Categories: Malware

Troj/Miner-ZL removal

The Troj/Miner-ZL is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.

DOWNLOAD NOW

6-day free trial available.

What Troj/Miner-ZL virus can do?

Executable code extraction
Injection (inter-process)
Injection (Process Hollowing)
Creates RWX memory
A process attempted to delay the analysis task.
Attempts to connect to a dead IP:Port (16 unique times)
Starts servers listening on 0.0.0.0:5183
Reads data out of its own binary image
A process created a hidden window
Drops a binary and executes it
Performs some HTTP requests
Unconventionial language used in binary resources: Spanish (Venezuela)
Uses Windows utilities for basic functionality
Enumerates services, possibly for anti-virtualization
Executed a process and injected code into it, probably while unpacking
Deletes its original binary from disk
Attempts to repeatedly call a single API many times in order to delay analysis time
Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config
Installs itself for autorun at Windows startup
A possible cryptomining command was executed
Attempts to interact with an Alternate Data Stream (ADS)
Anomalous binary characteristics

Related domains:

z.whorecord.xyz

a.tomx.xyz

microsoft-com.mail.protection.outlook.com

181.86.68.138.dnsbl.sorbs.net

181.86.68.138.bl.spamcop.net

181.86.68.138.zen.spamhaus.org

181.86.68.138.sbl-xbl.spamhaus.org

181.86.68.138.cbl.abuseat.org

msr.pool.gntl.co.uk

auth.hulu.com

How to determine Troj/Miner-ZL?


File Info:
crc32: C350EF11md5: 9e2fc4ee4e363a54caa3470bd08f8c8aname: 9E2FC4EE4E363A54CAA3470BD08F8C8A.mlwsha1: 699a1937a609d2fe44dfe14cd738743c3fdb7c36sha256: b0016d1310baded342528275cc776bcbb79098988b01d93eaa5e64fcbd911334sha512: 9d99b29612f86ac6183685c9df5a91bebef1c63d6021f14cfb3dce58862c5a163fb5b7b578735dcd3726e18b50bca22b3557ea28e255da60ec9506a49635bc96ssdeep: 98304:wtjvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv:wttype: PE32 executable (GUI) Intel 80386, for MS Windows
Version Info:
InternalName: wriheawtz.otsFileVers: 1.2.58Copyright: Copyrighd (C) 2020, gumkaTranslationUsi: 0x0421 0x0ccd

Troj/Miner-ZL also known as:

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKDZ.71114
FireEye	Generic.mg.9e2fc4ee4e363a54
McAfee	Packed-GCZ!9E2FC4EE4E36
Cylance	Unsafe
Sangfor	Malware
CrowdStrike	win/malicious_confidence_80% (D)
BitDefender	Trojan.GenericKDZ.71114
K7GW	Trojan ( 005721231 )
K7AntiVirus	Trojan ( 005721231 )
TrendMicro	Mal_Tofsee
Cyren	W32/Kryptik.CIR.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
ClamAV	Win.Packed.Generickdz-9785340-0
Kaspersky	HEUR:Trojan.Win32.AntiAV.pef
Rising	Trojan.Kryptik!8.8 (TFE:4:oRf4PR72exP)
Ad-Aware	Trojan.GenericKDZ.71114
Sophos	Troj/Miner-ZL
F-Secure	Trojan.TR/ATRAPS.Gen2
DrWeb	Trojan.Siggen10.53735
Invincea	Troj/Miner-ZL
McAfee-GW-Edition	BehavesLike.Win32.Generic.vm
MaxSecure	Trojan.Malware.300983.susgen
Emsisoft	Trojan.GenericKDZ.71114 (B)
Jiangmin	Trojan.AntiAV.dps
Avira	TR/ATRAPS.Gen2
MAX	malware (ai score=84)
Antiy-AVL	Trojan[Backdoor]/Win32.Tofsee
Microsoft	Trojan:Win32/Dofoil.STA
Arcabit	Trojan.Generic.D115CA
ZoneAlarm	HEUR:Trojan.Win32.AntiAV.pef
GData	Trojan.GenericKDZ.71114
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Glupteba.R354561
Acronis	suspicious
VBA32	BScope.Trojan.Wacatac
ALYac	Trojan.GenericKDZ.71114
Malwarebytes	Trojan.MalPack
ESET-NOD32	a variant of Win32/Kryptik.HHDD
TrendMicro-HouseCall	Mal_Tofsee
SentinelOne	Static AI – Malicious PE
Fortinet	W32/Kryptik.HHGA!tr
AVG	FileRepMalware
Cybereason	malicious.7a609d
Qihoo-360	HEUR/QVM20.1.44A7.Malware.Gen