winlogon.exe

The executable winlogon.exe has been detected as malware by 45 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Tok-Cirrhatus’. Additionally, the file is typically installed by a number of programs including AppsHat Mobile Apps by Somoto Ltd. and DriverPack Solution Updater by DriverPack Solution, both potentially unwanted software. While running, it connects to the Internet address ats.sbs.vip.dc11.lumsb.com on port 443.
MD5:
dadb62781676f69cc258893669038113

SHA-1:
231a5f70d46b54d8cc6108e876d8f4c17f72fd4b

SHA-256:
b93cb250ccc59ca8ef20fed10fcd1c952f1ea3d01f9f98aed84ddd18878d69ea

Scanner detections:
45 / 68

Status:
Malware

Analysis date:
11/20/2017 6:08:19 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Win32.Generic.442807
1119

Agnitum Outpost
I-Worm.Brontok.QJ
7.1.1

AhnLab V3 Security
Win-Trojan/Xema.variant
2014.01.10

Avira AntiVirus
Worm/Brontok.C
7.11.124.138

Antiy Labs AVL
Worm/Win32.Brontok
2.0.3.7

avast!
Win32:Brontok-BH [Wrm]
2014.9-140111

AVG
Worm/Brontok
2015.0.3597

Baidu Antivirus
Trojan.Win32.Agent
4.0.3.14111

Bitdefender
Win32.Generic.442807
1.0.20.55

Bkav FE
W32.BrontokQ
1.3.0.4613

Clam AntiVirus
Worm.Brontok.E
0.98/18155

Commtouch SDK
W32/Worm.KLUF-8224
5.4.1.7

Comodo Security
Packed.Win32.Packer.~GEN
17585

Dr.Web
Win32.Virut.5
9.0.1.011

Emsisoft Anti-Malware
Win32.Generic.442807
8.14.01.11.12

ESET NOD32
Win32/Brontok
8.9272

Fortinet FortiGate
W32/Brontok.C@mm
1/11/2014

F-Prot
W32/EmailWorm.OXI
v6.4.7.1.166

F-Secure
Win32.Generic.442807
11.2014-11-01_7

G Data
Win32.Generic.442807
14.1.22

IKARUS anti.virus
Email-Worm.Win32.Brontok
t3scan.2.2.29

Jiangmin
Worm/Brontok.ww
KV140111

K7 AntiVirus
EmailWorm
13.175.10794

K7 Gateway Antivirus
Riskware
13.175.10794

Kaspersky
Email-Worm.Win32.Brontok
14.0.0.4482

Malwarebytes
Trojan.Dropper
v2014.01.11.12

McAfee
W32/Rontokbro.gen@MM
5600.7253

McAfee Web Gateway
Heuristic.BehavesLike.Win32.Suspicious-BAY.K
7.7253

Microsoft Security Essentials
Worm:Win32/Brontok.R@mm
1.165.247.01

MicroWorld eScan
Win32.Generic.442807
15.0.0.33

NANO AntiVirus
Trojan.Win32.Brontok.bmcat
0.28.0.57029

Norman
Alman.E
11.20140111

nProtect
Trojan/W32.Genome.42713
14.01.09.01

Panda Antivirus
W32/Brontok.GS.worm
14.01.11.12

Quick Heal
W32.Brontok.Q
1.14.12.00

Rising Antivirus
PE:Trojan.Win32.Generic.12EAB5C7!317371847
23.00.65.14109

Sophos
W32/Brontok-G
4.96

SUPERAntiSpyware
Trojan.Agent/Gen-FakeSec
10852

The Hacker
W32/Brontok.q
6.8.0.5.390

Total Defense
Win32/Robknot.Z
37.0.10498

Trend Micro House Call
WORM_RONTOKBR.CO
7.2.11

Trend Micro
WORM_RONTOKBR.CO
10.465.11

Vba32 AntiVirus
Email-Worm.Brontok
3.12.24.3

VIPRE Antivirus
Email-Worm.Win32.Brontok.a
25278

ViRobot
I-Worm.Win32.Brontok.42713
2011.4.7.4223

File size:
41.7 KB (42,713 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Documents and Settings\{user}\Application data\winlogon.exe

File PE Metadata
OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
5.12

CTPH (ssdeep):
768:l9N/z86spBgeaDipIJcpVE5uWe+bMH1KPa42BNvv35BMCs:Fz86spBu2pVE5uWe+gVKaxBB5Q

Entry address:
0x2F4C0

Entry point:
E9, 8F, 0C, FD, FF, 0C, 50, 02, 00, 00, 00, 00, 00, 00, 00, 00, 00, 97, F4, 02, 00, 0C, 50, 02, 00...
 
[+]

Entropy:
7.2803

Packer / compiler:
RLPack FullEdition V1.1X * Sign.By.fly

Code size:
512 Bytes (512 bytes)

Scheduled Task
Task name:
At1

Path:
C:\WINDOWS\Tasks\At1.job

Trigger:
Weekly (Runs weekly on Sundays at 05:08 م)


Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Tok-Cirrhatus

Command:
"C:\users\{user}\appdata\local\smss.exe"


The file winlogon.exe has been discovered within the following programs.

AppsHat Mobile Apps  by Somoto Ltd.
AppsHat by Somoto is an ad-support software program that is typically co-bundled with various unwanted software by Somoto as well as various third party download managers. Its is designed to sync with Android mobile devices.
www.appshat.com
71% remove it
DriverPack Solution Updater  by DriverPack Solution
DriverPack Solution Updater is the updater program which runs with Windows (in the background as a service) and automatically starts up when your computer boots. It checks for updates and automatically downloads and installs them if found based on the user's settings.
56% remove it
 
Powered by Should I Remove It?

The file winlogon.exe has been seen being distributed by the following 2 URLs.

temp:_PAlbTN.exe

temp:My Music.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to ats.sbs.vip.dc11.lumsb.com  (8.12.146.61:443)

TCP (HTTP SSL):
Connects to ir1.fp.vip.bf1.yahoo.com  (98.139.180.149:443)

TCP (HTTP SSL):
Connects to media-router-fp1.prod.media.vip.ne1.yahoo.com  (98.138.252.38:443)

TCP (HTTP):
Connects to clipart.geo.vip.bf1.yahoo.com  (98.137.201.117:80)

TCP (HTTP SSL):
Connects to media-router-fp1.prod.media.vip.bf1.yahoo.com  (98.139.180.180:443)

TCP (HTTP SSL):
Connects to e1.ycpi.vip.bra.yahoo.com  (200.152.162.135:443)

TCP (HTTP SSL):
Connects to ir2.fp.vip.ir2.yahoo.com  (46.228.47.114:443)

TCP (HTTP SSL):
Connects to ir2.fp.vip.bf1.yahoo.com  (98.139.183.24:443)

TCP (HTTP SSL):
Connects to ir1.fp.vip.ir2.yahoo.com  (46.228.47.115:443)

Remove winlogon.exe - Powered by Reason Core Security