PWS:Win32/Zbot!Q (file analysis)

Malware Removal

PWS:Win32/Zbot!Q is classified as dangerous by many security vendors. While this infection is active, you may notice unfamiliar processes in the Task Manager process list. In that case, it is advised to scan your computer with GridinSoft Anti-Malware.

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It allows you to run a complete scan and clean your PC during the trial period.
A 6-day free trial is available.

What can the PWS:Win32/Zbot!Q virus do?

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Behavioural detection: Executable code extraction – unpacking
  • At least one process apparently crashed during execution
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Dynamic (imported) function loading detected
  • CAPE extracted potentially suspicious content
  • Unconventional language used in binary resources: Russian
  • The binary contains an unknown PE section name indicative of packing
  • The binary likely contains encrypted or compressed data.
  • The executable is compressed using UPX
  • Authenticode signature is invalid

How to identify PWS:Win32/Zbot!Q?

File Info:

name: 9124B06C5EE0523B5832.mlw
path: /opt/CAPEv2/storage/binaries/ec519a642ee9a1bb4d8dc0a2f25cf4784230677414ffffbee47d59bb230fc2c5
crc32: AAAC38BD
md5: 9124b06c5ee0523b5832ded7613ff250
sha1: 249d034dbae1e4b2dc15a36283605bc2fcc53956
sha256: ec519a642ee9a1bb4d8dc0a2f25cf4784230677414ffffbee47d59bb230fc2c5
sha512: 6336c9d955b935312a5883582f4be9708caa63ca0b5906f1892128e0b1cf721a20e3f0003c7ad470f26c5da29b082f4a02b37dc9cd9aed7737a1dd589cc69d29
ssdeep: 12288:+S6lbyIbd7/zwpB95iOX4nPoJN0jw+5zE2hCsPTca7+R9xAHak8c7lwIAe:Klby47wpB9zNJCthCsPwR9a6k77l2e
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T14AE4237199640EAFD22849744538303E23FEE507C6B4DDF3BDE805689A47721A1BBB1E
sha3_384: 226d6111462ee146f3aa0e165777829095ece6a4a918bdaee4077f0ff75a815fb1203e2cb1b12d86cb92affe3d92ae1b
ep_bytes: 60be003043008dbe00e0fcff5783cdff
timestamp: 2007-02-07 13:34:02

Version Info:

CompanyName: нПмаХчаавлвЙУцЧвДЧЯьща
FileDescription: ЫАцВЛГЖБишПОСоЦаЖнВмчвуц
FileVersion: 122.34.64.19
InternalName: СйЙЬеноХоШАФлмЬпфФИЮАакйЬеЛур
OriginalFilename: GPfu.exe
ProductName: кеаЗТЮшйЯаъБрТЮЫЩНШРмЕжЫНЮж
ProductVersion: 122.34.64.19
Translation: 0x04b0 0x0417

PWS:Win32/Zbot!Q is also known as (vendor: detection name):

Bkav: W32.AIDetect.malware2
Lionic: Hacktool.Win32.Krap.lx28
Elastic: malicious (high confidence)
MicroWorld-eScan: Gen:Heur.Krypt.29
FireEye: Generic.mg.9124b06c5ee0523b
ALYac: Gen:Heur.Krypt.29
Cylance: Unsafe
Zillya: Trojan.Kryptik.Win32.93304
Sangfor: Suspicious.Win32.Save.a
K7AntiVirus: Trojan ( 0055dd191 )
Alibaba: TrojanPSW:Win32/Obfuscator.a960d3f3
K7GW: Trojan ( 0055dd191 )
Cybereason: malicious.c5ee05
VirIT: Packed.Win32.Katusha.J
Cyren: W32/Trojan.EBRM-3511
Symantec: ML.Attribute.HighConfidence
ESET-NOD32: a variant of Win32/Kryptik.EHC
APEX: Malicious
Paloalto: generic.ml
ClamAV: Win.Trojan.Packed-530
Kaspersky: Packed.Win32.Krap.hm
BitDefender: Gen:Heur.Krypt.29
NANO-Antivirus: Trojan.Win32.Krap.cvqlid
Avast: Win32:Dh-A [Heur]
Tencent: Malware.Win32.Gencirc.10b87c9b
Ad-Aware: Gen:Heur.Krypt.29
Sophos: ML/PE-A + Mal/Qbot-B
Comodo: MalCrypt.Indus!@1qrzi1
DrWeb: Trojan.Packed.20343
VIPRE: Trojan.Win32.Nedsym.f (v)
TrendMicro: BKDR_QAKBOT.SMC
McAfee-GW-Edition: BehavesLike.Win32.Generic.jc
Emsisoft: Gen:Heur.Krypt.29 (B)
Ikarus: Packer.Win32.Krap
GData: Gen:Heur.Krypt.29
Jiangmin: Packed.Katusha.idy
Webroot: W32.Malware.Gen
Avira: TR/Dropper.Gen
MAX: malware (ai score=100)
Antiy-AVL: Trojan/Generic.ASMalwS.FD679
Arcabit: Trojan.Krypt.29
ZoneAlarm: Packed.Win32.Krap.hm
Microsoft: PWS:Win32/Zbot.gen!Q
Cynet: Malicious (score: 100)
McAfee: Artemis!9124B06C5EE0
TrendMicro-HouseCall: BKDR_QAKBOT.SMC
Rising: Dropper.Generic!8.35E (CLOUD)
Yandex: Trojan.GenAsa!hKBlQ+uF2kM
SentinelOne: Static AI – Malicious PE
eGambit: Generic.PSW
Fortinet: W32/Generic.AC.2AA013!tr
BitDefenderTheta: AI:Packer.30B9AAF41F
AVG: Win32:Dh-A [Heur]
Panda: Trj/Krapack.gen
CrowdStrike: win/malicious_confidence_90% (D)

How to remove PWS:Win32/Zbot!Q?

PWS:Win32/Zbot!Q removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • Click “Move to quarantine” for all detected items.
  • Open the “Tools” tab – Press “Reset Browser Settings”.
  • Select the proper browser and options – Click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.
