ntcontrolsvc.exe

Atom Security OOO

The application ntcontrolsvc.exe, “Network Maintenance Service” by Atom Security OOO, has been flagged as a potentially unwanted program by 1 of 68 anti-malware scanners, via a heuristic detection (PUP.Optional.AtomSecu.Service). A single heuristic hit is an indicator to confirm against the hashes, install path, service name and network behaviour listed below, not a verdict on its own. The file runs as a Windows service named “NtControlSvc” in its own process (Win32OwnProcess). While running, it opens a raw TCP connection to 97-140.colo.sta.blacknight.ie (91.211.97.140) on port 26002, a non-standard port with no HTTP or TLS wrapping; the HTTPS endpoints it also contacts (Yandex, Google, Facebook, AWS, Mail.ru) are shared infrastructure and are not indicators by themselves.
Publisher:
RapidLights, Inc.  (company name from the file's version resource; the Authenticode signature is by Atom Security OOO, so the two do not match)

Description:
Network Maintenance Service

Version:
2.2.4.6

MD5:
6f63b84c981c87defc57e202287a79df

SHA-1:
e47e4ee079cc24b5155fa5937e38be8da4ecc903

SHA-256:
660e92df4c2bf23dfed580aec1a2c98f0bc0fc189949b4ebc532de2069369dd6

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
4/27/2024 2:13:30 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Optional.AtomSecu.Service

Engine version:
16.11.18.18

File size:
3.6 MB (3,727,440 bytes)

Product version:
2.2.4.6

Copyright:
Copyright (C) 2016 RapidLights, Inc.

File type:
Executable application (Win32 EXE)

Common path:
C:\windows\syswow64\ltprx\ntcontrolsvc.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
6/4/2015 3:00:00 AM

Valid to:
6/4/2018 2:59:59 AM

Subject:
CN=Atom Security OOO, OU=development, O=Atom Security OOO, STREET="Academician Koptyuga Prospect, 4,office 158", L=Novosibirsk, S=nso, PostalCode=630090, C=RU

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
2F74D159839B911DB6F1DFF991E70893

File PE Metadata
Compilation timestamp:
11/3/2016 4:17:23 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
49152:2Oto6JJfuqJAQX+OUGNI70OOw+TNdIyo7g35wPC2buEpVM2htnAWdTQSp/E2r:o6LfxV0cI70OheNdivLbhpVpb

Entry address:
0x142C16

Entry point:
E8, F7, ED, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 75, 0B, FF, 75, 0C, E8, 34, D3, FF, FF, 59, 5D, C3, 56, 8B, 75, 0C, 85, F6, 75, 0D, FF, 75, 08, E8, B5, D3, FF, FF, 59, 33, C0, EB, 4D, 57, EB, 30, 85, F6, 75, 01, 46, 56, FF, 75, 08, 6A, 00, FF, 35, 18, BE, 77, 00, FF, 15, 54, 0D, 78, 00, 8B, F8, 85, FF, 75, 5E, 39, 05, 1C, BE, 77, 00, 74, 40, 56, E8, A1, 18, 00, 00, 59, 85, C0, 74, 1D, 83, FE, E0, 76, CB, 56, E8, 91, 18, 00, 00, 59, E8, 75, EC, FF, FF, C7, 00, 0C, 00, 00, 00, 33...

Code size:
2.8 MB (2,942,464 bytes)

Service
Display name:
NtControlSvc

Description:
NtControlSvc's Redirector service

Type:
Win32OwnProcess

Depends on:
RPCSS


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to yandex.ru  (5.255.255.5:443)

TCP (HTTP):
Connects to download-cs.su  (193.124.177.131:80)

TCP (HTTP SSL):
Connects to client.fttb.2day.kz  (176.222.187.82:443)

TCP (HTTP SSL):
Connects to portal-xiva.yandex.net  (213.180.193.210:443)

TCP (HTTP SSL):
Connects to lr-in-f189.1e100.net  (209.85.233.189:443)

TCP (HTTP SSL):
Connects to api.browser.yandex.ru  (93.158.134.82:443)

TCP:
Connects to 97-140.colo.sta.blacknight.ie  (91.211.97.140:26002)

TCP (HTTP SSL):
Connects to csp.yandex.net  (93.158.134.242:443)

TCP (HTTP SSL):
Connects to ip5.23.odnoklassniki.ru  (5.61.23.5:443)

TCP (HTTP SSL):
Connects to edge-star-shv-01-lht6.facebook.com  (157.240.1.18:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-lht6.facebook.com  (157.240.1.35:443)

TCP (HTTP SSL):
Connects to ec2-52-50-209-154.eu-west-1.compute.amazonaws.com  (52.50.209.154:443)

TCP (HTTP SSL):
Connects to sba.search.yandex.net  (93.158.134.232:443)

TCP (HTTP SSL):
Connects to ec2-54-86-242-110.compute-1.amazonaws.com  (54.86.242.110:443)

TCP (HTTP):
Connects to bratok.mail.ru  (217.69.135.163:80)

TCP (HTTP SSL):
Connects to 91-239-26-116.flops.ru  (91.239.26.116:443)

TCP (HTTP SSL):
Connects to topf8.l.smailru.net  (217.69.133.145:443)

TCP (HTTP):
Connects to tags.expo9.exponential.com  (204.11.109.75:80)

TCP (HTTP SSL):
Connects to sw90.ua-hosting.company  (91.215.156.146:443)

TCP (HTTP SSL):
Connects to suggest.yandex.net  (93.158.134.63:443)
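The indicators above (hashes, install path, service name and the network destinations) are what an analyst matches against host telemetry. The script below is an added example, not code from this page or from Reason Core Security: it scores Sysmon-style events against those indicators and keeps the high-signal ones (file hash, the ltprx install path, the NtControlSvc service, the raw TCP connection to 91.211.97.140:26002, the plain-HTTP hosts) apart from the HTTPS destinations the page also lists, which are shared infrastructure that thousands of benign programs contact. The event dictionaries, the field names modelled on Sysmon event IDs 1 and 3 and the System-log service-install event 7045, and the scoring rule are constructed for the example; hosting providers such as flops.ru, ua-hosting.company and 2day.kz are left unclassified.

```python
"""Triage helper for the ntcontrolsvc.exe indicators on this page (added example)."""
import hashlib
from dataclasses import dataclass

# Indicators copied from this page.
IOC_MD5 = "6f63b84c981c87defc57e202287a79df"
IOC_SHA256 = "660e92df4c2bf23dfed580aec1a2c98f0bc0fc189949b4ecb532de2069369dd6"
IOC_PATH = r"c:\windows\syswow64\ltprx\ntcontrolsvc.exe"
IOC_SERVICE = "ntcontrolsvc"
IOC_RAW_TCP = {("91.211.97.140", 26002)}          # non-HTTPS, unusual port: discriminating
IOC_HTTP_HOSTS = {"download-cs.su", "bratok.mail.ru", "tags.expo9.exponential.com"}
# Shared infrastructure also listed on the page; informational only, never alert on it alone.
NOISY_DOMAINS = ("yandex.ru", "yandex.net", "1e100.net", "facebook.com",
                 "amazonaws.com", "odnoklassniki.ru", "smailru.net")


@dataclass(frozen=True)
class Finding:
    event_id: int
    indicator: str
    high_signal: bool


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA-256 of a file's bytes, for comparison with the hashes on this page."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def is_known_sample(hashes: dict) -> bool:
    """Compare on SHA-256 when present; fall back to MD5 only if that is all the log carries."""
    if "sha256" in hashes:
        return hashes["sha256"].lower() == IOC_SHA256
    return hashes.get("md5", "").lower() == IOC_MD5


def parse_sysmon_hashes(field: str) -> dict:
    """Parse Sysmon's 'MD5=...,SHA256=...' Hashes field into a lowercase dict."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().lower()] = value.strip().lower()
    return out


def is_shared_infra(host: str) -> bool:
    """Exact or subdomain match against the shared-infrastructure domains."""
    return any(host == d or host.endswith("." + d) for d in NOISY_DOMAINS)


def triage(events: list) -> list:
    """Return one Finding per indicator hit; high_signal marks sample-specific indicators."""
    findings = []
    for ev in events:
        eid = ev["event_id"]
        image = ev.get("Image", ev.get("ImagePath", "")).strip('"').lower()
        if image == IOC_PATH:
            findings.append(Finding(eid, "image path", True))
        if eid == 1 and "Hashes" in ev and is_known_sample(parse_sysmon_hashes(ev["Hashes"])):
            findings.append(Finding(eid, "file hash", True))
        if eid == 7045 and ev.get("ServiceName", "").lower() == IOC_SERVICE:
            findings.append(Finding(eid, "service name", True))
        if eid == 3:
            dst = (ev.get("DestinationIp", ""), int(ev.get("DestinationPort", 0)))
            host = ev.get("DestinationHostname", "").lower()
            if dst in IOC_RAW_TCP:
                findings.append(Finding(eid, f"raw tcp {dst[0]}:{dst[1]}", True))
            elif host in IOC_HTTP_HOSTS:
                findings.append(Finding(eid, f"http host {host}", True))
            elif is_shared_infra(host):
                findings.append(Finding(eid, f"shared infrastructure {host}", False))
    return findings


def verdict(findings: list) -> str:
    """'match' on any high-signal hit; shared-infrastructure hits alone are 'no match'."""
    return "match" if any(f.high_signal for f in findings) else "no match"


# Constructed sample events (not real telemetry). Sysmon writes hashes in uppercase hex.
SAMPLE_EVENTS = [
    {"event_id": 7045, "ServiceName": "NtControlSvc",
     "ImagePath": r"C:\windows\syswow64\ltprx\ntcontrolsvc.exe"},
    {"event_id": 1, "Image": r"C:\windows\syswow64\ltprx\ntcontrolsvc.exe",
     "Hashes": "MD5=" + IOC_MD5.upper() + ",SHA256=" + IOC_SHA256.upper()},
    {"event_id": 3, "Image": r"C:\windows\syswow64\ltprx\ntcontrolsvc.exe",
     "DestinationIp": "91.211.97.140", "DestinationPort": "26002",
     "DestinationHostname": "97-140.colo.sta.blacknight.ie"},
    {"event_id": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "5.255.255.5", "DestinationPort": "443",
     "DestinationHostname": "yandex.ru"},
]

if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for finding in hits:
        print(finding)
    print(verdict(hits))
```

On the constructed events the first three produce six high-signal findings (path, service name, hash and the 26002 connection) and the verdict is "match"; the browser's connection to yandex.ru is recorded for context but, on its own, yields "no match", which is the point of separating the two classes.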

Remove ntcontrolsvc.exe - Powered by Reason Core Security