winsys32.exe

The executable winsys32.exe has been detected as malware by 5 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in.
Version:
0.0.0.0

MD5:
e3437b58ed58e9dbc2afcb4a82eff628

SHA-1:
0e302176f76cd68b81a7c95c72f42f3ea743aefe

SHA-256:
3fcb5b873087605db1294aae0e614fc09e5e518c19e2fc2359e2c492a47cbbac

Scanner detections:
5 / 68

Status:
Malware

Analysis date:
11/4/2024 5:02:46 PM UTC

Scan engine     Detection                     Engine version
avast!          Win32:Malware-gen             160917-0
Dr.Web          Trojan.DownLoader22.58477     9.0.1.05190
ESET NOD32      MSIL/Agent.ADE trojan         6.3.12010.0
F-Secure        Variant.MSILPerseus.3430      5.15.154
Kaspersky       Trojan.Win32.Scar             15.0.2.529

File size:
589.5 KB (603,648 bytes)

Product version:
0.0.0.0

Original file name:
d.exe

File type:
Executable application (Win32 EXE)

Language:
Turkish (Turkey)

Common path:
C:\Program Files\client\winsys32.exe

File PE Metadata
Compilation timestamp:
10/6/2016 3:45:02 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
12288:vHJ+5F1JKiFVl6t0MXg8uBHRvE/Y+m+De4/oxXlMmUy6Ej:01ZvMP2pItbDh/2XlMmtj

Entry address:
0x940AE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
584.5 KB (598,528 bytes)

Scheduled Task
Task name:
Windows System Services

Trigger:
Logon (Runs on logon)


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to a23-219-92-144.deploy.static.akamaitechnologies.com  (23.219.92.144:80)

TCP (HTTP):
Connects to a104-96-220-200.deploy.static.akamaitechnologies.com  (104.96.220.200:80)

TCP (HTTP):
Connects to a104-96-220-176.deploy.static.akamaitechnologies.com  (104.96.220.176:80)

TCP:
Connects to 46-198-19-103.adsl.cyta.gr  (46.198.19.103:1337)

TCP (HTTP):
Connects to a23-219-93-210.deploy.static.akamaitechnologies.com  (23.219.93.210:80)

TCP (HTTP):
Connects to a23-219-92-177.deploy.static.akamaitechnologies.com  (23.219.92.177:80)

TCP (HTTP):
Connects to a23-219-92-136.deploy.static.akamaitechnologies.com  (23.219.92.136:80)

TCP (HTTP):
Connects to a23-204-138-163.deploy.static.akamaitechnologies.com  (23.204.138.163:80)

TCP (HTTP):
Connects to a23-204-138-152.deploy.static.akamaitechnologies.com  (23.204.138.152:80)

TCP:
Connects to 46-198-114-42.adsl.cyta.gr  (46.198.114.42:1337)

Remove winsys32.exe - Powered by Reason Core Security