SNOOKE~1 (119).EXE
This report is generated from a file or URL submitted to this webservice on March 15th 2016 23:21:24 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v3.40 © Hybrid Analysis
Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.
Indicators
Not all malicious and suspicious indicators are displayed.
-
Suspicious Indicators 7
-
Environment Awareness
-
Contains ability to query the machine version
- details
-
GetVersion@KERNEL32.DLL from SNOOKE_1_119_.EXE (PID: 176)
GetVersion@KERNEL32.DLL from PID 00000176 - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Makes a branch decision directly after calling an API that is environment aware
- details
-
Found API call GetVersion@KERNEL32.DLL (Target: "SNOOKE_1_119_.EXE", Stream UID: "00135734-00000176-38478-785-00426651")
which is directly followed by "cmp eax, 04h" and "jnc 00426691h". See related instructions: "...
+45 call 0043E6F1h ;GetVersion
+50 and eax, 000000FFh
+55 cmp eax, 04h
+58 jnc 00426691h" ... from PID 00000176
Found API call GetVersion@KERNEL32.DLL (Target: "SNOOKE_1_119_.EXE", Stream UID: "00135734-00000176-38478-946-0042AE23")
which is directly followed by "cmp eax, 04h" and "jnc 0042AE93h". See related instructions: "...
+93 call 0043E6F1h ;GetVersion
+98 and eax, 000000FFh
+103 cmp eax, 04h
+106 jnc 0042AE93h" ... from PID 00000176
Found API call GetVersion@KERNEL32.DLL (Target: "SNOOKE_1_119_.EXE", Stream UID: "00135734-00000176-38478-1029-0042DEC5")
which is directly followed by "cmp eax, 04h" and "jnc 0042DF05h". See related instructions: "...
+45 call 0043E6F1h ;GetVersion
+50 and eax, 000000FFh
+55 cmp eax, 04h
+58 jnc 0042DF05h" ... from PID 00000176
Found API call GetVersion@KERNEL32.DLL (Target: "SNOOKE_1_119_.EXE", Stream UID: "00135734-00000176-38478-1033-0042E3F5")
which is directly followed by "cmp eax, 04h" and "jc 0042E42Bh". See related instructions: "...
+20 call 00436E98h
+25 call 0043E6F1h ;GetVersion
+30 and eax, 000000FFh
+35 cmp eax, 04h
+38 jc 0042E42Bh" ... from SNOOKE_1_119_.EXE (PID: 176)
Found API call GetVersion@KERNEL32.DLL (Target: "SNOOKE_1_119_.EXE", Stream UID: "00135734-00000176-38478-1069-0042F22F")
which is directly followed by "cmp eax, 04h" and "jnc 0042F30Ch". See related instructions: "...
+202 call 0043E6F1h ;GetVersion
+207 and eax, 000000FFh
+212 cmp eax, 04h
+215 jnc 0042F30Ch" ... from PID 00000176
Found API call GetVersion@KERNEL32.DLL (Target: "SNOOKE_1_119_.EXE", Stream UID: "00135734-00000176-38478-979-0042B9A2")
which is directly followed by "cmp dword ptr [00442E44h], 00000000h" and "je 0042B9F1h". See related instructions: "...
+21 inc byte ptr [00442E48h]
+27 call 0043E6F1h ;GetVersion
+32 mov esi, eax
+34 and esi, 80000000h
+40 mov dword ptr [00442E44h], esi
+46 cmp dword ptr [00442E44h], 00000000h
+53 je 0042B9F1h" ... from SNOOKE_1_119_.EXE (PID: 176)
Found API call GetVersion@KERNEL32.DLL (Target: "SNOOKE_1_119_.EXE", Stream UID: "00135734-00000176-46178-948-0042AE23")
which is directly followed by "cmp eax, 04h" and "jnc 0042AE93h". See related instructions: "...
+93 call 0043E6F1h ;GetVersion
+98 and eax, 000000FFh
+103 cmp eax, 04h
+106 jnc 0042AE93h" ... from PID 00000176
Found API call GetVersion@KERNEL32.DLL (Target: "SNOOKE_1_119_.EXE", Stream UID: "00135734-00000176-46178-787-00426651")
which is directly followed by "cmp eax, 04h" and "jnc 00426691h". See related instructions: "...
+45 call 0043E6F1h ;GetVersion
+50 and eax, 000000FFh
+55 cmp eax, 04h
+58 jnc 00426691h" ... from PID 00000176
Found API call GetVersion@KERNEL32.DLL (Target: "SNOOKE_1_119_.EXE", Stream UID: "00135734-00000176-46178-1035-0042E3F5")
which is directly followed by "cmp eax, 04h" and "jc 0042E42Bh". See related instructions: "...
+20 call 00436E98h
+25 call 0043E6F1h ;GetVersion
+30 and eax, 000000FFh
+35 cmp eax, 04h
+38 jc 0042E42Bh" ... from SNOOKE_1_119_.EXE (PID: 176)
Found API call GetVersion@KERNEL32.DLL (Target: "SNOOKE_1_119_.EXE", Stream UID: "00135734-00000176-46178-1031-0042DEC5")
which is directly followed by "cmp eax, 04h" and "jnc 0042DF05h". See related instructions: "...
+45 call 0043E6F1h ;GetVersion
+50 and eax, 000000FFh
+55 cmp eax, 04h
+58 jnc 0042DF05h" ... from PID 00000176
Found API call GetVersion@KERNEL32.DLL (Target: "SNOOKE_1_119_.EXE", Stream UID: "00135734-00000176-46178-1071-0042F22F")
which is directly followed by "cmp eax, 04h" and "jnc 0042F30Ch". See related instructions: "...
+202 call 0043E6F1h ;GetVersion
+207 and eax, 000000FFh
+212 cmp eax, 04h
+215 jnc 0042F30Ch" ... from PID 00000176
Found API call GetVersion@KERNEL32.DLL (Target: "SNOOKE_1_119_.EXE", Stream UID: "00135734-00000176-46178-981-0042B9A2")
which is directly followed by "cmp dword ptr [00442E44h], 00000000h" and "je 0042B9F1h". See related instructions: "...
+21 inc byte ptr [00442E48h]
+27 call 0043E6F1h ;GetVersion
+32 mov esi, eax
+34 and esi, 80000000h
+40 mov dword ptr [00442E44h], esi
+46 cmp dword ptr [00442E44h], 00000000h
+53 je 0042B9F1h" ... from SNOOKE_1_119_.EXE (PID: 176) - source
- Hybrid Analysis Technology
- relevance
- 10/10
-
-
General
-
Contains ability to find and load resources of a specific module
- details
-
FindResourceA@KERNEL32.DLL from SNOOKE_1_119_.EXE (PID: 176)
LockResource@KERNEL32.DLL from SNOOKE_1_119_.EXE (PID: 176) - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
-
Unusual Characteristics
-
Imports suspicious APIs
- details
-
DeleteFileA
LockResource
GetModuleHandleA
GetProcAddress
UnhandledExceptionFilter
GetStartupInfoA
WriteFile
GetModuleFileNameA
CreateThread
VirtualAlloc
GetCommandLineA
GetFileSize
GetFileAttributesA
CreateFileA
FindFirstFileA
FindNextFileA
LoadLibraryA
FindResourceA
GetWindowThreadProcessId
GetUpdateRgn
RegOpenKeyExA
RegCreateKeyExA
RegCloseKey - source
- Static Parser
- relevance
- 1/10
-
Reads information about supported languages
- details
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE", Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
-
Timestamp in PE header is very old or in the future
- details
- "SNOOKE_1_119_.EXE.bin" claims program is from Thu Oct 31 02:32:57 2047
- source
- Static Parser
- relevance
- 10/10
-
-
Hiding 1 Suspicious Indicators
-
Informative 5
-
Anti-Reverse Engineering
-
Found strings in conjunction with a procedure lookup that resolve to a known API export symbol
- details
- Found reference to API DefWindowProcA@USER32.DLL from SNOOKE_1_119_.EXE (PID: 176)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
-
Environment Awareness
-
Contains ability to query machine time
- details
-
GetLocalTime@KERNEL32.DLL from PID 00000176 - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/56 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
-
General
-
Loads modules at runtime
- details
-
"<Input Sample>" loaded module "CLBCATQ.DLL" at base 77900000
"<Input Sample>" loaded module "%WINDIR%\SYSTEM32\AUDIOSES.DLL" at base 6FE40000
"<Input Sample>" loaded module "CFGMGR32.DLL" at base 75BB0000
"<Input Sample>" loaded module "OLEAUT32.DLL" at base 77510000 - source
- API Call
- relevance
- 1/10
-
Looks up procedures from modules (excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime)
- details
-
"GetCatalogObject@CLBCatQ.DLL"
"GetCatalogObject2@CLBCatQ.DLL"
"DllGetClassObject@AUDIOSES.DLL"
"DllCanUnloadNow@AUDIOSES.DLL"
"DllGetClassObject@MMDevAPI.DLL"
"CMP_RegisterNotification@CFGMGR32.dll"
"CM_MapCrToWin32Err@CFGMGR32.dll"
"SetupDiGetClassDevsExW@SETUPAPI.dll"
"SetupDiEnumDeviceInfo@SETUPAPI.dll"
"CM_Get_DevNode_Status@SETUPAPI.dll"
"SetupDiEnumDeviceInterfaces@SETUPAPI.dll"
"SetupDiGetDeviceInterfaceDetailW@SETUPAPI.dll" - source
- API Call
- relevance
- 1/10
-
File Details
SNOOKE~1 (119).EXE
- Filename
- SNOOKE~1 (119).EXE
- Size
- 1.1MiB (1175552 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- b984c6fc3477e43de152254b316bc9796e9b7cd1a6aaf1efa2172671169fde06
- MD5
- 9dbcbf4df0b64a7ed7329de2b450d3ae
- SHA1
- 1899bd2b4254675fa4dc3461249ee4c63404e4e6
- ssdeep
- 12288:FKM9C0Vr6XUDvbS/LyV075qEVI31zPOlUgVvJYfoUjKaPIFHsbjrjOwJXtFjKX/0:F80Vwl8EVUwSXjImTjBJnKPAh
- imphash
- 37d9bc91b2c684902fc5202e50edecbd
- authentihash
- bfb4091f8e97a3bf84ec4fab8e77753b05a39b1d817c7c76ddefa7eed04470c8
Classification (TrID)
- 60.4% (.EXE) DOS Executable Borland C++
- 20.9% (.EXE) Win32 Executable (generic)
- 9.3% (.EXE) Generic Win/DOS Executable
- 9.2% (.EXE) DOS Executable Generic
- 0.0% (.CEL) Autodesk FLIC Image File (extensions: flc, fli, cel)
File Sections
File Resources
File Imports
File Exports
Name | Ordinal | Address |
---|---|---|
__GetExceptDLLinfo | #1 | 0x41006e |
@InitWndProc$qp6HWND__uiuil | #2 | 0x4299ce |
@StdDlgProc$qp6HWND__uiuil | #3 | 0x42f22f |
Screenshots
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- SNOOKE_1_119_.EXE (PID: 176)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
No significant files were extracted.