SHA256: 14508c8d6578c32a1407f9f716e20bb64e63c2619cd0c675602d8855d56649d2
File name: npicaN.dll
Detection ratio: 0 / 50
Analysis date: 2014-03-10 21:19:48 UTC ( 4 years, 8 months ago )
Antivirus Result Update
Ad-Aware 20140310
Yandex 20140310
AhnLab-V3 20140310
AntiVir 20140310
Antiy-AVL 20140310
Avast 20140310
AVG 20140309
Baidu-International 20140310
BitDefender 20140310
Bkav 20140310
ByteHero 20140310
CAT-QuickHeal 20140310
ClamAV 20140310
CMC 20140307
Commtouch 20140310
Comodo 20140310
DrWeb 20140310
Emsisoft 20140310
ESET-NOD32 20140310
F-Prot 20140310
F-Secure 20140310
Fortinet 20140310
GData 20140310
Ikarus 20140310
Jiangmin 20140310
K7AntiVirus 20140310
K7GW 20140310
Kaspersky 20140310
Kingsoft 20140310
Malwarebytes 20140310
McAfee 20140310
McAfee-GW-Edition 20140310
Microsoft 20140310
eScan 20140310
NANO-Antivirus 20140310
Norman 20140310
nProtect 20140310
Panda 20140310
Qihoo-360 20140310
Rising 20140310
Sophos AV 20140310
SUPERAntiSpyware 20140310
Symantec 20140310
TheHacker 20140309
TotalDefense 20140310
TrendMicro 20140310
TrendMicro-HouseCall 20140310
VBA32 20140310
VIPRE 20140310
ViRobot 20140310
The file being studied is a Portable Executable file! More specifically, it is a Win32 DLL file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
Copyright (c) 1990-2010 Citrix Systems, Inc.

Product Citrix ICA Client
Original name NPICAN.DLL
Internal name NPICAN
File version 12.1.0.30
Description Citrix ICA Client Plugin (Win32)
Signature verification Signed file, verified signature
Signing date 11:16 PM 10/12/2010
Signers
[+] Citrix Systems, Inc.
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer VeriSign Class 3 Code Signing 2009-2 CA
Valid from 1:00 AM 3/16/2010
Valid to 12:59 AM 4/2/2011
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 2C0B062935E739E31350D8B33763533A42377260
Serial number 5D AF 72 BB AD 5E 01 6F B9 20 A5 76 9D C0 46 01
[+] VeriSign Class 3 Code Signing 2009-2 CA
Status Valid
Issuer Class 3 Public Primary Certification Authority
Valid from 1:00 AM 5/21/2009
Valid to 12:59 AM 5/21/2019
Valid usage Client Auth, Code Signing
Algorithm sha1RSA
Thumbprint 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3
Serial number 65 52 26 E1 B2 2E 18 E1 59 0F 29 85 AC 22 E7 5C
[+] VeriSign Class 3 Public Primary CA
Status Valid
Issuer Class 3 Public Primary Certification Authority
Valid from 1:00 AM 1/29/1996
Valid to 12:59 AM 8/2/2028
Valid usage Server Auth, Client Auth, Email Protection, Code Signing
Algorithm md2RSA
Thumbprint 742C3192E607E424EB4549542BE1BBC53E6174E2
Serial number 70 BA E4 1D 10 D9 29 34 B6 38 CA 7B 03 CC BA BF
Counter signers
[+] VeriSign Time Stamping Services Signer - G2
Status This certificate or one of the certificates in the certificate chain is not time valid., The revocation status of the certificate or one of the certificates in the certificate chain is unknown., Error 65536 (0x10000), The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.
Issuer VeriSign Time Stamping Services CA
Valid from 1:00 AM 6/15/2007
Valid to 12:59 AM 6/15/2012
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE
Serial number 38 25 D7 FA F8 61 AF 9E F4 90 E7 26 B5 D6 5A D5
[+] VeriSign Time Stamping Services CA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Thawte Timestamping CA
Valid from 1:00 AM 12/4/2003
Valid to 12:59 AM 12/4/2013
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
Serial number 47 BF 19 95 DF 8D 52 46 43 F7 DB 6D 48 0D 31 A4
[+] Thawte Timestamping CA
Status Valid
Issuer Thawte Timestamping CA
Valid from 1:00 AM 1/1/1997
Valid to 12:59 AM 1/1/2021
Valid usage Timestamp Signing
Algorithm md5RSA
Thumbprint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2010-10-12 22:16:50
Entry Point 0x0000CE2B
Number of sections 5
PE sections
Overlays
MD5 f72723fd427d26fab11cfa58f79104cd
File type data
Offset 479232
Size 5536
Entropy 7.21
PE imports
GetTokenInformation
GetSidSubAuthorityCount
RegEnumValueW
GetSidSubAuthority
RegCloseKey
OpenProcessToken
GetUserNameA
UnregisterTraceGuids
RegQueryInfoKeyW
RegQueryValueExA
RegOpenKeyExW
GetTraceEnableLevel
RegisterTraceGuidsA
GetTraceEnableFlags
RegOpenKeyExA
TraceEvent
RegQueryValueExW
GetTraceLoggerHandle
CCMWindowSE_GetDesktopInfo
CCMPrivateSE_ReleaseEngineEvents
CCMLaunchApplication
CCMPrivateSE_PostMessage
CCMKBSE_GetInputState
CCMPrivateSE_SetPlugInWindow
CCMMouseSE_GetInputState
CCMWindowSE_ResizeApp
CCMPrivateSE_GetEngineData
CCMHLSE_SetSecurityFlags
CCMVCSE_GetChannelDataType
CCMVCSE_SetChannelFlags
CCMWindowSE_ShowWindow
CCMVCSE_GetMaxChannelWrite
CCMVCSE_GetChannelFlags
CCMFreeICASession
CCMVCSE_GetMaxChannelRead
CCMGetUnmarshalledHeadlessInterface
CCMVCSE_GetChannelCount
CCMScaleSE_ScaleDown
CCMSubscribePrivateICOEvents
CCMVCSE_GetChannelName
CCMScaleSE_ScalePercent
CCMWindowSE_GetEngineMainWindow
CCMLogoffSession
CCMSubscribeSessionErrorEvents
CCMKBSE_SetInputState
CCMSubscribeVirtualChannelEvents
CCMGetSessionInfo
CCMScaleSE_ScaleUp
CCMVCSE_GetChannelDataSize
CCMMouseSE_SetInputState
CCMVCSE_GetMaxChannelCount
CCMGetMyConnectionID
CCMFreeMemory
CCMHLSE_GetSecurityFlags
CCMVCSE_GetChannelNumber
CCMVCSE_GetChannelData
CCMInitialize
CCMPrivateSE_SetEngineData
CCMVCSE_CreateChannelPipe
CCMVCSE_GetGlobalChannelNumber
CCMVCSE_SendChannelData
CCMVCSE_GetGlobalChannelCount
CCMUninitialize
CCMScaleSE_ScaleSize
CCMLaunchPublishedApplication
CCMPrivateSE_GetSecuritySettings
CCMWindowSE_SetResolution
CCMScaleSE_ScaleDisable
CCMVCSE_GetGlobalChannelName
CCMPrivateSE_SetSecuritySettings
CCMWindowSE_SetWindowPosition
CCMDisconnectSession
CCMScaleSE_ScaleToFit
CCMScaleSE_ScaleDialog
CCMSubscribeSessionStateEvents
CCMEnumerateSessions
CCMSubscribeSessionSharingEvents
CCMScaleSE_ScaleEnable
CgpCoreLoad
GetDeviceCaps
GetBkColor
GetWindowExtEx
GetWindowOrgEx
SelectObject
CreatePen
GetStockObject
CreateBrushIndirect
SetBkColor
GetTextColor
Polyline
LPtoDP
GetMapMode
GetViewportExtEx
GetViewportOrgEx
DeleteObject
SetTextColor
FileTimeToDosDateTime
ReleaseMutex
CreateFileMappingA
GetFileAttributesA
SetEvent
DebugBreak
GetLocalTime
DeleteCriticalSection
GetCurrentProcess
LocalAlloc
OpenFileMappingA
SetErrorMode
GetLogicalDrives
VirtualLock
GetFileTime
IsDBCSLeadByteEx
GetTempPathA
WideCharToMultiByte
InterlockedExchange
WriteFile
WaitForSingleObject
GetSystemTimeAsFileTime
GetDiskFreeSpaceA
GetFullPathNameA
FreeLibrary
LocalFree
GetEnvironmentVariableA
OutputDebugStringW
FindClose
OutputDebugStringA
SetLastError
GetSystemTime
InitializeCriticalSection
TryEnterCriticalSection
IsDebuggerPresent
HeapAlloc
GetModuleFileNameA
GetVolumeInformationA
GetPrivateProfileStringA
UnhandledExceptionFilter
LoadLibraryExW
MultiByteToWideChar
CreateMutexA
GetModuleHandleA
CreateThread
GetSystemDirectoryW
SetUnhandledExceptionFilter
GetSystemDirectoryA
TerminateProcess
GlobalAlloc
GetCurrentThreadId
LeaveCriticalSection
SetCurrentDirectoryA
HeapFree
EnterCriticalSection
LoadLibraryW
GetOEMCP
QueryPerformanceCounter
GetTickCount
DisableThreadLibraryCalls
GetVersionExA
LoadLibraryA
GetFileSize
OpenProcess
CreateDirectoryA
DeleteFileA
GetWindowsDirectoryA
WaitForMultipleObjects
GetProcessHeap
FindFirstFileA
ResetEvent
GetTempFileNameA
GetComputerNameA
GlobalMemoryStatus
lstrcmpW
GetProcAddress
GetTimeZoneInformation
CreateEventA
CopyFileA
CreateFileA
GlobalGetAtomNameA
InterlockedIncrement
GetLastError
GlobalFree
GetProcessTimes
GetShortPathNameA
WritePrivateProfileStringA
GetCurrentProcessId
ProcessIdToSessionId
GetCurrentDirectoryA
InterlockedCompareExchange
OpenMutexA
lstrcpynW
QueryPerformanceFrequency
MapViewOfFile
SetFilePointer
ReadFile
CloseHandle
lstrcpynA
GetACP
GetVersion
UnmapViewOfFile
VirtualFree
Sleep
IsBadReadPtr
VirtualAlloc
_i64toa_s
fseek
strncpy_s
fclose
_snwprintf
wcsncpy_s
strtoul
fflush
_getpid
_mbsrchr
strtok
fwrite
_environ
_strdup
_filelength
isspace
_close
strcat_s
_mbsnbicmp
??3@YAXPAX@Z
_strupr
_mbschr
_write
memcpy
strnlen
strstr
memmove
_encoded_null
_mbscmp
strcmp
memchr
strncmp
_access
fgetc
memset
_wcsnicmp
_stricmp
_vsnprintf_s
fgets
__clean_type_info_names_internal
strchr
fopen
?_type_info_dtor_internal_method@type_info@@QAEXXZ
??2@YAPAXI@Z
isxdigit
_strlwr
sprintf
strrchr
strcpy_s
_initterm_e
_crt_debugger_hook
free
ungetc
_except_handler4_common
sprintf_s
_read
_initterm
_malloc_crt
realloc
__dllonexit
_lseek
toupper
printf
_wfullpath
_commit
strncpy
wcsnlen
qsort
_itoa_s
_open
_onexit
wcslen
isalpha
_snprintf
_mbsicmp
strncat_s
getenv
atoi
atol
_purecall
_mbslwr
_mbsrev
wcscpy
strspn
_strnicmp
_snprintf_s
malloc
wprintf
strtok_s
fprintf
isdigit
towupper
strlen
strncat
?terminate@@YAXXZ
_ismbcspace
_lock
_encode_pointer
towlower
_decode_pointer
_amsg_exit
_wcsicmp
tolower
_unlock
_adjust_fdiv
strpbrk
_mbsstr
calloc
memcpy_s
wcsncat_s
__CppXcptFilter
wcsstr
_wtol
GetModuleFileNameExA
UuidCreate
SHGetFileInfoA
ExtractIconA
SHGetSpecialFolderLocation
SHGetPathFromIDListA
SHGetMalloc
ShellExecuteA
TcpProxyServiceLoad
SetFocus
MapVirtualKeyA
GetMessagePos
GetParent
DrawTextA
SetPropA
EndDialog
RegisterWindowMessageA
EnumWindows
KillTimer
BeginPaint
GetScrollRange
ShowWindow
DefWindowProcA
GetForegroundWindow
SetClassLongA
GetPropA
SetWindowPos
RemoveMenu
GetWindowThreadProcessId
GetSystemMetrics
PeekMessageA
IsWindow
GetWindowRect
DispatchMessageA
ClientToScreen
UnhookWindowsHookEx
UnregisterClassA
PostMessageA
EnumChildWindows
GetDlgItemTextA
IntersectRect
MessageBoxA
GetSystemMenu
SetWindowLongA
GetQueueStatus
GetMessageTime
GetWindow
CallNextHookEx
SetActiveWindow
GetDC
GetCursorPos
ReleaseDC
RemovePropA
GetClassInfoA
DestroyIcon
LoadStringA
FindWindowA
SetParent
TranslateMessage
EndPaint
IsWindowVisible
SendMessageA
LoadStringW
GetClientRect
SetTimer
IsIconic
ScreenToClient
SetRect
InvalidateRect
InsertMenuA
GetWindowLongA
FindWindowExA
CreateWindowExA
LoadCursorA
LoadIconA
SetWindowsHookExA
GetMenuItemCount
RegisterClassA
AdjustWindowRect
AttachThreadInput
GetDesktopWindow
CallWindowProcA
GetClassNameA
GetFocus
FillRect
GetUpdateRect
DialogBoxIndirectParamA
DestroyWindow
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA
WinHttpOpen
WinHttpCloseHandle
WinHttpGetProxyForUrl
DetectAutoProxyUrl
WSAStartup
gethostbyname
inet_ntoa
gethostname
WSACleanup
htonl
ioctlsocket
connect
getsockname
htons
WSASetLastError
WSAGetLastError
recv
ntohl
send
getservbyport
ntohs
select
gethostbyaddr
inet_ntoa
closesocket
setsockopt
socket
bind
recvfrom
sendto
getservbyname
g_CGPconfig
CGPGetBrPort
ConfigurationManager_SetString
ConfigurationManager_destroy
ConfigurationManager_GetString
ConfigurationManager_SetTrustEvidence
ConfigurationManager_new
ConfigurationManager_SetConfigurationDirectory
CTXMUI_MessageBoxA
CTXMUI_LoadResourceLibraryW
CTXMUI_LoadResourceLibraryA
CTXMUI_GetResourceHandleA
ICAFile_Serialize
ICAFile_ReadParameter
ICAFile_destroy
ICAFile_create
ICAFile_EnumerateSections
ICAFile_Deserialize
ICAFile_EnumerateKeys
ICAFile_SerializeRawData
ICAFile_FreeSerializeData
CreateICALogonDlgA
ICALOGONINFOSetPwSecret
FreeICALogonInfo
StringFromIID
CoTaskMemFree
URLDownloadToFileA
CoInternetCreateZoneManager
CoInternetCreateSecurityManager
PE exports
Number of PE resources by type
RT_MANIFEST 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 2
PE resources
Debug information
ExifTool file metadata
LegalTrademarks
Copyright (c) 1990-2010 Citrix Systems, Inc.

SubsystemVersion
4.0

LinkerVersion
8.0

ImageVersion
0.0

ProductName
Citrix ICA Client

FileVersionNumber
12.1.0.30

UninitializedDataSize
0

LanguageCode
English (U.S.)

FileFlagsMask
0x003f

ImageFileCharacteristics
Executable, 32-bit, DLL

CharacterSet
Windows, Latin1

InitializedDataSize
106496

FileTypeExtension
dll

OriginalFileName
NPICAN.DLL

MIMEType
application/x-ica

Subsystem
Windows GUI

FileExtents
ica

PEType
PE32

FileVersion
12.1.0.30

TimeStamp
2010:10:12 23:16:50+01:00

FileType
Win32 DLL

FileOpenName
Citrix ICA (*.ica)

InternalName
NPICAN

ProductVersion
12.1.0

FileDescription
Citrix ICA Client Plugin (Win32)

OSVersion
4.0

FileOS
Win32

LegalCopyright
Copyright (c) 1990-2010 Citrix Systems, Inc.

MachineType
Intel 386 or later, and compatibles

CompanyName
Citrix Systems, Inc.

CodeSize
368640

FileSubtype
0

ProductVersionNumber
12.1.0.30

EntryPoint
0xce2b

ObjectFileType
Dynamic link library

CarbonBlack CarbonBlack acts as a surveillance camera for computers
While monitoring an end-user machine in the wild, CarbonBlack observed that the following files, while executing, wrote this sample to disk.
Execution parents
Compressed bundles
File identification
MD5 783f2c4232ced8829f1bbe9434cf5546
SHA1 9f975e43d98830411e5ff310284b258161641c4c
SHA256 14508c8d6578c32a1407f9f716e20bb64e63c2619cd0c675602d8855d56649d2
ssdeep
12288:Zyv8sLbi5UZ11xi+rm5LzpRadII01Er2Q34H:ZyFZ110+rm5XfaGIoK4H

authentihash 8ff25e4b47f6ed544e84b5b2b9757e9c94641efff652af309bf32330bec9db78
imphash a2e4ad082b55046ede7004d6539ebded
File size 473.4 KB ( 484768 bytes )
File type Win32 DLL
Magic literal
PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

TrID Win32 Executable MS Visual C++ (generic) (41.0%)
Win64 Executable (generic) (36.3%)
Win32 Dynamic Link Library (generic) (8.6%)
Win32 Executable (generic) (5.9%)
OS/2 Executable (generic) (2.6%)
Tags
pedll signed overlay

VirusTotal metadata
First submission 2010-10-28 15:01:26 UTC ( 8 years ago )
Last submission 2017-04-18 09:17:46 UTC ( 1 year, 7 months ago )
File names NPICAN
NPICAN.DLL
prf3087.tmp
npicaN.dll
npicaN.dll
npican.dll.827545c6_7013_4de1_8e6c_daee4c57f54a
npicaN.dll
npicaN.dll
npicaN.dll
npicaN.dll
1C1D46ACA00B0F6D65D1072AE91014007DF60D5B.dll
npicaN.dll
npicaN.dll
npicaN.dll
npican.dll
npican.dll
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Symantec reputation Suspicious.Insight