Analysis by: Paul Steven Nadera

ALIASES:

HackTool:Win32/LaZagne (Microsoft); Trojan.Python.Spy (Ikarus)

PLATFORM:

Windows


  • Threat Type: Hacking Tool

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

OVERVIEW

Infection Channel: Downloaded from the Internet

This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

TECHNICAL DETAILS

File Size: 5,735,701 bytes
File Type: EXE
Memory Resident: No
Initial Samples Received Date: 22 Jun 2020

Arrival Details

This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other Details

This Hacking Tool does the following:

  • Supported software for each module (grouped by module, then by operating system):
    • {browsers}
      • Windows:
        • 7Star
        • Amigo
        • BlackHawk
        • Brave
        • Centbrowser
        • Chedot
        • Chrome Canary
        • Chromium
        • Coccoc
        • Comodo Dragon
        • Comodo IceDragon
        • Cyberfox
        • Elements Browser
        • Epic Privacy Browser
        • Firefox
        • Google Chrome
        • Icecat
        • K-Meleon
        • Kometa
        • Opera
        • Orbitum
        • Sputnik
        • Torch
        • Uran
        • Vivaldi
      • Linux:
        • Brave
        • Chromium
        • Dissenter-Browser
        • Google Chrome
        • IceCat
        • Firefox
        • Opera
        • SlimJet
        • Vivaldi
        • WaterFox
      • Mac:
        • Chrome
        • Firefox
    • {chats}
      • Windows:
        • Pidgin
        • Psi
        • Skype
      • Linux:
        • Pidgin
        • Psi
    • {databases}
      • Windows:
        • DBVisualizer
        • PostgreSQL
        • Robomongo
        • Squirrel
        • SQLdeveloper
      • Linux:
        • DBVisualizer
        • Squirrel
        • SQLdeveloper
    • {games}
      • Windows:
        • GalconFusion
        • Kalypsomedia
        • RogueTale
        • Turba
    • {git}
      • Windows:
        • Git for Windows
    • {mails}
      • Windows:
        • Outlook
        • Thunderbird
      • Linux:
        • Clawsmail
        • Thunderbird
    • {maven}
      • Windows:
        • Maven Apache
    • {memory}
      • Windows:
        • Keepass
        • Mimikatz method
      • Linux:
        • System Password
    • {multimedia}
      • Windows:
        • EyeCON
    • {php}
      • Windows:
        • Composer
    • {svn}
      • Windows:
        • Tortoise
    • {sysadmin}
      • Windows:
        • Apache Directory Studio
        • CoreFTP
        • CyberDuck
        • FileZilla
        • FileZilla Server
        • FTPNavigator
        • OpenSSH
        • OpenVPN
        • KeePass Configuration Files (KeePass1, KeePass2)
        • PuttyCM
        • RDPManager
        • VNC
        • WinSCP
        • Windows Subsystem for Linux
      • Linux:
        • Apache Directory Studio
        • AWS
        • Docker
        • Environment variables
        • FileZilla
        • gFTP
        • History files
        • Shares
        • SSH private keys
        • KeePass Configuration Files (KeePassX, KeePass2)
        • Grub
    • {wifi}
      • Windows:
        • Wireless Network
      • Linux:
        • Network Manager
        • WPA Supplicant
    • Internal mechanism password storage
      • Windows:
        • Autologon
        • MSCache
        • Credential Files
        • Credman
        • DPAPI Hash
        • Hashdump (LM/NT)
        • LSA secret
        • Vault Files
      • Linux:
        • GNOME Keyring
        • Kwallet
        • Hashdump
      • Mac:
        • Keychains
        • Hashdump

It accepts the following parameters:

  • Main Commands:
    • chats -> Run chats module
    • mails -> Run mails module
    • all -> Run all modules
    • git -> Run git module
    • svn -> Run svn module
    • windows -> Run windows module
    • wifi -> Run wifi module
    • maven -> Run maven module
    • sysadmin -> Run sysadmin module
    • browsers -> Run browsers module
    • games -> Run games module
    • multimedia -> Run multimedia module
    • memory -> Run memory module
    • databases -> Run databases module
    • php -> Run php module
  • Optional arguments:
    • -h, --help -> Show help message and exit
    • -version -> Show laZagne version
  • all -> Launch all modules
  • {command} -> Launch only a specific module
  • {command} -{supported software} -> Launch only a specific software script
  • all -oN -> Write all passwords found into a file (-oN for normal text, -oJ for JSON, -oA for all formats)
  • all -oA -output {file path} -> Write all passwords found into a file at the given path (-oN for normal text, -oJ for JSON, -oA for all formats)
  • -h -> Get help
  • {main command} -h -> Get help for a specific command
  • all -vv -> Change verbosity mode (2 different levels)
  • all -quiet -oA -> Quiet mode (nothing is printed on the standard output)
  • all -password {password} -> To decrypt domain credentials, the user's Windows password can be supplied; otherwise every password already found is tried as a Windows password.
  • all --password {password} -> Same as above, for Mac
  • all -i -> Interactive mode that prompts the user with a dialog box until the correct password is entered
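Because the module names and switches listed above are a stable fingerprint of how the tool is driven, a defender can match them in process-creation telemetry. The following is an added example, not part of this write-up or of the tool itself: constructed command lines are scored against the module and switch names from the parameter list, with the argument-shape check kept as a lower-confidence signal so that a renamed binary is still flagged.

```python
# Module names and switches are the ones from the parameter list above.
LAZAGNE_MODULES = {
    "all", "chats", "mails", "git", "svn", "windows", "wifi", "maven", "sysadmin",
    "browsers", "games", "multimedia", "memory", "databases", "php",
}
LAZAGNE_SWITCHES = {"-oN", "-oJ", "-oA", "-output", "-quiet", "-vv",
                    "-password", "--password", "-i"}


def lazagne_indicators(cmdline):
    """Return the reasons a process command line resembles a LaZagne run (empty if none)."""
    tokens = cmdline.split()
    if not tokens:
        return []
    reasons = []
    # Image or script name: catches laZagne.exe as well as 'python laZagne.py ...'.
    names = [t for t in tokens if "lazagne" in t.lower()]
    if names:
        reasons.append("name contains 'lazagne': " + names[0])
    # Argument shape: first argument is a module name, followed by a known switch.
    # This survives renaming of the binary but can collide with other tools that
    # use the same words, so treat it as a lower-confidence signal.
    args = tokens[1:]
    if tokens[0].lower().endswith(("python.exe", "python", "python3")) and len(args) > 1:
        args = args[1:]  # skip the script path when run through the interpreter
    if args and args[0].lower() in LAZAGNE_MODULES:
        switches = [t for t in args[1:] if t in LAZAGNE_SWITCHES]
        if switches:
            reasons.append("module %r with LaZagne switches %s" % (args[0], switches))
    return reasons


# Constructed process-creation command lines (not real telemetry); paths are made up.
SAMPLE_EVENTS = [
    r"C:\Users\test\Downloads\laZagne.exe all -oA -output C:\Users\test\Desktop",
    r"C:\Temp\update.exe all -quiet -oJ",          # renamed copy: only the argument shape remains
    r"C:\Windows\System32\svchost.exe -k netsvcs",  # benign, should not match
    r"C:\Python38\python.exe laZagne.py browsers -vv",
]


def scan_events(events):
    """Map each command line to its indicator list; empty lists are benign."""
    return {event: lazagne_indicators(event) for event in events}


if __name__ == "__main__":
    for event, reasons in scan_events(SAMPLE_EVENTS).items():
        print("SUSPICIOUS" if reasons else "ok        ", event, reasons)
```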

SOLUTION

Minimum Scan Engine: 9.800
SSAPI PATTERN File: 2.411.00
SSAPI PATTERN Date: 27 May 2021

Step 1

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Scan your computer with your Trend Micro product to delete files detected as HackTool.Win64.Lazagne.ZTHC-A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:


Did this description help? Tell us how we did.