Trojan.Agent.KFZA
Analysis Report
General information
| Family Name: | Trojan.Agent.KFZA |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.

| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| 0e8794e5cc89ee2f940158cec962e0df | f9c113e23c1dd836bb9f0ea1f5805a99ba34d65b | C02DBE384A25E8E24F94A5EE6C38037F89B3F8B94E1A9BF312E67EB2EA832D38 | 1.62 MB, 1616384 bytes |
| dda2e9243d82623742ad7f5a541c298c | cd74e3de43337133c7f3f5ec01c4c1e98e523a96 | 9957C7609178A2711C45B7154FA98EBC4064D4C974CF2D97221E3F948D57D54A | 1.67 MB, 1674240 bytes |
| 99ef0ae852234fbae172d581edc1ac72 | 0667de718aceca69e1bf53a8353053b5469a6d50 | DA425B73E339FC7C2275631D5EA67EE84D6F0D9BEED0A93F0BF985886A86FB96 | 1.61 MB, 1614848 bytes |
| 40f8355b2fa7db6718a1243548a2e1e7 | 8ed5c200cc25dfb11a5eb5da27b64846af6af75c | 12A58193F05E26CEB85C92CC1819DC51C5C62DD756B5C5081E2ED0AE562EB66D | 1.34 MB, 1336320 bytes |
| ae67de50e18177d97017cb928d2e8aa7 | 68c73ae0adbbe2592d45698b3e5bd1d4ce073330 | 375EB7526770AF91590E804A4765AF3BD8C5DE3BA316C6A52D839EFC4EBECD91 | 1.68 MB, 1678336 bytes |
| fa7d7a8dfb69b74db9d867262ccfafa0 | 8436bd8cfe1c72bb4ec02a42d6e3fd579474a76c | A4A2878DCF6ACB188E4E45CDBE2FAFD64BE2978542476D542AC3A1B254B3D322 | 1.33 MB, 1328128 bytes |
| 7d8382690a68f6a19336df037ed9a55e | 8445c3367f096cd3c8c13a3f427eb0d47adc4f26 | 020B4455E0D11750397D6112D1E6F50BE9860E48BD5FE5286B5BE3BCADF61DE4 | 1.67 MB, 1667072 bytes |
| cef2acb7be91015fc27ca02d657869f9 | fdb61d3e8cc76322fde64fc7e4f1741633262d7b | FDCBFDF7A1ACCB1C8C4DCCEAD40C38B5243838C6168B23AF7798A040B06FCEED | 1.39 MB, 1389568 bytes |
|
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have security information
- File has exports table
- File has TLS information
- File is 64-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
- File is either console or GUI application
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
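Every attribute in the list above can be read straight from the PE headers, and because the list is reported at family level, checking each sample on its own is the way to resolve combinations such as an exports table on a file whose IMAGE_FILE_DLL flag is clear. The script below is an added example, not EnigmaSoft's tooling or code from the samples: it computes the same attribute set with only the Python standard library (no pefile), uses section entropy as the "packed" heuristic, and builds a constructed PE32+ fixture (`build_synthetic_pe64`, an assumption for demonstration, not one of the hashes listed) so it runs offline.

```python
"""Added example (not from the report): derive the PE attributes listed above
from raw bytes using only the standard library. build_synthetic_pe64() makes a
constructed fixture for demonstration; it is not a Trojan.Agent.KFZA sample."""
import math
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
PE32_PLUS_MAGIC = 0x20B
SUBSYSTEMS = {2: "IMAGE_SUBSYSTEM_WINDOWS_GUI", 3: "IMAGE_SUBSYSTEM_WINDOWS_CUI"}
DIR_EXPORT, DIR_SECURITY, DIR_DEBUG, DIR_TLS, DIR_CLR = 0, 4, 6, 9, 14  # data directory indices


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random, typical of packed or encrypted sections."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_attributes(data: bytes) -> dict:
    """Compute the report's attribute set for one PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    is_64 = struct.unpack_from("<H", data, opt)[0] == PE32_PLUS_MAGIC
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    # NumberOfRvaAndSizes and the data directories sit at different offsets in PE32 and PE32+
    num_rva = struct.unpack_from("<I", data, opt + (108 if is_64 else 92))[0]
    dd_off = opt + (112 if is_64 else 96)

    def dir_present(index: int) -> bool:
        if index >= num_rva:
            return False
        rva, size = struct.unpack_from("<II", data, dd_off + 8 * index)
        return rva != 0 and size != 0

    # Packing heuristic: any section whose raw bytes look random.
    sec_off = opt + opt_size
    max_entropy = 0.0
    for i in range(nsec):
        _, _, _, raw_size, raw_ptr, *_ = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        max_entropy = max(max_entropy, shannon_entropy(data[raw_ptr:raw_ptr + raw_size]))

    return {
        # Marker scan only; a strict check walks the DanS..Rich block and validates the XOR key.
        "has_rich_header": data.find(b"Rich", 0x40, e_lfanew) != -1,
        "has_debug_info": dir_present(DIR_DEBUG),
        "has_security_info": dir_present(DIR_SECURITY),  # Authenticode signature directory
        "has_exports": dir_present(DIR_EXPORT),
        "has_tls": dir_present(DIR_TLS),
        "is_64bit": is_64,
        "is_native": not dir_present(DIR_CLR),  # no CLR header, so not a .NET assembly
        "subsystem": SUBSYSTEMS.get(subsystem, f"subsystem {subsystem}"),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "is_executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "looks_packed": max_entropy > 7.0,
        "max_section_entropy": round(max_entropy, 2),
    }


def build_synthetic_pe64(*, is_dll=False, exports=False, tls=False, rich=False,
                         section_data=b"\xC3" * 64) -> bytes:
    """Constructed, non-loadable PE32+ image with one .text section (fixture only)."""
    e_lfanew, raw_off, opt_size = 0x80, 0x200, 240  # 240 = PE32+ optional header, 16 data dirs
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    if rich:
        dos[0x40:0x44] = b"Rich"
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, chars)  # AMD64, one section
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_PLUS_MAGIC)
    struct.pack_into("<H", opt, 68, 3)    # IMAGE_SUBSYSTEM_WINDOWS_CUI
    struct.pack_into("<I", opt, 108, 16)  # NumberOfRvaAndSizes
    if exports:
        struct.pack_into("<II", opt, 112 + 8 * DIR_EXPORT, 0x2000, 0x40)
    if tls:
        struct.pack_into("<II", opt, 112 + 8 * DIR_TLS, 0x3000, 0x28)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                      len(section_data), raw_off, 0, 0, 0, 0, 0x60000020)
    img = dos + b"PE\0\0" + coff + opt + sec
    img += b"\0" * (raw_off - len(img)) + section_data
    return bytes(img)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_synthetic_pe64(exports=True, tls=True)
    for key, value in pe_attributes(blob).items():
        print(f"{key:22} {value}")
```

Run it with a sample path as the first argument to get one attribute row per file; without an argument it reports on the synthetic fixture. The entropy threshold of 7.0 is a conventional cut-off, not a rule the report states, and the Rich header test is a marker search rather than a full DanS..Rich validation.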
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

| Name | Value |
|---|---|
| Company Name | |
| File Description | |
| File Version | |
| Internal Name | |
| Legal Copyright | |
| Original Filename | |
| Product Name | |
| Product Version | |
File Traits
- dll
- x64
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Total Blocks: | 591 |
|---|---|
| Potentially Malicious Blocks: | 52 |
| Whitelisted Blocks: | 539 |
| Unknown Blocks: | 0 |
Visual Map
(Rendered block map not preserved; one cell per block, 591 blocks in file order.) All 52 potentially malicious blocks (x) fall between block 19 and block 91; every other block is a probable safe block (0), and there are no unknown blocks (?).
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

- Agent.KFZA
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

| Category | API |
|---|---|
| Syscall Use | |