Spy Trojan

Trojan-Spy.Win32.Zbot.rtmr information

Malware Removal

The Trojan-Spy.Win32.Zbot.rtmr is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.
DOWNLOAD NOW
6-day free trial available.

What Trojan-Spy.Win32.Zbot.rtmr virus can do?

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Behavioural detection: Executable code extraction – unpacking
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Possible date expiration check, exits too soon after checking local time
  • Loads a driver
  • Dynamic (imported) function loading detected
  • Enumerates running processes
  • Expresses interest in specific running processes
  • Reads data out of its own binary image
  • CAPE extracted potentially suspicious content
  • Authenticode signature is invalid
  • Uses Windows utilities for basic functionality
  • Code injection with CreateRemoteThread in a remote process
  • Attempts to restart the guest VM
  • Behavioural detection: Injection (inter-process)
  • Behavioural detection: Injection with CreateRemoteThread in a remote process
  • Tries to unhook or modify Windows functions monitored by Cuckoo
  • Modifies boot configuration settings
  • Collects and encrypts information about the computer likely to send to C2 server
  • Installs itself for autorun at Windows startup
  • Installs itself for autorun at Windows startup
  • Creates a hidden or system file
  • Collects information to fingerprint the system
  • Uses suspicious command line tools or Windows utilities

How to determine Trojan-Spy.Win32.Zbot.rtmr?



File Info:

name: AE12474B13BEEA8FD984.mlw
path: /opt/CAPEv2/storage/binaries/39b5c513bf6c1280676e075e069763a1c7f1d8e74439d0b07661cbeed050a102
crc32: 02243490
md5: ae12474b13beea8fd9845da9d14534cd
sha1: 5a2ab9e0702f3591b2e274cd5153563c4b5ee414
sha256: 39b5c513bf6c1280676e075e069763a1c7f1d8e74439d0b07661cbeed050a102
sha512: eb4731ffb72700e1bf1e171393a3a32cd58c209d98058ef30fe2ed86554a8572a50d964d15fb7bc2577346ae7e115b74e7d5434959aba8fa2570797b8ffbded8
ssdeep: 12288:Fua7bZpbK4akBwY/73L0pOlziHxr+xd0tKlPgfVUknRLhp1:VVpO4TBwe770GWIq
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T19BE48CE87810A13FFB47293EA852DC5B164ABF4CAC94F6E73AE04F5B6C175038265478
sha3_384: 63f342cd8cbed63749e970be63d2c7645e4a92a4855993aeadddae2eee499a2025d560a67489587df754b3cb1d5c81c9
ep_bytes: e8f52c0000e917feffffcccccccccccc
timestamp: 2014-03-12 14:32:05


Version Info:

CompanyName: HEALTHCAREfirst
FileDescription: Mattertube
FileVersion: 2.7.430.643
InternalName: batindicate.exe
LegalCopyright: Copyright © 2010 HEALTHCAREfirst Corporation. All rights reserved.
OriginalFilename: batindicate.exe
ProductName: Mattertube HEALTHCAREfirst Are
Translation: 0x0409 0x04b0

Trojan-Spy.Win32.Zbot.rtmr also known as:

BkavW32.AIDetect.malware2
LionicTrojan.Win32.Zbot.l!c
Elasticmalicious (high confidence)
MicroWorld-eScanTrojan.GenericKD.1604082
FireEyeGeneric.mg.ae12474b13beea8f
CAT-QuickHealTrojan.Zbot.Y5
ALYacTrojan.GenericKD.1604082
CylanceUnsafe
VIPRETrojan.Win32.Zbot.j (v)
SangforTrojan.Win32.Save.a
K7AntiVirusRiskware ( 0040eff71 )
AlibabaTrojanSpy:Win32/Changeling.1ecdd229
K7GWRiskware ( 0040eff71 )
Cybereasonmalicious.b13bee
CyrenW32/Trojan.ZLCX-7777
SymantecML.Attribute.HighConfidence
ESET-NOD32Win32/Spy.Zbot.AAU
APEXMalicious
Paloaltogeneric.ml
ClamAVWin.Trojan.Zbot-59364
KasperskyTrojan-Spy.Win32.Zbot.rtmr
BitDefenderTrojan.GenericKD.1604082
NANO-AntivirusTrojan.Win32.Zbot.cuwbxp
AvastWin32:Trojan-gen
TencentMalware.Win32.Gencirc.10c6df33
Ad-AwareTrojan.GenericKD.1604082
TACHYONTrojan-Spy/W32.ZBot.699904.L
SophosMal/Generic-R + Troj/Agent-AGIS
ComodoMalware@#216ojejm9xa55
DrWebTrojan.PWS.Panda.5676
ZillyaTrojan.Zbot.Win32.154815
TrendMicroTROJ_FORUCON
McAfee-GW-EditionBehavesLike.Win32.CoinMiner.jh
EmsisoftTrojan.GenericKD.1604082 (B)
IkarusTrojan-Spy.Zbot
GDataWin32.Trojan.Agent.97EYBN
JiangminTrojanSpy.Zbot.edad
WebrootW32.InfoStealer.Zeus
AviraTR/Changeling.A.1268
Antiy-AVLTrojan/Generic.ASMalwS.8FC7FC
KingsoftWin32.Troj.Zbot.rt.(kcloud)
ArcabitTrojan.Generic.D1879F2
ViRobotTrojan.Win32.Agent.699904.A
MicrosoftPWS:Win32/Zbot
CynetMalicious (score: 100)
AhnLab-V3Trojan/Win32.agent.C285705
Acronissuspicious
McAfeeGeneric.sp
MAXmalware (ai score=100)
VBA32TrojanSpy.Zbot
TrendMicro-HouseCallTROJ_FORUCON
RisingTrojan.Spy.Win32.Zbot.hix (CLASSIC)
YandexTrojanSpy.Zbot!YDnZtU3e/Jw
SentinelOneStatic AI – Malicious PE
eGambitUnsafe.AI_Score_98%
FortinetW32/Kryptik.BXXO!tr
BitDefenderThetaGen:NN.ZexaF.34084.Qu0@aedINOmi
AVGWin32:Trojan-gen
PandaTrj/WLT.A
CrowdStrikewin/malicious_confidence_100% (W)

How to remove Trojan-Spy.Win32.Zbot.rtmr?

Trojan-Spy.Win32.Zbot.rtmr removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan“.
  • Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings“.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.

You may also like

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.

View all posts

Leave a Comment