winhlp32.exe

Malwarebytes Anti-Malware

ManySign Inc.

The executable winhlp32.exe has been detected as malware by 10 anti-virus scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘winhlp32.exe’. While running, it connects to the Internet address parkingpage.namecheap.com on port 80 using the HTTP protocol.
Publisher:
Malwarebytes   (signed by ManySign Inc.)

Product:
Malwarebytes Anti-Malware

Version:
2.2.0

MD5:
9e511d841078d1480fc1a8bb34c1b89f

SHA-1:
4a69e9f79a27ea8683a4f2a589744d7642513d5e

SHA-256:
ddfbe0c335f09ff43ca87e15087492e7e6be51f2031a15c6dd9e84b073746821

Scanner detections:
10 / 68

Status:
Malware

Analysis date:
12/23/2024 2:53:13 PM UTC  (today)

Scan engine
Detection
Engine version

AegisLab AV Signature
Uds.Dangerousobject.Multi!c
2.1.4+

AVG
MSIL9
2017.0.2811

ESET NOD32
MSIL/Injector.OJL (variant)
10.13138

G Data
Trojan.GenericKD.3086259
16.3.25

IKARUS anti.virus
Trojan.MSIL.Injector
t3scan.2.0.8.0

Kaspersky
UDS:DangerousObject.Multi.Generic
14.0.0.552

MicroWorld eScan
Trojan.GenericKD.3086259
17.0.0.201

Qihoo 360 Security
HEUR/QVM03.0.Malware.Gen
1.0.0.1120

Rising Antivirus
PE:Malware.Generic/QRS!1.9E2D [F]
23.00.65.16305

Sophos
Mal/Generic-S
4.98

File size:
257.3 KB (263,488 bytes)

Product version:
2.2.0

Copyright:
(c) Malwarebytes. All rights reserved.

Original file name:
rawrrawrrawr.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\owzcen323f\winhlp32.exe

Digital Signature
Signed by:

Authority:
ManySign Inc.

Valid from:
2/27/2016 10:36:13 AM

Valid to:
2/26/2017 10:36:13 AM

Subject:
E=contact@manysign.com, OU=ManySign Authority, O=ManySign Inc., L=Lansing, S=Michigan, C=US, CN=ManySign

Issuer:
E=contact@manysign.com, OU=ManySign Authority, O=ManySign Inc., L=Lansing, S=Michigan, C=US, CN=ManySign

Serial number:
00A9CE1EFF3DF92E00

File PE Metadata
Compilation timestamp:
3/6/2016 7:00:23 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
3072:QLQNFjF73kgQewLSRr5j1bKi6/N7d8TDLgREwAz+u11gH6wjCx5V2eGCjnlpgefy:WC39wer5RbKi617jEhzq61VjGCtu

Entry address:
0x3A10E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
228 KB (233,472 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
winhlp32.exe

Command:
C:\users\{user}\appdata\roaming\owzcen323f\winhlp32.exe


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to parkingpage.namecheap.com  (198.54.117.212:80)

Remove winhlp32.exe - Powered by Reason Core Security