Manalyze report for c4c22bb09756ad2f61ef29c148635985b9eb9b0f3d0612740d97cc4a20d03016

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2022-Nov-18 20:10:20
Detected languages	English - United States
Debug artifacts	C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0` `Microsoft Visual C# v7.0 / Basic .NET` `.NET executable -> Microsoft`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to system / monitoring tools: rundll32.exe` `Contains references to security software: rshell.exe` `May have dropper capabilities: CurrentControlSet\Services` `Contains another PE executable: This program cannot be run in DOS mode.` `Miscellaneous malware strings: cmd.exe` Contains domain names: cacerts.digicert.com crl3.digicert.com crl4.digicert.com digicert.com feedback.screenconnect.com http://cacerts.digicert.com http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0 http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0 http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C http://crl3.digicert.com http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0 http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0 http://crl3.digicert.com/DigiCertTrustedRootG4.crl0 http://crl4.digicert.com http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0 http://ocsp.digicert.com0 http://ocsp.digicert.com0A http://ocsp.digicert.com0C http://ocsp.digicert.com0X http://ocsp.digicert.com0\ http://www.digicert.com http://www.digicert.com/CPS0 https://feedback.screenconnect.com https://feedback.screenconnect.com/Feedback.axd screenconnect.com www.digicert.com
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to SHA256`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: LoadLibraryW GetProcAddress LoadLibraryExW`
Malicious	The PE is possibly a dropper.	`Resource SCREENCONNECT.CORE, VERSION=24.2.10.8991, CULTURE=NEUTRAL, PUBLICKEYTOKEN=4B14C015C87C1AD8 detected as a PE Executable.` `Resource SCREENCONNECT.WINDOWS, VERSION=24.2.10.8991, CULTURE=NEUTRAL, PUBLICKEYTOKEN=4B14C015C87C1AD8 detected as a PE Executable.` `Resource SCREENCONNECT.WINDOWSINSTALLER, VERSION=24.2.10.8991, CULTURE=NEUTRAL, PUBLICKEYTOKEN=4B14C015C87C1AD8 detected as a PE Executable.` `Resource _ENTRYPOINT detected as a PE Executable.` `Resource _RESOLVER detected as a PE Executable.` `Resources amount for 96.4347% of the executable.`
Info	The PE is digitally signed.	`Signer: Connectwise` `Issuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`e06654486e835aad7f55505918bbbfb6`
SHA1	`563d644ca81977047a2f0d222bee84b1204f9127`
SHA256	`c4c22bb09756ad2f61ef29c148635985b9eb9b0f3d0612740d97cc4a20d03016`
SHA3	`3135c3640c39abc9642c1329f399bcf221bc47b775a3ae85a1034f8961a03086`
SSDeep	`49152:IDex5xKkEJkGYYpT0+TFiH7efP0x58IJL+md3rHgDNMKLo8SsxG/XcW32gqkAfo:c4s6efPQ53JLbd3LINMLaGUW39f0`
Imports Hash	`9771ee6344923fa220489ab01239bdfd`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x108`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2022-Nov-18 20:10:20
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0xb200`
SizeOfInitializedData	`0x53ac00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000014AD (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0xd000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.1`
ImageVersion	`0.0`
SubsystemVersion	`5.1`
Win32VersionValue	`0`
SizeOfImage	`0x54b000`
SizeOfHeaders	`0x400`
Checksum	`0x54fd91`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`d9fa6da0baf4b869720be833223490cb`
SHA1	`b6978a757f7342839347eaf585473da8660a6996`
SHA256	`eaba38650152f8688eed3ed2c4383cebe5ccde8a3b5b746c50d1d4813d951597`
SHA3	`1813170b5d81291e0815ca0320d5741c141846868d1e4893819edb5a5c39fa92`
VirtualSize	`0xb1af`
VirtualAddress	`0x1000`
SizeOfRawData	`0xb200`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.59204`

.rdata

MD5	`8b45a1035c0de72f910a75db7749f735`
SHA1	`0642a66de21c204dda5ac19aacb0717068c12e72`
SHA256	`8d80004988f9a0ec5e1d00c2f0d1155bdbaf0fe0ee7c14237f572eace11dfa23`
SHA3	`111b251c78ec2250e45680281c5b13383a7e93e642cacfafe77f6f483d370006`
VirtualSize	`0x6078`
VirtualAddress	`0xd000`
SizeOfRawData	`0x6200`
PointerToRawData	`0xb600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.78662`

.data

MD5	`1f4cc86b6735a74429c9d1feb93e2871`
SHA1	`861fc35925471a609902d4fd925c68aad2a2d676`
SHA256	`84a7f490102ace5e46c847381c8d50860b646f72c6f6d454e9fd5943bf212ee6`
SHA3	`7a657ad1ea9679a4e12c24c5c173fddb959a56276907a6b55a2e227222d7b6ad`
VirtualSize	`0x11e4`
VirtualAddress	`0x14000`
SizeOfRawData	`0x800`
PointerToRawData	`0x11800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.26508`

.rsrc

MD5	`0cb59c276652808eb7200fdad38bae5b`
SHA1	`772ca7aed470ebcba53de58cd53f259155a65385`
SHA256	`67294fc4ef924643617f5755a61cd1540851dce3a66ce0b9313820105f52216a`
SHA3	`06516d8939552664a65ed95b73853c8855a7bec8149586c23213ce0e12dbce6a`
VirtualSize	`0x533080`
VirtualAddress	`0x16000`
SizeOfRawData	`0x533200`
PointerToRawData	`0x12000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.44504`

.reloc

MD5	`a93b0f39998e1e69e5944da8c5ff06b1`
SHA1	`dfde891879d0a61f960d47dcd6a9cc34c9ea70ba`
SHA256	`e98540b66036ea262721678c359478b46e58091f52b3dd902868763f629b7a2d`
SHA3	`af1d27a7c5c317da06a3cdaa8a7ee83d74ceb35ce0afdeb31b536d97ad6aa81d`
VirtualSize	`0xea8`
VirtualAddress	`0x54a000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x545200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.30149`

Imports

mscoree.dll	`CorBindToRuntimeEx`
KERNEL32.dll	`GetModuleFileNameA` `DecodePointer` `SizeofResource` `LockResource` `LoadLibraryW` `LoadResource` `FindResourceW` `GetProcAddress` `WriteConsoleW` `SetFilePointerEx` `GetConsoleMode` `GetConsoleCP` `FlushFileBuffers` `HeapReAlloc` `HeapSize` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `GetCurrentProcess` `TerminateProcess` `IsProcessorFeaturePresent` `QueryPerformanceCounter` `GetCurrentProcessId` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `IsDebuggerPresent` `GetStartupInfoW` `GetModuleHandleW` `RtlUnwind` `GetLastError` `SetLastError` `EncodePointer` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `FreeLibrary` `LoadLibraryExW` `RaiseException` `GetStdHandle` `WriteFile` `CreateFileW` `MultiByteToWideChar` `WideCharToMultiByte` `ExitProcess` `GetModuleHandleExW` `GetACP` `CloseHandle` `HeapAlloc` `HeapFree` `FindClose` `FindFirstFileExA` `FindNextFileA` `IsValidCodePage` `GetOEMCP` `GetCPInfo` `GetCommandLineA` `GetCommandLineW` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `LCMapStringW` `SetStdHandle` `GetFileType` `GetStringTypeW` `GetProcessHeap`
OLEAUT32.dll	`VariantInit` `SafeArrayUnaccessData` `SafeArrayCreateVector` `SafeArrayDestroy` `VariantClear` `SafeArrayAccessData`

Delayed Imports

SCREENCONNECT.CORE, VERSION=24.2.10.8991, CULTURE=NEUTRAL, PUBLICKEYTOKEN=4B14C015C87C1AD8

Type	`FILES`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x86000`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.03125`
Detected Filetype	PE Executable
MD5	`16c4f1e36895a0fa2b4da3852085547a`
SHA1	`ab068a2f4ffd0509213455c79d311f169cd7cab8`
SHA256	`4d4bf19ad99827f63dd74649d8f7244fc8e29330f4d80138c6b64660c8190a53`
SHA3	`3a1cb2881d8501c093e12f10dfcc109adbed7ee9f7d3df06a0db213f679055ec`

SCREENCONNECT.WINDOWS, VERSION=24.2.10.8991, CULTURE=NEUTRAL, PUBLICKEYTOKEN=4B14C015C87C1AD8

Type	`FILES`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x1a4600`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.63914`
Detected Filetype	PE Executable
MD5	`9f823778701969823c5a01ef3ece57b7`
SHA1	`da733f482825ec2d91f9f1186a3f934a2ea21fa1`
SHA256	`abca7cf12937da14c9323c880ec490cc0e063d7a3eef2eac878cd25c84cf1660`
SHA3	`c97d0d8907bcea02f4bb697cf8b087cfa8ca2d170b5f4dd52007b2ef92e6b192`

SCREENCONNECT.WINDOWSINSTALLER, VERSION=24.2.10.8991, CULTURE=NEUTRAL, PUBLICKEYTOKEN=4B14C015C87C1AD8

Type	`FILES`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x1ac00`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.96249`
Detected Filetype	PE Executable
MD5	`5fe7a9b6ce2c7a379ee6a9ccff85eb51`
SHA1	`2506a5fe1e61def362610057ba36ebca0a181dee`
SHA256	`ac7721f50829c6b569cdf6ef8d516c89f10a89165b38f9ddb608e8c7844b2108`
SHA3	`3edcea471b2533170ff789ef8bcea5319289614b548891c7e9c1ff6e5f48c1c3`

_ENTRYPOINT

Type	`FILES`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x2ec320`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.85318`
Detected Filetype	PE Executable
MD5	`c4398ae411c72dbf451b8c0f12581e0f`
SHA1	`fcb0da2d4d79510ec1655fa19bdc59a93e9d58c9`
SHA256	`e2abe4cc4cbab86ff3aaaf68d24d88874019d62d9c62a51807d8333ef9e86b78`
SHA3	`bfa1b40a704270f723ba49e684f671119ac47eb0866788dc91af262bc4b0f7ad`

_RESOLVER

Type	`FILES`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x1600`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.8513`
Detected Filetype	PE Executable
MD5	`5fb6074b08ac4709cf2f29fa5b49023e`
SHA1	`8bbb78a47c08867c50572f0bd2a27171f91e0454`
SHA256	`19ac323ca6eae2f8145cdc2bac865b32cd5a48ad6ff199d4ca7da214b056e1dc`
SHA3	`eb83af41dc4d6892c7cc83fb60c611dba627b071327701d962d5e5922dd0d815`

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x188`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.89623`
MD5	`b8e76ddb52d0eb41e972599ff3ca431b`
SHA1	`fc12d7ad112ddabfcd8f82f290d84e637a4d62f8`
SHA256	`165c5c883fd4fd36758bcba6baf2faffb77d2f4872ffd5ee918a16f91de5a8a8`
SHA3	`37f83338b28cb102b1b14f27280ba1aa3fffb17f7bf165cb7b675b7e8eb7cddd`

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2022-Nov-18 20:10:20
Version	`0.0`
SizeofData	`103`
AddressOfRawData	`0x1214c`
PointerToRawData	`0x1074c`
Referenced File	C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2022-Nov-18 20:10:20
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0x121b4`
PointerToRawData	`0x107b4`

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2022-Nov-18 20:10:20
Version	`0.0`
SizeofData	`752`
AddressOfRawData	`0x121c8`
PointerToRawData	`0x107c8`

IMAGE_DEBUG_TYPE_ILTCG

Characteristics	`0`
TimeDateStamp	2022-Nov-18 20:10:20
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

Load Configuration

Size	`0xc0`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x414000`
SEHandlerTable	`0x41209c`
SEHandlerCount	`6`

RICH Header

XOR Key	`0xb6603e45`
Unmarked objects	`0`
241 (40116)	`10`
243 (40116)	`122`
242 (40116)	`24`
C++ objects (VS2022 Update 3 (17.3.0) compiler 31616)	`37`
C objects (VS2022 Update 3 (17.3.0) compiler 31616)	`17`
ASM objects (VS2022 Update 3 (17.3.0) compiler 31616)	`20`
Imports (VS2008 SP1 build 30729)	`4`
Imports (VS2008 build 21022)	`3`
Total imports	`96`
C++ objects (LTCG) (VS2022 Update 3 (17.3.4-6) compiler 31630)	`1`
Resource objects (VS2022 Update 3 (17.3.4-6) compiler 31630)	`1`
Linker (VS2022 Update 3 (17.3.4-6) compiler 31630)	`1`

Errors

Leave a comment

No comments yet.