wmz.exe

The application wmz.exe has been detected as a potentially unwanted program by 33 anti-malware scanners. It is a setup program used to install the application. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘Windows XP’. This is a malicious Bitcoin miner. Bitcoin-mining malware is designed to force computers to generate Bitcoins for cybercriminals' use and consumes computing power. The file has been seen being downloaded from lovetunisia.com.
MD5:
1966a17a60011bb07790b9221dfbb12a

SHA-1:
5c3d092a3d5baf2acf511c19e2bb51d24c51f1ad

SHA-256:
3f96d19a3e376550676e679df3943da1c737d8cd3beadb7af4236be78101898b

Scanner detections:
33 / 68

Status:
Potentially unwanted

Explanation:
The program will mine for Bitcoins using the computer's GPU in the background, and may be installed and run without the user's knowledge.

Analysis date:
12/25/2024 2:24:24 PM UTC

Scan engine                   Detection                                   Engine version
Lavasoft Ad-Aware             Gen:Variant.Zusy.58097                      339
Agnitum Outpost               Riskware.BitCoinMiner                       7.1.1
AhnLab V3 Security            Downloader/Win32.Dapato                     2015.03.06
Avira AntiVirus               TR/Graftor.35867.261                        7.11.214.42
avast!                        Win32:BitCoinMiner-E [PUP]                  2014.9-160301
AVG                           Generic33                                   2017.0.2817
Baidu Antivirus               Trojan.Win32.CoinMiner                      4.0.3.1631
Bitdefender                   Gen:Variant.Zusy.58097                      1.0.20.305
Comodo Security               TrojWare.Win32.Downloader.Dapato.AB         21311
Dr.Web                        Trojan.DownLoader9.44238                    9.0.1.061
Emsisoft Anti-Malware         Gen:Variant.Zusy.58097                      8.16.03.01.05
ESET NOD32                    Win32/CoinMiner.CI (variant)                10.11277
Fortinet FortiGate            W32/CoinMiner.AB!tr                         3/1/2016
F-Prot                        W32/S-31563cf5                              v6.4.7.1.166
F-Secure                      Gen:Variant.Zusy.58097                      11.2016-01-03_3
G Data                        Gen:Variant.Zusy.58097                      16.3.25
IKARUS anti.virus             Trojan.SuspectCRC                           t3scan.1.8.6.0
K7 AntiVirus                  Backdoor                                    13.200.15179
Kaspersky                     HEUR:Trojan.Win32.Generic                   14.0.0.581
Malwarebytes                  Trojan.BitcoinMiner                         v2016.03.01.05
McAfee                        Artemis!1966A17A6001                        5600.6473
Microsoft Security Essentials Trojan:Win32/Sisron!gmb                     1.1.11400.0
MicroWorld eScan              Gen:Variant.Zusy.58097                      17.0.0.183
NANO AntiVirus                Trojan.Win32.Graftor.cvzdqc                 0.30.0.296
Norman                        Troj_Generic.MFFKS                          11.20160301
Panda Antivirus               Trj/Genetic.gen                             16.03.01.05
Qihoo 360 Security            Win32/Trojan.e6d                            1.0.0.1015
Quick Heal                    Trojan.Sisron.r5                            3.16.14.00
Rising Antivirus              PE:Trojan.Win32.Generic.159342C3!361972419  23.00.65.16228
Sophos                        Mal/Generic-S                               4.98
Trend Micro House Call        TROJ_SPNR.15GB13                            7.2.61
Trend Micro                   TROJ_SPNR.15GB13                            10.465.01
VIPRE Antivirus               Trojan.Win32.Generic                        38168

File size:
440.5 KB (451,072 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\wmz.exe

File PE Metadata
Compilation timestamp:
6/21/2013 11:49:56 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
10.0

CTPH (ssdeep):
12288:ebKeabSTiR/sUCfui5tBwvx0gGdY31ir3rWsL9:sKeaiiR0UCRBexUK31AbWsL

Entry address:
0x3F208

Entry point:
E8, FD, AC, 00, 00, E9, 95, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 4C, A1, 18, 76, 46, 00, 33, C5, 89, 45, FC, 53, 33, DB, 56, 8B, 75, 08, 57, 89, 5D, D4, 89, 5D, E4, 89, 5D, E0, 89, 5D, D8, 89, 5D, DC, 89, 75, B4, 89, 5D, B8, 39, 5E, 14, 0F, 84, 19, 03, 00, 00, 8D, 46, 04, 39, 18, 75, 20, 50, 0F, B7, 46, 30, 68, 04, 10, 00, 00, 50, 8D, 45, B4, 53, 50, E8, E4, 6E, 00, 00, 83, C4, 14, 85, C0, 0F, 85, CA, 02, 00, 00, 6A, 04, E8, 96, 3A, 00, 00, 6A, 02, BF, 80, 01, 00, 00, 57, 89, 45, D4, E8, CB, 3A, 00, 00...

Code size:
339 KB (347,136 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Windows XP

Command:
"C:\users\{user}\appdata\roaming\wmz.exe"


The file wmz.exe has been seen being distributed by the following URL.

Remove wmz.exe - Powered by Reason Core Security