commgr.exe

The executable commgr.exe has been detected as malware by 1 anti-virus scanner. It is configured to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘WindowMessenger’. While running, it connects to the Internet address apache2-yak.zarniwoop.dreamhost.com on port 80 using the HTTP protocol.
MD5:
617daf8a7cbf133cce40c150fcb20c31

SHA-1:
18ae3faabc26fb7bbd8b56326082803f97b4941e

SHA-256:
9f72741d8254dd15f10ee15e493991485d4cf753a19e840aa671f6ecd5475fee

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
12/27/2024 5:19:03 AM UTC

Scan engine:
Reason Heuristics

Detection:
Threat.Trojan.WinAlert (H)

Engine version:
17.2.9.15

File size:
444 KB (454,656 bytes)

File type:
Executable application (Win32 EXE)

File PE Metadata
Compilation timestamp:
2/14/2010 12:16:07 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

Entry address:
0x5581

Entry point:
60, 0F, BC, DB, 85, D2, 89, F0, C6, C4, 57, 0F, C1, D5, 23, E8, C7, C3, 36, 56, 5B, 52, 12, C5, 8D, 2D, 18, 2D, 6F, 69, 85, DF, 81, C6, EB, 7C, E9, 21, 85, F1, F6, DE, C7, C3, 2A, 3B, 12, BC, 81, E9, 7D, 58, 00, 00, F3, C7, C0, BC, 7D, F3, 18, F6, D4, 81, C1, AE, 0B, 00, 00, 0F, A4, C3, CB, 52, 55, EB, 0C, C7, C5, CB, 83, 5E, 1C, 69, C8, A4, 93, B9, 1B, F3, F7, D7, C7, C0, A4, A0, 65, 4E, 0F, C0, C4, 0F, B3, F7, 80, D7, 2C, E8, 00, 00, 00, 00, 5E, 0F, A5, F8, 69, EB, E8, 9A, D2, 4F, 81, DA, E7, 75, 97, E3...

Entropy:
5.9881

Code size:
20 KB (20,480 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
WindowMessenger

Command:
C:\recycler\{random}\winsysapp.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to apache2-yak.zarniwoop.dreamhost.com  (173.236.154.78:80)

TCP (HTTP):
Connects to server123.managedns.org  (103.14.97.123:80)

TCP (HTTP):
Connects to neptune.corpservers.net  (63.247.87.162:80)

TCP (HTTP):
Connects to win04-host-kb.turkticaret.net  (31.186.8.104:80)

TCP (HTTP):
Connects to server250.net217.intbildns.org  (185.126.217.250:80)

TCP (HTTP):
Connects to 209-99-40-222.fwd.datafoundry.com  (209.99.40.222:80)

TCP (HTTP):
Connects to mail2.ic.cz  (88.86.100.180:80)

Remove commgr.exe - Powered by Reason Core Security