winrar.exe

The executable winrar.exe, “Microsoft login provider” has been detected as malware by 33 anti-virus scanners. The file has been seen being downloaded from tau.rghost.ru.
Publisher:
Microsoft*  (Invalid match)

Product:
Microsoft

Description:
Microsoft login provider

Version:
1.0.0.0

MD5:
e2086ce690aff2b774366901e7dd941a

SHA-1:
9d9200b40785c19572b2d732381a12df65bcd605

Scanner detections:
33 / 68

Status:
Malware

Analysis date:
11/27/2024 5:04:27 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.MSILKrypt.6
213

AhnLab V3 Security
Trojan/Win32.Agent
2015.05.03

avast!
Win32:Malware-gen
2014.9-160706

AVG
BackDoor.Small.54.M
2017.0.2691

Baidu Antivirus
Trojan.MSIL.HarvBot
4.0.3.1676

Bitdefender
Gen:Variant.MSILKrypt.6
1.0.20.940

Comodo Security
UnclassifiedMalware
21975

Dr.Web
BackDoor.Cythosia.23
9.0.1.0188

Emsisoft Anti-Malware
Gen:Variant.MSILKrypt
8.16.07.06.10

ESET NOD32
MSIL/HarvBot (variant)
10.11565

Fortinet FortiGate
MSIL/Agent.SH!tr.pws
7/6/2016

F-Prot
W32/MSIL_Troj.BE.gen
v6.4.7.1.166

F-Secure
Gen:Variant.MSILKrypt.6
11.2016-06-07_4

G Data
Gen:Variant.MSILKrypt
16.7.25

IKARUS anti.virus
Virus.ILAgent
t3scan.1.8.9.0

K7 AntiVirus
Trojan
13.203.15784

Kaspersky
HEUR:Trojan.Win32.Generic
14.0.0.-52

McAfee
RDN/Generic BackDoor!bc3
5600.6347

Microsoft Security Essentials
Backdoor:MSIL/Pontoeb.G
1.1.11602.0

MicroWorld eScan
Gen:Variant.MSILKrypt.6
17.0.0.564

NANO AntiVirus
Trojan.Win32.HarvBot.dchptq
0.30.24.1357

Norman
Pontoeb.E
11.20160706

nProtect
Trojan/W32.Jorik.27648.I
15.04.30.01

Panda Antivirus
Trj/CI.A
16.07.06.10

Qihoo 360 Security
Win32/Trojan.42b
1.0.0.1015

Quick Heal
Backdoor.Pontoeb.G3
7.16.14.00

Rising Antivirus
PE:Backdoor.Pontoeb!1.6637
23.00.65.16704

Sophos
Mal/Boom105-A
4.98

SUPERAntiSpyware
Trojan.Agent/Gen-MSBot
9038

Trend Micro House Call
TROJ_FORUCON.BMC
7.2.188

Trend Micro
TROJ_FORUCON.BMC
10.465.06

VIPRE Antivirus
Trojan.Win32.Generic
39876

Zillya! Antivirus
Trojan.HarvBot.Win32.5
2.0.0.2164

File size:
27 KB (27,648 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © Microsoft 2011

Original file name:
Microsoft.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\Documents and Settings\{user}\My documents\downloads\winrar.exe

File PE Metadata
Compilation timestamp:
2/14/2015 2:08:01 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
768:cCgFgy4jO7Q80K+L0mNvjaRziDG/jDQjjmWTe+Hc9Fst/I:cnEyp/+L0mNvjaRziDG/jDQjjmW9Hc9h

Entry address:
0x81CE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 02, 00, 10, 00, 00, 00, 20, 00, 00, 80, 18, 00, 00, 00, 38, 00, 00, 80, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 01, 00, 01, 00, 00, 00, 50, 00, 00, 80, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 01, 00, 01, 00, 00, 00, 68, 00...
 
[+]

Entropy:
5.5357

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
24.5 KB (25,088 bytes)

The file winrar.exe has been seen being distributed by the following URL.

Remove winrar.exe - Powered by Reason Core Security