wrk.exe

The executable wrk.exe has been detected as malware by 2 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Microsoft Windows Service’. While running, it connects to the Internet address 162-144-70-81.unifiedlayer.com on port 5050.
MD5: de41c443e193448e0e41d5c3ebedd5ed
SHA-1: af3c3f2e7245496d832a3d0de4f612df47760a91
SHA-256: 1adf058ce39c889105f85293aae7650ef41f57874f0fdfda66e9de8a4a404738

Scanner detections: 2 / 68
Status: Malware
Analysis date: 3/3/2017 6:30:33 PM UTC

Scan engine    Detection                        Engine version
Dr.Web         probably DLOADER.IRC.Trojan      9.0.1.05190
ESET NOD32     Win32/AutoRun.IRCBot.JD worm     6.3.12010.0

File size: 39.5 KB (40,448 bytes)
File type: Executable application (Win32 EXE)
Common path: C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\wrk.exe

File PE Metadata
Compilation timestamp: 3/3/2017 11:35:53 AM
OS version: 5.0
OS bitness: Win32
Subsystem: Windows GUI
Linker version: 9.0
Entry address: 0x73F0

Entry point:
55, 8B, EC, 6A, FF, 68, 80, 97, 40, 00, 68, 70, 75, 40, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, CC, 80, 40, 00, 59, 83, 0D, 14, CA, 40, 00, FF, 83, 0D, 18, CA, 40, 00, FF, FF, 15, D0, 80, 40, 00, 8B, 0D, 10, CA, 40, 00, 89, 08, FF, 15, D4, 80, 40, 00, 8B, 0D, 0C, CA, 40, 00, 89, 08, A1, D8, 80, 40, 00, 8B, 00, A3, 1C, CA, 40, 00, E8, 10, 01, 00, 00, 39, 1D, 50, B5, 40, 00, 75, 0C, 68, 6C, 75, 40, 00, FF, 15, E0, 80...

Entropy: 6.3074
Developed / compiled with: Microsoft Visual C++ v6.0
Code size: 25.5 KB (26,112 bytes)

Startup File (User Run)
Registry location: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: Microsoft Windows Service
Command: C:\windows\m-505058352910375970835056830\winsvc.exe


The executing file has been seen to make the following network communications in live environments.

TCP: Connects to 162-144-70-81.unifiedlayer.com (162.144.70.81:5050)
TCP (SMTP): Connects to vps6.icsmonline.co.uk (51.254.130.109:25)
TCP: Connects to vm4116.cloud.seeweb.it (95.174.29.62:587)
TCP (SMTP): Connects to syw0075.sync-intertainment.com (93.93.112.95:25)
TCP (SMTP): Connects to sub0000527931.hmk-temp.com (153.122.27.228:25)
TCP (SMTP): Connects to server-21-r31.ipv4.au.syrahost.com (203.170.82.73:25)
TCP (SMTP): Connects to server.presentationsontheweb.com (209.140.16.111:25)
TCP (SMTP): Connects to server.appitsystems.com (173.249.152.53:25)
TCP (SMTP): Connects to s178.coreserver.jp (202.172.28.179:25)
TCP: Connects to ip-77-104-139-71.siteground.com (77.104.139.71:587)
TCP (SMTP): Connects to ip-129-121-22-67.local (129.121.22.67:25)
TCP (SMTP): Connects to fwd0.hosts.co.uk (85.233.160.22:25)
TCP (SMTP): Connects to ec2-52-48-5-221.eu-west-1.compute.amazonaws.com (52.48.5.221:25)
TCP (SMTP): Connects to box721.bluehost.com (66.147.244.221:25)
TCP (SMTP): Connects to box105.bluehost.com (69.89.22.105:25)
TCP (SMTP): Connects to apache2-grog.telfair.dreamhost.com (64.111.127.78:25)
TCP (SMTP): Connects to ama226.rev.netart.pl (85.128.183.226:25)
TCP (SMTP): Connects to 162-144-109-250.unifiedlayer.com (162.144.109.250:25)
TCP (SMTP): Connects to web1.servers-1.net (75.145.68.34:25)

Remove wrk.exe - Powered by Reason Core Security