manager.exe

IS Security Service

Webroot Software, Inc.

The executable manager.exe has been detected as malware by 29 anti-virus scanners. It is set to start automatically when a user logs into Windows, via the current-user Run registry key under the display name ‘winsec’. According to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server.
Publisher:
Security Provider  (signed by Webroot Software, Inc.)

Product:
IS Security Service

Version:
1.00

MD5:
599ecfcc4c71201c1c171cc723299dff

SHA-1:
f3b255ae2de09e652e8e33528a30bd8fd41ecb65

SHA-256:
c4a4c8f9e9b56cbf17076a319d31e2130a7e4b1c54bed21962385702dafc2936

Scanner detections:
29 / 68

Status:
Malware

Analysis date:
4/18/2024 4:31:05 AM UTC

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| Agnitum Outpost | Backdoor.Bot | 7.1.1 |
| AhnLab V3 Security | Trojan/Win32.VBKrypt | 2013.02.18 |
| Avira AntiVirus | TR/VB.Inject.JD.196 | 7.11.61.126 |
| AVG | Dropper.Generic7 | 2017.0.2833 |
| Bitdefender | Backdoor.Bot.162637 | 1.0.20.225 |
| Comodo Security | UnclassifiedMalware | 15289 |
| Dr.Web | Trojan.Inject1.15559 | 9.0.1.045 |
| ESET NOD32 | Win32/Injector.AAUY (variant) | 10.8020 |
| Fortinet FortiGate | W32/Injector.AAON!tr | 2/14/2016 |
| F-Secure | Backdoor.Bot.162637 | 11.2016-14-02_1 |
| G Data | Backdoor.Bot.162637 | 16.2.22 |
| IKARUS anti.virus | Backdoor.Win32.Bot | t3scan.2.0.0.0 |
| K7 AntiVirus | Riskware | 13.160.8224 |
| Kaspersky | Trojan.Win32.Genome | 14.0.0.662 |
| McAfee | PWS-Zbot.gen.aru | 5600.6489 |
| Microsoft Security Essentials | VirTool:Win32/VBInject.gen!JD | 1.163.1557.0 |
| MicroWorld eScan | Backdoor.Bot.162637 | 17.0.0.135 |
| NANO AntiVirus | Trojan.Win32.Genome.betxsg | 0.22.8.50287 |
| Norman | VBInject.HOQ | 11.20160214 |
| nProtect | Backdoor.Bot.162637 | 13.02.17.01 |
| Panda Antivirus | Trj/CI.A | 16.02.14.02 |
| Quick Heal | Trojan.Genome.ajxcr | 2.16.12.00 |
| Rising Antivirus | Hack.VBInject!4B7A | 23.00.65.16212 |
| Sophos | Mal/Generic-S | 4.86 |
| SUPERAntiSpyware | Trojan.Agent/Gen-Frauder | 9324 |
| Trend Micro House Call | TROJ_GEN.R11Z2AA | 7.2.45 |
| Trend Micro | TROJ_GEN.R11Z2AA | 10.465.14 |
| Vba32 AntiVirus | BScope.Malware-Cryptor.Zbot.1412 | 3.12.20.2 |
| VIPRE Antivirus | Trojan.Win32.Generic | 15608 |

File size:
583.4 KB (597,408 bytes)

Product version:
1.00

Copyright:
© 2002-2012 Security Provider

Original file name:
secpr.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\windows\security\manager.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
12/8/2009 1:00:00 AM

Valid to:
1/21/2012 12:59:59 AM

Subject:
CN="Webroot Software, Inc.", OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Webroot Software, Inc.", L=Boulder, S=Colorado, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2009-2 CA, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
769328F4A1AE00A21E71A04099615F01

File PE Metadata
Compilation timestamp:
12/19/2012 3:12:20 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:/M7jKT5PeeaN8G9a/ttn6qNTkYXcXWEMy4CwNg92EegHD6XM:/M8daCGo6Ok5X/M1892EeY2XM

Entry address:
0x1614

Entry point:
68, 6C, 17, 40, 00, E8, EE, FF, FF, FF, 00, 00, 00, 00, 00, 00, 30, 00, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00, 18, 90, 58, 39, 74, 2C, A9, 42, 8F, 8C, E5, 80, 45, F4, CD, DD, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 28, 42, 79, 76, 61, 6C, 42, 65, 64, 73, 69, 64, 65, 73, 33, 00, 61, 6E, 74, 29, 20, 41, 00, 00, 00, 00, 01, 00, 05, 00, 10, 2A, 40, 00, 00, 00, 00, 00, FF, FF, FF, FF, FF, FF, FF, FF, 00, 00, 00, 00, 54, 2B, 40, 00, 6C, C0, 48, 00, 00, 00, 00, 00, E8, B6, 2A, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 

Developed / compiled with:
Microsoft Visual Basic v5.0

Code size:
556 KB (569,344 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
winsec

Command:
C:\windows\security\manager.exe

