nuocebipcotn.exe

The executable nuocebipcotn.exe has been detected as malware by 38 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘nuocebipcotn’. While running, it connects to the Internet address static.194.33.251.148.clients.your-server.de on port 80 using the HTTP protocol.
MD5:
401738e057601031b7fd1e3d1966efad

SHA-1:
a442bea7dff936eb9bf22018ce68e2b1a9dc0822

SHA-256:
db05a9e2cb7ae58d7dd828385f006c7683673d120459569d0eb9391053c3f620

Scanner detections:
38 / 68

Status:
Malware

Analysis date:
11/5/2024 9:54:19 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Trojan.GenericKD.2801302
358

AegisLab AV Signature
Troj.W32.Yakes!c
2.1.4+

Agnitum Outpost
Trojan.Yakes
7.1.1

AhnLab V3 Security
Trojan/Win32.Injector
2016.02.02

Avira AntiVirus
TR/Crypt.ZPACK.188445
8.3.2.4

Arcabit
Trojan.Generic.D2ABE96
1.0.0.653

avast!
Win32:Crypt-SKT [Trj]
2014.9-160211

AVG
Inject3
2017.0.2836

Baidu Antivirus
Trojan.Win32.Injector
4.0.3.16211

Bitdefender
Trojan.GenericKD.2801302
1.0.20.210

Bkav FE
W32.PigsagixG.Trojan
1.3.0.7400

Comodo Security
UnclassifiedMalware
24064

Dr.Web
Trojan.DownLoad.64914
9.0.1.042

Emsisoft Anti-Malware
Trojan.GenericKD.2801302
8.16.02.11.07

ESET NOD32
Win32/Injector.CKJF (variant)
10.12962

Fortinet FortiGate
W32/Injector.CMZS!tr
2/11/2016

F-Prot
W32/Yakes.AL
v6.4.7.1.166

F-Secure
Trojan.GenericKD.2801302
11.2016-11-02_5

G Data
Trojan.GenericKD.2801302
16.2.25

IKARUS anti.virus
Trojan.Win32.Injector
t3scan.2.0.4.0

K7 AntiVirus
Trojan
13.213.18607

Kaspersky
HEUR:Trojan.Win32.Generic
14.0.0.676

McAfee
RDN/Generic.dx
5600.6492

Microsoft Security Essentials
Trojan:Win32/Bulta!rfn
1.1.12400.0

MicroWorld eScan
Trojan.GenericKD.2801302
17.0.0.126

NANO AntiVirus
Trojan.Win32.DownLoad.dxwleh
1.0.14.5798

nProtect
Trojan.GenericKD.2801302
16.02.01.01

Panda Antivirus
Generic Suspicious
16.02.11.07

Qihoo 360 Security
HEUR/QVM10.1.Malware.Gen
1.0.0.1077

Quick Heal
TrojanDropper.Cutwail.r4
2.16.14.00

Rising Antivirus
PE:Malware.Generic/QRS!1.9E2D [F]
23.00.65.16209

Sophos
Mal/Generic-S
4.98

Trend Micro House Call
TROJ_CUTWAIL.C
7.2.42

Trend Micro
TROJ_CUTWAIL.C
10.465.11

Vba32 AntiVirus
Heur.Malware-Cryptor.Filecoder
3.12.26.4

VIPRE Antivirus
Trojan.Win32.Generic
46912

ViRobot
Trojan.Win32.Agent.211206[h]
2014.3.20.0

Zillya! Antivirus
Trojan.Yakes.Win32.40890
2.0.0.2642

File size:
206.3 KB (211,206 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\dell\nuocebipcotn.exe

File PE Metadata
Compilation timestamp:
10/13/2015 5:20:02 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:9qXj49x8OaSu9+X+jhuE4BkGJe+q18LhxvBRT4f77wIoFst18uE:R054Bke7q83077wIoyt1bE

Entry address:
0x1007D

Entry point:
E8, 51, 2C, 00, 00, E9, 89, FE, FF, FF, A1, 80, E5, 41, 00, 56, 6A, 14, 5E, 85, C0, 75, 07, B8, 00, 02, 00, 00, EB, 06, 3B, C6, 7D, 07, 8B, C6, A3, 80, E5, 41, 00, 6A, 04, 50, E8, 05, 2D, 00, 00, 59, 59, A3, 78, D5, 41, 00, 85, C0, 75, 1E, 6A, 04, 56, 89, 35, 80, E5, 41, 00, E8, EC, 2C, 00, 00, 59, 59, A3, 78, D5, 41, 00, 85, C0, 75, 05, 6A, 1A, 58, 5E, C3, 33, D2, B9, F0, B3, 41, 00, EB, 05, A1, 78, D5, 41, 00, 89, 0C, 02, 83, C1, 20, 83, C2, 04, 81, F9, 70, B6, 41, 00, 7C, EA, 6A, FE, 5E, 33, D2, B9, 00...
 
[+]

Entropy:
7.3789

Code size:
103.5 KB (105,984 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
nuocebipcotn

Command:
C:\users\dell\nuocebipcotn.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to static.194.33.251.148.clients.your-server.de  (148.251.33.194:80)

TCP (HTTP):
Connects to ns69.kreativmedia.ch  (80.74.154.6:80)

TCP (HTTP):
Connects to en821.mirohost.net  (89.184.79.3:80)

TCP (HTTP):
Connects to 66-232-103-8.static.hvvc.us  (66.232.103.8:80)

TCP (HTTP):
Connects to 157-7-107-101.virt.lolipop.jp  (157.7.107.101:80)

TCP (HTTP):
Connects to ec2-34-199-151-163.compute-1.amazonaws.com  (34.199.151.163:80)

TCP (HTTP):
Connects to 231.http-proxy2.cloudns.net  (174.128.248.231:80)

TCP (HTTP):
Connects to unknown.prolexic.com  (72.52.4.120:80)

TCP (HTTP):
Connects to ostego.snhdns.com  (198.38.77.142:80)

TCP (HTTP):
Connects to ip39.ip-149-56-147.net  (149.56.147.39:80)

TCP (HTTP):
Connects to ip-23-229-142-38.ip.secureserver.net  (23.229.142.38:80)

TCP (HTTP):
Connects to finally.doneit.fi  (87.108.33.30:80)

TCP (HTTP):
Connects to evcpa.com  (207.32.48.112:80)

TCP (HTTP):
Connects to cluster005.ovh.net  (213.186.33.16:80)

TCP (HTTP):
Connects to ams93-rev.netart.pl  (85.128.201.93:80)

TCP (HTTP):
Connects to sv803.xserver.jp  (157.112.176.4:80)

TCP (HTTP):
Connects to server2016.italmarket.com  (95.141.36.94:80)

TCP (HTTP):
Connects to rs101.nsresponse.com  (204.93.177.101:80)

TCP (HTTP):
Connects to myhost.net.pl  (195.149.225.101:80)

TCP (HTTP):
Connects to ec2-52-204-129-22.compute-1.amazonaws.com  (52.204.129.22:80)

Remove nuocebipcotn.exe - Powered by Reason Core Security