WRSA.exe

Webroot SecureAnywhere

Webroot Inc.

This is a setup program which is used to install the application. It runs as a separate (within the context of its own process) windows Service named “WRSVC”. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘WRSVC’. The file has been seen being downloaded from concept-pkg.sharefile.com and multiple other hosts.
Publisher:
Webroot  (signed by Webroot Inc.)

Product:
Webroot SecureAnywhere

Version:
8.0.4.42

MD5:
122e188772e902eefd08d8ffe898dc48

SHA-1:
f5dd589e35f6aa5e32b38766c2ca5d20cdf5db41

SHA-256:
83e68601d1397b93a2747a63620519e36cf7f6c72414a9742cc49380d5f3bd33

Scanner detections:
1 / 68

Status:
Clean  (1 probable false positive detection)

Explanation:
This is mosty likely a false positive detection, the file is probably clean.

Analysis date:
12/28/2024 2:54:00 PM UTC  (today)

Scan engine
Detection
Engine version

Rising Antivirus
PE:Stealer.Zbot!1.6524
23.00.65.131217

File size:
741.6 KB (759,392 bytes)

Product version:
8.0.4.42

Copyright:
(c) Webroot 2006-2013

Original file name:
WRSA.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\webroot\wrsa.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
1/9/2012 1:00:00 AM

Valid to:
1/10/2014 12:59:59 AM

Subject:
CN=Webroot Inc., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Webroot Inc., L=Broomfield, S=Colorado, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
1C4712357A8FBAFBB7F5B41ED147571F

File PE Metadata
Compilation timestamp:
12/4/2013 2:59:32 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
12288:UYmfIGw+BVOuJwh2xFplwZ/GQHJe0tp1Mss/+IT2HITezZSsHs8k0OB84xMsMoSP:fmf1wesuqgxC0B0r1Mx/VT2h9ScsB0OE

Entry address:
0x20DDB0

Entry point:
60, BE, 00, E0, 15, 01, 8D, BE, 00, 30, EA, FF, 57, 89, E5, 8D, 9C, 24, 80, C1, FF, FF, 31, C0, 50, 39, DC, 75, FB, 46, 46, 53, 68, AA, BB, 20, 00, 57, 83, C3, 04, 53, 68, A8, FD, 0A, 00, 56, 83, C3, 04, 53, 50, C7, 03, 03, 00, 02, 00, 90, 90, 90, 90, 90, 55, 57, 56, 53, 83, EC, 7C, 8B, 94, 24, 90, 00, 00, 00, C7, 44, 24, 74, 00, 00, 00, 00, C6, 44, 24, 73, 00, 8B, AC, 24, 9C, 00, 00, 00, 8D, 42, 04, 89, 44, 24, 78, B8, 01, 00, 00, 00, 0F, B6, 4A, 02, 89, C3, D3, E3, 89, D9, 49, 89, 4C, 24, 6C, 0F, B6, 4A...
 
[+]

Code size:
708 KB (724,992 bytes)

Service
Display name:
WRSVC

Description:
Webroot SecureAnywhere Endpoint Protection v8.0.4.42

Type:
Win32OwnProcess


Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
WRSVC

Command:
"C:\Program Files\webroot\wrsa.exe" -ul


The file WRSA.exe has been seen being distributed by the following 5 URLs.

Scan WRSA.exe - Powered by Reason Core Security