Manalyze report for 6cc5703654eaf3147b4c42b91f96b5a5b8a2107409c4db55368b988739d11ac7

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2022-Nov-18 20:10:20
Detected languages	English - United States
Debug artifacts	C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0` `Microsoft Visual C# v7.0 / Basic .NET` `.NET executable -> Microsoft`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to system / monitoring tools: rundll32.exe` `Contains references to security software: rshell.exe` `May have dropper capabilities: CurrentControlSet\Services` `Contains another PE executable: This program cannot be run in DOS mode.` `Miscellaneous malware strings: cmd.exe` Contains domain names: Client.de Client.resourcesClient.de cacerts.digicert.com check.screenconnect.com crl3.digicert.com crl4.digicert.com digicert.com feedback.screenconnect.com http://cacerts.digicert.com http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0 http://cacerts.digicert.com/DigiCertTrustedG4TimeStampingRSA4096SHA2562025CA1.crt0_ http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C http://crl3.digicert.com http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0 http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S http://crl3.digicert.com/DigiCertTrustedG4TimeStampingRSA4096SHA2562025CA1.crl0 http://crl3.digicert.com/DigiCertTrustedRootG4.crl0 http://crl4.digicert.com http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0 http://ocsp.digicert.com0 http://ocsp.digicert.com0A http://ocsp.digicert.com0C http://ocsp.digicert.com0\ http://www.digicert.com http://www.digicert.com/CPS0 https://check.screenconnect.com https://check.screenconnect.com/InstallerOriginInfo.axd https://feedback.screenconnect.com https://feedback.screenconnect.com/Feedback.axd instance-woc1gx-relay.screenconnect.com relay.screenconnect.com resourcesClient.de screenconnect.com woc1gx-relay.screenconnect.com www.digicert.com
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to SHA256`
Info	The PE contains common functions which appear in legitimate applications.	`[!] The program may be hiding some of its imports: LoadLibraryW GetProcAddress LoadLibraryExW`
Malicious	The PE is possibly a dropper.	`Resource SCREENCONNECT.CORE, VERSION=26.1.24.9579, CULTURE=NEUTRAL, PUBLICKEYTOKEN=420D02D3849B7992 detected as a PE Executable.` `Resource SCREENCONNECT.WINDOWS, VERSION=26.1.24.9579, CULTURE=NEUTRAL, PUBLICKEYTOKEN=420D02D3849B7992 detected as a PE Executable.` `Resource SCREENCONNECT.WINDOWSINSTALLER, VERSION=26.1.24.9579, CULTURE=NEUTRAL, PUBLICKEYTOKEN=420D02D3849B7992 detected as a PE Executable.` `Resource _ENTRYPOINT detected as a PE Executable.` `Resource _RESOLVER detected as a PE Executable.` `Resource SC_PAYLOAD is possibly compressed or encrypted.` `Resources amount for 99.437% of the executable.`
Info	The PE is digitally signed.	`Signer: ConnectWise` `Issuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`5fe6a2cd36f00ac12e68852ab042c459`
SHA1	`34ae06a8e6731bf18cf34f399287184995096813`
SHA256	`6cc5703654eaf3147b4c42b91f96b5a5b8a2107409c4db55368b988739d11ac7`
SHA3	`0f4f436b07458be66d5dc1ea31726870455e1eb34e327567df8e39c0796e3c07`
SSDeep	`393216:UCXvI5MvHxDJwCXvI5MvHxiCXvI5MvHx4CXvI5MvHxVCXvI5MvHxk:UZ6HxeZ6HxiZ6Hx4Z6HxVZ6Hxk`
Imports Hash	`9771ee6344923fa220489ab01239bdfd`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x108`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2022-Nov-18 20:10:20
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0xb200`
SizeOfInitializedData	`0xe54000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000014AD (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0xd000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.1`
ImageVersion	`0.0`
SubsystemVersion	`5.1`
Win32VersionValue	`0`
SizeOfImage	`0xe64000`
SizeOfHeaders	`0x400`
Checksum	`0xe6304f`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`d9fa6da0baf4b869720be833223490cb`
SHA1	`b6978a757f7342839347eaf585473da8660a6996`
SHA256	`eaba38650152f8688eed3ed2c4383cebe5ccde8a3b5b746c50d1d4813d951597`
SHA3	`1813170b5d81291e0815ca0320d5741c141846868d1e4893819edb5a5c39fa92`
VirtualSize	`0xb1af`
VirtualAddress	`0x1000`
SizeOfRawData	`0xb200`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.59204`

.rdata

MD5	`8b45a1035c0de72f910a75db7749f735`
SHA1	`0642a66de21c204dda5ac19aacb0717068c12e72`
SHA256	`8d80004988f9a0ec5e1d00c2f0d1155bdbaf0fe0ee7c14237f572eace11dfa23`
SHA3	`111b251c78ec2250e45680281c5b13383a7e93e642cacfafe77f6f483d370006`
VirtualSize	`0x6078`
VirtualAddress	`0xd000`
SizeOfRawData	`0x6200`
PointerToRawData	`0xb600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.78662`

.data

MD5	`1f4cc86b6735a74429c9d1feb93e2871`
SHA1	`861fc35925471a609902d4fd925c68aad2a2d676`
SHA256	`84a7f490102ace5e46c847381c8d50860b646f72c6f6d454e9fd5943bf212ee6`
SHA3	`7a657ad1ea9679a4e12c24c5c173fddb959a56276907a6b55a2e227222d7b6ad`
VirtualSize	`0x11e4`
VirtualAddress	`0x14000`
SizeOfRawData	`0x800`
PointerToRawData	`0x11800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.26508`

.rsrc

MD5	`773dc20195bebb163afc6f84c580e876`
SHA1	`0f193e53e8cd7a4e1dadac85d062ca42c9fe84ca`
SHA256	`f351f95cc5cbc2bc3f85578d2b849c58e03bfaa8e6d9e478c9419873da91a392`
SHA3	`8c119890fa5300b6fbff8f0b4db95a24bfed5c07115cefadb8de146b990e57ca`
VirtualSize	`0xe4c4dc`
VirtualAddress	`0x16000`
SizeOfRawData	`0xe4c600`
PointerToRawData	`0x12000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.82706`

.reloc

MD5	`a93b0f39998e1e69e5944da8c5ff06b1`
SHA1	`dfde891879d0a61f960d47dcd6a9cc34c9ea70ba`
SHA256	`e98540b66036ea262721678c359478b46e58091f52b3dd902868763f629b7a2d`
SHA3	`af1d27a7c5c317da06a3cdaa8a7ee83d74ceb35ce0afdeb31b536d97ad6aa81d`
VirtualSize	`0xea8`
VirtualAddress	`0xe63000`
SizeOfRawData	`0x1000`
PointerToRawData	`0xe5e600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.30149`

Imports

mscoree.dll	`CorBindToRuntimeEx`
KERNEL32.dll	`GetModuleFileNameA` `DecodePointer` `SizeofResource` `LockResource` `LoadLibraryW` `LoadResource` `FindResourceW` `GetProcAddress` `WriteConsoleW` `SetFilePointerEx` `GetConsoleMode` `GetConsoleCP` `FlushFileBuffers` `HeapReAlloc` `HeapSize` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `GetCurrentProcess` `TerminateProcess` `IsProcessorFeaturePresent` `QueryPerformanceCounter` `GetCurrentProcessId` `GetCurrentThreadId` `GetSystemTimeAsFileTime` `InitializeSListHead` `IsDebuggerPresent` `GetStartupInfoW` `GetModuleHandleW` `RtlUnwind` `GetLastError` `SetLastError` `EncodePointer` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `InitializeCriticalSectionAndSpinCount` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `FreeLibrary` `LoadLibraryExW` `RaiseException` `GetStdHandle` `WriteFile` `CreateFileW` `MultiByteToWideChar` `WideCharToMultiByte` `ExitProcess` `GetModuleHandleExW` `GetACP` `CloseHandle` `HeapAlloc` `HeapFree` `FindClose` `FindFirstFileExA` `FindNextFileA` `IsValidCodePage` `GetOEMCP` `GetCPInfo` `GetCommandLineA` `GetCommandLineW` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `LCMapStringW` `SetStdHandle` `GetFileType` `GetStringTypeW` `GetProcessHeap`
OLEAUT32.dll	`VariantInit` `SafeArrayUnaccessData` `SafeArrayCreateVector` `SafeArrayDestroy` `VariantClear` `SafeArrayAccessData`

Delayed Imports

SCREENCONNECT.CORE, VERSION=26.1.24.9579, CULTURE=NEUTRAL, PUBLICKEYTOKEN=420D02D3849B7992

Type	`FILES`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x8ca00`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.06491`
Detected Filetype	PE Executable
MD5	`d9ef4f245159eb7374677f603e18b9ec`
SHA1	`e7aa0b8bce504d31323d10dd987fa2d517649191`
SHA256	`c51a2b5cb5054ec0136e332bf290c8af3392d7936b5137a07423df08ab33d264`
SHA3	`a68ff026b7ebf4981dbb96871de320c48304c75b031db6e3661a62208d96d369`

SCREENCONNECT.WINDOWS, VERSION=26.1.24.9579, CULTURE=NEUTRAL, PUBLICKEYTOKEN=420D02D3849B7992

Type	`FILES`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x1a9e00`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.65406`
Detected Filetype	PE Executable
MD5	`c261e034df63aca035d7914d354b9dca`
SHA1	`50e59350f4b524e55eec1a7ee0531bf9ad33a33b`
SHA256	`10933424536d53e397f651915f862c933199c50722943c236b020787b2e8f147`
SHA3	`3505ee79d43dcfebe2248246ef8942deea2784aed343ac5b11ace68b31cb6e9c`

SCREENCONNECT.WINDOWSINSTALLER, VERSION=26.1.24.9579, CULTURE=NEUTRAL, PUBLICKEYTOKEN=420D02D3849B7992

Type	`FILES`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x22400`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.09624`
Detected Filetype	PE Executable
MD5	`dc1e764763d65555086850eba51af5c4`
SHA1	`66043dbac97f3b86c019c218e5b127bb7e4441b8`
SHA256	`528242c7745783b3b4ae72fec13bb9bd49b17b0e00f60c027351147f21fdd359`
SHA3	`d46e44f2340b41c6eaca9b4f5818906f0294eb19d99571298ebc384ef9240570`

_ENTRYPOINT

Type	`FILES`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x4c00`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.23038`
Detected Filetype	PE Executable
MD5	`d6c08447040e5e6b591483c4780dbd7a`
SHA1	`a10af25f44a08afe10821d009b71e55e756ae5b4`
SHA256	`4e8de6683206a607d12bc32f2c4316cb37992ffcfade7f2ae3a84fb5cf492a9a`
SHA3	`e634aee437058b06517fa5b5e06b1fc86d25f701efc40e7ca2397655f84171d8`

_RESOLVER

Type	`FILES`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x1600`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.8513`
Detected Filetype	PE Executable
MD5	`5fb6074b08ac4709cf2f29fa5b49023e`
SHA1	`8bbb78a47c08867c50572f0bd2a27171f91e0454`
SHA256	`19ac323ca6eae2f8145cdc2bac865b32cd5a48ad6ff199d4ca7da214b056e1dc`
SHA3	`eb83af41dc4d6892c7cc83fb60c611dba627b071327701d962d5e5922dd0d815`

SC_PAYLOAD

Type	`RT_RCDATA`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0xbed11c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.94443`
MD5	`4d6a62e9d03f466d7d214eb3c3f9bb97`
SHA1	`6afe940781079f03fc77318fc63916ca5e46eac2`
SHA256	`08193a2fd99e68ea0dbe7d8ffe1503598e9caac64292ed77af23a9b7c094b170`
SHA3	`0201523b46a03f024868a76cbfee75c8186772f419cedd469176b35711f7d172`

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x188`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.89623`
MD5	`b8e76ddb52d0eb41e972599ff3ca431b`
SHA1	`fc12d7ad112ddabfcd8f82f290d84e637a4d62f8`
SHA256	`165c5c883fd4fd36758bcba6baf2faffb77d2f4872ffd5ee918a16f91de5a8a8`
SHA3	`37f83338b28cb102b1b14f27280ba1aa3fffb17f7bf165cb7b675b7e8eb7cddd`

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2022-Nov-18 20:10:20
Version	`0.0`
SizeofData	`103`
AddressOfRawData	`0x1214c`
PointerToRawData	`0x1074c`
Referenced File	C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2022-Nov-18 20:10:20
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0x121b4`
PointerToRawData	`0x107b4`

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2022-Nov-18 20:10:20
Version	`0.0`
SizeofData	`752`
AddressOfRawData	`0x121c8`
PointerToRawData	`0x107c8`

IMAGE_DEBUG_TYPE_ILTCG

Characteristics	`0`
TimeDateStamp	2022-Nov-18 20:10:20
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

Load Configuration

Size	`0xc0`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x414000`
SEHandlerTable	`0x41209c`
SEHandlerCount	`6`

RICH Header

XOR Key	`0xb6603e45`
Unmarked objects	`0`
241 (40116)	`10`
243 (40116)	`122`
242 (40116)	`24`
C++ objects (VS2022 Update 3 (17.3.0) compiler 31616)	`37`
C objects (VS2022 Update 3 (17.3.0) compiler 31616)	`17`
ASM objects (VS2022 Update 3 (17.3.0) compiler 31616)	`20`
Imports (VS2008 SP1 build 30729)	`4`
Imports (VS2008 build 21022)	`3`
Total imports	`96`
C++ objects (LTCG) (VS2022 Update 3 (17.3.4-6) compiler 31630)	`1`
Resource objects (VS2022 Update 3 (17.3.4-6) compiler 31630)	`1`
Linker (VS2022 Update 3 (17.3.4-6) compiler 31630)	`1`

Errors

Leave a comment

No comments yet.