winnit.exe

Micro Net

The executable winnit.exe has been detected as malware by 34 anti-virus scanners. This executable runs as a local area network (LAN) Internet proxy server listening on port 15328 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host.
Product:
Micro Net

Version:
13.0.4.22

MD5:
9e0f941da600bb73757199abd6099a73

SHA-1:
01791eaa75d6816fc5612b6779b8ac45194d7ace

SHA-256:
8e091d99930d50a29f00c88d84037a6568e20d583192e16bff0a78bebfe2b35d

Scanner detections:
34 / 68

Status:
Malware

Analysis date:
11/27/2024 10:49:01 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Zusy.150564
321

Agnitum Outpost
Trojan.IRCbot
7.1.1

AhnLab V3 Security
Malware/Win32.Generic
2015.10.27

Avira AntiVirus
TR/Agent.2318336.42
8.3.2.2

Arcabit
Trojan.Zusy.D24C24
1.0.0.585

avast!
MSIL:Banker-AB [Trj]
2014.9-160319

AVG
Generic36
2017.0.2799

Baidu Antivirus
Trojan.Win32.IRCbot
4.0.3.16319

Bitdefender
Gen:Variant.Zusy.150564
1.0.20.395

Bkav FE
W32.Clodc61.Trojan
1.3.0.7383

Clam AntiVirus
Trojan.Gnarly-2
0.98/21511

Dr.Web
Trojan.DownLoader13.55942
9.0.1.079

Emsisoft Anti-Malware
Gen:Variant.Zusy.150564
8.16.03.19.10

ESET NOD32
MSIL/Spy.Banker.CR (variant)
10.12468

Fortinet FortiGate
W32/IRCBot.FSX!tr
3/19/2016

F-Secure
Gen:Variant.Zusy.150564
11.2016-19-03_7

G Data
Gen:Variant.Zusy.150564
16.3.25

IKARUS anti.virus
Trojan.Win32.IRCBot
t3scan.1.9.5.0

K7 AntiVirus
Riskware
13.212.17655

Kaspersky
HEUR:Trojan.Win32.Generic
14.0.0.490

Malwarebytes
Backdoor.IRCBot.AAH
v2016.03.19.10

McAfee
Artemis!9E0F941DA600
5600.6455

Microsoft Security Essentials
TrojanProxy:MSIL/Mictanort.A
1.1.12205.0

MicroWorld eScan
Gen:Variant.Zusy.150564
17.0.0.237

NANO AntiVirus
Trojan.Win32.IRCbot.dsfgfz
0.30.26.3947

Panda Antivirus
Trj/CI.A
16.03.19.10

Qihoo 360 Security
HEUR/QVM03.0.Malware.Gen
1.0.0.1015

Quick Heal
Trojan.IRCbot.g3
3.16.14.00

Sophos
Mal/Generic-S
4.98

Trend Micro House Call
TSPY_BANCOS.BMC
7.2.79

Trend Micro
TSPY_BANCOS.BMC
10.465.19

VIPRE Antivirus
Backdoor.IRCBot
44830

ViRobot
Trojan.Win32.A.IRCbot.2318336[h]
2014.3.20.0

Zillya! Antivirus
Trojan.IRCBot.Win32.7451
2.0.0.2476

File size:
2.2 MB (2,318,336 bytes)

Product version:
13.0.4.22

Original file name:
NNyyr.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\ProgramData\winnit.exe

File PE Metadata
Compilation timestamp:
5/12/2015 4:22:39 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
49152:gNWUENzNdV54hVCc56Chhkx3EX+YGkcAVpJ8VpJ:Pv54hM4TV4V

Entry address:
0x236D0E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
2.2 MB (2,313,728 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:15328/

Local host port:
15328

Default credentials:
No


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to 201-0-216-211.dial-up.telesp.net.br  (201.0.216.211:443)

TCP (HTTP SSL):
Connects to vip0x054.map2.ssl.hwcdn.net  (209.197.3.84:443)

TCP (HTTP):
Connects to spitfire.x2n.com.br  (158.69.225.10:80)

TCP (HTTP SSL):
Connects to a104-88-114-230.deploy.static.akamaitechnologies.com  (104.88.114.230:443)

TCP (HTTP):
Connects to 201-0-217-32.dial-up.telesp.net.br  (201.0.217.32:80)

TCP (HTTP SSL):
Connects to 201-0-216-212.dial-up.telesp.net.br  (201.0.216.212:443)

TCP (HTTP):
Connects to ec2-23-21-73-213.compute-1.amazonaws.com  (23.21.73.213:80)

TCP (HTTP):
Connects to a23-76-250-171.deploy.static.akamaitechnologies.com  (23.76.250.171:80)

TCP (HTTP SSL):
Connects to ec2-52-41-20-47.us-west-2.compute.amazonaws.com  (52.41.20.47:443)

TCP (HTTP):

TCP (HTTP):
Connects to sh3srv1.babylon.com  (198.143.128.244:80)

TCP (HTTP):
Connects to LB2200.babylon.com  (69.175.64.72:80)

TCP (HTTP SSL):
Connects to ec2-52-88-20-213.us-west-2.compute.amazonaws.com  (52.88.20.213:443)

TCP (HTTP SSL):
Connects to ec2-52-73-184-179.compute-1.amazonaws.com  (52.73.184.179:443)

TCP (HTTP SSL):
Connects to ec2-52-20-145-210.compute-1.amazonaws.com  (52.20.145.210:443)

TCP (HTTP):
Connects to 46.c8.c0ad.ip4.static.sl-reverse.com  (173.192.200.70:80)

TCP (HTTP):
Connects to 201-0-217-56.dial-up.telesp.net.br  (201.0.217.56:80)

TCP (HTTP SSL):
Connects to 123-125-232-198.static.unitasglobal.net  (198.232.125.123:443)

TCP (HTTP):
Connects to s3-1-w.amazonaws.com  (54.231.49.226:80)

TCP (HTTP SSL):
Connects to ipv4_1.cxl0.c148.mia003.ix.nflxvideo.net  (198.38.125.177:443)

Remove winnit.exe - Powered by Reason Core Security