wintool.exe

Haitao Gu

The application wintool.exe by Haitao Gu has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. While running, it connects to the Internet address apache2-yak.zarniwoop.dreamhost.com on port 80 using the HTTP protocol.
Publisher:
Haitao Gu  (signed and verified)

MD5:
147f240589041c92d7052f8643041f6e

SHA-1:
ae1e8de1961b6cbab883fe423fe814a021f6ecf7

SHA-256:
5a6048704d58fb2160ec28d55704a7617e256e18efeca90fa1f14b062314df33

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
12/27/2024 5:16:03 AM UTC

Scan engine:
Reason Heuristics

Detection:
Adware.Elex.HG (M)

Engine version:
17.2.6.1

File size:
647.7 KB (663,248 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\ProgramData\wintools\wintool.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
1/11/2017 7:00:00 PM

Valid to:
8/18/2017 6:59:59 PM

Subject:
CN=Haitao Gu, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
7DFA9A2793C23E2B568C61ED310546B4

File PE Metadata
Compilation timestamp:
2/2/2017 10:00:46 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x50E30

Entry point:
E8, 48, DE, 00, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 56, 8B, F1, 8B, 4D, 08, C6, 46, 0C, 00, 85, C9, 75, 66, 57, E8, 7C, C8, 00, 00, 8B, F8, 89, 7E, 08, 8B, 57, 6C, 89, 16, 8B, 4F, 68, 89, 4E, 04, 3B, 15, 34, FD, 48, 00, 74, 11, A1, F8, FD, 48, 00, 85, 47, 70, 75, 07, E8, 19, C6, 00, 00, 89, 06, 8B, 46, 04, 5F, 3B, 05, 2C, 02, 49, 00, 74, 15, 8B, 4E, 08, A1, F8, FD, 48, 00, 85, 41, 70, 75, 08, E8, 22, E2, 00, 00, 89, 46, 04, 8B, 4E, 08, 8B, 41, 70, A8, 02, 75, 16, 83, C8, 02, 89, 41, 70, C6, 46, 0C, 01, EB...

Code size:
431 KB (441,344 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to 61-91-16-89.static.asianet.co.th  (61.91.16.89:443)

TCP (HTTP SSL):
Connects to cache.google.com  (91.245.214.154:443)

TCP (HTTP SSL):
Connects to 61-90-179-104.static.asianet.co.th  (61.90.179.104:443)

TCP (HTTP SSL):
Connects to 61-90-179-241.static.asianet.co.th  (61.90.179.241:443)

TCP (HTTP):
Connects to tiki.trunkoz.com  (103.14.97.123:80)

TCP (HTTP):
Connects to apache2-yak.zarniwoop.dreamhost.com  (173.236.154.78:80)

TCP (HTTP):
Connects to win04-host-kb.turkticaret.net  (31.186.8.104:80)

TCP (HTTP):
Connects to server250.net217.intbildns.org  (185.126.217.250:80)

TCP (HTTP):
Connects to neptune.corpservers.net  (63.247.87.162:80)

TCP (HTTP):
Connects to 209-99-40-222.fwd.datafoundry.com  (209.99.40.222:80)

Remove wintool.exe - Powered by Reason Core Security