crimson rat trojan
    Crimson is a Remote Access Trojan — a malware that is used to take remote control of infected systems and steal data. This particular RAT is known to be used by a Pakistani founded cybergang that targets Indian military objects to steal sensitive information.
    Read More
    Danabot screenshot
    danabot trojan stealer
    Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild, this is one of the most advanced thanks to the modular design and a complex delivery method.
    Read More
    Dridex screenshot
    dridex trojan banker
    Dridex is a very evasive and technically complex banking trojan. Despite being based on a relatively old malware code, it was substantially updated over the years and became capable of using very effective infiltration techniques that make this malware especially dangerous.
    Read More
    Emotet screenshot
    emotet trojan loader banker
    Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.
    Read More

    Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy