PESCAN.IO - Analysis Report
File Structure:
Information:
• Size: 20,50 KB
• SHA-256 Hash: D6003249A929BD1234F1F9EF709441DA1B20975860FC1CFAA406551008CA53FE
• SHA-1 Hash: 919AEFEA5011DDCB9EF365846CB9BAB09112A078
• MD5 Hash: 000508F8A5F3E25E03C1C0221D18D026
• Imphash: 3918BE224DD8D00A55923C4F5C66C1C1
• MajorOSVersion: 4
• CheckSum: 0000D670
• EntryPoint (rva): 1330
• SizeOfHeaders: 400
• SizeOfImage: F000
• ImageBase: 000000033E150000
• Architecture: x64
• ExportTable: A000
• ImportTable: B000
• Characteristics: 222E
• TimeDateStamp: 67EA6ADE
• Date: 31/03/2025 10:13:50
• File Type: DLL
• Number Of Sections: 12
• ASLR: Disabled
• Section Names (Optional Header): .text, .data, .rdata, .eh_fram, .pdata, .xdata, .bss, .edata, .idata, .CRT, .tls, .reloc
• Number Of Executable Sections: 1
• Subsystem: Windows Console
Sections Info (all offsets and sizes in hex):
Section Name | Flags | Raw Offset | Raw Size | Virtual Offset | Virtual Size
---|---|---|---|---|---
.text | 60000060 (Executable) | 400 | 2600 | 1000 | 2508
.data | C0000040 (Writeable) | 2A00 | 200 | 4000 | F0
.rdata | 40000040 | 2C00 | C00 | 5000 | B80
.eh_fram | C0000040 (Writeable) | 3800 | 200 | 6000 | 4
.pdata | 40000040 | 3A00 | 400 | 7000 | 270
.xdata | 40000040 | 3E00 | 200 | 8000 | 1D4
.bss | C0000080 (Writeable) | 0 | 0 | 9000 | 190
.edata | 40000040 | 4000 | 200 | A000 | 53
.idata | C0000040 (Writeable) | 4200 | A00 | B000 | 948
.CRT | C0000040 (Writeable) | 4C00 | 200 | C000 | 58
.tls | C0000040 (Writeable) | 4E00 | 200 | D000 | 10
.reloc | 42000040 | 5000 | 200 | E000 | 78
Entry Point:
Section number 1 contains the entry point.
• EntryPoint (calculated): 730
• Code: 488B0539450000C70000000000E98EFEFFFF66662E0F1F8400000000000F1F004889CA488D0DA67C0000E94920000090C366
• Disassembly:
• MOV RAX, QWORD PTR [RIP + 0X4539]
• MOV DWORD PTR [RAX], 0
• JMP 0XEA0
• NOP WORD PTR CS:[RAX + RAX]
• NOP DWORD PTR [RAX]
• MOV RDX, RCX
• LEA RCX, [RIP + 0X7CA6]
• JMP 0X3078
• NOP
• RET
Signatures:
• CheckSum Integrity Problem: Header: 54896, Calculated: 55786
• Certificate - Digital Signature Not Found: The file is not signed
Packer/Compiler:
• Detect It Easy (die)
• Entropy: 4.86868
Suspicious Functions:
Library | Function | Description |
---|---|---|
KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
ET Functions (carving):
• Original Name -> loader.dll
• EPoint: meow
File Access:
• USER32.dll
• api-ms-win-crt-time-l1-1-0.dll
• api-ms-win-crt-string-l1-1-0.dll
• api-ms-win-crt-stdio-l1-1-0.dll
• api-ms-win-crt-runtime-l1-1-0.dll
• api-ms-win-crt-private-l1-1-0.dll
• api-ms-win-crt-heap-l1-1-0.dll
• api-ms-win-crt-environment-l1-1-0.dll
• KERNEL32.dll
• loader.dll
• libgcc_s_dw2-1.dll
Interesting Words:
• exec
Strings/Hex Code Found With The File Rules:
• Rule Text (Ascii): Stealth (VirtualProtect)
• EP Rules: Microsoft Visual C++ 8.0 (DLL)
Intelligent Strings:
• @.bss
• .CRT
• .tls
• KERNEL32.dll
• api-ms-win-crt-environment-l1-1-0.dll
• api-ms-win-crt-heap-l1-1-0.dll
• api-ms-win-crt-private-l1-1-0.dll
• api-ms-win-crt-runtime-l1-1-0.dll
• api-ms-win-crt-string-l1-1-0.dll
• api-ms-win-crt-time-l1-1-0.dll
• USER32.dll
Extra 4n4lysis:
Metric | Value | Percentage
---|---|---
Ascii Code | 8065 | 38,4194%
Null Byte Code | 9118 | 43,4356%
NOP Cave Found | 0x9090909090 (Block Count: 18) | Total: 0,2144%