nc.exe

First submission 2024-10-16 20:04:02

File details

File type:	PE32 executable (console) Intel 80386, for MS Windows
Mime type:	application/x-dosexec
File size:	1628.5 KB (1667584 bytes)
Compile time:	2011-06-30 22:47:55
MD5:	7e0df5efd2adfc7feefebe42c3a18d02
SHA1:	e52433b84341f1bec29dc818b48132c045311a1f
SHA256:	5e107ea10383110bd801fb7de11f59ee35f02b8e1defcadf34c0e3e769df9341
Import Hash :	6eefd92bffbfb27f378b81c09ca96786
Sections 6	.text .rdata .data .idata .rsrc .reloc
Directories 3	import resource relocation

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	44/77 VT report date: 2024-10-16 13:02:17
Malware Type 3	trojan hacktool pua
Threat Type 3	netcat ncat hktl

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://154.216.20.170/nc.exe	154.216.20.170	2024-10-16 20:04:02

PE Sections 0 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x134804	1264128	6a3db773a33cfcccf48d1111993276cc7b0c8f34	20685f2ce1d981d5a3062e31151503f1
.rdata	0x136000	0x496db	301056	e8ee20d211570a015bfe2cadfc7fe4aa0e42b05c	0692b9a6ecb4f2810220ce7843b0334d
.data	0x180000	0xf6a4	40448	57ecfb1ed6965795d8b6b6816de3a326fee76686	4a7736628b37e67c489a713b0d6320bb
.idata	0x190000	0x15ad	5632	078dfe37840d361d9cada49a04c992534c4a0e16	7e873300c6def650e547a9062f389cf7
.rsrc	0x192000	0x459	1536	97b9669566ea531206c52419e126e1e2020849c0	9e743de7baf937fdbccd843a20b76b51
.reloc	0x193000	0xd196	53760	16d9c5d0647881f34c265e8478246c93ca622a21	b0f070bb5b968636ac11806e53a8f143

PE Resources 1

Name	Language	Sublanguage	Offset	Size	Data
RT_MANIFEST	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x192170	406	PE Resource: RT_MANIFEST - Data <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel> </requestedPrivileges> </security> </trustInfo> </assembly>

Name

Language

Sublanguage

Offset

Size

Data

RT_MANIFEST

LANG_ENGLISH

SUBLANG_ENGLISH_US

0x192170

406

Packers detected 2

Microsoft Visual C++ 8
VC8 -> Microsoft Corporation

Anti debug functions 5

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
UnhandledExceptionFilter

Anti debug functions 1

Bochs & QEmu CPUID Trick

Strings analysis - File found

Library
ADVAPI32.dll
WUSER32.DLL
KERNEL32.dll
mscoree.dll
WS2_32.dll
GDI32.dll
USER32.dll
%s.dll
NETAPI32.dll

Strings analysis - Possible URLs found 3

http://nmap.org/ncat/.
http://nmap.org/ncat
http://www.openssl.org/support/faq.html

Import functions

ADVAPI32.dll 6 KERNEL32.dll 120 WS2_32.dll 36 GDI32.dll 10 USER32.dll 4

Function	Address	Souspicious	Anti Debug
CryptReleaseContext	0x59049c
CryptAcquireContextA	0x5904a0
RegisterEventSourceA	0x5904a4
ReportEventA	0x5904a8
DeregisterEventSource	0x5904ac
CryptGenRandom	0x5904b0

Function	Address	Souspicious	Anti Debug
GetFileInformationByHandle	0x590540
GetFullPathNameA	0x590544
FlushFileBuffers	0x590548
GetEnvironmentStringsW	0x59054c
FreeEnvironmentStringsW	0x590550
SetFilePointer	0x590554
CreateFileW	0x590558
RtlUnwind	0x59055c
HeapSize	0x590560
GetLocaleInfoW	0x590564
GetCurrentDirectoryW	0x590568
DeleteCriticalSection	0x59056c
GetStartupInfoW	0x590570
SetHandleCount	0x590574
LoadLibraryW	0x590578
LCMapStringW	0x59057c
IsValidCodePage	0x590580
GetOEMCP	0x590584
GetACP	0x590588
SetCurrentDirectoryW	0x59058c
GetStringTypeW	0x590590
GetUserDefaultLCID	0x590594
GetLocaleInfoA	0x590598
GetCPInfo	0x59059c
HeapDestroy	0x5905a0
HeapCreate	0x5905a4
IsProcessorFeaturePresent	0x5905a8
IsDebuggerPresent	0x5905ac
EnumSystemLocalesA	0x5905b0
IsValidLocale	0x5905b4
CompareStringW	0x5905b8
SetEnvironmentVariableA	0x5905bc
SetEndOfFile	0x5905c0
GetProcessHeap	0x5905c4
GetDriveTypeW	0x5905c8
FindNextFileA	0x5905cc
FatalAppExitA	0x5905d0
GetVersion	0x5905d4
FreeLibrary	0x5905d8
GetProcAddress	0x5905dc
LoadLibraryA	0x5905e0
GetSystemDirectoryA	0x5905e4
ReleaseMutex	0x5905e8
WaitForSingleObject	0x5905ec
CreateMutexA	0x5905f0
CreateProcessA	0x5905f4
GetStdHandle	0x5905f8
SetHandleInformation	0x5905fc
CreateFileA	0x590600
CloseHandle	0x590604
CreateNamedPipeA	0x590608
GetLastError	0x59060c
CreatePipe	0x590610
TerminateProcess	0x590614
GetExitCodeProcess	0x590618
ExitProcess	0x59061c
GetOverlappedResult	0x590620
WriteFile	0x590624
ResetEvent	0x590628
WaitForMultipleObjects	0x59062c
ReadFile	0x590630
CreateThread	0x590634
GetModuleFileNameA	0x590638
GetModuleHandleA	0x59063c
FormatMessageA	0x590640
DuplicateHandle	0x590644
GetCurrentProcess	0x590648
Sleep	0x59064c
SetStdHandle	0x590650
PeekNamedPipe	0x590654
GetCurrentThreadId	0x590658
FindFirstFileA	0x59065c
GetFileType	0x590660
MultiByteToWideChar	0x590664
GetTickCount	0x590668
QueryPerformanceCounter	0x59066c
GetCurrentProcessId	0x590670
GlobalMemoryStatus	0x590674
GetVersionExA	0x590678
FlushConsoleInputBuffer	0x59067c
SetLastError	0x590680
HeapFree	0x590684
WriteConsoleW	0x590688
GetModuleFileNameW	0x59068c
EnterCriticalSection	0x590690
LeaveCriticalSection	0x590694
GetModuleHandleW	0x590698
DecodePointer	0x59069c
EncodePointer	0x5906a0
SetConsoleCtrlHandler	0x5906a4
HeapAlloc	0x5906a8
InterlockedExchange	0x5906ac
WideCharToMultiByte	0x5906b0
GetConsoleCP	0x5906b4
GetConsoleMode	0x5906b8
GetCommandLineA	0x5906bc
HeapSetInformation	0x5906c0
HeapReAlloc	0x5906c4
GetFileAttributesA	0x5906c8
FindClose	0x5906cc
FileTimeToSystemTime	0x5906d0
FileTimeToLocalFileTime	0x5906d4
GetDriveTypeA	0x5906d8
FindFirstFileExA	0x5906dc
GetTimeZoneInformation	0x5906e0
GetSystemTimeAsFileTime	0x5906e4
InitializeCriticalSectionAndSpinCount	0x5906e8
ReadConsoleInputA	0x5906ec
SetConsoleMode	0x5906f0
PeekConsoleInputA	0x5906f4
GetNumberOfConsoleInputEvents	0x5906f8
TlsAlloc	0x5906fc
TlsGetValue	0x590700
TlsSetValue	0x590704
TlsFree	0x590708
InterlockedIncrement	0x59070c
InterlockedDecrement	0x590710
GetCurrentThread	0x590714
UnhandledExceptionFilter	0x590718
SetUnhandledExceptionFilter	0x59071c

Function	Address	Souspicious	Anti Debug
ioctlsocket	0x5907e8
WSASocketA	0x5907ec
getsockopt	0x5907f0
sendto	0x5907f4
getsockname	0x5907f8
WSAStartup	0x5907fc
bind	0x590800
ntohl	0x590804
gethostname	0x590808
socket	0x59080c
setsockopt	0x590810
recvfrom	0x590814
listen	0x590818
connect	0x59081c
WSACreateEvent	0x590820
WSAEventSelect	0x590824
WSACloseEvent	0x590828
shutdown	0x59082c
select	0x590830
recv	0x590834
WSASetLastError	0x590838
ntohs	0x59083c
getservbyport	0x590840
gethostbyaddr	0x590844
htons	0x590848
getservbyname	0x59084c
htonl	0x590850
inet_ntoa	0x590854
gethostbyname	0x590858
WSAGetLastError	0x59085c
inet_addr	0x590860
send	0x590864
accept	0x590868
closesocket	0x59086c
__WSAFDIsSet	0x590870
getpeername	0x590874

Function	Address	Souspicious	Anti Debug
SelectObject	0x5904e4
CreateCompatibleBitmap	0x5904e8
BitBlt	0x5904ec
GetBitmapBits	0x5904f0
DeleteObject	0x5904f4
DeleteDC	0x5904f8
GetDeviceCaps	0x5904fc
CreateCompatibleDC	0x590500
GetObjectA	0x590504
CreateDCA	0x590508

Function	Address	Souspicious	Anti Debug
MessageBoxA	0x5907ac
GetDesktopWindow	0x5907b0
GetProcessWindowStation	0x5907b4
GetUserObjectInformationW	0x5907b8