winmgr.exe

The executable winmgr.exe has been detected as malware by 16 of 68 anti-virus scanners. It is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer, but it carries no Authenticode signature from a trusted source. It persists by registering itself in the current-user Run key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) under the display name 'Microsoft Windows Manager', so it is launched each time the user logs into Windows. The detection names cluster around the Phorpiex/IRCbot family and generic injector/downloader labels. The file has been seen downloaded from srv1400.ru and multiple other hosts.
MD5:
17f71169dd15401a6a482d5401ce794b

SHA-1:
895e86d8bb404a0c8eb4c828ac59480c308d1682

SHA-256:
8a235d79c876f702d05ce7fc3ff9c08a1e269126d7b410d8e6b3a652b42d105d

Scanner detections:
16 / 68

Status:
Malware

Analysis date:
11/5/2024 1:56:36 PM UTC

Scan engine          | Detection                               | Engine version
---------------------|-----------------------------------------|-----------------
Avira AntiVirus      | TR/AD.Phorpiex.Y.40                     | 8.3.2.2
avast!               | Win32:Malware-gen                       | 2014.9-151114
Baidu Antivirus      | Trojan.Win32.Injector                   | 4.0.3.151114
Emsisoft Anti-Malware| Trojan.Win32.Injector                   | 8.15.11.14.01
ESET NOD32           | Win32/Injector.CMHG (variant)           | 9.12560
IKARUS anti.virus    | Trojan.Win32.Injector                   | t3scan.1.9.5.0
K7 AntiVirus         | Trojan                                  | 13.212.17844
Kaspersky            | Trojan.Win32.IRCbot                     | 14.0.0.1122
Malwarebytes         | Trojan.Downloader                       | v2015.11.14.01
McAfee               | Artemis!17F71169DD15                    | 5600.6581
Qihoo 360 Security   | HEUR/QVM42.1.Malware.Gen                | 1.0.0.1077
Rising Antivirus     | PE:Malware.Generic/QRS!1.9E2D [F]       | 23.00.65.151112
Sophos               | Mal/Generic-S                           | 4.98
SUPERAntiSpyware     | Trojan.Agent/Gen-Dropper                | 9508
VIPRE Antivirus      | Backdoor.IRCBot                         | 45196
ViRobot              | Trojan.Win32.A.IRCbot.107713[h]         | 2014.3.20.0

File size:
105.2 KB (107,713 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\hp\m-505047083064969075907480\winmgr.exe

File PE Metadata
Compilation timestamp:
10/7/2014 7:40:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:WAsj8MBX8s0oXJi45DZQYQwOaPNIgIdB042TgiMvl82:WAsBZM4dQjaSgyB04blZ

Entry address:
0x3217

Entry point:
81, EC, 84, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 89, 5C, 24, 20, C6, 44, 24, 14, 20, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 8C, 72, 40, 00, 6A, 09, A3, B8, 37, 42, 00, E8, C0, 2D, 00, 00, A3, 04, 37, 42, 00, 53, 8D, 44, 24, 38, 68, 60, 01, 00, 00, 50, 53, 68, B8, EC, 41, 00, FF, 15, 64, 71, 40, 00, 68, E4, 91, 40, 00, 68, 00, 2F, 42, 00, E8, 6A, 2A, 00, 00, FF, 15, B0, 70, 40, 00, BD, 00, 90, 42, 00, 50, 55, E8, 58, 2A...

Entropy:
7.4472 (high, as expected for the compressed payload of an NSIS installer; it does not by itself indicate a separate custom packer)

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Microsoft Windows Manager

Command:
C:\users\hp\m-505047083064969075907480\winmgr.exe
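The Run-key entry above is the artifact a responder would check for on other machines. The following PowerShell audit is an added example (not code from the original page or from Reason Core Security): it walks the HKCU and HKLM Run/RunOnce keys, extracts the executable from each command line, and flags entries that use the observed display name, live in a user-profile folder matching the m-<digits> pattern seen here, match the MD5/SHA-256 listed on this page, or carry no valid Authenticode signature. The hashes and the value name come from the page; the folder-name regex and the list of keys to inspect are the example's own assumptions. It relies only on built-in cmdlets (Get-FileHash, Get-AuthenticodeSignature) and should be run in an elevated session so the HKLM hives are readable.

```powershell
# Added example: audit Run-key persistence for the winmgr.exe indicators.
# Assumes Windows PowerShell 5.1 or PowerShell 7 with the built-in
# Microsoft.PowerShell.Security module (Get-FileHash, Get-AuthenticodeSignature).

# Indicators taken from the page.
$IocSha256 = @('8a235d79c876f702d05ce7fc3ff9c08a1e269126d7b410d8e6b3a652b42d105d')
$IocMd5    = @('17f71169dd15401a6a482d5401ce794b')
$IocNames  = @('Microsoft Windows Manager')

# Keys to inspect (assumption: HKLM added to catch machine-wide variants).
$RunKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandExePath {
    param([string]$Command)
    # Pull the executable out of a Run-value command line: a quoted path if
    # present, otherwise the first whitespace-delimited token.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command.Trim() -split '\s+')[0]
}

$findings = foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $cmd     = [string]$item.GetValue($name)
        $exe     = [Environment]::ExpandEnvironmentVariables((Get-CommandExePath $cmd))
        $reasons = @()

        # Display name impersonating a Microsoft component, as on this sample.
        if ($IocNames -contains $name) { $reasons += 'known malicious value name' }

        # Binary under a user profile in an m-<digits> folder (regex is an
        # assumption generalised from the single path on the page).
        if ($exe -match '(?i)\\users\\[^\\]+\\m-\d+\\') { $reasons += 'user-profile m-<digits> path' }

        if (Test-Path -LiteralPath $exe) {
            $sha256 = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash.ToLower()
            $md5    = (Get-FileHash -LiteralPath $exe -Algorithm MD5).Hash.ToLower()
            if ($IocSha256 -contains $sha256 -or $IocMd5 -contains $md5) { $reasons += 'hash matches IOC' }

            # Unsigned is a weak signal on its own; combine with the other checks.
            $sig = Get-AuthenticodeSignature -LiteralPath $exe
            if ($sig.Status -ne 'Valid') { $reasons += "authenticode: $($sig.Status)" }
        } else {
            # Dangling entry: the dropper was removed but persistence remains.
            $reasons += 'target missing on disk'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $cmd
                Exe     = $exe
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

Treat an unsigned binary as corroborating evidence rather than proof: many legitimate startup entries are unsigned, whereas a hash match or the masquerading value name combined with a user-profile m-<digits> path is a strong indicator. A matching entry whose target is missing on disk still needs the Run value removed, since the registry entry itself is the persistence mechanism.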


The file winmgr.exe has been seen being distributed by the following 2 URLs.

http://srv1400.ru/b.exe

Remove winmgr.exe - Powered by Reason Core Security