Summary | ZeroBOX

nc.exe

PE32 PE File
Category FILE
Machine s1_win7_x6403_us
Started Aug. 6, 2024, 9:11 a.m.
Completed Aug. 6, 2024, 9:14 a.m.
Size 30.0KB
Type PE32 executable (console) Intel 80386, for MS Windows, PECompact2 compressed
MD5 04915e73e6b6d161b573c86b8c3c030d
SHA256 3563add573f0ccd8fed5837e38eb6e889a99d2acf9a1eb0a9747ca46d2f5b6fa
CRC32 1E8EFB4F
ssdeep 768:mMBOqWS5cvgHEda3LqFwQjaWzCX4wHQWvOLTsLuOVojlR:xwSegHfLqWQBzi3HGdwa
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

WriteConsoleA

buffer: Cmd line:
console_handle: 0x0000000b
1 1 0
packer PECompact 2.xx --> BitSum Technologies
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 89 08 50 45 43 6f 6d 70 61 63 74 32 00 94 f0 8c
exception.symbol: nc+0x4c16
exception.instruction: mov dword ptr [eax], ecx
exception.module: nc.exe
exception.exception_code: 0xc0000005
exception.offset: 19478
exception.address: 0x404c16
registers.esp: 1638276
registers.edi: 0
registers.eax: 0
registers.ebp: 1638292
registers.edx: 4213760
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
1 0 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1256
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00390000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1256
region_size: 61440
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1256
region_size: 61440
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
section name .text, virtual_address 0x00001000, virtual_size 0x00012000, size_of_data 0x00006c00, entropy 7.869895118554312 description A section with a high entropy has been found
section name .rsrc, virtual_address 0x00013000, virtual_size 0x00001000, size_of_data 0x00000a00, entropy 7.4099896409801485 description A section with a high entropy has been found
entropy 1.0 description Overall entropy of this PE file is high
Lionic Riskware.Win32.NetCat.1!c
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
CMC Generic.Win32.04915e73e6!CMCRadar
Skyhigh BehavesLike.Win32.Generic.nc
ALYac GenPack:Application.NetTool.A
Cylance Unsafe
VIPRE GenPack:Application.NetTool.A
Sangfor Tool.Win32.Netcat.Vkba
BitDefender GenPack:Application.NetTool.A
Cybereason malicious.3e6b6d
Arcabit GenPack:Application.NetTool.A
Symantec NetCat
ESET-NOD32 a variant of Win32/RemoteAdmin.NetCat.AB potentially unsafe
APEX Malicious
McAfee Tool-NetCat.d
Avast Win32:PUP-gen [PUP]
Kaspersky not-a-virus:RemoteAdmin.Win32.NetCat.alj
NANO-Antivirus Trojan.Win32.Ncx.eplb
MicroWorld-eScan GenPack:Application.NetTool.A
Rising Backdoor.Ncx.b (CLOUD)
Emsisoft GenPack:Application.NetTool.A (B)
F-Secure PrivacyRisk.SPR/RemoteAdmin.Net
DrWeb Tool.Netcat
TrendMicro HACKINGTOOLS_NETCAT
McAfeeD ti!3563ADD573F0
Trapmine malicious.high.ml.score
FireEye GenPack:Application.NetTool.A
Sophos NetCat (PUA)
SentinelOne Static AI - Suspicious PE
Jiangmin Backdoor.Ncx.f
Google Detected
Avira SPR/RemoteAdmin.Net
MAX malware (ai score=76)
Antiy-AVL Trojan[RemoteAdmin]/Win32.NetCat
Kingsoft malware.kb.a.999
Gridinsoft Risk.Win32.Heuristic.sa
Xcitium ApplicUnsaf.Win32.RemoteAdmin@4i2o
Microsoft Trojan:Win32/Casdet!rfn
ZoneAlarm not-a-virus:RemoteAdmin.Win32.NetCat.alj
GData GenPack:Application.NetTool.A
Varist W32/Threat-HLLIP-based!Maximus
DeepInstinct MALICIOUS
Malwarebytes Malware.Heuristic.2014
Ikarus Packer.Win32.PolyCrypt
Panda Trj/CI.A
TrendMicro-HouseCall HACKINGTOOLS_NETCAT
Tencent Malware.Win32.Gencirc.11b7031b
huorong HackTool/NetCat
MaxSecure Trojan.Malware.300983.susgen