winalert.exe

The application winalert.exe has been flagged as a potentially unwanted program by 1 of 68 anti-malware scanners. The single detection is heuristic (PUP.WinAlert from the Reason engine), so corroborate it with the persistence and network indicators below before acting on it. The file persists by starting automatically at user logon through the current-user Run registry key under the display name 'WindowMessenger'. Note that the command registered there is C:\recycler\{random}\winsysapp.exe, a differently named executable under a Recycler directory, not the analyzed winalert.exe itself. While running, it connects over plain HTTP (TCP port 80) to ekiaiooqqo.c06.mtsvc.net and to the other addresses listed under network communications below.
MD5:
c31de00ab468e45f64b5c657988efc6a

SHA-1:
e82841e3f8329507aee7f6f27bc03815f34846a9

SHA-256:
42000f8b512e217d3d0e9876b76c0ff4b249929a481e04b7f8526c3119c7500b

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/5/2024 2:26:44 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.WinAlert (M)

Engine version:
17.3.1.6

File size:
532 KB (544,768 bytes)

File type:
Executable application (Win32 EXE)

File PE Metadata
OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

Entry address:
0x5581

Entry point:
60, D2, C9, 0F, BA, ED, 1D, 68, DE, EB, 79, 00, 51, 0F, BA, E1, F6, 15, C9, 4A, 14, 1F, 01, F0, C7, C3, 45, C6, 19, 7B, 84, C9, 1D, DA, D2, CD, C1, 88, CA, 0F, B6, C6, 02, DA, FF, CB, 0F, B6, E8, E8, 23, 00, 00, 00, 02, D8, 0F, BA, FE, 63, F7, C0, 32, BE, 39, 09, 0F, AF, D8, 88, E7, 81, E6, B8, 90, 85, 20, 0F, B6, FB, D0, F7, 81, EA, 21, 4B, 00, 00, 40, 0F, AF, CB, FF, C5, 0F, B6, D0, 89, F6, BB, 18, 43, 01, 00, 88, CD, 0F, AF, CD, 81, F3, A9, 49, 00, 00, 0F, C0, E9, 0F, A5, C6, 81, EB, C6, 0F, 00, 00, 5F...

Entropy:
5.3506

Code size:
20 KB (20,480 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
WindowMessenger

Command:
C:\recycler\{random}\winsysapp.exe


The executing file has been observed making the following network connections in live environments. The hostnames shown are the reverse-DNS names of the contacted addresses (EC2, Prolexic and shared-hosting ranges), not necessarily names the program resolved, so match on the IP:port pairs and expect them to change as that address space is reassigned.

TCP (HTTP):
Connects to unknown.prolexic.com  (72.52.4.120:80)

TCP (HTTP):
Connects to mail.accu17.denver.wehostwebsites.com  (173.248.137.197:80)

TCP (HTTP):
Connects to ec2-52-55-207-183.compute-1.amazonaws.com  (52.55.207.183:80)

TCP (HTTP):
Connects to ec2-52-1-32-25.compute-1.amazonaws.com  (52.1.32.25:80)

TCP (HTTP):
Connects to ec2-52-204-129-22.compute-1.amazonaws.com  (52.204.129.22:80)

TCP (HTTP):
Connects to ekiaiooqqo.c06.mtsvc.net  (205.186.187.148:80)
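The Run-key entry and the network destinations above are the report's actionable indicators. The script below is an added example, not Reason Core Security's code: it loads those indicators and checks them offline against a Windows .reg export of a user's Run key and against Squid-style proxy access-log lines. Both inputs are constructed here for illustration; the SID-like directory standing in for {random}, the client IPs and the www.example.com line are assumptions, not data from the report.

```python
"""Offline IOC triage for the winalert.exe report above. Added example, not Reason Core
Security's code; the sample .reg text and log lines are constructed, and the SID-like
directory name, client IPs and www.example.com entry are assumptions."""
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied from the report.
IOC_SHA256 = {"42000f8b512e217d3d0e9876b76c0ff4b249929a481e04b7f8526c3119c7500b"}
IOC_RUN_NAME = "WindowMessenger"
# Report shows C:\recycler\{random}\winsysapp.exe: accept any single directory component
# for {random}, any drive letter, and optional surrounding quotes.
IOC_RUN_CMD = re.compile(r'^"?[a-z]:\\recycler\\[^\\]+\\winsysapp\.exe"?$', re.IGNORECASE)
IOC_HOSTS = {"unknown.prolexic.com", "mail.accu17.denver.wehostwebsites.com",
             "ec2-52-55-207-183.compute-1.amazonaws.com", "ec2-52-1-32-25.compute-1.amazonaws.com",
             "ec2-52-204-129-22.compute-1.amazonaws.com", "ekiaiooqqo.c06.mtsvc.net"}
IOC_IPS = {"72.52.4.120", "173.248.137.197", "52.55.207.183",
           "52.1.32.25", "52.204.129.22", "205.186.187.148"}

# .reg export parsing: only "name"="value" (REG_SZ) lines matter for a Run key.
_REG_KEY = re.compile(r"^\[(.+)\]$")
_REG_SZ = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _reg_unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg escapes backslash and quote with a backslash

def parse_reg_export(text):
    """Return {key_path: {value_name: string_value}} for a .reg export."""
    result, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _REG_KEY.match(line)
        if m:
            key = m.group(1)
            result.setdefault(key, {})
            continue
        m = _REG_SZ.match(line)
        if m and key is not None:
            result[key][_reg_unescape(m.group(1))] = _reg_unescape(m.group(2))
    return result

def check_run_entries(reg):
    """Flag Run entries whose name or command matches the report's persistence entry."""
    findings = []
    for key, values in reg.items():
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        for name, cmd in values.items():
            reasons = ["run-name"] if name == IOC_RUN_NAME else []
            if IOC_RUN_CMD.match(cmd.strip()):
                reasons.append("run-command")
            if reasons:
                findings.append({"key": key, "name": name, "command": cmd, "reasons": reasons})
    return findings

# Squid native log: time elapsed client code/status bytes method URL user peerstatus/peerhost type
_PROXY = re.compile(r"^\S+\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+\S+\s+(?P<url>\S+)\s+\S+\s+\S+/(?P<peer>\S+)")

def _url_host(url):
    if "://" not in url:  # CONNECT lines carry host:port without a scheme
        return url.split(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def scan_proxy_log(lines):
    """Return one hit per log line whose destination host or peer IP is a report IOC."""
    hits = []
    for line in lines:
        m = _PROXY.match(line)
        if not m:
            continue
        host, peer = _url_host(m.group("url")), m.group("peer")
        reasons = ["host"] if host in IOC_HOSTS else []
        if peer in IOC_IPS or host in IOC_IPS:
            reasons.append("ip")
        if reasons:
            hits.append({"client": m.group("client"), "host": host, "peer": peer, "reasons": reasons})
    return hits

def sha256_is_ioc(data):
    """True when the SHA-256 of the given file bytes equals the hash listed in the report."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256

# Constructed sample inputs (not from the report).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WindowMessenger"="C:\\recycler\\S-1-5-21-1644491937-1234567890-1111111111-1001\\winsysapp.exe"
'''
SAMPLE_LOG = [
    "1730773604.123 45 10.0.0.15 TCP_MISS/200 512 GET http://ekiaiooqqo.c06.mtsvc.net/ - HIER_DIRECT/205.186.187.148 text/html",
    "1730773605.001 12 10.0.0.15 TCP_MISS/200 2048 GET http://www.example.com/ - HIER_DIRECT/198.51.100.7 text/html",
    "1730773610.500 30 10.0.0.22 TCP_TUNNEL/200 900 CONNECT mail.accu17.denver.wehostwebsites.com:443 - HIER_DIRECT/173.248.137.197 -",
]

if __name__ == "__main__":
    print(check_run_entries(parse_reg_export(SAMPLE_REG)))
    print(scan_proxy_log(SAMPLE_LOG))
```

On a live host the Run key can be exported with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and a suspect file hashed with PowerShell's `Get-FileHash -Algorithm SHA256` before feeding the results to the functions above; the command pattern deliberately matches any directory name where the report shows {random}, because that component is not fixed.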

Remove winalert.exe - Powered by Reason Core Security