winlogon.exe

The executable winlogon.exe has been detected as malware by 7 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Tok-Cirrhatus-2157’. While running, it connects to the Internet address unknown.prolexic.com on port 80 using the HTTP protocol.
MD5:
8293ba24772dbcfd57ee19782669ec4f

SHA-1:
77fb2b7799bb2ac437e027dbc0b9ba255654a0a6

SHA-256:
9e3bd936f0605b85d5284b75f1412f3bfa435bb9becc7c4c8641091c13a9b01e

Scanner detections:
7 / 68

Status:
Malware

Analysis date:
5/22/2024 12:24:19 AM UTC

Scan engine: Detection (Engine version)

AVG: I-Worm/Brontok.X (2013.0.4477)
Clam AntiVirus: Win.Worm.Brontok-15 (0.98/22466)
ESET NOD32: Win32/Brontok.EJ worm (6.3.12010.0)
F-Prot: W32/EmailWorm.AEY (4.6.5.141)
F-Secure: Win32.Worm.Brontok.BR (5.15.154)
Kaspersky: Email-Worm.Win32.Brontok (15.0.2.529)
Microsoft Security Essentials: Worm:Win32/Brontok.BI@mm (1.231.901.0)

File size:
63.5 KB (65,024 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\winlogon.exe

File PE Metadata
OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
5.12

CTPH (ssdeep):
768:ibk/Jm3HmOwy5elWMSthN+H2QCM8QI6JbETCs1v35BMCoge:wcJm3/wLlWtaWozIYwGU5K

Entry address:
0x30F29

Entry point:
E9, 26, F2, FC, FF, 0C, 60, 02, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 0F, 03, 00, 0C, 60, 02, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
6.6578

Packer / compiler:
MEW, 0x11 SE v1.2

Code size:
512 Bytes (512 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Tok-Cirrhatus-2157

Command:
"C:\users\{user}\appdata\local\br5337on.exe"
The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to unknown.prolexic.com  (72.52.4.121:80)

Remove winlogon.exe - Powered by Reason Core Security