Manalyze report for 47053694954604fc47e13a3e0ee912a572d188221410cfd5b91d532459065e70

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2010-Jun-19 17:59:16
Detected languages	English - United States
Comments	username=pc_name;server=demo.echovnc.com;password=demo2010
CompanyName	Echogent Systems, Inc.
FileDescription	InstantVNC
FileVersion	`1, 42, 0, 0`
InternalName	InstantVNC
LegalCopyright	Copyright 2005-2010; Echogent Systems, Inc.
OriginalFilename	InstantVNC.exe
ProductName	InstantVNC
ProductVersion	`1, 42, 0, 0`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Info	Interesting strings found in the binary:	`Contains domain names: demo.echovnc.com echovnc.com`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Possibly launches other programs: CreateProcessA` `Enumerates local disk drives: GetDriveTypeA`
Suspicious	The PE is possibly a dropper.	`Resources amount for 80.009% of the executable.`
Suspicious	The file contains overlay data.	`4294 bytes of data starting at offset 0x9da00.` `The overlay data has an entropy of 7.518 and is possibly compressed or encrypted.`
Malicious	VirusTotal score: 5/72 (Scanned on 2025-09-29 14:17:13)	`APEX: Malicious` `Bkav: W32.AIDetectMalware` `CrowdStrike: win/malicious_confidence_70% (W)` `DeepInstinct: MALICIOUS` `Trapmine: malicious.moderate.ml.score`

Hashes

MD5	`95b7d48652729c0f0cf965bf79473408`
SHA1	`aeb771dd5a6ddc242dd865ac247ecc8c269b5cd9`
SHA256	`47053694954604fc47e13a3e0ee912a572d188221410cfd5b91d532459065e70`
SHA3	`c9ab885cf5a851e3abea71ce86f0a989cf3c7787a0e6eda2c9d09b59f0e0d968`
SSDeep	`12288:GklC5zJiZ0koH3dy4r4s1GKQiRO9m+XFA+dnXUUjJDaoFVVV5CwDsO5m2R:GEC5zJiZ0kUy4pG6MTVA+dXJD1P5CkmC`
Imports Hash	`e0d98dcf14095a0c3a4e5036ea5488ca`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2010-Jun-19 17:59:16
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`9.0`
SizeOfCode	`0x17400`
SizeOfInitializedData	`0x86200`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000CEBD (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x19000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.0`
ImageVersion	`0.0`
SubsystemVersion	`5.0`
Win32VersionValue	`0`
SizeOfImage	`0xa2000`
SizeOfHeaders	`0x400`
Checksum	`0xa8988`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`ffbf7def7961ff43b46537b2c7bdb79f`
SHA1	`54f4a1a2f1e5e3bf55746dfb464bb33b59b8446b`
SHA256	`edd5fab858c29da3ef88d028ff2d13c0e4a9262358e4913208a31939b5f75836`
SHA3	`4b79c9c9354f34d2bb0c79d853ac386d1fd92802f65f5f8bc22dfd752f56254a`
VirtualSize	`0x1720e`
VirtualAddress	`0x1000`
SizeOfRawData	`0x17400`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.61584`

.rdata

MD5	`39004786f1aa41474f6d598d29c1e363`
SHA1	`1e9c298943ee071dbf79a525d0ed2fe10b380729`
SHA256	`54a5b191183aaffb55390828091161d5ab6b8eaafc09349984621b866bf2b919`
SHA3	`42594392b22cc569f0c065c4f3d2b4760a58ae73f74d1ff9fb75b6c5aa3dac1a`
VirtualSize	`0x54dc`
VirtualAddress	`0x19000`
SizeOfRawData	`0x5600`
PointerToRawData	`0x17800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.018`

.data

MD5	`52a01a716403359429d9763a5ea33fe0`
SHA1	`f4f702cecf319bc7c5fcdd8551d007136e76e9f0`
SHA256	`637866efc2d16eec07f02cfd4b42e137cb9717817349c8c8a540cccbb4e9ee1e`
SHA3	`37219d893b4de6e4c85eb01b9d8dfa65021005ca2b29f444dffaac447440d657`
VirtualSize	`0x2da0`
VirtualAddress	`0x1f000`
SizeOfRawData	`0x1200`
PointerToRawData	`0x1ce00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.42685`

.rsrc

MD5	`b9e6abc3ffee19804320b0420fde2ef1`
SHA1	`e79804f486fe4d24b03ef5e9de7641578b31001c`
SHA256	`475e33f5d9ffb831f6605cc4ac96d2b8efe305bac801c356a3c7b9f8d9baa0c0`
SHA3	`67394dfc42ea9078aec8fe718f101ba464a385fa2e0993f44d98714623e4255c`
VirtualSize	`0x7f980`
VirtualAddress	`0x22000`
SizeOfRawData	`0x7fa00`
PointerToRawData	`0x1e000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.99157`

Imports

KERNEL32.dll	`WriteFile` `CreateFileA` `LockResource` `LoadResource` `SizeofResource` `FindResourceA` `GetLogicalDrives` `FindClose` `FindFirstFileA` `lstrcpyA` `lstrlenA` `SetFileAttributesA` `GetFileAttributesA` `GetModuleFileNameA` `GetFileSize` `GetVersionExA` `CreateDirectoryA` `WaitForSingleObject` `CreateProcessA` `GetProcAddress` `LoadLibraryA` `FreeLibrary` `CloseHandle` `SetFilePointer` `GetLastError` `GetComputerNameA` `SystemTimeToFileTime` `LocalFileTimeToFileTime` `GetCurrentDirectoryA` `SetFileTime` `Sleep` `DeleteFileA` `WritePrivateProfileStringA` `WritePrivateProfileSectionA` `GetStringTypeW` `GetStringTypeA` `WriteConsoleW` `ReadFile` `FreeResource` `GetConsoleOutputCP` `WriteConsoleA` `GetLocaleInfoA` `HeapFree` `HeapAlloc` `TerminateProcess` `GetCurrentProcess` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `IsDebuggerPresent` `RaiseException` `RtlUnwind` `HeapReAlloc` `FileTimeToSystemTime` `FileTimeToLocalFileTime` `GetDriveTypeA` `GetCommandLineA` `GetStartupInfoA` `HeapCreate` `VirtualFree` `DeleteCriticalSection` `LeaveCriticalSection` `EnterCriticalSection` `VirtualAlloc` `GetModuleHandleW` `ExitProcess` `GetStdHandle` `SetHandleCount` `GetFileType` `TlsGetValue` `TlsAlloc` `TlsSetValue` `TlsFree` `InterlockedIncrement` `SetLastError` `GetCurrentThreadId` `InterlockedDecrement` `HeapSize` `GetFullPathNameA` `WideCharToMultiByte` `FreeEnvironmentStringsA` `GetEnvironmentStrings` `FreeEnvironmentStringsW` `GetEnvironmentStringsW` `QueryPerformanceCounter` `GetTickCount` `GetCurrentProcessId` `GetSystemTimeAsFileTime` `InitializeCriticalSectionAndSpinCount` `SetStdHandle` `GetConsoleCP` `GetConsoleMode` `FlushFileBuffers` `GetCPInfo` `GetACP` `GetOEMCP` `IsValidCodePage` `GetTimeZoneInformation` `LCMapStringA` `MultiByteToWideChar` `LCMapStringW` `CompareStringA` `CompareStringW` `SetEnvironmentVariableA`
USER32.dll	`MessageBoxA` `CharUpperA` `wsprintfA` `GetKeyState`
ADVAPI32.dll	`GetUserNameA`
SHELL32.dll	`ShellExecuteExA` `SHFileOperationA`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.40187`
MD5	`e1300990f72fab81e82e6e4e1c06e930`
SHA1	`77d263210444425e5b2fac14b123bd98fed82b6e`
SHA256	`965695cd517894111b8992aea12d7e1b793ea830bcb37527c6944a8fc2955ee8`
SHA3	`1d6abb777d9283efc4ce568f69926f1cea8a6e4642e8fa6b72cec5cc6a35da36`

100

Type	`RT_RCDATA`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x34ed6`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.99614`
Detected Filetype	Zip Compressed Archive
MD5	`d171a69726fd4f76f8f105bd7c11fe97`
SHA1	`c035e27e303a454980ae9a0071ada0f122829967`
SHA256	`e9e6a389f9183b4d9cfb9bfaf1af1cd2b908ee7ce5cbae43e5c01b2dcd1eaa4e`
SHA3	`7f9cb3870cfea92ec8a1e087f80fb216f450c85b7f026697813245a5d69f6bc2`

101

Type	`RT_RCDATA`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x42ce9`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.99591`
Detected Filetype	Zip Compressed Archive
MD5	`beee229fc92498e0330998b0eb37ff83`
SHA1	`bc9e81ab269396fca2197d80f182826d8e07cca8`
SHA256	`b575fb7c164f58b11d74c3d88feff1ae4279f7dbd25249026b8334ef9a0e451f`
SHA3	`514e8b47874c115b6ea4559f327bf7120eb7217fdc3bcc60ea9299ab419b4774`

102

Type	`RT_RCDATA`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x6a06`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.98878`
Detected Filetype	Zip Compressed Archive
MD5	`f14fc1e787ac7e6cebce219bc2547960`
SHA1	`f6b773fdac0c39bafd105b42971d5be550917a59`
SHA256	`1436664e037ee295c33e79ca64f1fa53c5f1717481046ece36c7cbdcc5bdfc65`
SHA3	`f020706e524dc5a80a1a34c5d140c9d95f4c511f34edc21970afe9c9fe5349eb`

103

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.91924`
Detected Filetype	Icon file
MD5	`6f191f45d2ea96b2d22e9eafa1a55bd7`
SHA1	`aa9a0930cb6ae38dd9645dbd2e85cf3796ed2977`
SHA256	`f01c223e6cf0e0f5c1d990ad720488af398180adb1b92e61c2144cf11d3130f8`
SHA3	`ab7f66f51b1cb5a30df00c2674a3a04e8323578947f36708e2e82dd5d04f0416`

VS_VERSION_INFO

Type	`RT_VERSION`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x3a4`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.40891`
MD5	`88a5978e5d9c1dacaa17b4fdb25a6474`
SHA1	`a860ec51013ca7c9389a5630e09eb68ff807a1f3`
SHA256	`5939055ee09e32966327e7435d31fbcfaee89c116b0902ce3831892bd09dd9ad`
SHA3	`158e7c892a92216b80f20b2575348fe12549f9aa37c8a6a02f7f0e27c20239d9`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x15a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.79597`
MD5	`24d3b502e1846356b0263f945ddd5529`
SHA1	`bac45b86a9c48fc3756a46809c101570d349737d`
SHA256	`49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e`
SHA3	`1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.42.0.0
ProductVersion	1.42.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
Comments	username=pc_name;server=demo.echovnc.com;password=demo2010
CompanyName	Echogent Systems, Inc.
FileDescription	InstantVNC
FileVersion (#2)	1, 42, 0, 0
InternalName	InstantVNC
LegalCopyright	Copyright 2005-2010; Echogent Systems, Inc.
OriginalFilename	InstantVNC.exe
ProductName	InstantVNC
ProductVersion (#2)	1, 42, 0, 0

Resource LangID	English - United States

TLS Callbacks

Load Configuration

Size	`0x48`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x41f100`
SEHandlerTable	`0x41cc40`
SEHandlerCount	`29`

RICH Header

XOR Key	`0x38da846c`
Unmarked objects	`0`
ASM objects (VS2008 SP1 build 30729)	`20`
C objects (VS2008 SP1 build 30729)	`121`
Imports (VS2012 build 50727 / VS2005 build 50727)	`9`
Total imports	`133`
C++ objects (VS2008 SP1 build 30729)	`58`
Linker (VS2008 SP1 build 30729)	`1`
Resource objects (VS2008 SP1 build 30729)	`1`

Errors

Leave a comment

No comments yet.