winmgr.exe

The executable winmgr.exe has been detected as malware by 38 of the 68 anti-virus scanners used. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘Microsoft Windows Manager’. The file is infected by an entry-point-obscuring polymorphic file infector (identified by most engines below as Sality) that joins the host to a peer-to-peer botnet and receives URLs of additional files to download. The publisher and product names shown (Mozilla, SeaMonkey) are unverified metadata read from the file's version resource, not evidence of a legitimate origin; the hashes, path and Run-key name below are the reliable indicators.
Publisher:
Mozilla

Product:
SeaMonkey

Version:
0.4.4.6

MD5:
ef4ef82a03e59ab31edb69baf694f664

SHA-1:
09b0d94112831771bbc3a74bd7c5ded57169ac42

SHA-256:
229434a2b96bfcef0320017408b01408bad56d2d395f20aa69d45a33da9793a5

Scanner detections:
38 / 68

Status:
File is infected by a Virus

Explanation:
The file is infected by a polymorphic file infector virus.

Analysis date:
4/24/2024 9:44:30 PM UTC

Scan engine                   Detection                 Engine version
Lavasoft Ad-Aware             Win32.Sality.3            -32
AegisLab AV Signature         Virus.W32.Sality!c        2.1.4+
AhnLab V3 Security            Win32/Kashu.E             3.8.3.16
Avira AntiVirus               W32/Sality.AT             8.3.3.4
Arcabit                       Win32.Sality.3            1.0.0.795
avast!                        Win32:Banker-MEP [Trj]    2014.9-170308
AVG                           Win32/Sality              2018.0.2446
Baidu Antivirus               Win32.Virus.Sality        4.0.3.1738
Bitdefender                   Win32.Sality.3            1.0.20.335
Bkav FE                       W32.Sality.PE             1.3.0.8876
Comodo Security               Virus.Win32.Sality.gen    26713
Dr.Web                        Win32.Sector.30           9.0.1.067
Emsisoft Anti-Malware         Win32.Sality              8.17.03.08.05
ESET NOD32                    Win32/Sality.NBA          11.15044
Fortinet FortiGate            W32/CHRZ.BGA!tr           3/8/2017
F-Prot                        W32/Sality.gen2           v6.4.7.1.166
F-Secure                      Win32.Sality.3            11.2017-08-03_4
G Data                        Win32.Sality              17.3.25
IKARUS anti.virus             Trojan.Win32.Injector     0.2.1.2
K7 AntiVirus                  Virus                     13.10.3.22630
Kaspersky                     Virus.Win32.Sality        14.0.0.-1276
Malwarebytes                  Trojan.Injector.DLL       v2017.03.08.05
McAfee                        W32/Sality.gen.z          5600.6102
Microsoft Security Essentials Virus:Win32/Sality.AU     1.1.13504.0
MicroWorld eScan              Win32.Sality.3            18.0.0.201
NANO AntiVirus                Virus.Win32.Sality.beygb  1.0.70.15657
nProtect                      Virus/W32.Sality.D        17.03.07.01
Panda Antivirus               W32/Sality.AA             17.03.08.05
Qihoo 360 Security            Virus.Win32.Sality.I      1.0.0.1120
Quick Heal                    W32.Sality.U              3.17.14.00
Rising Antivirus              Win32.KUKU.kt (classic)   23.00.65.17306
Sophos                        Troj/Ransom-BGA           4.98
Total Defense                 Win32/Sality.AA           37.1.62.1
Trend Micro                   PE_SALITY.RL              10.465.08
Vba32 AntiVirus               Virus.Win32.Sality.bakb   3.12.26.4
VIPRE Antivirus               Virus.Win32.Sality.at     56462
ViRobot                       Win32.Sality.Gen.A[h]     2014.3.20.0
Zillya! Antivirus             Virus.Sality.Win32.25     2.0.0.3222

File size:
259.4 KB (265,665 bytes)

Product version:
0.4.4.6

Copyright:
Mozilla

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\windows\m-50504520485014204056030508045\winmgr.exe

File PE Metadata
Compilation timestamp:
10/6/2014 9:40:17 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

Entry address:
0x3217

Entry point:
60, 3D, E4, FB, 00, 00, 77, 03, F2, 87, F9, 68, B0, 00, 85, 00, 68, 11, FC, 39, 00, 8A, E4, F6, C1, F6, 2B, E8, 4E, EB, 04, 8B, C9, 8A, EF, B3, B0, 86, F8, E8, 11, 00, 00, 00, 84, C6, B1, F6, 80, EE, 64, 0F, AF, D1, 8D, 33, 78, 03, 0F, AF, C1, 5D, FE, CA, 69, CE, 01, 9C, 1D, CD, BA, 72, 08, 17, B2, C7, C6, 76, 9B, 57, 80, 86, E3, FE, C6, 8A, CE, 40, 08, ED, 8D, 0D, EB, 3B, A3, 8C, 74, 08, C6, C0, B3, 0F, AF, CA, 88, D9, 76, 03, C6, C4, 77, 8D, 1D, 42, 03, 00, 00, B6, 7A, 81, C3, B6, 00, 00, 00, F3, EB, 0A...

Entropy:
6.7988

Code size:
23 KB (23,552 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Microsoft Windows Manager

Command:
C:\windows\m-50504520485014204056030508045\winmgr.exe
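The following PowerShell is an added triage check for the persistence described in the summary and in this Startup File section; it is not part of the original page and is not Reason Core Security's code. It walks the current-user Run key, flags any value whose name or command matches the entry shown here, and for a flagged file computes the SHA-256 and MD5 for comparison with the hashes listed above. The Run key, display name, path pattern and hashes are taken from this page; the function names and output fields are my own, and the entropy routine is a plain Shannon entropy over the file bytes, which I assume is the metric behind the page's Entropy figure.

```powershell
# Added example: hunt for the 'Microsoft Windows Manager' Run-key entry and
# compare its target against the IOCs on this page. Function names and output
# fields are the author's own; the key, hashes and path pattern are the page's.

$IocSha256 = '229434a2b96bfcef0320017408b01408bad56d2d395f20aa69d45a33da9793a5'
$IocMd5    = 'ef4ef82a03e59ab31edb69baf694f664'
$RunKey    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Get-ByteEntropy {
    # Shannon entropy in bits per byte (0.0 .. 8.0). Assumed to be how the
    # page's "Entropy: 6.7988" was computed; packed or encrypted code sits high.
    param([byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $Bytes.Length
            $entropy -= $p * [math]::Log($p, 2)
        }
    }
    return [math]::Round($entropy, 4)
}

function Find-WinmgrPersistence {
    param([string]$Key = $RunKey)
    $reg = Get-Item -Path $Key -ErrorAction Stop
    foreach ($name in $reg.GetValueNames()) {
        $cmd = [string]$reg.GetValue($name)
        # Reduce the command line to its executable: quoted path, or first token.
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }

        $byName = $name -eq 'Microsoft Windows Manager'
        # Common path on this page: C:\windows\m-<digits>\winmgr.exe
        $byPath = $exe -match '\\windows\\m-\d+\\winmgr\.exe$'
        if (-not ($byName -or $byPath)) { continue }

        $result = [pscustomobject]@{
            ValueName   = $name
            Command     = $cmd
            Executable  = $exe
            Exists      = Test-Path -LiteralPath $exe
            Sha256Match = $false
            Md5Match    = $false
            SizeBytes   = $null
            Entropy     = $null
        }
        if ($result.Exists) {
            $sha = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            $md5 = (Get-FileHash -LiteralPath $exe -Algorithm MD5).Hash
            $result.Sha256Match = ($sha -eq $IocSha256)   # -eq is case-insensitive
            $result.Md5Match    = ($md5 -eq $IocMd5)
            # Reading the bytes does not execute the file.
            $bytes = [System.IO.File]::ReadAllBytes($exe)
            $result.SizeBytes   = $bytes.Length
            $result.Entropy     = Get-ByteEntropy -Bytes $bytes
        }
        $result
    }
}

Find-WinmgrPersistence | Format-List
```

Run it in the session of the affected user, since the key is per-user, then repeat with the HKLM Run key and, from an elevated session, with the other loaded hives under Registry::HKEY_USERS\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. A SHA-256 match confirms this exact sample. Because the page describes a polymorphic file infector, copies on other hosts will carry different hashes and the infector also writes itself into other executables, so a name or path hit with a hash mismatch still warrants isolating the host rather than deleting the one file.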


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ip-184-168-221-34.ip.secureserver.net  (184.168.221.34:80)

TCP (HTTP):
Connects to HDRedirect-LB3-890977680.us-east-1.elb.amazonaws.com  (68.168.222.206:80)

TCP (HTTP):
Connects to 94-73-146-233.cizgi.net.tr  (94.73.146.233:80)
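As an added example, not from the page, the following PowerShell checks a live Windows host for the connections listed above. The three addresses are taken from the page; the function name is my own. It relies on Get-NetTCPConnection and Get-DnsClientCache, which ship with Windows 8 / Server 2012 and later.

```powershell
# Added example: find current TCP sessions and cached DNS answers that point at
# the three addresses this page reports. Function name is the author's own.

$IocAddresses = @('184.168.221.34', '68.168.222.206', '94.73.146.233')

function Find-IocNetworkActivity {
    param([string[]]$Addresses = $IocAddresses)

    # Current TCP sessions to an IOC address, attributed to the owning process.
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $Addresses -contains $_.RemoteAddress } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Source        = 'TCP'
                RemoteAddress = $_.RemoteAddress
                Detail        = "port $($_.RemotePort), $($_.State)"
                ProcessId     = $_.OwningProcess
                ProcessPath   = $proc.Path
            }
        }

    # Cached DNS answers that resolved to an IOC address. The hostnames the page
    # lists are reverse lookups of the IPs, so the name the malware queried may
    # differ; matching on the answer (Data) instead of the name sidesteps that.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $Addresses -contains $_.Data } |
        ForEach-Object {
            [pscustomobject]@{
                Source        = 'DNS cache'
                RemoteAddress = $_.Data
                Detail        = "resolved from $($_.Entry)"
                ProcessId     = $null
                ProcessPath   = $null
            }
        }
}

Find-IocNetworkActivity | Format-Table -AutoSize
```

Run it elevated so that ProcessPath resolves for processes belonging to other users. All three connections are plain HTTP on port 80, and two of the reverse names (secureserver.net, elb.amazonaws.com) point at shared hosting and load-balancer infrastructure, so an address hit on its own is weak evidence; what makes it actionable is the owning process being winmgr.exe under a C:\windows\m-<digits>\ directory, or some other process that has no business talking to those addresses. Blocking the addresses at the perimeter is reasonable while triaging, but it will not stop the peer-to-peer component the summary describes.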

Remove winmgr.exe - Powered by Reason Core Security