SHA256: 7379c5f5989be9b790d071481ee4fdfaeeb0dc7c4566cad8363cb016acc8145e
File name: nc.exe
Detection ratio: 28 / 43
Analysis date: 2011-08-07 18:46:46 UTC ( 2 years, 11 months ago )
Antivirus Result Update
AVG NetCat.A 20110807
AhnLab-V3 Win-AppCare/NTSniff_v111.61440 20110807
AntiVir SPR/NetCat.A 20110807
Antiy-AVL RemoteAdmin/Win32.NetCat.gen 20110806
ClamAV PUA.NetTool.Netcat-6 20110807
Commtouch W32/Netcat 20110806
Comodo ApplicUnsaf.Win32.RemoteAdmin.NetCat.g 20110807
DrWeb Tool.Netcat.125 20110807
Emsisoft Riskware.RemoteAdmin.Win32.NetCat!IK 20110807
F-Prot W32/Netcat 20110806
F-Secure Riskware:W32/NetCat 20110807
Fortinet HackerTool/Nt110 20110807
Ikarus not-a-virus:RemoteAdmin.Win32.NetCat 20110807
Jiangmin Trojan/VulnWatch.a 20110807
Kaspersky not-a-virus:RemoteAdmin.Win32.NetCat.a 20110807
McAfee Tool-NetCat 20110807
McAfee-GW-Edition Tool-NetCat 20110807
NOD32 Win32/RemoteAdmin.NetCat 20110807
PCTools SecurityRisk.NetCat 20110807
Panda Hacktool/NetCat.B 20110807
Rising Hack.NetCat.c 20110804
Sophos NetCat 20110807
Symantec NetCat 20110807
TheHacker Aplicacion/NetCat 20110806
VIPRE Netcat 20110807
ViRobot Not_a_virus:RemoteAdmin.NetCat.61440 20110807
eSafe Win32.Banker 20110807
nProtect Trojan/W32.Agent.61440.TR 20110807
Avast 20110807
Avast5 20110807
BitDefender 20110807
CAT-QuickHeal 20110807
GData 20110807
K7AntiVirus 20110802
Microsoft 20110807
Norman 20110807
Prevx 20110807
SUPERAntiSpyware 20110807
TrendMicro 20110807
TrendMicro-HouseCall 20110807
VBA32 20110806
VirusBuster 20110807
eTrust-Vet 20110805
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows command line subsystem.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2004-12-29 18:07:16
Link date 7:07 PM 12/29/2004
Entry Point 0x00004AC3
Number of sections 3
PE sections
PE imports
PeekNamedPipe
GetLastError
FreeConsole
GetStdHandle
LoadLibraryA
LCMapStringW
SetHandleCount
GetSystemInfo
GetOEMCP
LCMapStringA
GetNumberOfConsoleInputEvents
ExitProcess
GetVersionExA
VirtualProtect
HeapFree
GetModuleFileNameA
RtlUnwind
DuplicateHandle
FreeEnvironmentStringsA
CreatePipe
GetCurrentProcess
GetEnvironmentStrings
GetLocaleInfoA
GetCurrentProcessId
CreateThread
UnhandledExceptionFilter
MultiByteToWideChar
HeapSize
GetTickCount
FreeEnvironmentStringsW
GetCommandLineA
WaitForMultipleObjects
TerminateThread
ExitThread
SetStdHandle
CompareStringW
GetCPInfo
GetStringTypeA
SetFilePointer
FlushFileBuffers
DisconnectNamedPipe
ReadFile
InterlockedExchange
WriteFile
GetStartupInfoA
CompareStringA
GetSystemTimeAsFileTime
PeekConsoleInputA
GetACP
HeapReAlloc
GetStringTypeW
GetProcAddress
SetEnvironmentVariableA
TerminateProcess
CreateProcessA
QueryPerformanceCounter
WideCharToMultiByte
HeapCreate
VirtualQuery
VirtualFree
GetEnvironmentStringsW
HeapDestroy
Sleep
GetFileType
SetEndOfFile
CreateFileA
HeapAlloc
GetCurrentThreadId
VirtualAlloc
GetModuleHandleA
CloseHandle
shutdown
accept
WSAStartup
connect
getsockname
htons
inet_ntoa
WSAGetLastError
recv
inet_addr
send
getservbyport
ntohs
select
gethostbyaddr
listen
__WSAFDIsSet
WSACleanup
gethostbyname
WSASetLastError
closesocket
setsockopt
socket
bind
recvfrom
getservbyname
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows command line
MachineType Intel 386 or later, and compatibles
TimeStamp 2004:12:29 19:07:16+01:00
FileType Win32 EXE
PEType PE32
CodeSize 40960
LinkerVersion 7.1
FileAccessDate 2014:07:06 17:19:37+01:00
EntryPoint 0x4ac3
InitializedDataSize 20480
SubsystemVersion 4.0
ImageVersion 0.0
OSVersion 4.0
FileCreateDate 2014:07:06 17:19:37+01:00
UninitializedDataSize 0
CarbonBlack CarbonBlack acts as a surveillance camera for computers
While monitoring an end-user machine in the wild, CarbonBlack noticed that the following files, while executing, wrote this sample to disk.
Execution parents
PE resource-wise parents
Compressed bundles
PCAP parents
File identification
MD5 ab41b1e2db77cebd9e2779110ee3915d
SHA1 4122cf816aaa01e63cfb76cd151f2851bc055481
SHA256 7379c5f5989be9b790d071481ee4fdfaeeb0dc7c4566cad8363cb016acc8145e
ssdeep 1536:8LJg1OAEuxWhXTmNquG9L0RT/ADGRMlu:8LJlAEuxAWqu3ZMlu
imphash b47060fbcbd9d8ec9716eb4a0fdbc38f
File size 60.0 KB ( 61440 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (console) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (67.3%)
Win32 Dynamic Link Library (generic) (14.2%)
Win32 Executable (generic) (9.7%)
Generic Win/DOS Executable (4.3%)
DOS Executable Generic (4.3%)
Tags peexe via-tor usb-autorun mz
VirusTotal metadata
First submission 2006-05-23 14:32:44 UTC ( 8 years, 1 month ago )
Last submission 2014-07-06 16:18:54 UTC ( 4 days, 23 hours ago )
File names malicious
ppt_ls.exe
svcnost.exe
ab41b1e2db77cebd9e2779110ee3915d.exe
ab41b1e2db77cebd9e2779110ee3915d
nc.dat
wupdate.exe
Gmail.exe
NoEsVirus.Es.Netcat.exe
nc.exe.VIR
nc.exe.pe
gigabite.exe
nc[1].exe
1.exe
netcat.exe
nc.exe.vir
java11.exe
CONFIG.txt
nc_win32.exe
nc - Copy.exe
nc(2).exe
Java.exe
svchost.exe
nc.exe
gatito.exe
Advanced heuristic and reputation engines
ClamAV PUA
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: http://www.clamav.net/index.php?s=pua&lang=en .