winlogon.exe
The executable winlogon.exe has been detected as malware by 40 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler. While running, it connects to the Internet address clipart.geo.vip.bf1.yahoo.com on port 80 using the HTTP protocol.
File name: winlogon.exe
MD5: 23561c28f612be9b00de7fffedf8bff2
SHA-1: 502bb1642ec0395dbfd21788e99380bd2f6319f5
SHA-256: 6e06771ba74fa5460a3430e9eeec008eec7104b25dc1394841eb98cb518c0943
Analysis
Scanner detections: 40 / 68
Status: Malware
Analysis date: 5/2/2024 2:58:00 PM UTC
Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Win32.Generic.497796 | 806
Agnitum Outpost | I-Worm.Brontok | 7.1.1
AhnLab V3 Security | Win32/Brontok.worm.47347 | 2014.11.10
Avira AntiVirus | Worm/Brontok.C | 7.11.183.220
avast! | Win32:Rontokbr-L [Wrm] | 2014.9-141121
AVG | Worm/Brontok | 2015.0.3284
Baidu Antivirus | Worm.Win32.Brontok | 4.0.3.141121
Bitdefender | Win32.Generic.497796 | 1.0.20.1625
Bkav FE | W32.BrontokQ | 1.3.0.4959
Clam AntiVirus | Worm.Brontok.E | 0.98/21411
Comodo Security | Packed.Win32.Packer.~GEN | 20037
Dr.Web | Win32.Virut.5 | 9.0.1.0325
Emsisoft Anti-Malware | Win32.Generic.497796 | 8.14.11.21.01
ESET NOD32 | Win32/Brontok.EL | 8.10697
Fortinet FortiGate | W32/Brontok.C@mm | 11/21/2014
F-Prot | W32/Brontok.CK@mm | v6.4.7.1.166
F-Secure | Win32.Generic.497796 | 11.2014-21-11_6
G Data | Win32.Generic.497796 | 14.11.24
IKARUS anti.virus | Email-Worm.Win32.Brontok | t3scan.1.8.3.0
K7 AntiVirus | Trojan | 13.185.13943
Kaspersky | Email-Worm.Win32.Brontok | 14.0.0.2915
Malwarebytes | Trojan.Dropper | v2014.11.21.01
McAfee | W32/Rontokbro.worm | 5600.6940
Microsoft Security Essentials | Worm:Win32/Brontok.S@mm | 1.11104
MicroWorld eScan | Win32.Generic.497796 | 15.0.0.975
NANO AntiVirus | Trojan.Win32.Brontok.bmcat | 0.28.6.62995
Norman | Alman.E | 11.20141121
nProtect | Worm/W32.Brontok.42692 | 14.11.06.01
Qihoo 360 Security | Win32/Worm.Email-Worm.343 | 1.0.0.1015
Quick Heal | W32.Brontok.Q | 11.14.14.00
Rising Antivirus | PE:Trojan.Win32.Generic.14383D0E!339229966 | 23.00.65.141119
Sophos | W32/Brontok-D | 4.98
SUPERAntiSpyware | Trojan.Agent/Gen-FakeSec | 10225
Total Defense | Win32/Robknot.BD | 37.0.11271
Trend Micro House Call | WORM_BRONTOK.IP | 7.2.325
Trend Micro | WORM_BRONTOK.IP | 10.465.21
Vba32 AntiVirus | Email-Worm.Brontok | 3.12.26.3
VIPRE Antivirus | Trojan.Win32.Generic!SB.0 | 34666
ViRobot | I-Worm.Win32.A.Brontok.42692 | 2011.4.7.4223
Zillya! Antivirus | Worm.Brontok.Win32.197 | 2.0.0.1977
File Details
File size: 41.7 KB (42,692 bytes)
File type: Executable application (Win32 EXE)
Common path: C:\users\{user}\appdata\local\winlogon.exe
Note that this sample borrows the name of a core Windows component: the legitimate winlogon.exe is located in %SystemRoot%\System32, not in a per-user AppData directory, so the path alone is a useful triage indicator.
File PE Metadata
OS version: 4.0
OS bitness: Win32
Subsystem: Windows GUI
Linker version: 5.12
CTPH (ssdeep): 768:YuY/s4FRXQxhjv2CgOOEuuxKfpUgcYl7CIwrd6hII3R0LVS1v35BMCn:KswRXQxhjv2jOJuuMpUrYycB0Vq5D
Entry address: 0x2F4AB
Entry point: E9, A4, 0C, FD, FF, 0C, 50, 02, 00, 00, 00, 00, 00, 00, 00, 00, 00, 82, F4, 02, 00, 0C, 50, 02, 00...
Entropy: 7.2771
Packer / compiler: RLPack FullEdition V1.1X
Code size: 512 bytes
Behaviors
Scheduled Task
Task name: At1
Trigger: Weekly (runs weekly on Fridays at 5:08 PM)
Network Communications
The executing file has been seen to make the following network communications in live environments.
TCP (HTTP SSL): connects to ats.sbs.vip.dc11.lumsb.com (8.12.146.61:443)
TCP (HTTP SSL): connects to media-router-fp1.prod.media.vip.tp2.yahoo.com (203.188.200.67:443)
TCP (HTTP SSL): connects to ir1.fp.vip.sg3.yahoo.com (106.10.139.246:443)
TCP (HTTP): connects to a23-46-107-27.deploy.static.akamaitechnologies.com (23.46.107.27:80)
TCP (HTTP): connects to clipart.geo.vip.bf1.yahoo.com (98.137.201.117:80)
TCP (HTTP SSL): connects to ats.sbs.vip.bf1.yahoo.com (72.30.202.139:443)
Powered by Reason Core Security