Adware Reports malware removal guides and threat research Updated security instructions for Windows users
Home/Spy
Threat report

About “Trojan-Spy.MSIL.Stealer” infection

Published Nov 28, 2019 Spy category 3 min read
Report context

What to verify before removal

About “Trojan-Spy.MSIL.Stealer” infection deserves a credential-safety review because this spy label can overlap with remote access, browser data theft, or persistence after reboot. Cleanup should include scanning the file, removing the persistence point, and rotating exposed passwords from a clean device.

The technical section is meant to connect the detection name with observable evidence such as credential theft, browser data access, remote-control activity, and persistence after reboot. Compare the identifiers here with the local file before deleting anything, then use the cleanup workflow to scan, quarantine, and verify the system state.

  • Confirm the detection name matches About “Trojan-Spy.MSIL.Stealer” infection before removing related files.
  • Review the report for credential theft, browser data access, remote-control activity, and persistence after reboot so the cleanup is based on observed behavior, not only the label.
  • After cleanup, rotate passwords from a clean device and review browser sessions or saved credentials.

The Trojan-Spy.MSIL.Stealer detection points to behavior that can expose private data or keep unauthorized access open. Prioritize persistence cleanup, network review, and account hardening after the scan. The notes below include hashes, external file references, and behavior notes so you can compare the detection with the affected file before removal.

What Trojan-Spy.MSIL.Stealer virus can do?

  • Executable code extraction
  • Injection (inter-process)
  • Injection (Process Hollowing)
  • Injection with CreateRemoteThread in a remote process
  • Creates RWX memory
  • A process attempted to delay the analysis task.
  • A process created a hidden window
  • The binary likely contains encrypted or compressed data.
  • Executed a process and injected code into it, probably while unpacking
  • Attempts to remove evidence of file being downloaded from the Internet
  • Sniffs keystrokes
  • Attempts to repeatedly call a single API many times in order to delay analysis time
  • Steals private information from local Internet browsers
  • Installs itself for autorun at Windows startup
  • Checks the CPU name from registry, possibly for anti-virtualization
  • Creates a copy of itself
  • Harvests credentials from local FTP client softwares
  • Harvests information related to installed mail clients
  • Makes SMTP requests, possibly sending spam or exfiltrating data.
  • Collects information to fingerprint the system

Related domains:

z.whorecord.xyz
a.tomx.xyz
us2.smtp.mailhostbox.com

How to determine Trojan-Spy.MSIL.Stealer?



File Info:

crc32: 6DF93176
md5: 688eeac27cb044e0fcd0c570b252fe0d
name: sunnyz.exe
sha1: d34ac5a96466330ab8a4b3bc2c47b868067c2744
sha256: b19c3595551681f800d91571357b86e048138d6d3b8b54ae607fe55cc876b3af
sha512: c5e8852c716fc3ceb15c95132ab1ad45262fd7d33b623bd38fc0d3a9472c51713f8c314dc70f8dacf88d89349cfcecde0ea43deb952b052b767ca0162d17899f
ssdeep: 12288:BNML1v2ExEdbNGI5BP7jbm2OeR/JyZ1NywEnBYVLNdm:Wv/xYII/7jbm2DQcwGBsD
type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows


Version Info:

Translation: 0x0000 0x04b0
LegalCopyright: Copyright xa9  2019
Assembly Version: 1.1.8.0
InternalName: SimpleSharp.exe
FileVersion: 1.1.8
CompanyName: 
LegalTrademarks: 
Comments: 
ProductName: SimpleSharp
ProductVersion: 1.1.8
FileDescription: SimpleSharp
OriginalFilename: SimpleSharp.exe

Trojan-Spy.MSIL.Stealer also known as:

DrWeb Trojan.PWS.Stealer.27520
FireEye Generic.mg.688eeac27cb044e0
Cylance Unsafe
CrowdStrike win/malicious_confidence_80% (W)
BitDefenderTheta Gen:NN.ZemsilF.32515.Fm0@auyTqSn
Cyren W32/Trojan.SW.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/Kryptik.TWN
APEX Malicious
Kaspersky HEUR:Trojan-Spy.MSIL.Stealer.gen
Invincea heuristic
McAfee-GW-Edition BehavesLike.Win32.Generic.gc
Trapmine malicious.high.ml.score
Ikarus Trojan.MSIL.Krypt
F-Prot W32/Trojan.SW.gen!Eldorado
Webroot W32.Trojan.Gen
Endgame malicious (high confidence)
ZoneAlarm HEUR:Trojan-Spy.MSIL.Stealer.gen
Acronis suspicious
Malwarebytes Trojan.MalPack
SentinelOne DFI – Malicious PE
Cybereason malicious.964663
Qihoo-360 Win32/Trojan.Spy.67f

How to remove Trojan-Spy.MSIL.Stealer?

Recommended second-opinion scan

Verify the infection before changing system settings

Use GridinSoft Anti-Malware to run a full scan, review detected persistence entries, and quarantine confirmed threats before restarting Windows.

Download GridinSoft Anti-Malware
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan“.
  • Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings“.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.