wininit.exe

Rahoz-SerKan

Koshy John

The executable wininit.exe has been detected as malware by 17 of 68 anti-virus scanners. It persists as a Windows Task Scheduler task named ProxyUpdate, triggered to run each time a user logs on. While running, it connects to the Internet address 45.76.87.233.vultr.com on port 1314.
Publisher:
Hewlett-Packard  (signed by Koshy John)

Product:
Rahoz-SerKan

Version:
1.0.0.0

MD5:
f950699b1f671c483bca3bf66c83792c

SHA-1:
41ac1dee9168479ffd1e02fd11693e69ecf96a04

SHA-256:
65a460fa4f896266c30bf1d284c612a49738c946c61be93af3833c9a56566aef

Scanner detections:
17 / 68

Status:
Malware

Analysis date:
5/7/2024 3:10:12 PM UTC

Scan engine               Detection                        Engine version
------------------------  -------------------------------  -----------------
Lavasoft Ad-Aware         Gen:Variant.MSILPerseus.33749    216
AegisLab AV Signature     Troj.W32.Gen.lZcY                2.1.4+
Arcabit                   Trojan.MSILPerseus.D83D5         1.0.0.688
AVG                       MSIL10                           2017.0.2694
Bitdefender               Gen:Variant.MSILPerseus.33749    1.0.20.925
Emsisoft Anti-Malware     Gen:Variant.MSILPerseus.33749    8.16.07.03.09
ESET NOD32                MSIL/Injector.PIE (variant)      10.13546
Fortinet FortiGate        Generik.KWSAWEY!tr               7/3/2016
F-Secure                  Gen:Variant.MSILPerseus.33749    11.2016-03-07_1
G Data                    Gen:Variant.MSILPerseus.33749    16.7.25
IKARUS anti.virus         Trojan.SuspectCRC                t3scan.2.0.9.0
K7 AntiVirus              Trojan                           13.226.19708
McAfee                    Artemis!F950699B1F67             5600.6350
MicroWorld eScan          Gen:Variant.MSILPerseus.33749    17.0.0.555
Panda Antivirus           Trj/GdSda.A                      16.07.03.09
Sophos                    Mal/Generic-S                    4.98
VIPRE Antivirus           Trojan.Win32.Generic             49636

File size:
222.2 KB (227,536 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © Hewlett-Packard 2016 Rahoz-SerKan

Original file name:
RahozSerKan.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\windows\prefetch\wininit.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
3/22/2015 5:30:00 AM

Valid to:
3/22/2020 5:29:59 AM

Subject:
CN=Koshy John, O=Koshy John, STREET=14409 NE 37th Pl., STREET=J9, L=Bellevue, S=Washington, PostalCode=98007, C=US

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00F0B9668B8F9B11A925E079E486F78DB1

File PE Metadata
Compilation timestamp:
5/15/2016 3:14:11 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
3072:MnJyFyqcwwcqDeLPvJR1LLJ+294tcNFlo1K4J7UjjHNC6W2B1+eEQcS/qIv5Kkf5:McjlPqW3J3tqtUU1LotCju1+2cSr

Entry address:
0x3761E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
6.8740

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
214 KB (219,136 bytes)

Scheduled Task
Task name:
ProxyUpdate

Path:
\Update\ProxyUpdate

Trigger:
Logon (Runs on logon)


The executable has been observed making the following network connections in live environments.

TCP:
Connects to WIN2012TEMPLATE  (78.129.249.181:1314)

TCP:
Connects to 45.76.87.233.vultr.com  (45.76.87.233:1314)

Powered by Reason Core Security