winplugin.exe

The executable winplugin.exe (file description "Atualização de Segurança", Portuguese for "Security Update"; publisher string "Atualização de Proteção ao Cliente", "Customer Protection Update") has been detected as malware by 7 of 68 anti-virus scanners. The engines that name the threat classify it as a banking trojan (ESET: Win32/Spy.Banker.ABMV, Kaspersky: Trojan-Banker.Win32.BestaFera), which fits the Brazilian Portuguese language resources and the fake "security update" / "Atualizador" (updater) branding. The binary is an ASProtect-packed Win32 GUI executable whose PE metadata (linker version 2.25 and the fixed 1992 compilation timestamp) indicates a Borland Delphi build. It persists by starting automatically when the user logs into Windows via the current-user Run registry key, under the value name 'WinPlugin', and runs from the roaming AppData folder (%APPDATA%\winplugin.exe). The file has been seen being downloaded from www.milionariosnett.com. Note that the engine versions in the detection table below date from December 2015 / January 2016, so the detection names reflect that era rather than the analysis date shown.
Publisher:
Atualização de Proteção ao Cliente.

Description:
Atualização de Segurança.

Version:
1.0.0.1

MD5:
34e8e79034035ca8f0bb7839d1a1131a

SHA-1:
05638b1e80f2343b39b646d39d44e1e32152e2f9

SHA-256:
dd02eab38e91fafd3461928a23dd52fa779956c8c10dbb98637c5156287c5986

Scanner detections:
7 / 68

Status:
Malware

Analysis date:
11/15/2024 3:02:55 AM UTC

Scan engine
Detection
Engine version

avast!
Win32:Malware-gen
151228-1

Emsisoft Anti-Malware
Gen:Variant.Strictor.101650
10.0.0.5366

ESET NOD32
Win32/Spy.Banker.ABMV trojan
7.0.302.0

F-Secure
Gen:Variant.Strictor.101650
5.05.7110

Kaspersky
Trojan-Banker.Win32.BestaFera
15.0.0.562

Microsoft Security Essentials
Threat.Undefined
1.213.1863.0

Norman
Gen:Variant.Strictor.101650
05.01.2016 05:35:50

File size:
6.3 MB (6,561,064 bytes)

Product version:
1.0.0.1

Original file name:
Atualizador

File type:
Executable application (Win32 EXE)

Language:
Brazilian Portuguese

Common path:
C:\users\{user}\appdata\roaming\winplugin.exe

File PE Metadata
Compilation timestamp:
6/19/1992 7:22:17 PM (the fixed placeholder value that Borland Delphi linkers write into the COFF header, not a real build date)

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25 (Borland Delphi)

CTPH (ssdeep):
98304:cbq/RZJIVJI3GweCDJMv4gb1H0Sxfe2e72iBUHl74e/GWoszoqbzG3vIQgzOkrVr:GaGweCU4G1je2e7jBcl74r3b3QFLsG

Entry address:
0x1000

Entry point:
68, 01, B0, 1A, 01, E8, 01, 00, 00, 00, C3, C3, 5D, 8C, 8B, 15, BD, 49, AF, 6B, C2, CC, 1B, D5, CD, CB, 68, 58, 14, D9, 92, E9, CB, B9, 3C, A8, 3F, 1F, 17, 8F, 09, 37, 3A, F5, D2, 4B, B3, 9F, A3, 01, EC, 08, 31, 4A, B3, 29, CF, 0A, 6D, 7F, 56, A9, 1D, 6E, C5, AB, D8, AE, 42, E2, 33, B1, A5, 9E, 67, 3C, C0, F9, E4, 91, 6B, 6D, 4C, 6C, 6B, 28, 88, 4E, 3A, 0D, 02, 32, CA, 47, 59, 3A, 19, D4, BB, 1D, 62, 92, ED, 00, 8F, 77, C8, 50, CA, 71, 67, EB, 3A, BC, 5B, 6F, 02, 7C, E5, 3B, 5A, 57, 9B, 71, D5, DE, 43, 34...

Packer / compiler:
ASProtect v1.2x (New Strain)

Code size:
1.2 MB (1,211,392 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
WinPlugin

Command:
C:\users\{user}\appdata\roaming\winplugin.exe
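As an added triage example (this is not code from the original page or from Reason Core Security), the PowerShell below enumerates the current-user Run key described above, hashes each target against the SHA-256 listed for this sample, and reads the two PE header fields the metadata section reports (compile timestamp and linker version) so that a Delphi placeholder timestamp can be flagged. The function names, the flag labels and the -Remove switch are this example's own; it assumes a Windows host with PowerShell 5.1 or later and, by default, only reports.

```powershell
# Added example (not from the original page): triage HKCU Run-key persistence
# of the kind this sample uses. The SHA-256 below is the page's IOC; the
# registry path and the AppData location are what the page reports. Function
# names, flag labels and the -Remove switch are this example's own.

$IocSha256 = @('dd02eab38e91fafd3461928a23dd52fa779956c8c10dbb98637c5156287c5986')
$RunKey    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Get-PeHeaderInfo {
    # Read only the header fields the page lists: COFF TimeDateStamp and linker version.
    param([string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { return $null }   # 'MZ'
    $pe = [BitConverter]::ToInt32($b, 0x3C)                                          # e_lfanew
    if ($pe -lt 0 -or $pe + 0x1C -gt $b.Length) { return $null }
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) { return $null }           # 'PE\0\0'
    $ts  = [BitConverter]::ToUInt32($b, $pe + 8)   # COFF header: Machine(2) Sections(2) TimeDateStamp(4)
    $opt = $pe + 24                                # optional header follows 4-byte sig + 20-byte COFF header
    [pscustomobject]@{
        TimeDateStamp = [DateTimeOffset]::FromUnixTimeSeconds($ts).UtcDateTime
        LinkerVersion = '{0}.{1}' -f $b[$opt + 2], $b[$opt + 3]   # Major/MinorLinkerVersion follow the 2-byte Magic
        # Borland Delphi linkers write the constant 0x2A425E19 (1992-06-19 22:22:17 UTC)
        # instead of a real build time and report linker version 2.25.
        DelphiBuild   = ($ts -eq 0x2A425E19) -and ($b[$opt + 2] -eq 2) -and ($b[$opt + 3] -eq 25)
    }
}

function Invoke-RunKeyTriage {
    param([switch]$Remove)   # without -Remove this function only reports
    $key = Get-Item -Path $RunKey
    foreach ($name in $key.GetValueNames()) {
        $cmd = [string]$key.GetValue($name)
        # Executable part of the command line: quoted path, or first token otherwise
        # (an unquoted path containing spaces would need extra handling).
        $exe = if ($cmd.StartsWith('"')) { $cmd.Split('"')[1] } else { $cmd.Split(' ')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if (-not (Test-Path -LiteralPath $exe)) {
            Write-Output ('{0}: target not found ({1})' -f $name, $exe)
            continue
        }
        $sha   = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash.ToLower()
        $pe    = Get-PeHeaderInfo -Path $exe
        $flags = @()
        if ($IocSha256 -contains $sha)     { $flags += 'ioc-sha256-match' }
        if ($exe -like "$env:APPDATA\*")   { $flags += 'runs-from-appdata' }   # the page's common path
        if ($pe -and $pe.DelphiBuild)      { $flags += 'delphi-placeholder-timestamp' }
        Write-Output ('{0} -> {1} sha256={2} linker={3} ts={4:u} flags=[{5}]' -f `
            $name, $exe, $sha, $pe.LinkerVersion, $pe.TimeDateStamp, ($flags -join ','))
        if ($Remove -and ($IocSha256 -contains $sha)) {
            # Stop a running copy first, then remove both the persistence value and the file.
            Get-Process | Where-Object { $_.Path -eq $exe } | Stop-Process -Force -ErrorAction SilentlyContinue
            Remove-ItemProperty -Path $RunKey -Name $name
            Remove-Item -LiteralPath $exe -Force
            Write-Output ('{0}: removed' -f $name)
        }
    }
}

Invoke-RunKeyTriage   # report only; run Invoke-RunKeyTriage -Remove to clean up hash matches
```

Only an exact SHA-256 match triggers removal; the AppData and Delphi-timestamp flags are hunting signals (many legitimate Delphi programs carry the same placeholder timestamp), so they are reported but never acted on by themselves. Other users' HKCU hives and the HKLM Run key are out of scope for this example and would need to be checked separately.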


The file winplugin.exe has been seen being distributed by the following URL: www.milionariosnett.com

Remove winplugin.exe - Powered by Reason Core Security