winlogon.exe

The executable winlogon.exe has been detected as malware by 40 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler. While running, it connects to the Internet address clipart.geo.vip.bf1.yahoo.com on port 80 using the HTTP protocol.
MD5:
23561c28f612be9b00de7fffedf8bff2

SHA-1:
502bb1642ec0395dbfd21788e99380bd2f6319f5

SHA-256:
6e06771ba74fa5460a3430e9eeec008eec7104b25dc1394841eb98cb518c0943

Scanner detections:
40 / 68

Status:
Malware

Analysis date:
5/2/2024 2:58:00 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Win32.Generic.497796 | 806
Agnitum Outpost | I-Worm.Brontok | 7.1.1
AhnLab V3 Security | Win32/Brontok.worm.47347 | 2014.11.10
Avira AntiVirus | Worm/Brontok.C | 7.11.183.220
avast! | Win32:Rontokbr-L [Wrm] | 2014.9-141121
AVG | Worm/Brontok | 2015.0.3284
Baidu Antivirus | Worm.Win32.Brontok | 4.0.3.141121
Bitdefender | Win32.Generic.497796 | 1.0.20.1625
Bkav FE | W32.BrontokQ | 1.3.0.4959
Clam AntiVirus | Worm.Brontok.E | 0.98/21411
Comodo Security | Packed.Win32.Packer.~GEN | 20037
Dr.Web | Win32.Virut.5 | 9.0.1.0325
Emsisoft Anti-Malware | Win32.Generic.497796 | 8.14.11.21.01
ESET NOD32 | Win32/Brontok.EL | 8.10697
Fortinet FortiGate | W32/Brontok.C@mm | 11/21/2014
F-Prot | W32/Brontok.CK@mm | v6.4.7.1.166
F-Secure | Win32.Generic.497796 | 11.2014-21-11_6
G Data | Win32.Generic.497796 | 14.11.24
IKARUS anti.virus | Email-Worm.Win32.Brontok | t3scan.1.8.3.0
K7 AntiVirus | Trojan | 13.185.13943
Kaspersky | Email-Worm.Win32.Brontok | 14.0.0.2915
Malwarebytes | Trojan.Dropper | v2014.11.21.01
McAfee | W32/Rontokbro.worm | 5600.6940
Microsoft Security Essentials | Worm:Win32/Brontok.S@mm | 1.11104
MicroWorld eScan | Win32.Generic.497796 | 15.0.0.975
NANO AntiVirus | Trojan.Win32.Brontok.bmcat | 0.28.6.62995
Norman | Alman.E | 11.20141121
nProtect | Worm/W32.Brontok.42692 | 14.11.06.01
Qihoo 360 Security | Win32/Worm.Email-Worm.343 | 1.0.0.1015
Quick Heal | W32.Brontok.Q | 11.14.14.00
Rising Antivirus | PE:Trojan.Win32.Generic.14383D0E!339229966 | 23.00.65.141119
Sophos | W32/Brontok-D | 4.98
SUPERAntiSpyware | Trojan.Agent/Gen-FakeSec | 10225
Total Defense | Win32/Robknot.BD | 37.0.11271
Trend Micro House Call | WORM_BRONTOK.IP | 7.2.325
Trend Micro | WORM_BRONTOK.IP | 10.465.21
Vba32 AntiVirus | Email-Worm.Brontok | 3.12.26.3
VIPRE Antivirus | Trojan.Win32.Generic!SB.0 | 34666
ViRobot | I-Worm.Win32.A.Brontok.42692 | 2011.4.7.4223
Zillya! Antivirus | Worm.Brontok.Win32.197 | 2.0.0.1977

File size:
41.7 KB (42,692 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\winlogon.exe

File PE Metadata
OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
5.12

CTPH (ssdeep):
768:YuY/s4FRXQxhjv2CgOOEuuxKfpUgcYl7CIwrd6hII3R0LVS1v35BMCn:KswRXQxhjv2jOJuuMpUrYycB0Vq5D

Entry address:
0x2F4AB

Entry point:
E9, A4, 0C, FD, FF, 0C, 50, 02, 00, 00, 00, 00, 00, 00, 00, 00, 00, 82, F4, 02, 00, 0C, 50, 02, 00...

Entropy:
7.2771

Packer / compiler:
RLPack FullEdition V1.1X

Code size:
512 bytes

Scheduled Task
Task name:
At1

Trigger:
Weekly (Runs weekly on Fridays at 5:08 PM)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to ats.sbs.vip.dc11.lumsb.com  (8.12.146.61:443)

TCP (HTTP SSL):
Connects to media-router-fp1.prod.media.vip.tp2.yahoo.com  (203.188.200.67:443)

TCP (HTTP SSL):
Connects to ir1.fp.vip.sg3.yahoo.com  (106.10.139.246:443)

TCP (HTTP):
Connects to clipart.geo.vip.bf1.yahoo.com  (98.137.201.117:80)

TCP (HTTP SSL):
Connects to ats.sbs.vip.bf1.yahoo.com  (72.30.202.139:443)

Powered by Reason Core Security