winlogon.exe

The executable winlogon.exe has been detected as malware by 39 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Tok-Cirrhatus’. Additionally, the file is typically installed by a number of programs including AppsHat Mobile Apps by Somoto Ltd. and DriverPack Solution Updater by DriverPack Solution, both potentially unwanted software. While running, it connects to the Internet address ats.sbs.vip.dc11.lumsb.com on port 443.
MD5:
dadb62781676f69cc258893669038113

SHA-1:
231a5f70d46b54d8cc6108e876d8f4c17f72fd4b

SHA-256:
b93cb250ccc59ca8ef20fed10fcd1c952f1ea3d01f9f98aed84ddd18878d69ea

Scanner detections:
39 / 68

Status:
Malware

Analysis date:
4/26/2024 1:32:01 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Win32.Generic.442807 | 1119
Agnitum Outpost | I-Worm.Brontok.QJ | 7.1.1
AhnLab V3 Security | Win-Trojan/Xema.variant | 2014.01.10
Avira AntiVirus | Worm/Brontok.C | 7.11.124.138
avast! | Win32:Brontok-BH [Wrm] | 2014.9-140111
AVG | Worm/Brontok | 2015.0.3597
Baidu Antivirus | Trojan.Win32.Agent | 4.0.3.14111
Bitdefender | Win32.Generic.442807 | 1.0.20.55
Bkav FE | W32.BrontokQ | 1.3.0.4613
Clam AntiVirus | Worm.Brontok.E | 0.98/18155
Comodo Security | Packed.Win32.Packer.~GEN | 17585
Dr.Web | Win32.Virut.5 | 9.0.1.011
Emsisoft Anti-Malware | Win32.Generic.442807 | 8.14.01.11.12
ESET NOD32 | Win32/Brontok | 8.9272
Fortinet FortiGate | W32/Brontok.C@mm | 1/11/2014
F-Prot | W32/EmailWorm.OXI | v6.4.7.1.166
F-Secure | Win32.Generic.442807 | 11.2014-11-01_7
G Data | Win32.Generic.442807 | 14.1.22
IKARUS anti.virus | Email-Worm.Win32.Brontok | t3scan.2.2.29
K7 AntiVirus | EmailWorm | 13.175.10794
Kaspersky | Email-Worm.Win32.Brontok | 14.0.0.4482
Malwarebytes | Trojan.Dropper | v2014.01.11.12
McAfee | W32/Rontokbro.gen@MM | 5600.7253
Microsoft Security Essentials | Worm:Win32/Brontok.R@mm | 1.165.247.01
MicroWorld eScan | Win32.Generic.442807 | 15.0.0.33
NANO AntiVirus | Trojan.Win32.Brontok.bmcat | 0.28.0.57029
Norman | Alman.E | 11.20140111
nProtect | Trojan/W32.Genome.42713 | 14.01.09.01
Panda Antivirus | W32/Brontok.GS.worm | 14.01.11.12
Quick Heal | W32.Brontok.Q | 1.14.12.00
Rising Antivirus | PE:Trojan.Win32.Generic.12EAB5C7!317371847 | 23.00.65.14109
Sophos | W32/Brontok-G | 4.96
SUPERAntiSpyware | Trojan.Agent/Gen-FakeSec | 10852
Total Defense | Win32/Robknot.Z | 37.0.10498
Trend Micro House Call | WORM_RONTOKBR.CO | 7.2.11
Trend Micro | WORM_RONTOKBR.CO | 10.465.11
Vba32 AntiVirus | Email-Worm.Brontok | 3.12.24.3
VIPRE Antivirus | Email-Worm.Win32.Brontok.a | 25278
ViRobot | I-Worm.Win32.Brontok.42713 | 2011.4.7.4223

File size:
41.7 KB (42,713 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Documents and Settings\{user}\Application data\winlogon.exe

File PE Metadata
OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
5.12

CTPH (ssdeep):
768:l9N/z86spBgeaDipIJcpVE5uWe+bMH1KPa42BNvv35BMCs:Fz86spBu2pVE5uWe+gVKaxBB5Q

Entry address:
0x2F4C0

Entry point:
E9, 8F, 0C, FD, FF, 0C, 50, 02, 00, 00, 00, 00, 00, 00, 00, 00, 00, 97, F4, 02, 00, 0C, 50, 02, 00...

Entropy:
7.2803

Packer / compiler:
RLPack FullEdition V1.1X * Sign.By.fly

Code size:
512 bytes

Scheduled Task
Task name:
At1

Path:
C:\WINDOWS\Tasks\At1.job

Trigger:
Weekly (runs weekly on Sundays at 05:08 PM)


Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Tok-Cirrhatus

Command:
"C:\users\{user}\appdata\local\smss.exe"


The file winlogon.exe has been discovered within the following programs.

AppsHat Mobile Apps by Somoto Ltd.
AppsHat by Somoto is an ad-supported software program that is typically co-bundled with various unwanted software by Somoto as well as various third-party download managers. It is designed to sync with Android mobile devices.
www.appshat.com

DriverPack Solution Updater by DriverPack Solution
DriverPack Solution Updater is the updater program that runs with Windows (in the background as a service) and automatically starts when your computer boots. It checks for updates and, based on the user's settings, automatically downloads and installs any that it finds.

The file winlogon.exe has been seen being distributed by the following 2 URLs.

temp:_PAlbTN.exe

temp:My Music.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to ats.sbs.vip.dc11.lumsb.com  (8.12.146.61:443)

TCP (HTTP SSL):
Connects to ir1.fp.vip.bf1.yahoo.com  (98.139.180.149:443)

TCP (HTTP SSL):
Connects to media-router-fp1.prod.media.vip.ne1.yahoo.com  (98.138.252.38:443)

TCP (HTTP):
Connects to clipart.geo.vip.bf1.yahoo.com  (98.137.201.117:80)

TCP (HTTP SSL):
Connects to media-router-fp1.prod.media.vip.bf1.yahoo.com  (98.139.180.180:443)

TCP (HTTP SSL):
Connects to e1.ycpi.vip.bra.yahoo.com  (200.152.162.135:443)

TCP (HTTP SSL):
Connects to ir2.fp.vip.ir2.yahoo.com  (46.228.47.114:443)

TCP (HTTP SSL):
Connects to ir2.fp.vip.bf1.yahoo.com  (98.139.183.24:443)

TCP (HTTP SSL):
Connects to ir1.fp.vip.ir2.yahoo.com  (46.228.47.115:443)
