winlogoon.exe

The executable winlogoon.exe has been detected as malware by 28 of 68 anti-virus scanners. Its name is one letter away from winlogon.exe, the legitimate Windows logon process, and it has been observed in the same directory, C:\Windows\System32, where the extra "o" is easy to miss in a process or file listing. It persists as a scheduled task under the Windows Task Scheduler, triggered to run monthly at a fixed time. According to AVG, this software downloads additional adware offers during setup. While running, it connects to the Internet address freeplaynow.com on port 80 using the HTTP protocol.
MD5:
1fb4b335404e7dc1f8baa8e94bac3238

SHA-1:
70f7d90998de0c17fb88b90f3d486ddc198659f7

SHA-256:
e0358e93ca68d83e7373e33f68799bd28c7fbe32e1052f7d935c1ddc9758983a

Scanner detections:
28 / 68

Status:
Malware

Analysis date:
12/26/2024 4:16:13 AM UTC

Scan engine                    Detection                           Engine version
AhnLab V3 Security             Win-Trojan/Cyrel.11776.CX           2010.09.24
Avira AntiVirus                TR/Downloader.Gen                   7.10.12.29
avast!                         Win32:Wali                          2014.9-170131
AVG                            Downloader.Generic9                 2018.0.2482
Bitdefender                    Trojan.Generic.4427883              1.0.20.155
Clam AntiVirus                 Trojan.Downloader-93567             0.98/17211
Comodo Security                UnclassifiedMalware                 6188
Dr.Web                         Trojan.DownLoader1.16517            9.0.1.031
Emsisoft Anti-Malware          Trojan-Downloader.Win32.Cyrel!IK    8.17.01.31.09
ESET NOD32                     Win32/TrojanDownloader.Agent.PRS    11.5476
F-Prot                         W32/Trojan2.MNZA                    v6.4.6.2.117
F-Secure                       Trojan.Generic.4427883              11.2017-31-01_3
G Data                         Trojan.Generic.4427883              17.1.21
IKARUS anti.virus              Trojan-Downloader.Win32.Cyrel       t3scan.1.1.88.0
K7 AntiVirus                   Trojan                              13.63.2600
Kaspersky                      Trojan-Downloader.Win32.Cyrel       14.0.0.-1097
McAfee                         Generic Downloader.x!ead            5600.6138
Microsoft Security Essentials  TrojanDownloader:Win32/Troxen!rts   1.163.1557.0
Norman                         W32/Suspicious_Gen2.BNDBJ           11.20170131
nProtect                       Trojan/W32.Small.11776.AX           10.09.24.02
Panda Antivirus                Trj/CI.A                            17.01.31.09
Prevx                          Medium Risk Malware                 3.0
Quick Heal                     TrojanDownloader.Small.aqfx         1.17.11.00
Rising Antivirus               Trojan.DL.Win32.Nodef.atz           23.00.65.17129
Sophos                         Mal/TDSS-J                          4.58
Trend Micro House Call         TROJ_GEN.R47E1GG                    7.2.31
Trend Micro                    TROJ_GEN.R47E1GG                    10.465.31
Vba32 AntiVirus                Win32.TrojanDownloader.Agent.PRS    3.12.14.1

File size:
11.5 KB (11,776 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Windows\System32\winlogoon.exe

File PE Metadata
Compilation timestamp:
3/21/2010 7:45:50 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
7.0

Entry address:
0x1190

Entry point:
81, EC, 58, 02, 00, 00, 33, C0, 33, C9, 89, 44, 24, 42, 89, 8C, 24, 92, 00, 00, 00, 89, 44, 24, 46, 89, 8C, 24, 96, 00, 00, 00, 89, 44, 24, 4A, 89, 8C, 24, 9A, 00, 00, 00, 33, D2, 66, 89, 44, 24, 4E, 66, 89, 8C, 24, 9E, 00, 00, 00, 89, 54, 24, 72, 89, 84, 24, 82, 00, 00, 00, 89, 4C, 24, 62, 53, 33, DB, 89, 54, 24, 7A, 89, 84, 24, 8A, 00, 00, 00, 89, 4C, 24, 6A, 56, 89, 94, 24, 82, 00, 00, 00, 89, 84, 24, 92, 00, 00, 00, 89, 4C, 24, 72, 57, 89, 5C, 24, 60, 89, 5C, 24, 64, 89, 5C, 24, 68, 89, 5C, 24, 34, 89...

The bytes decode as sub esp, 0x258; xor eax, eax; xor ecx, ecx, followed by a run of mov [esp+disp], reg stores (some 16-bit, via the 66 prefix) interleaved with push ebx, push esi and push edi: the entry function reserves a 0x258-byte stack frame and zero-fills slots in it, which is consistent with building structures or strings on the stack before calling APIs.

Code size:
7 KB (7,168 bytes)

Scheduled Task
Task name:
At1 (the name the legacy at.exe command gives to the first job it creates; such jobs appear as At1, At2, ... in Task Scheduler)

Trigger:
Monthly (Runs monthly on Wednesdays at 10:57)
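The hashes, path and scheduled-task details above are the host-side indicators for this sample. As an added example (not code from this page or from Reason Core Security), the Python below applies them to a host: it compares a file's MD5/SHA-1/SHA-256 against the published hashes, flags executable names that are one edit away from a legitimate System32 process name (the winlogoon.exe / winlogon.exe trick), and scans rows in the shape of `schtasks /query /v /fo CSV` output for legacy At# jobs and look-alike binaries. The list of legitimate names and the task rows are constructed for the example; the CSV is trimmed to the columns the code reads.

```python
import csv
import hashlib
import io
import ntpath
import re

# Hashes published on this page for winlogoon.exe.
IOC_HASHES = {
    "md5": "1fb4b335404e7dc1f8baa8e94bac3238",
    "sha1": "70f7d90998de0c17fb88b90f3d486ddc198659f7",
    "sha256": "e0358e93ca68d83e7373e33f68799bd28c7fbe32e1052f7d935c1ddc9758983a",
}

# Legitimate System32 process names that droppers imitate by misspelling.
# Illustrative list for this example, not an exhaustive allow-list.
LEGIT_NAMES = ("winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe",
               "services.exe", "explorer.exe")

# Jobs created with the legacy at.exe command are named At1, At2, ...
LEGACY_AT_JOB = re.compile(r"^\\?At\d+$", re.IGNORECASE)


def hash_bytes(data: bytes) -> dict:
    """md5/sha1/sha256 hex digests of a file's contents."""
    return {algo: hashlib.new(algo, data).hexdigest()
            for algo in ("md5", "sha1", "sha256")}


def hash_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return hash_bytes(fh.read())


def matching_iocs(hashes: dict, iocs: dict = IOC_HASHES) -> list:
    """Algorithms whose digest equals the published indicator (any one is a hit)."""
    return [algo for algo, digest in hashes.items()
            if iocs.get(algo, "").lower() == digest.lower()]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; names are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str, legit=LEGIT_NAMES):
    """(real name, 1) if `name` is one edit away from a system binary name
    without being that name (winlogoon.exe vs winlogon.exe); else None."""
    n = name.lower()
    for real in legit:
        if n != real and edit_distance(n, real) == 1:
            return real, 1
    return None


def image_path(command: str) -> str:
    """Executable from a 'Task To Run' value: a quoted path, or the text up to the first space."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    return (m.group(1) or m.group(2)) if m else ""


def parse_schtasks_csv(text: str) -> list:
    """Rows of CSV in the shape of `schtasks /query /v /fo CSV` (header row first)."""
    return list(csv.DictReader(io.StringIO(text)))


def suspicious_tasks(rows: list) -> list:
    """(task name, image, reasons) for legacy At# jobs and look-alike binaries."""
    findings = []
    for row in rows:
        task = row.get("TaskName", "")
        image = image_path(row.get("Task To Run", ""))
        reasons = []
        if LEGACY_AT_JOB.match(task):
            reasons.append("legacy at.exe job name")
        hit = lookalike(ntpath.basename(image))
        if hit:
            reasons.append(f"name mimics {hit[0]}")
        if reasons:
            findings.append((task, image, reasons))
    return findings


# Constructed sample in the layout of `schtasks /query /v /fo CSV`, trimmed to
# the columns this example reads; the At1 row mirrors the task described above.
SAMPLE_SCHTASKS = r'''"HostName","TaskName","Status","Task To Run","Schedule Type","Start Time","Days"
"WS01","\At1","Ready","C:\Windows\System32\winlogoon.exe","Monthly","10:57:00","WED"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","%windir%\system32\defrag.exe -c","Weekly","01:00:00","WED"
"WS01","\Backup","Ready","C:\Tools\backup.exe /full","Daily","23:00:00","N/A"
'''

if __name__ == "__main__":
    for task, image, why in suspicious_tasks(parse_schtasks_csv(SAMPLE_SCHTASKS)):
        print(f"{task}: {image} [{'; '.join(why)}]")
```

On a live host, feed the real output of `schtasks /query /v /fo CSV` to `parse_schtasks_csv` and run `matching_iocs(hash_file(image))` on each flagged image; a name one edit away from a system binary is worth a look even when the hashes do not match, since a recompiled dropper keeps the disguise but not the digest.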


The executing file has been seen to make the following network communications in live environments. All are TCP connections to port 80 (HTTP):

apache2-dap.sandy.dreamhost.com  (64.90.40.147:80)
apache2-heavy.flivver.dreamhost.com  (173.236.177.241:80)
ec2-52-0-7-30.compute-1.amazonaws.com  (52.0.7.30:80)
apache2-quack.mcminnville.dreamhost.com  (69.163.161.255:80)
freeplaynow.com  (162.210.196.84:80)
li267-114.members.linode.com  (178.79.147.114:80)
apache2-cabo.appomattox.dreamhost.com  (208.113.153.44:80)
apache2-grog.sublimity.dreamhost.com  (64.90.49.156:80)

freeplaynow.com is the only entry the report names as a domain the sample contacts. The dreamhost.com, amazonaws.com and linode.com names are reverse-DNS (PTR) labels for the destination IP addresses, not necessarily the hostnames requested in the HTTP traffic, and those ranges are shared hosting and cloud capacity on which many unrelated sites live. A connection to one of those IPs is therefore weak evidence on its own and the addresses should be expected to change; the IP:port pairs, not the PTR names, are the usable indicators.
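As an added example that is not part of this page, the Python below turns the network observations above into detection logic over proxy logs. It parses lines in the layout of Squid's native access.log (the lines here are constructed, not captured traffic), matches the requested host and the resolved server IP against the indicators, and grades each hit: freeplaynow.com and its IP are high confidence, while the DreamHost, AWS and Linode addresses are reported as low confidence because they are shared hosting ranges. A per-client triage step then escalates any client with a high-confidence hit and queues clients with repeated low-confidence hits for review; the tiers and thresholds are assumptions chosen for the example.

```python
import re
from urllib.parse import urlsplit

# Destination IPs from this page and the name the report shows for each.
NETWORK_IOCS = {
    "162.210.196.84": "freeplaynow.com",
    "64.90.40.147": "apache2-dap.sandy.dreamhost.com",
    "173.236.177.241": "apache2-heavy.flivver.dreamhost.com",
    "52.0.7.30": "ec2-52-0-7-30.compute-1.amazonaws.com",
    "69.163.161.255": "apache2-quack.mcminnville.dreamhost.com",
    "178.79.147.114": "li267-114.members.linode.com",
    "208.113.153.44": "apache2-cabo.appomattox.dreamhost.com",
    "64.90.49.156": "apache2-grog.sublimity.dreamhost.com",
}
# The only destination the report names as a domain the sample contacts.
HIGH_CONFIDENCE_DOMAINS = {"freeplaynow.com"}
# Reverse-DNS labels of shared hosting and cloud ranges: many unrelated sites
# share these addresses, so a hit on them alone is weak evidence.
SHARED_HOSTING_SUFFIXES = (".dreamhost.com", ".amazonaws.com", ".linode.com")

# Squid native access.log layout:
# time elapsed client result/status bytes method url ident hierarchy/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


def url_host(url: str) -> str:
    """Hostname of a proxied URL; CONNECT lines carry host:port with no scheme."""
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.split(":")[0].lower()


def parse_squid_line(line: str):
    """Fields of one access.log line, plus the requested host; None if not Squid format."""
    m = SQUID_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = url_host(rec["url"])
    return rec


def classify(host: str, peer: str):
    """(confidence, indicator) when the destination matches an IOC, else None.
    'medium' covers an IP match whose PTR is not a known shared-hosting range."""
    if host in HIGH_CONFIDENCE_DOMAINS:
        return "high", host
    label = NETWORK_IOCS.get(peer)
    if label is None:
        return None
    if label in HIGH_CONFIDENCE_DOMAINS:
        return "high", peer
    if label.endswith(SHARED_HOSTING_SUFFIXES):
        return "low", peer
    return "medium", peer


def scan_log(lines):
    """One hit per log line whose destination matches an indicator."""
    hits = []
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None:
            continue
        verdict = classify(rec["host"], rec["peer"])
        if verdict:
            conf, indicator = verdict
            hits.append({"ts": rec["ts"], "client": rec["client"], "host": rec["host"],
                         "peer": rec["peer"], "confidence": conf, "indicator": indicator})
    return hits


def triage(hits):
    """Per-client verdict: any high hit escalates; a medium hit or two low hits get a review."""
    counts = {}
    for h in hits:
        c = counts.setdefault(h["client"], {"high": 0, "medium": 0, "low": 0})
        c[h["confidence"]] += 1
    verdicts = {}
    for client, c in counts.items():
        if c["high"]:
            verdicts[client] = "escalate"
        elif c["medium"] or c["low"] >= 2:
            verdicts[client] = "review"
        else:
            verdicts[client] = "monitor"
    return verdicts


# Constructed sample lines; 203.0.113.10 is TEST-NET and the .invalid hosts are placeholders.
SAMPLE_LOG = """\
1485856800.123     45 10.0.0.5 TCP_MISS/200 512 GET http://freeplaynow.com/index.php - HIER_DIRECT/162.210.196.84 text/html
1485856801.456    120 10.0.0.7 TCP_MISS/200 9876 GET http://www.example.com/ - HIER_DIRECT/203.0.113.10 text/html
1485856802.789     60 10.0.0.5 TCP_MISS/200 344 GET http://somesite.invalid/check.php - HIER_DIRECT/64.90.40.147 text/html
1485856803.012     30 10.0.0.9 TCP_MISS/200 210 GET http://updates.invalid/ping - HIER_DIRECT/52.0.7.30 text/plain
1485856804.345     25 10.0.0.9 TCP_MISS/200 180 GET http://cdn.invalid/a.js - HIER_DIRECT/178.79.147.114 application/javascript
not a squid line
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h['client']} -> {h['host']} ({h['peer']}) {h['confidence']} [{h['indicator']}]")
    print(triage(found))
```

The third sample line is the case the caveat above is about: the client requested somesite.invalid, yet the server IP is one of the DreamHost addresses, so the hit is real but only says the client touched a shared-hosting box, which is why it stays at low confidence until something stronger corroborates it.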

Remove winlogoon.exe - Powered by Reason Core Security