89d3d099b6d8731bd1b7f5a68b5bf17c

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2022-Nov-18 20:10:21
Detected languages English - United States
Debug artifacts C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb
FileVersion 23.8.5.8707
ProductVersion 23.8.5.8707
CompanyName
ProductName

Plugin Output

Suspicious: The PE contains functions most legitimate programs don't use.
[!] The program may be hiding some of its imports:
  • LoadLibraryW
  • GetProcAddress
  • LoadLibraryExW
Can access the registry:
  • RegSetValueExW
  • RegCreateKeyW
  • RegOpenKeyW
Interacts with services:
  • CreateServiceW
  • QueryServiceStatus
  • OpenSCManagerW
  • OpenServiceW
Info: The PE is digitally signed.
  • Signer: Connectwise
  • Issuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Suspicious: VirusTotal score: 2/74 (Scanned on 2024-06-14 08:05:58)
  • MaxSecure: Win.MxResIcn.Heur.Gen
  • Zillya: Trojan.Stealer.Win32.37991

Hashes

MD5 89d3d099b6d8731bd1b7f5a68b5bf17c
SHA1 c6aed886840aafd08796207e2646d8805d012b81
SHA256 bcaa3d8dcba6ba08bf20077eadd0b31f58a1334b7b9c629e475694c4eeafd924
SHA3 6cb3637f870a9505d02f4744450aac6d1a7161aea142f7855765b362ed91fa6c
SSDeep 1536:Jg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkgIU0HMe7ox6:qhbNDxZGXfdHrX7rAc6myJkgIU0HNj
Imports Hash 5f510e22d141c137199e2ff4021a57be

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x110

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2022-Nov-18 20:10:21
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0xc000
SizeOfInitializedData 0x8800
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000217F (Section: .text)
BaseOfCode 0x1000
BaseOfData 0xd000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0x18000
SizeOfHeaders 0x400
Checksum 0x17a59
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 4903141203ee15a88e0ec583d004b2e1
SHA1 6509116efd1ec01f0a261f832548bb2e2140eb1b
SHA256 4e092069512ea94df2eda4c44dfd35fc1f90432625bd0baa45d6b36d8d4e87dd
SHA3 fcc00236acbedbd1ce20eecb836fd7ab5d5fdd78f7082e7aa720345435be8fbd
VirtualSize 0xbf3a
VirtualAddress 0x1000
SizeOfRawData 0xc000
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.57656

.rdata

MD5 d7ff5c28f3b91b07d0d4a0084e0c4027
SHA1 6d43d9100a4e595ecfa5f60a4217976f9ae256ab
SHA256 78d798a02a7aa580ad51990948a5fd085dfa3f194772289e2f878d6802b41158
SHA3 c6e79e6ce63b48c8c2dd3d916640763cb6954ec0de5ae2f3105d866327a62073
VirtualSize 0x66f2
VirtualAddress 0xd000
SizeOfRawData 0x6800
PointerToRawData 0xc400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.80461

.data

MD5 c1c9bc79d0134b5bbd10e2601a2f323e
SHA1 1f87830aa8b528356f2a437016dbaa8701eda276
SHA256 6d4e1954f718096a5bee8e20db5760129dd57b21c32ad999e94cd2b60efea428
SHA3 6837a45909f2b53ed334e54134460ff22bdbb609731cec525969c286164e8d9e
VirtualSize 0x1284
VirtualAddress 0x14000
SizeOfRawData 0xa00
PointerToRawData 0x12c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.14343

.rsrc

MD5 95f5ecb7c6a43682e09b1c9c3bc9bd51
SHA1 f98ce0fe9428d26be4cfe5a8b91809bb443a6d63
SHA256 e332bdac8b2062acc413a0b5623f28db9a8d5dde8cf6f2f8ea29163fc3e07ef4
SHA3 f6a917a8e6b7ef083bdeb518fd1c1fceace3a569d1ac8cafaf2885215c897d42
VirtualSize 0x450
VirtualAddress 0x16000
SizeOfRawData 0x600
PointerToRawData 0x13600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.694

.reloc

MD5 b8d6010afa6ab836c37551e6072726fe
SHA1 b1c4df2ab6bdfc101f399da4126d56c4dff852c0
SHA256 b7b424659e58cdf5c10cbc61a4691a475460c27f03943021f6f767478a66a428
SHA3 eebbb33015ef69e46b938f83d6d054cf873c72cd8ed43028381c5b99ecdd8622
VirtualSize 0xfc0
VirtualAddress 0x17000
SizeOfRawData 0x1000
PointerToRawData 0x13c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.51232

Imports

mscoree.dll
  • CorBindToRuntimeEx
SHLWAPI.dll
  • StrCatW
  • PathFindFileNameW
  • StrCpyW
  • PathRemoveExtensionW
KERNEL32.dll
  • SetEvent
  • CloseHandle
  • LoadLibraryW
  • DecodePointer
  • GetProcAddress
  • GetLastError
  • GetCurrentProcessId
  • GetModuleHandleW
  • SetStdHandle
  • Sleep
  • CreateEventW
  • InitializeCriticalSectionAndSpinCount
  • GetModuleFileNameW
  • GetCommandLineW
  • GetStringTypeW
  • FlushFileBuffers
  • GetConsoleCP
  • GetConsoleMode
  • SetFilePointerEx
  • WriteConsoleW
  • DeleteCriticalSection
  • RtlUnwind
  • GetFileType
  • GetProcessHeap
  • FreeEnvironmentStringsW
  • IsDebuggerPresent
  • OutputDebugStringW
  • RaiseException
  • EnterCriticalSection
  • LeaveCriticalSection
  • UnhandledExceptionFilter
  • SetUnhandledExceptionFilter
  • GetCurrentProcess
  • TerminateProcess
  • IsProcessorFeaturePresent
  • GetStartupInfoW
  • QueryPerformanceCounter
  • GetCurrentThreadId
  • GetSystemTimeAsFileTime
  • InitializeSListHead
  • CreateFileW
  • SetLastError
  • EncodePointer
  • TlsAlloc
  • TlsGetValue
  • TlsSetValue
  • TlsFree
  • FreeLibrary
  • LoadLibraryExW
  • ExitProcess
  • GetModuleHandleExW
  • GetModuleFileNameA
  • MultiByteToWideChar
  • WideCharToMultiByte
  • GetStdHandle
  • WriteFile
  • GetACP
  • HeapFree
  • HeapSize
  • HeapReAlloc
  • LCMapStringW
  • HeapAlloc
  • FindClose
  • FindFirstFileExA
  • FindNextFileA
  • IsValidCodePage
  • GetOEMCP
  • GetCPInfo
  • GetCommandLineA
  • GetEnvironmentStringsW
ADVAPI32.dll
  • RegisterServiceCtrlHandlerExW
  • CreateServiceW
  • QueryServiceStatus
  • CloseServiceHandle
  • OpenSCManagerW
  • SetServiceStatus
  • RegSetValueExW
  • StartServiceW
  • RegCreateKeyW
  • StartServiceCtrlDispatcherW
  • OpenServiceW
  • RegOpenKeyW
OLEAUT32.dll
  • VariantInit
  • SysFreeString
  • SysAllocString
  • SafeArrayPutElement
  • SafeArrayCreateVector
  • VariantClear

Delayed Imports

1

Type RT_VERSION
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x22c
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.33403
MD5 cc456d941af2906b0b44ca654d21bc54
SHA1 c8a64e87c38cedc3d851cf0b13bd11b712eb7186
SHA256 361e38cb3c808e6c42b962c75ebd1e70069236cc38ac335a2b891e6255aa0ee5
SHA3 6e8ed8b193b5f132c52ecc51987b0bf750bd1ed8a2cbbff7f201996e3c491c40

1 (#2)

Type RT_MANIFEST
Language English - United States
Codepage Latin 1 / Western European
Size 0x184
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91862
MD5 3250787fdcd75aa2587529b89c7738b2
SHA1 622b5627941ecee9cfe6179c3017bbf7b43fffaa
SHA256 8b0de2e560d8476fb0013b44f1e10c2789ae71e0353866890dc5f9c57fb1f44a
SHA3 6bf4f0eaf6795c219d4d808caa895dcb53f7fe9c81e92ce03da1db7841bfcd3d

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 23.8.5.8707
ProductVersion 23.8.5.8707
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language UNKNOWN
FileVersion (#2) 23.8.5.8707
ProductVersion (#2) 23.8.5.8707
CompanyName
ProductName
Resource LangID UNKNOWN

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2022-Nov-18 20:10:21
Version 0.0
SizeofData 110
AddressOfRawData 0x12438
PointerToRawData 0x11838
Referenced File C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2022-Nov-18 20:10:21
Version 0.0
SizeofData 20
AddressOfRawData 0x124a8
PointerToRawData 0x118a8

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2022-Nov-18 20:10:21
Version 0.0
SizeofData 812
AddressOfRawData 0x124bc
PointerToRawData 0x118bc

IMAGE_DEBUG_TYPE_ILTCG

Characteristics 0
TimeDateStamp 2022-Nov-18 20:10:21
Version 0.0
SizeofData 0
AddressOfRawData 0
PointerToRawData 0

TLS Callbacks

Load Configuration

Size 0xc0
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x414004
SEHandlerTable 0x412378
SEHandlerCount 8

RICH Header

XOR Key 0xf04671bc
Unmarked objects 0
241 (40116) 10
243 (40116) 122
242 (40116) 24
C objects (VS2022 Update 3 (17.3.0) compiler 31616) 17
ASM objects (VS2022 Update 3 (17.3.0) compiler 31616) 20
C++ objects (VS2022 Update 3 (17.3.0) compiler 31616) 42
Imports (VS2008 SP1 build 30729) 10
Imports (VS2008 build 21022) 3
Total imports 112
C++ objects (LTCG) (VS2022 Update 3 (17.3.4-6) compiler 31630) 1
Resource objects (VS2022 Update 3 (17.3.4-6) compiler 31630) 1
Linker (VS2022 Update 3 (17.3.4-6) compiler 31630) 1

Errors