How to Remove Zr89YEwgl7.exe "Zr89" Spyware/Malware [Trojan:Win32/Wacatac.B!ml]

We may receive a commission for purchases made through some ads/links on this page A new data-stealing malware is on the loose! First repor...

Tuesday, May 25, 2021

How to Remove Zr89YEwgl7.exe "Zr89" Spyware/Malware [Trojan:Win32/Wacatac.B!ml]

We may receive a commission for purchases made through some ads/links on this page

A new data-stealing malware is on the loose! First reported in May of this year, the software behind this virus can harvest your browser data as well as computer specifications. Read our analysis below to learn exactly how the malware works or skip directly to our removal guide if you believe your computer has been infected.

The malicious file discussed in this analysis, named “Zr89YEwgl7.exe” (or “Zr89” for short), is a simple yet dangerous spyware designed to run on Windows machines. This malware analysis will cover how it may be distributed by threat actors, how it behaves on an infected machine, and how it can steal data right from under your nose.

General Info: 

Filenames - Zr89YEwgl7.exe, f415405d413c1ad16b85c003f2ec6cda83d24518c4fb8a6e4aaaafc58dbb1254.exe

Target Machines - Intel

Filesize - 726,528 Bytes (Total)

File Hash:

SHA-256 - f415405d413c1ad16b85c003f2ec6cda83d24518c4fb8a6e4aaaafc58dbb1254

SHA-1 - 1ff795745683e6801fe689d2e566be7c25259d79

MD5 - aef64b80f75e200594408843bdb9bc83

Libraries Accessed (Windows) - ws2_32.dll, esent.dll, winhttp.dll

Test Sample Used - Malware Bazaar


This analysis covers the behavior of the test sample file linked above on a virtual machine. Depending on how the software was programmed, it may behave differently on other virtual machines or real computers. The authors behind the malware may also release newer variants in the future, which may prove to be more difficult to detect. That being said, our removal guide and antivirus tool will likely still work against future variants and reverse their effect on the file system. This post and our tool will be updated as new information about the software behind this malware is made publicly available. Subscribe to this blog to be notified of any updates made on this page.


Spyware viruses like Zr89YEwgl7.exe often target highly-selective information on infected computers before sending it back to their creators and going dormant. Distribution methods for this type of malware will therefore differ from those used by ransomware or other types. The “Zr89” sample file tested for this post is very selective about which data it swipes, making it perfect for targeted drive by downloads on compromised websites or bought ad spaces.

Compromised Websites - One of the most effective techniques attackers use to spread their malware is compromising a trusted website and replacing the software on that site with their own. If a targeted website happens to contain an unpatched vulnerability that allows hackers to control file transfer capabilities, they could replace apps, links, and more with malware. This can lead to millions (in some cases) of unsuspecting users accidentally downloading dangerous files and executing them on their computers. In one 2018 case, an elaborate cyber-attack scheme compromised thousands of websites to spread malware across the internet.

Emails - Sending spam emails with attached malware is perhaps the most preferred method of today’s malware distribution. SMTP spam services provide a cheap way to send malicious files in bulk across the internet and computer viruses are often hidden inside fake documents. Zr89YEwgl7.exe or Zr89 itself can be smuggled through compressed ZIP files or document macros. Always be sure to avoid downloading files or navigating links sent by suspicious emails.


Once the Zr89 virus executes on a Windows machine, it will immediately query volume information as well as other details about the computer it is running on. It will also test its environment for signs that it is running on a virtual machine, leading many to believe that it may act differently on a real, physical computer. After running these short scans, the malware will then proceed to check the Windows network adapter settings. Although it does not immediately change configurations, this behavior indicates that the virus will contact a C&C server after it has successfully stolen data. While monitoring network activities during the virtual machine testing of the malicious sample file, this may have been confirmed.



The next notable feature of Zr89YEwgl7.exe is how it steals information from infected computers. Similar to other spyware variants we covered on this blog, Zr89 opens the following folder to steal cookies from Chrome:

-C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies

Threat actors can use stolen cookies to access online accounts since they often store sensitive login data. Because of this, a Zr89 infection on your computer can leave everything from your email to your online bank account compromised. Removing such a spyware infection is critically important.

Zr89YEwgl7.exe also has file downloading capabilities, and made direct contact with a web server during our analysis of the sample. By masking its requests under common user agents such as Chrome and Firefox, it is able to stealthily connect to, a server commonly seen as a connection location for similar spyware. It is unclear whether this server is operated by threat actors or whether it is being connected to for other reasons. After contacting, Zr89 proceeds to drop two files into the directory it is executed on (see below).

It is not currently known what role these files play for the spyware, although one of the files (named “d.INTEG.RAW”) resembles the output of a diagnostic tool for the Microsoft Exchange Server. The Microsoft Exchange server is a mail server developed by Microsoft which can be directly accessed from Microsoft computers, making it possible that Zr89 uses the server to deploy or distribute copies of itself and/or the data it steals. 


Removing Zr89YEwgl7.exe or its other files and variants is done most easily with the malware removal tool built into our antivirus app, Malscope. Differing removal methods may exist but the following steps are our tested instructions for Zr89YEwgl7 malware removal:

1. Purchase or download the Malscope Antivirus from our webpage and unzip the installer. If you purchase a yearly plan, you can actually use the code “zr89” to get 30% off Malscope, an app that is equipped to detect hidden versions of Zr89YEwgl7.exe along with possible variants and highlight any malicious files it discovers. The discount code will expire in 30 days, so be sure to use it as soon as possible!

2. Run the “Malscope” app and enter the product key you received after your purchase (check your email). If you happen to already have a product key, you may skip the purchasing steps and enter it now.

3. Wait for Malscope to set up its environment. Once controls for the app are loaded, you can begin removing the Zr89 infection.

4. Click the drop-down box under “Virus Removal” on Malscope to select a malware type to remove. Click “Zr89YEwgl7.exe [Trojan:Win32/Wacatac.B!ml]” and then press remove. If the Zr89 virus is or was active on your computer, Malscope will automatically remove all associated files and reverse damages to your system’s settings and execution policies.

5. If you think you downloaded Zr89YEwgl7.exe by mistake, be sure to scan the directory you saved it to with the “Scan Directory” button. This will prompt you to select a folder which you can scan with a single click. Malscope will automatically mark suspicious files and print them onto the usage log for you to read. You may then choose to delete the files either manually or through Malscope’s “Scan File Now” data removal option.


Since Malscope Antivirus is equipped with the ability to detect Zr89 and variants of this virus, we recommend using the tool to prevent an infection as well as removing it. Downloaded executable files should be regularly scanned with Malscope to ensure their safety.

Additional Notes:

-Zr89YEwgl7.exe may attempt to evade antivirus detection and analysis by looping various Windows sleep functions before running its malicious data-stealing operation on infected computers. Looping harmless functions is a common tactic malware authors use to disguise and obfuscate dangerous code.

-Zr89 connects to the server mentioned above ( via two different ports: 80 (HTTP) and 49704.

-This malware also has the capability to read and store data from the CPU, a feature which may help Zr89 adjust processing priorities for its functions and web server connections.

-Despite being relatively simple compared to some of its competitors in the spyware world, Zr89YEwgl7.exe and its variants should be taken seriously. Spyware targeting local browser data can lead to the loss of online accounts as well as finances and should be removed as soon as possible using the best available tools.