icuruokNH.exe
This report is generated from a file or URL submitted to this webservice on April 10th 2017 22:57:37 (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v6.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
- Contains a remote desktop related string
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators 3
External Systems
Sample was identified as malicious by a trusted Antivirus engine
- details
- No specific details available
- source
- External System
- relevance
- 5/10
Sample was identified as malicious by at least one Antivirus engine
- details
- 9/61 Antivirus vendors marked sample as malicious (14% detection rate)
- source
- External System
- relevance
- 8/10
General
The analysis spawned a process that was identified as malicious
- details
- 9/61 Antivirus vendors marked spawned process "<Input Sample>" (PID: 560) as malicious (classified as "Worm.f5d" with 14% detection rate)
- source
- Monitored Target
- relevance
- 10/10
Suspicious Indicators 8
Anti-Reverse Engineering
Possibly checks for known debuggers/analysis tools
- details
- (Indicator: "ntice"; matched inside an embedded OUI vendor-list string, omitted here, where it is a substring of the vendor name "ZPT Vigantice")
- source
- File/Memory
- relevance
- 2/10
Environment Awareness
Possibly tries to implement anti-virtualization techniques
- details
- (Indicator: "vmware"; matched four times inside embedded OUI vendor-list strings, omitted here, on "VMware, Inc." entries)
- source
- File/Memory
- relevance
- 4/10
Possibly tries to implement anti-virtualization techniques using MAC address detection
- details
- (Indicators: "005056" and "000569", both listed as VMware, Inc., and "080027", listed as Cadmus Computer Systems; each matched inside an embedded OUI vendor-list string, omitted here)
- source
- File/Memory
- relevance
- 10/10
Network Related
Found potential IP address in binary/memory
- details
"255.255.255.255"
"255.255.0.0"
Heuristic match: "EHLO 127.0.0.1"
Heuristic match: "H*\\192.16.1.100\admin$"
- source
- File/Memory
- relevance
- 3/10
Remote Access Related
Contains a remote desktop related string
- details
- "vnc:$auth$*%s*%s" (Indicator for product: Generic VNC)
- source
- File/Memory
- relevance
- 10/10
Contains indicators of bot communication commands
- details
- "&USER_LOGIN=" (Indicator: "login=")
- source
- File/Memory
- relevance
- 10/10
Unusual Characteristics
Imports suspicious APIs
- details
RegDeleteKeyA
RegCloseKey
RegDeleteValueA
RegCreateKeyExA
RegOpenKeyExA
RegEnumKeyA
RegEnumKeyExA
GetDriveTypeW
GetFileAttributesA
GetFileAttributesW
UnhandledExceptionFilter
GetTempPathA
FindResourceExW
OutputDebugStringA
OutputDebugStringW
GetModuleFileNameW
CopyFileA
GetVersionExA
GetModuleFileNameA
LoadLibraryExW
CreateThread
GetModuleHandleExW
LoadLibraryW
GetTickCount
VirtualProtect
LoadLibraryA
ExitThread
GetFileSize
CreateDirectoryA
DeleteFileA
GetStartupInfoW
CreateDirectoryW
GetProcAddress
WriteFile
GetFileSizeEx
FindFirstFileA
GetTempFileNameA
FindNextFileA
FindFirstFileExW
CreateFileW
CreateFileA
LockResource
IsDebuggerPresent
GetCommandLineA
GetModuleHandleA
GetModuleHandleW
GetFileAttributesExW
CreateProcessA
FindResourceW
Sleep
TerminateProcess
GetFileAttributesExA
FindResourceA
VirtualAlloc
ShellExecuteA
GetLastActivePopup
SetWindowsHookExA
GetWindowThreadProcessId
GetUpdateRect
accept (Ordinal #1)
WSAStartup (Ordinal #115)
bind (Ordinal #2)
closesocket (Ordinal #3)
recv (Ordinal #16)
socket (Ordinal #23)
connect (Ordinal #4)
send (Ordinal #19)
listen (Ordinal #13)
URLDownloadToFileA
- source
- Static Parser
- relevance
- 1/10
The input sample contains an embedded RTF document
- details
- "icuruokNH.exe.bin" has an embedded RTF document (Line: 5170; Offset: 26)
- source
- Binary File
- relevance
- 10/10
Informative 3
Network Related
Found potential URL in binary/memory
- details
Heuristic match: "%d.%d.%d.%d.in-addr.arpa"
Pattern match: "www.openwall.com/john"
Pattern match: "http://%s"
Pattern match: "http://%s/%s"
Pattern match: "http://%s/"
Heuristic match: "ost: vk.com"
Pattern match: "http://%s:62222/"
Heuristic match: "api.vk.com"
Pattern match: "https://%s"
Heuristic match: "icloud.com"
Heuristic match: "instagram.com"
Pattern match: "http://hostname/link"
Pattern match: "http://sniff.su"
Pattern match: "http://www.openssl.org/support/faq.html"
Pattern match: "http://site.com/file.txt"
- source
- File/Memory
- relevance
- 10/10
Spyware/Information Retrieval
Found a reference to a known community page
- details
- (Indicators: "paypal" and "myspace"; matched inside embedded OUI vendor-list strings, omitted here, on the entries "PayPal, Inc." and "Myspace AB")
- source
- File/Memory
- relevance
- 7/10
Unusual Characteristics
Matched Compiler/Packer signature
- details
- "icuruokNH.exe.bin" was detected as "Microsoft visual C++ 8"
- source
- Static Parser
- relevance
- 10/10
File Details
icuruokNH.exe
- Filename
- icuruokNH.exe
- Size
- 5MiB (5267968 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 24e8ca111365cee279679ee18c7a4ca02662ade18cf68c16154dce186210199f
- MD5
- dd2408be7336ae7139c2e5258dde4353
- SHA1
- 77490288feda4cdb3aaabef604f02ce3807b3550
- ssdeep
- 98304:w5YtqVcXsPEcOTfSwZPEM5DaH3BZdW2i3mCLmH0xkzLfx:w5YkVcXX5EcSYPWCLmH0xkZ
- imphash
- 0bda7296f028eff51ea9d1dfb2fd70fe
- authentihash
- 18de679d0dd84d14a351ea9526a51ab8c8eea2e59cebce91b02f0332cd4a15bc
- Compiler/Packer
- Microsoft visual C++ 8
- PDB Pathway
Classification (TrID)
- 52.9% (.EXE) Win32 Executable (generic)
- 23.5% (.EXE) Generic Win/DOS Executable
- 23.5% (.EXE) DOS Executable Generic
File Sections
File Resources
File Imports
File Exports
Name | Ordinal | Address |
---|---|---|
OPENSSL_Applink | #1 | 0x440ca0 |
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- icuruokNH.exe (PID: 560) 9/61
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
No significant files were extracted.
Notifications
Runtime
- A process crash was detected during the runtime analysis
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)