
About “Trojan-Spy.Win32.Zbot.zruy” infection


The Trojan-Spy.Win32.Zbot.zruy is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It lets you run a full scan and clean your PC during the trial period.
A 6-day free trial is available.

What can the Trojan-Spy.Win32.Zbot.zruy virus do?

  • Behavioural detection: Executable code extraction – unpacking
  • Sample contains Overlay data
  • Performs HTTP requests potentially not found in PCAP.
  • Reads data out of its own binary image
  • CAPE extracted potentially suspicious content
  • Drops a binary and executes it
  • Executable file is packed/obfuscated with MPRESS
  • Authenticode signature is invalid
  • Attempts to repeatedly call a single API many times in order to delay analysis time
  • CAPE detected the shellcode get eip malware family
  • Attempts to modify proxy settings
  • Anomalous binary characteristics
  • Yara detections observed in process dumps, payloads or dropped files

How to identify Trojan-Spy.Win32.Zbot.zruy?

File Info:

name: 452E996FC9448C8AB641.mlw
path: /opt/CAPEv2/storage/binaries/361ffda39b498fdef372660898901ce1c56d99f02cf423506920f29f97f8059c
crc32: 0EF48FFB
md5: 452e996fc9448c8ab6410dfe806b0966
sha1: 9cb42b9a6e2315e1556fb6f2996d06eb8f4a7842
sha256: 361ffda39b498fdef372660898901ce1c56d99f02cf423506920f29f97f8059c
sha512: cb164608081bc28636a21ff57dc169dab6d6f1d0b72479a7b295fb48f7019d6f251d67b9aa891bc73393b3f491c3775a3d7ab7a3af37aea29bd79e20ac4481cf
ssdeep: 384:UFguzjEChqLcBsMNQiviL//U8o/iYpDLQjQVf608rOpOyS:UFlAL+vW//p8iKxR8r+OyS
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T1421373F92EC8AA7FE23BDAB5C8F540CAF92179223851480D50DA874A0C13B57BCED51D
sha3_384: 1e7721825e7659c2fc4af32eed62f925f9fd8b0ae9119c812b15c571fd7509a3659594be3d062fb42d3afc73c8a0186a
ep_bytes: 837c24120ae8b6ffffff29d101c1e889
timestamp: 2004-05-28 09:53:59

Version Info:

0: [No Data]

Trojan-Spy.Win32.Zbot.zruy is also known as (vendor: detection name):

Bkav: W32.AIDetectMalware
Lionic: Trojan.Win32.Upatre.1j!c
Elastic: malicious (high confidence)
DrWeb: Trojan.DownLoader9.19947
MicroWorld-eScan: Gen:Variant.Zusy.542015
FireEye: Generic.mg.452e996fc9448c8a
CAT-QuickHeal: Trojan.Upatre.ZZ4
Skyhigh: BehavesLike.Win32.PWSZbot.pz
McAfee: PWSZbot-FMO!452E996FC944
Cylance: unsafe
Zillya: Downloader.Waski.Win32.10044
Sangfor: Suspicious.Win32.Save.a
Alibaba: Malware:Win32/km_2860e.None
K7GW: Trojan ( 0052964f1 )
K7AntiVirus: Trojan ( 0052964f1 )
BitDefenderTheta: Gen:NN.ZexaF.36804.cmX@aK!D1rci
Paloalto: generic.ml
Symantec: ML.Attribute.HighConfidence
tehtris: Generic.Malware
ESET-NOD32: Win32/TrojanDownloader.Waski.B
Zoner: Trojan.Win32.21026
APEX: Malicious
Avast: Win32:Waski-B [Cryp]
ClamAV: Win.Downloader.Upatre-6804083-0
Kaspersky: Trojan-Spy.Win32.Zbot.zruy
BitDefender: Gen:Variant.Zusy.542015
NANO-Antivirus: Trojan.Win32.Vundo.fncedi
SUPERAntiSpyware: Trojan.Agent/Gen-DownloaderUpatre
Rising: Downloader.Waski!8.184 (TFE:4:qt4WwuaAStL)
Emsisoft: Gen:Variant.Zusy.542015 (B)
F-Secure: Trojan.TR/Crypt.ASPM.Gen
Baidu: Win32.Trojan-Downloader.Waski.a
VIPRE: Gen:Variant.Zusy.542015
TrendMicro: TROJ_UPATRE.SM5
Trapmine: malicious.high.ml.score
Sophos: Troj/Zbot-HMB
SentinelOne: Static AI – Malicious PE
MAX: malware (ai score=88)
Jiangmin: Trojan.Generic.blbek
Google: Detected
Avira: TR/Crypt.ASPM.Gen
Varist: W32/S-552b2690!Eldorado
Antiy-AVL: Trojan[Downloader]/Win32.Waski.b
Kingsoft: Win32.HeurC.KVM007.a
Microsoft: TrojanDownloader:Win32/Upatre!pz
Arcabit: Trojan.Zusy.D8453F
ZoneAlarm: Trojan-Spy.Win32.Zbot.zruy
GData: Win32.Trojan-Downloader.Upatre.BJ
Cynet: Malicious (score: 100)
AhnLab-V3: Trojan/Win.Upatre.R416937
Acronis: suspicious
VBA32: TrojanDownloader.Upatre
ALYac: Gen:Variant.Zusy.542015
Malwarebytes: Generic.Malware.AI.DDS
Panda: Trj/Genetic.gen
TrendMicro-HouseCall: TROJ_UPATRE.SM5
Tencent: Trojan-Downloader.Win32.Waski.16000151
Yandex: Trojan.GenAsa!G7HTEQf3zWI
Ikarus: Trojan-Spy.Zbot
MaxSecure: Trojan.Upatre.Gen
Fortinet: W32/Kryptik.CF!tr
AVG: Win32:Waski-B [Cryp]
DeepInstinct: MALICIOUS
alibabacloud: Trojan[spy]:Win/Waski.B

How to remove Trojan-Spy.Win32.Zbot.zruy?

Trojan-Spy.Win32.Zbot.zruy removal tool:
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab – Press “Reset Browser Settings”.
  • Select the proper browser and options – Click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.