Troj/Agent-ZMO
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Popularity Rank: | 7,640 |
| Threat Level: | 90 % (High) |
| Infected Computers: | 216 |
| First Seen: | January 3, 2013 |
| Last Seen: | February 2, 2026 |
| OS(es) Affected: | Windows |
Troj/Agent-ZMO is a Trojan that is included in a spam malware campaign. Troj/Agent-ZMO circulates via a spam email carrying bikini screensavers. The unsolicited email states to come from Selma and offer season's greetings and photographs of a woman wearing a bikini. The subject of the fake email is 'HAPPY NEW YEAR'. The fake email may also declare to be a belated Christmas greeting with the subject 'Merry Christmas'. The fraudulent emails are written in Italian and English, but the content is the same - 'here are the photographs of me wearing a bikini that I promised you'. A harmful file called 'Bikini.zip' is attached to the malicious emails, which includes a dubious Windows screensaver - 'Bikini.scr', incorporating different encrypted strings. A screensaver (.SCR) file is executable, which means that if the program is executed, it can set your computer in danger.
Table of Contents
SpyHunter Detects & Remove Troj/Agent-ZMO
File System Details
Troj/Agent-ZMO may create the following file(s):
| # | File Name | MD5 |
Detections
Detections: The number of confirmed and suspected cases of a particular threat detected on
infected computers as reported by SpyHunter.
|
|---|---|---|---|
| 1. | Bikini.scr | ||
| 2. | Bikini.zip | ||
| 3. | 6ec7654c71ea3e44339c2fdb40000925 | 6ec7654c71ea3e44339c2fdb40000925 | 0 |
System Messages
The following system messages may be associated with Troj/Agent-ZMO:
Subject: HAPPY NEW YEAR |
Analysis Report
General information
| Family Name: | Trojan.Dropper.Agent.D |
|---|---|
| Signature status: | Self Signed |
Known Samples
Known Samples
This section lists other file samples believed to be associated with this family.|
MD5:
4fb646f1d66b25d384f1605457c14987
SHA1:
9b3aa7e3e619323b59a10307076f9a580649d378
File Size:
5.08 MB, 5084520 bytes
|
|
MD5:
adecac8c30401cb9677098f355784f18
SHA1:
3fe5645b1acc0fb6bf19a51d2914aef2262886cd
File Size:
6.94 MB, 6935066 bytes
|
|
MD5:
eec0d3802d9f8148d66d3d0da7e46c61
SHA1:
9b762d3482b00575873805c70f2d38a6742bc500
File Size:
7.15 MB, 7153274 bytes
|
|
MD5:
3fc8f92198e0d800b2f9557277a5aa4a
SHA1:
af709c25307a7ceec5e06c5fb793cd5633751e24
File Size:
5.10 MB, 5104520 bytes
|
|
MD5:
c6fa08b368ede41f4130e128ebdc16f8
SHA1:
30a7c85c5cc8a284f37a3eb92d529542b7789615
SHA256:
5CC29E0C950CA65FE67D0D268876430C3BB3ED105D6B379E92193789AF0AA420
File Size:
6.30 MB, 6303112 bytes
|
Show More
|
MD5:
d8c4cb08c15f736e627fba35d1170fab
SHA1:
035a0fc4455dbb910492ec3d467bbc02684c8b70
SHA256:
A5945CA806FBC970DE84E4914A19478679A4F19CCD31915527158517CACB1A7D
File Size:
6.94 MB, 6935066 bytes
|
|
MD5:
3fecfd89713fec8cc93caad6ca5191c3
SHA1:
c521a23709ab254ddeb88b04f98fd13eeee9d0c6
SHA256:
EB6120D0A1A828E52CDAB39F90207A2104B5A8F4E99F42DC58E493259FD5755F
File Size:
6.07 MB, 6065896 bytes
|
|
MD5:
bf530238cfe257c962488046ff46fc1e
SHA1:
ac7e1d6adfcafe47c0337117e12614491ceca9dc
SHA256:
7CACE3D9ACC17A6998FEF3657BFD1837224023BDDE2EC8E6B829AFBF39AD0237
File Size:
7.11 MB, 7111606 bytes
|
|
MD5:
7ea7e2fdcfc3f01c6c93eca081bd454b
SHA1:
0e570ac6c10369a8f3b4743565acdd158c2d5b52
SHA256:
1102E7C4BC8DEADDB9D743F74A8BA1BD0A2207D46A75FE14489027B6210C05E8
File Size:
6.94 MB, 6935067 bytes
|
|
MD5:
46c3ce42a9edafcf2c8e3d04dc231bf8
SHA1:
dba714316627eca16be131494a1961b27234b6a1
SHA256:
C11290C44A156F6C4BDB4375A41D2E5E975EBB05EBF2DFECEA00157A100AC5E5
File Size:
7.25 MB, 7247285 bytes
|
|
MD5:
c1762aec95b2213d59eb18a769a2082f
SHA1:
b07547815cda46ad1c2e62c071d2b89e6aec7264
SHA256:
EAD68339779DC0752AA02489ADE75A00B9038FDD79618F6B4A8A2569257B7590
File Size:
5.05 MB, 5045072 bytes
|
|
MD5:
7b9a2acaaa886e127d0a8459e35abb5f
SHA1:
8fa19ebce98a6df9ac276328fc6acf7a88c3c364
SHA256:
1409A1DF7A5956F991B0870FDE9899551D31A51F8630D22954F2E2A6597BD1D2
File Size:
6.30 MB, 6304648 bytes
|
|
MD5:
7dcafafef5b0764cb29e709dc55d1035
SHA1:
978450eb795e42e44250ba6bfe9eebae3cbbb0f7
SHA256:
B957019849C722210BD47551EAE9A8D01BD26D31D80C3B60DCC371922FDBE2EF
File Size:
7.15 MB, 7153274 bytes
|
|
MD5:
6dc65bc21bd3cb7aef02cf5b94b121e0
SHA1:
db66a832e991147f68c536f8732e672b069bb63c
SHA256:
25EC48B188FBAF2A0420B363A2182C657D5AEF0E52F5C7D8609ACC6029789A8C
File Size:
5.07 MB, 5067664 bytes
|
|
MD5:
fbe63aa73f66b9d4081653362d06b02f
SHA1:
068fc2d9faff97e131083ffc24c61c76f0c751e0
SHA256:
60336F27C05AEC8739C413CE1BB0C04F251ABD9A484E715E97F19CFD5A91FE51
File Size:
5.06 MB, 5060464 bytes
|
|
MD5:
f1e4032eec5e8a77e1fbed545c5c0a1b
SHA1:
90cddb5e1fbbb2bb742333c8cc307dc96466acb0
SHA256:
EEC970984DB3B39475A653C75189DCA771872134A15AF75192D95B481FDE6D48
File Size:
7.11 MB, 7111606 bytes
|
|
MD5:
938c3aabeac066dde624b840bf98bae9
SHA1:
d1b4648151e9f10d4a37d36838a674c043bcc21b
SHA256:
0CD3444ACFBB6408EE5E717EFE2DF99AC2AA451D4084976D72DD8532BF877BDB
File Size:
5.08 MB, 5078936 bytes
|
|
MD5:
6204072af2f62d10a8f1fc81f5ece586
SHA1:
a8174d5ce34dc98e98f6b8a5139a079580057de1
SHA256:
1244081640C9933472091427D78A517DFAC15AFFA01FE4EB5ADFE76D3E29D294
File Size:
6.31 MB, 6310272 bytes
|
|
MD5:
90ea4b474f35614a39ad38f90d6fc1ae
SHA1:
a9e182d0fbc809cfe77688d2c4831c0e62e62daa
SHA256:
C4667B9265573DA7FB33EAD1FD954BA21F8A98EC03F45BCF3E8767EB8038EB07
File Size:
7.15 MB, 7153274 bytes
|
|
MD5:
dcd07e8e0f47c6a02f077027ecc43870
SHA1:
ab2e4e8c5b64b673a6e2c03a125aed683c4e5934
SHA256:
43413129C995AF34AA142C656CF6B9697C71BF1AC32BA6576E11356FF2D255CD
File Size:
7.11 MB, 7111606 bytes
|
|
MD5:
fae6632e6b1dd04efef742e028f179af
SHA1:
94eff691b3b3a9641aaafd5bdad0a54578b24e44
SHA256:
C42158D231A1486A2066C9815F1FFA7F711FB8AF7033B629EDE0E244F60A9BE1
File Size:
7.11 MB, 7111607 bytes
|
|
MD5:
bca764b36e491c06dfa0e85c8d1913ba
SHA1:
7e3f56172336cc9716e3ccd2134a0d174dccf12d
SHA256:
145BFF3073D48A98F54F005AEECE4FCA6858EABD511E0661413495E87D80F901
File Size:
6.03 MB, 6026064 bytes
|
|
MD5:
cfb110c455bb1df27c56ee8e9c1adfa1
SHA1:
567b7fe7a6d840ec9f0d63717f2bf3c520731d12
SHA256:
4ABA6A771313F1180B15F0970DA8C3D94530E0AF7A5ADFA1AC0EA0EEBA22E2BD
File Size:
6.29 MB, 6293880 bytes
|
|
MD5:
56ae1b1b100c26f6405c9ba7d7c63e46
SHA1:
392bc7f99c1a57b970dc84fbb497953641d96631
SHA256:
1227CC4B75A99685865477ABBF4DE9FA997875D200DA40981E85297758EF7B53
File Size:
7.15 MB, 7153274 bytes
|
|
MD5:
15ae48821ca6bc69b98f6ed0873fa68a
SHA1:
3143cab09e314efd5dfc242c7b0b1e5ca364744f
SHA256:
C9E847CDD447E0494850CFEA3958FA7FB9CE47F34C890F0A9DB56FE7A52225BE
File Size:
6.94 MB, 6935066 bytes
|
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
Show More
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.| Name | Value |
|---|---|
| Company Name |
|
| File Description |
|
| File Version |
|
| Internal Name | 7z.sfx |
| Legal Copyright |
|
| Original Filename | 7z.sfx.exe |
| Product Name |
|
| Product Version |
|
Digital Signatures
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature’s root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy “Self Signed” digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading “Signer” names.| Signer | Root | Status |
|---|---|---|
| Confident Facilitate | (indoors) Glare | Self Signed |
| Battleground Identity Union | Battleground Identity Union | Self Signed |
| Crook Demolish | Digit Tangible | Self Signed |
| Make Compartment | Distribute Shout | Self Signed |
| Mess Facility | Illicit Carriage | Self Signed |
Show More
| Without Curl | Offer Beware | Self Signed |
| Withdraw Mint | Over Kind | Self Signed |
| Cost Masterpiece | Pull Lantern | Self Signed |
| Down Dangle | Threat Eliminate | Self Signed |
| Elevate Explain | Vein Beep | Self Signed |
File Traits
- 7-zip (In Overlay)
- 7-zip SFX
- big overlay
- dll
- HighEntropy
- x86
Files Modified
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.| File | Attributes |
|---|---|
| \device\namedpipe\gmdasllogger | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zs05761e7c\setup.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zs05761e7c\setup.exe | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zs0663efdc\setup.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zs0663efdc\setup.exe | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zs0d350da3\setup.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zs0d350da3\setup.exe | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zs0df70744\setup.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zs0df70744\setup.exe | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zs413ac847\setup.exe | Generic Write,Read Attributes |
Show More
| c:\users\user\appdata\local\temp\7zs413ac847\setup.exe | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zs4161aaa2\setup.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zs4161aaa2\setup.exe | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zs8a799410\setup.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zs8a799410\setup.exe | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zsc961a34e\setup.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zsc961a34e\setup.exe | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\7zscc580ada\setup.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7zscc580ada\setup.exe | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsd11c.tmp\modern-wizard.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsd11c.tmp\modern-wizard.bmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsd11c.tmp\nsdialogs.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsd11c.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsf225a.tmp\modern-wizard.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsf225a.tmp\modern-wizard.bmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsf225a.tmp\nsdialogs.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsf225a.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsf6d1d.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsf6d1d.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsi26a6.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsi26a6.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsi2ad6.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsi2ad6.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsme523.tmp\modern-wizard.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsme523.tmp\modern-wizard.bmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsme523.tmp\nsdialogs.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsme523.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsn4591.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsn4591.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsoac68.tmp\modern-wizard.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsoac68.tmp\modern-wizard.bmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsoac68.tmp\nsdialogs.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsoac68.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsoed72.tmp\modern-wizard.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsoed72.tmp\modern-wizard.bmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsoed72.tmp\nsdialogs.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsoed72.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsq308e.tmp\modern-wizard.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsq308e.tmp\modern-wizard.bmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsq308e.tmp\nsdialogs.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsq308e.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsq4e60.tmp\modern-wizard.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsq4e60.tmp\modern-wizard.bmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsq4e60.tmp\nsdialogs.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsq4e60.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsra535.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsra535.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nss2740.tmp\modern-wizard.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nss2740.tmp\modern-wizard.bmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nss2740.tmp\nsdialogs.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nss2740.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nst4621.tmp\modern-wizard.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nst4621.tmp\modern-wizard.bmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nst4621.tmp\nsdialogs.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nst4621.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nstfec1.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nstfec1.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsxff67.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsxff67.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsy2158.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsy2158.tmp | Synchronize,Write Attributes |
Windows API Usage
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.| Category | API |
|---|---|
| Process Shell Execute |
|
| Anti Debug |
|
| User Data Access |
|
| Keyboard Access |
|
| Process Manipulation Evasion |
|
Shell Command Execution
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
.\setup.exe
|
