nc.exe

The application nc.exe has been detected as a potentially unwanted program by 22 anti-malware scanners. This file is typically installed with the program MPlayer for Windows by The MPlayer Team. The file has been seen being downloaded from gamezlover.com and multiple other hosts.
MD5:
ab41b1e2db77cebd9e2779110ee3915d

SHA-1:
4122cf816aaa01e63cfb76cd151f2851bc055481

SHA-256:
7379c5f5989be9b790d071481ee4fdfaeeb0dc7c4566cad8363cb016acc8145e

Scanner detections:
22 / 68

Status:
Potentially unwanted

Analysis date:
11/6/2024 4:46:04 AM UTC

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| AhnLab V3 Security | Win-AppCare/NTSniff_v111.61440 | 2014.01.10 |
| Avira AntiVirus | SPR/NetCat.A | 7.11.124.108 |
| AVG | NetCat.A | 2014.0.3613 |
| Bkav FE | W32.Clode66.Trojan | 1.3.0.4613 |
| Comodo Security | ApplicUnsaf.Win32.RemoteAdmin.NetCat.A | 17581 |
| Dr.Web | Tool.Netcat.377 | 9.0.1.0360 |
| ESET NOD32 | Win32/RemoteAdmin.NetCat | 7.9270 |
| Fortinet FortiGate | Riskware/Nt110 | 12/26/2013 |
| F-Prot | W32/Netcat | v6.4.7.1.166 |
| F-Secure | Riskware:W32/NetCat | 11.2013-26-12_5 |
| Kaspersky | not-a-virus:RemoteAdmin.Win32.NetCat | 14.0.0.4561 |
| Malwarebytes | PUP.Netcat | v2013.12.26.09 |
| McAfee | Tool-NetCat | 5600.7269 |
| MicroWorld eScan | SPR/NetCat.A | 14.0.0.1080 |
| NANO AntiVirus | Riskware.Win32.NetCat.ibcm | 0.28.0.57029 |
| Panda Antivirus | Hacktool/NetCat.B | 13.12.26.09 |
| Rising Antivirus | PE:Hack.NetCat.c!1073876285 | 23.00.65.131224 |
| Sophos | NetCat | 4.96 |
| Trend Micro House Call | HKTL_NETCAT | 7.2.360 |
| Trend Micro | HKTL_NETCAT | 10.465.26 |
| VIPRE Antivirus | Trojan.Win32.Generic | 25258 |
| ViRobot | RemoteAdmin.NetCat.61440 | 2011.4.7.4223 |

File size:
60 KB (61,440 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Windows\System32\nc.exe

File PE Metadata
Compilation timestamp:
12/29/2004 8:07:16 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
7.10

CTPH (ssdeep):
1536:8LJg1OAEuxWhXTmNquG9L0RT/ADGRMlu:8LJlAEuxAWqu3ZMlu

Entry address:
0x4AC3

Entry point:
6A, 18, 68, 98, C0, 40, 00, E8, 69, 03, 00, 00, BF, 94, 00, 00, 00, 8B, C7, E8, 95, 2C, 00, 00, 89, 65, E8, 8B, F4, 89, 3E, 56, FF, 15, C0, B0, 40, 00, 8B, 4E, 10, 89, 0D, D8, E7, 40, 00, 8B, 46, 04, A3, E4, E7, 40, 00, 8B, 56, 08, 89, 15, E8, E7, 40, 00, 8B, 76, 0C, 81, E6, FF, 7F, 00, 00, 89, 35, DC, E7, 40, 00, 83, F9, 02, 74, 0C, 81, CE, 00, 80, 00, 00, 89, 35, DC, E7, 40, 00, C1, E0, 08, 03, C2, A3, E0, E7, 40, 00, 33, FF, 57, FF, 15, B4, B0, 40, 00, 66, 81, 38, 4D, 5A, 75, 1F, 8B, 48, 3C, 03, C8, 81...
 

Entropy:
5.8407

Developed / compiled with:
Microsoft Visual C++ v7.0

Code size:
40 KB (40,960 bytes)

The file nc.exe has been discovered within the following program.

MPlayer for Windows  by The MPlayer Team
mulder.at.gg
About 2% of users remove it
 

The file nc.exe has been seen being distributed by the following 9 URLs.

http://gamezlover.com/wp-includes/.../3e2d22ef2.exe

http://freecache23-free.uloz.to/Ps;Hs;fid=34989468;cid=2097466172;rid=1328855991;up=1;uid=11631826;uip=109.81.208.34;tm=1470748951;ut=f;aff=ulozto.cz;did=ulozto-cz;He;ch=0f858b79ac7a7e2850cac867c423a344;Pe/.../netcat-exe?bD&u=11631826&c=2097466172&De&redirs=2

The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to ip-172-18-112-166.ec2.internal  (172.18.112.166:2000)

TCP:
Connects to ip-172-16-1-1.ec2.internal  (172.16.1.1:55134)

TCP (HTTP):
Connects to bd1d5f69.virtua.com.br  (189.29.95.105:8080)

TCP (HTTP):
Connects to a104-112-227-49.deploy.static.akamaitechnologies.com  (104.112.227.49:80)
