What is “Rootkit.Win64.Necurs”?

Malware Removal

The Rootkit.Win64.Necurs is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.
6-day free trial available.

What Rootkit.Win64.Necurs virus can do?

  • Behavioural detection: Executable code extraction – unpacking
  • Sample contains Overlay data
  • CAPE extracted potentially suspicious content
  • Unconventionial binary language: Chinese (Simplified)
  • Unconventionial language used in binary resources: Chinese (Simplified)
  • The binary contains an unknown PE section name indicative of packing
  • The executable is likely packed with VMProtect
  • Authenticode signature is invalid
  • CAPE detected the embedded win api malware family
  • Attempts to modify proxy settings
  • Deletes executed files from disk
  • Anomalous binary characteristics
  • Yara detections observed in process dumps, payloads or dropped files

How to determine Rootkit.Win64.Necurs?

File Info:

name: C196099E75150F05F46E.mlw
path: /opt/CAPEv2/storage/binaries/80ba5133d45e7943215e994b32b5842f1b01f2c925bf96814bf2162303ca0266
crc32: CB87A132
md5: c196099e75150f05f46e78ed3396e972
sha1: 92745d474d9ab6c2e8db03c7f203d31d86351b49
sha256: 80ba5133d45e7943215e994b32b5842f1b01f2c925bf96814bf2162303ca0266
sha512: a2ab974e38dc2bb4d68da89c61c86cb0074fb8b543d86cd7a7132eedb8cb2d25035529a9aca3c327ecb9d500fb9a06268534ba5b53a86fa6896a5e514f40bd7f
ssdeep: 98304:nXC4MXE/Wm3uYONSR3zzuqXHqEi5oB2FGzCJjsy7/5e3TZfh9:XC44TNQSQHqEP6GzAHLs3lZ9
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T19A967D10FA568275C74B0B71496D937FC6364E502F19A2C3EF80FB1EA932AD1E436636
sha3_384: 39cc3eedc01a9618454afa1277a66e58458003fc3dada639cf0ba6a37404e82d3ab5326f6664ef953287a858a0aa333b
ep_bytes: 60e803000000e9eb045d4555c3e80100
timestamp: 2014-02-17 03:36:38

Version Info:

CompanyName: 腾讯计算机系统有限公司
FileDescription: 腾讯游戏登录程序
FileVersion: 3, 0, 3, 0
InternalName: 腾讯游戏登录程序
LegalCopyright: Copyright (C) Tencent 2009 - 2011
OriginalFilename: Client.exe
ProductName: 腾讯游戏统一登录系统
ProductVersion: 3, 0, 3, 0
Translation: 0x0804 0x04b0

Rootkit.Win64.Necurs also known as:

CrowdStrikewin/malicious_confidence_60% (D)

How to remove Rootkit.Win64.Necurs?

Rootkit.Win64.Necurs removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan“.
  • Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings“.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.

Leave a Comment