PESCAN.IO - Analysis Report Basic

File Structure
PE Chart Code
Executable header (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header
Chart Code For Other Files
Printable characters (blue)
Non-printable characters (black)
Information

| Field | Value |
|---|---|
| Size | 2,16 MB |
| SHA-256 | 14460F49CE47C51935A5B966AC458FB42558CAA9E406DEC6FD5120B6CDCFB54D |
| SHA-1 | CA86A8CA2B5B8BF6053D444DB0298BB0F78D2AC6 |
| MD5 | 01F0B10802D9B22B92040C092D57F5C1 |
| Imphash | 4035D2883E01D64F3E7A9DCCB1D63AF5 |
| MajorOSVersion / MinorOSVersion | 6 / 1 |
| CheckSum | 00000000 (not computed; normal for an unsigned user-mode image) |
| EntryPoint (RVA) | 67B20 |
| SizeOfHeaders | 600 |
| SizeOfImage | 279000 |
| ImageBase | 0000000000400000 |
| Architecture | x64 |
| ImportTable (RVA) | 253000 |
| IAT (RVA) | 16A020 |
| Characteristics | 222 (EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED) |
| TimeDateStamp | 0 (Date: 01/01/1970; the Go linker writes a zero timestamp) |
| File Type | EXE |
| Number Of Sections | 13 |
| ASLR | Disabled (DYNAMIC_BASE not set, although a .reloc section is present) |
| Section Names (Section Table) | .text, .rdata, .data, /4, /19, /32, /46, /65, /78, /90, .idata, .reloc, .symtab |
| Number Of Executable Sections | 1 |
| Subsystem | Windows Console |
Sections Info
| Section Name | Flags (Characteristics) | Raw Offset | Raw Size | Virtual Offset (RVA) | Virtual Size | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000060 (Code, Initialized Data, Executable, Readable) | 600 | B3E00 | 1000 | B3C8A | 5,9292 | 7939698,77 |
| .rdata | 40000040 (Initialized Data, Readable) | B4400 | B5000 | B5000 | B4E28 | 5,2202 | 26110594,68 |
| .data | C0000040 (Initialized Data, Readable, Writeable) | 169400 | 15600 | 16A000 | 5EEF0 | 4,0322 | 6738352,73 |
| /4 | 42000000 (Discardable, Readable) | 17EA00 | 200 | 1C9000 | 119 | 4,8292 | 28570,00 |
| /19 | 42000000 (Discardable, Readable) | 17EC00 | 1F200 | 1CA000 | 1F154 | 7,9929 | 1251,79 |
| /32 | 42000000 (Discardable, Readable) | 19DE00 | 6000 | 1EA000 | 5E42 | 7,9061 | 4068,10 |
| /46 | 42000000 (Discardable, Readable) | 1A3E00 | 200 | 1F0000 | 30 | 0,8557 | 107659,00 |
| /65 | 42000000 (Discardable, Readable) | 1A4000 | 3B600 | 1F1000 | 3B5E8 | 7,9972 | 941,70 |
| /78 | 42000000 (Discardable, Readable) | 1DF600 | 1A600 | 22D000 | 1A501 | 7,9930 | 1090,55 |
| /90 | 42000000 (Discardable, Readable) | 1F9C00 | AC00 | 248000 | AB61 | 7,8178 | 12404,37 |
| .idata | C0000040 (Initialized Data, Readable, Writeable) | 204800 | 600 | 253000 | 476 | 3,5641 | 101452,00 |
| .reloc | 42000040 (Initialized Data, Discardable, Readable) | 204E00 | 7200 | 254000 | 7114 | 5,4348 | 163662,49 |
| .symtab | 42000000 (Discardable, Readable) | 20C000 | 1D000 | 25C000 | 1CF20 | 5,1922 | 2111215,22 |

Flag bit 0x02000000 is IMAGE_SCN_MEM_DISCARDABLE, not GP-relative (IMAGE_SCN_GPREL is 0x00008000), so the /N sections and .symtab are discardable read-only data. Section names of the form /N are offsets into the COFF string table, used for names longer than 8 bytes; in a Go 1.15 build (see Packer/Compiler below) seven such sections, mostly at entropy 7,8 to 7,99, are consistent with the zlib-compressed DWARF (.zdebug_*) sections the Go linker emits, and .symtab is the COFF symbol table, which means the binary was not stripped (no -ldflags "-s -w") and still carries its symbol names. .data is the one section whose Virtual Size (5EEF0) far exceeds its raw size (15600); the difference is zero-filled at load time and has no bytes on disk.
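The Flags and Entropy columns are the two numbers that drive section triage. As an added example (not PESCAN's code), the Python below decodes a Characteristics value against the IMAGE_SCN_* bits from the PE/COFF specification, which is how 0x42000000 resolves to MEM_DISCARDABLE plus MEM_READ, and computes Shannon entropy over constructed section contents to reproduce the coarse label a reviewer attaches to each row. The thresholds and the labels returned by classify_section are my choices, not the tool's.

```python
"""Decode PE section Characteristics and compute section entropy.

Added example, not part of the PESCAN report or of any tool it names.
Flag bits are from the PE/COFF specification; the data fed to
shannon_entropy() is constructed in-line.
"""
import math
import random
from collections import Counter

# IMAGE_SCN_* bits from the PE/COFF spec (subset relevant to a section table).
SECTION_FLAGS = {
    0x00000020: "CNT_CODE",
    0x00000040: "CNT_INITIALIZED_DATA",
    0x00000080: "CNT_UNINITIALIZED_DATA",
    0x00008000: "GPREL",               # the real GP-relative bit
    0x02000000: "MEM_DISCARDABLE",     # what 0x42000000 actually carries
    0x04000000: "MEM_NOT_CACHED",
    0x08000000: "MEM_NOT_PAGED",
    0x10000000: "MEM_SHARED",
    0x20000000: "MEM_EXECUTE",
    0x40000000: "MEM_READ",
    0x80000000: "MEM_WRITE",
}


def decode_section_flags(characteristics: int) -> list:
    """Names of the IMAGE_SCN_* bits set in a section's Characteristics field."""
    return [name for bit, name in sorted(SECTION_FLAGS.items())
            if characteristics & bit]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_section(characteristics: int, entropy: float) -> str:
    """Coarse triage label; thresholds are reviewer heuristics, not a standard."""
    names = decode_section_flags(characteristics)
    if "MEM_EXECUTE" in names:
        return "code"                       # disassemble it
    if entropy >= 7.5:
        return "compressed-or-encrypted"    # packed payload, compressed DWARF, crypto blobs
    if entropy < 1.0:
        return "sparse"                     # padding, mostly zero, tiny tables
    return "data"


def sample_buffers() -> dict:
    """Constructed section contents standing in for raw file data."""
    rng = random.Random(1)                  # fixed seed so the result is reproducible
    return {
        "zeros": bytes(4096),
        "uniform": bytes(range(256)) * 16,  # every byte value equally often
        "random": rng.randbytes(65536),     # looks like compressed/encrypted data
        "text": b"runtime.gopanic\x00reflect.init\x00sync.(*Mutex).Lock\x00" * 256,
    }


if __name__ == "__main__":
    for raw, ent in ((0x60000060, 5.9292), (0x42000000, 7.9929), (0x42000000, 0.8557)):
        print(f"{raw:08X} -> {decode_section_flags(raw)} -> {classify_section(raw, ent)}")
    for name, buf in sample_buffers().items():
        print(f"{name:8s} entropy={shannon_entropy(buf):.4f}")
```

Entropy alone cannot distinguish compressed debug data from an encrypted payload; it only says which sections deserve a decompression attempt or a string scan before the reviewer reads anything into them.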
Entry Point

Section 1 (.text) holds the entry point. EntryPoint RVA 67B20 corresponds to file offset 67120 (67B20 minus the .text VirtualAddress 1000, plus its raw offset 600).

Code at the entry point (hex): E9 9BC8FFFF, then CC repeated 27 times, then 9C 4883EC70 48897C2450 4889742448 48896C (the quoted bytes end mid-instruction).

Disassembly:
• JMP rel32 (E9 9BC8FFFF, displacement -0x3765). The tool prints the target as 0xFFFFFFFFFFFFD8A0, which is the displacement applied from an assumed base of 0x1000; applied to the real RVA 67B20 the target is RVA 643C0, inside .text.
• INT3 × 27. Together with the 5-byte JMP this is exactly 32 bytes: 0xCC padding up to the next 32-byte alignment boundary, as the Go linker places between functions on amd64, not executable logic.
• PUSHFQ • SUB RSP, 0x70 • MOV QWORD PTR [RSP + 0x50], RDI • MOV QWORD PTR [RSP + 0x48], RSI (the start of the next function after the padding).
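The offset arithmetic above (RVA to file offset through the section table, and resolving the rel32 JMP at the entry point) is the first thing to get right before any byte in this report can be located on disk. The following Python is an added example, not PESCAN's code: the section values are copied from this report's Sections Info table (the /N and .symtab rows are omitted because no address used here falls in them), and it also shows the failure case a naive translator misses, an RVA inside the zero-filled tail of .data that has no bytes in the file.

```python
"""Translate RVAs to file offsets with the section table and resolve the
entry-point JMP.

Added example, not part of the PESCAN report. Section geometry is copied
from the report's Sections Info table; ENTRY_CODE is the first five bytes
the report quotes at the entry point.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Section:
    name: str
    raw_offset: int   # PointerToRawData
    raw_size: int     # SizeOfRawData
    rva: int          # VirtualAddress
    vsize: int        # VirtualSize


SECTIONS = [
    Section(".text",  0x000600, 0xB3E00, 0x001000, 0xB3C8A),
    Section(".rdata", 0x0B4400, 0xB5000, 0x0B5000, 0xB4E28),
    Section(".data",  0x169400, 0x15600, 0x16A000, 0x5EEF0),  # VirtualSize > raw: zero-filled tail
    Section(".idata", 0x204800, 0x00600, 0x253000, 0x00476),
    Section(".reloc", 0x204E00, 0x07200, 0x254000, 0x07114),
]


def find_section(rva: int) -> Optional[Section]:
    """Section whose mapped range (larger of virtual and raw size) contains rva."""
    for s in SECTIONS:
        if s.rva <= rva < s.rva + max(s.vsize, s.raw_size):
            return s
    return None


def rva_to_offset(rva: int) -> int:
    """File offset backing an RVA; raises if the RVA has no bytes on disk."""
    s = find_section(rva)
    if s is None:
        raise ValueError(f"RVA {rva:#x} is not inside any section")
    delta = rva - s.rva
    if delta >= s.raw_size:
        raise ValueError(f"RVA {rva:#x} is in the virtual-only tail of {s.name}")
    return s.raw_offset + delta


def offset_to_rva(offset: int) -> int:
    """Inverse mapping for a file offset inside some section's raw data."""
    for s in SECTIONS:
        if s.raw_offset <= offset < s.raw_offset + s.raw_size:
            return s.rva + (offset - s.raw_offset)
    raise ValueError(f"offset {offset:#x} is not inside any section's raw data")


def jmp_rel32_target(rva: int, code: bytes) -> int:
    """Target RVA of an E9 rel32 JMP located at rva (RVAs are 32-bit, so mask)."""
    if len(code) < 5 or code[0] != 0xE9:
        raise ValueError("not a JMP rel32")
    rel = int.from_bytes(code[1:5], "little", signed=True)
    return (rva + 5 + rel) & 0xFFFFFFFF


ENTRY_RVA = 0x67B20                          # EntryPoint (RVA) from the report
ENTRY_CODE = bytes.fromhex("E99BC8FFFF")     # JMP rel32 quoted at the entry point


def resolve_entry() -> dict:
    """Entry-point file offset and the JMP target as RVA and file offset."""
    target = jmp_rel32_target(ENTRY_RVA, ENTRY_CODE)
    return {
        "entry_offset": rva_to_offset(ENTRY_RVA),
        "target_rva": target,
        "target_offset": rva_to_offset(target),
    }


if __name__ == "__main__":
    for key, value in resolve_entry().items():
        print(f"{key:14s} {value:#x}")
```

The same two functions are what a reviewer needs to turn the "Offset" column of the Flow Anomalies table into RVAs (the report leaves that column as N/A) and to check whether a flagged offset even lies in the executable section.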
Signatures

Certificate - Digital Signature Not Found: the file is not signed.

Packer/Compiler

Detect It Easy (die): PE+(64), compiler: Go(1.15.0-X.XX.X). Whole-file entropy: 6.64937. No packer was identified; the high-entropy /N sections in the table above are better explained by the compressed debug data a Go build carries than by a packed payload.
Suspicious Functions
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetModuleHandle | Retrieves a handle to the specified module. |
| KERNEL32.DLL | CreateToolhelp32Snapshot | Creates a snapshot of the specified processes, heaps, threads, and modules. |
| KERNEL32.DLL | WriteProcessMemory | Writes data to an area of memory in a specified process. |
| KERNEL32.DLL | ReadProcessMemory | Reads data from an area of memory in a specified process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| USER32.DLL | GetAsyncKeyState | Retrieves the status of a virtual key asynchronously. |
| Ws2_32.DLL | socket | Create a communication endpoint for networking applications. |
| Ws2_32.DLL | connect | Establish a connection to a specified socket. |

Context for this list: .idata is only 0x476 bytes, so the static import directory is small. VirtualAlloc, WriteFile, LoadLibraryA/W and GetProcAddress are among the imports the Go runtime itself needs at startup and say nothing about intent. CreateToolhelp32Snapshot, ReadProcessMemory, WriteProcessMemory, GetAsyncKeyState, socket and connect are more likely resolved at run time (syscall.NewLazyDLL/NewProc, or the bundled github.com/TheTitanrain/w32 package) and were picked up here as name strings. Check which names actually sit in the import directory at RVA 253000 and find the code paths that call the rest before reading them as capabilities.
File Access

The raw output of this block is a run of Go symbol names whose suffixes matched the tool's file-extension patterns, interleaved with runtime diagnostic strings ("can't happen", "cas64 failed", "chan receive", "short write", "unknown pc", "debugLock", "funcargs(", "p scheddetail", "tracealloc(", "unreachable"). Sorted out, the hits are:

• DLL names (genuine): kernel32.dll, comctl32.dll, comdlg32.dll, secur32.dll, shell32.dll, userenv.dll, user32.dll, ws2_32.dll, gdi32.dll, plus truncated fragments (rof.dll, _32.dll, i32.dll, l32.dll).
• Location names (genuine): Temp, SysDir, UserProfile.
• Extension hits that are Go identifiers cut at the pattern, not files: os.Exe (most likely os.Executable), internal/poll.exe, internal/poll.log, unicode.Scr, unicode.Bat, unicode.Log, reflect.name.dat, internal/reflectlite.name.dat, @.dat, internal/cpu.Ini, and the whole ".ini" series, which is the package init function (pkg.init) of internal/poll, github.com/TheTitanrain/w32, os, internal/syscall/windows, io/fs, path, time, internal/syscall/windows/registry, internal/syscall/windows/sysdll, internal/oserror, reflect, unicode, sync, strconv, math, errors, internal/bytealg, fmt and io.

The package list is still useful: it shows the binary links the Windows registry package and the w32 API binding. None of the ".ini" entries is evidence of configuration-file access.
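The misfires above come from matching an extension anywhere inside a token, which in a Go binary cuts ".ini" out of every "pkg.init" symbol. As an added example (not PESCAN's code; the two patterns are my reconstruction of a naive rule and a stricter one, not the tool's actual rules), the Python below runs both over a constructed, NUL-separated blob in the style of the pclntab function-name table and shows the stricter rule keeping only the genuine file names.

```python
"""Show how file-extension string rules misfire on Go symbol names.

Added example, not PESCAN's code. SAMPLE is constructed: Go symbol names as
they appear NUL-terminated in a Go binary's pclntab, plus two real file names.
"""
import re

SAMPLE = b"\x00".join([
    b"reflect.init",
    b"internal/poll.execIO",
    b"unicode.Scripts",
    b"os.Executable",
    b"internal/cpu.Initialize",
    b"C:\\Users\\Public\\config.ini",
    b"update.exe",
]) + b"\x00"

EXT = rb"\.(?:ini|exe|dat|log|bat|scr)"

# Naive rule: any path-like token ending in a known extension. "reflect.init"
# matches as "reflect.ini" because nothing requires the extension to end the token.
NAIVE = re.compile(rb"[\w.:\\/-]+" + EXT, re.IGNORECASE)

# Stricter rule: the byte after the extension must not be an identifier character,
# which rejects a match carved out of a longer symbol such as os.Executable.
STRICT = re.compile(rb"[\w.:\\/-]+" + EXT + rb"(?!\w)", re.IGNORECASE)


def extract_files(pattern, blob: bytes) -> list:
    """All matches of pattern in blob, decoded for display."""
    return [m.group(0).decode("ascii", "replace") for m in pattern.finditer(blob)]


if __name__ == "__main__":
    print("naive :", extract_files(NAIVE, SAMPLE))
    print("strict:", extract_files(STRICT, SAMPLE))
```

The strict rule has its own blind spot: Go's go.string data is packed without terminators, so a real "config.ini" followed immediately by a string starting with a letter would be rejected there. Scanning the NUL-terminated symbol tables (pclntab, .symtab) and the packed string data with different rules is the practical compromise.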
Words of Interest

zombie exec powershell netsh attrib start shutdown systeminfo ping expand replace route

These are keyword hits in the string data, not confirmed command invocations: exec, start, expand and replace also occur as ordinary Go identifiers (os/exec, os.Expand, strings.Replace), so powershell, netsh, attrib, shutdown, systeminfo, ping and route are the ones to locate in context, for example as arguments near the CreateProcess/ShellExecute references matched by the file rules below.
Anti-VM/Sandbox/Debug Tricks

LabTools - procexp, procmon: string matches for the image names of Process Explorer and Process Monitor. Together with the CreateToolhelp32Snapshot reference this is consistent with walking the process list to spot analysis tools, but whether the names are actually compared against running processes has to be confirmed in the code.
Strings/Hex Code Matched By The File Rules

| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (WSACleanup) |
| Text | Ascii | WinAPI Sockets (bind) |
| Text | Ascii | WinAPI Sockets (listen) |
| Text | Ascii | WinAPI Sockets (accept) |
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Ascii | WinAPI Sockets (recv) |
| Text | Ascii | WinAPI Sockets (send) |
| Text | Ascii | Registry (RegCreateKeyEx) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | Registry (RegSetValueEx) |
| Text | Ascii | Registry (RegGetValue) |
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Service (OpenSCManager) |
| Text | Ascii | Encryption API (CryptAcquireContext) |
| Text | Ascii | Encryption API (CryptReleaseContext) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Anti-Analysis VM (CreateToolhelp32Snapshot) |
| Text | Ascii | Reconnaissance (FindFirstFileW) |
| Text | Ascii | Reconnaissance (FindNextFileW) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (GetThreadContext) |
| Text | Ascii | Stealth (SetThreadContext) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (UnmapViewOfFile) |
| Text | Ascii | Stealth (MapViewOfFile) |
| Text | Ascii | Stealth (CreateFileMappingW) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (ReadProcessMemory) |
| Text | Ascii | Stealth (CreateRemoteThread) |
| Text | Ascii | Execution (CreateProcessA) |
| Text | Ascii | Execution (CreateProcessW) |
| Text | Ascii | Execution (ShellExecute) |
| Text | Ascii | Execution (ResumeThread) |
| Text | Ascii | Execution (CreateEventA) |
| Hex | Hex Pattern | Metasploit Shellcode 2 (Reverse TCP x86 - FCE88200000060) |

Two caveats on this table. GetSystemInfo and GetVersion are called by the Go runtime at startup (page size, CPU count), so those "Anti-Analysis VM" hits carry no weight on their own. The hex row is different: FC E8 82 00 00 00 60 is the opening of the Metasploit Windows x86 block_api stager (cld; call; pushad), and a 7-byte pattern is unlikely to occur by chance even in 2 MB of compressed data. The report does not give the match offset, so locate it, check whether the bytes continue as the stager (89 E5 31 C0 64 8B 50 30 ...), and see where it lives; an x86 stager inside a 64-bit Go binary would have to be written into a 32-bit target through the VirtualAlloc/WriteProcessMemory/CreateRemoteThread references listed above, which is the code path to confirm.
Intelligent String

• github.com/TheTitanrain/w32 (Go package path of the Windows API binding compiled into the binary)
• C:\Program Files\Go (GOROOT of the build machine)
• kernel32.dll
• io.EOF

The long run the tool printed as a single token (152587890625762939453125AllocConsoleBidi_Control ... end tracegc) is a stretch of Go's string data, which the linker stores back to back without terminators, ordered by length and then content; every item in this run is exactly 12 bytes. Split at 12-byte boundaries it reads: 152587890625, 762939453125 (powers of five from strconv's decimal shifting table), AllocConsole, Bidi_Control, CoInitialize, DeleteObject, EnableWindow, ExtCreatePen, ExtractIconW, GetAddrInfoW, GetConsoleCP, GetCursorPos, GetLastError, GetLengthSid, GetStdHandle, GetTempPathW, GlobalUnlock, Join_Control, LoadLibraryW, LoadResource, LockResource, Meetei_Mayek, OpenServiceW, Pahawh_Hmong, PeekMessageW, PostMessageW, ReadConsoleW, RedrawWindow, RegGetValueW, ResumeThread, RevertToSelf, SelectObject, SendMessageW, SetCursorPos, SetEndOfFile, SetRectEmpty, SetTextColor, SetWindowPos, Sora_Sompeng, SubtractRect, Syloti_Nagri, SysStringLen, TransmitFile, UnlockFileEx, UpdateWindow, abi mismatch, advapi32.dll, bad flushGen, bad g status, bad g0 stack, bad recovery, can't happen, cas64 failed, chan receive, comctl32.dll, comdlg32.dll, dumping heap, end tracegc (cut off). The Windows API names are procedure names resolved through GetProcAddress by the w32 package and the syscall layer; Bidi_Control, Join_Control, Meetei_Mayek, Pahawh_Hmong, Sora_Sompeng and Syloti_Nagri are Unicode property and script names from the unicode package; the rest are Go runtime diagnostics.
Flow Anomalies

| Offset | RVA | Section | Description |
|---|---|---|---|
| C7F7 | N/A | .text | CALL QWORD PTR [RIP+0xB60F4600] |
| 202F8 | N/A | .text | CALL QWORD PTR [RIP+0x4894800] |
| 20308 | N/A | .text | CALL QWORD PTR [RIP+0x48900100] |
| 2031C | N/A | .text | CALL QWORD PTR [RIP+0x4C894800] |
| 20353 | N/A | .text | CALL QWORD PTR [RIP+0x57C5E800] |
| 63139 | N/A | .text | CALL QWORD PTR [RIP+0xEF0F6600] |
| 63141 | N/A | .text | CALL QWORD PTR [RIP+0xEF0F6600] |
| C9B07 | N/A | .rdata | JMP QWORD PTR [RIP+0xE000001A] |
| CFDD7 | N/A | .rdata | JMP QWORD PTR [RIP+0xE000001A] |
| D8177 | N/A | .rdata | CALL QWORD PTR [RIP+0xFF000018] |
| D86D7 | N/A | .rdata | CALL QWORD PTR [RIP+0xFF000018] |
| 16D618 | N/A | .data | JMP QWORD PTR [RIP+0x266F0001] |
| 1807CD | N/A | /19 | CALL QWORD PTR [RIP+0x9F12121C] |
| 19FB69 | N/A | /32 | JMP QWORD PTR [RIP+0x9FBC939D] |
| 1A55A8 | N/A | /65 | CALL QWORD PTR [RIP+0xF662C31B] |
| 1A9168 | N/A | /65 | CALL QWORD PTR [RIP+0xEB3EF2D1] |
| 1BC16C | N/A | /65 | CALL QWORD PTR [RIP+0x21023C75] |
| 1C52EE | N/A | /65 | CALL QWORD PTR [RIP+0x27CFAFE8] |
| 1C7006 | N/A | /65 | CALL QWORD PTR [RIP+0x5F4CBAE8] |
| 1CDA1F | N/A | /65 | JMP QWORD PTR [RIP+0x97CEBB03] |
| 1CDC2F | N/A | /65 | CALL QWORD PTR [RIP+0xA474CF8D] |
| 1D231C | N/A | /65 | CALL QWORD PTR [RIP+0x6A8CE438] |
| 1E118A | N/A | /78 | CALL QWORD PTR [RIP+0x98CC9097] |
| 1FCE10 | N/A | /90 | JMP QWORD PTR [RIP+0x6EBF1EEE] |
| 1FF544 | N/A | /90 | CALL QWORD PTR [RIP+0x3CA4F42F] |
| 201807 | N/A | /90 | JMP QWORD PTR [RIP+0x773F9D9E] |
| 201C6D | N/A | /90 | JMP QWORD PTR [RIP+0x6876D5EF] |
| 202D91 | N/A | /90 | JMP QWORD PTR [RIP+0x2CF03D74] |
| 1562-157F | N/A | .text | Unusual BP Cave, count: 30 |
| 1B42-1B5F | N/A | .text | Unusual BP Cave, count: 30 |
| 29E2-29FF | N/A | .text | Unusual BP Cave, count: 30 |
| 5C02-5C1F | N/A | .text | Unusual BP Cave, count: 30 |
| 5E42-5E5F | N/A | .text | Unusual BP Cave, count: 30 |
| 9401-941F | N/A | .text | Unusual BP Cave, count: 31 |
| 12102-1211F | N/A | .text | Unusual BP Cave, count: 30 |
| 13501-1351F | N/A | .text | Unusual BP Cave, count: 31 |
| 15362-1537F | N/A | .text | Unusual BP Cave, count: 30 |
| 2E1E1-2E1FF | N/A | .text | Unusual BP Cave, count: 31 |
| 3A921-3A93F | N/A | .text | Unusual BP Cave, count: 31 |
| 52B21-52B3F | N/A | .text | Unusual BP Cave, count: 31 |
| 59761-5977F | N/A | .text | Unusual BP Cave, count: 31 |
| 5EA22-5EA3F | N/A | .text | Unusual BP Cave, count: 30 |
| 5F442-5F45F | N/A | .text | Unusual BP Cave, count: 30 |
| 63B41-63B5F | N/A | .text | Unusual BP Cave, count: 31 |
| 63B61-63B7F | N/A | .text | Unusual BP Cave, count: 31 |
| 63C61-63C7F | N/A | .text | Unusual BP Cave, count: 31 |
| 65661-6567F | N/A | .text | Unusual BP Cave, count: 31 |
| 659A2-659BF | N/A | .text | Unusual BP Cave, count: 30 |
| 65A41-65A5F | N/A | .text | Unusual BP Cave, count: 31 |
| 65AA2-65ABF | N/A | .text | Unusual BP Cave, count: 30 |
| 665E1-665FF | N/A | .text | Unusual BP Cave, count: 31 |
| 66881-6689F | N/A | .text | Unusual BP Cave, count: 31 |
| 67F22-67F3F | N/A | .text | Unusual BP Cave, count: 30 |
| 688E2-688FF | N/A | .text | Unusual BP Cave, count: 30 |
| 69442-6945F | N/A | .text | Unusual BP Cave, count: 30 |
| 8B8C2-8B8DF | N/A | .text | Unusual BP Cave, count: 30 |
| 9F1A1-9F1BF | N/A | .text | Unusual BP Cave, count: 31 |

Reading these rows: the CALL/JMP entries in .rdata, .data and the /N sections are linear-sweep decodes of non-executable data (only .text is marked executable, and the /N sections are compressed), and even the .text entries carry RIP-relative displacements (0xB60F4600, 0x4894800, ...) that land far outside the 0x279000-byte image, so they are mid-instruction or data decodes rather than control-flow targets. The "BP Cave" rows are runs of 30 or 31 0xCC bytes that each end on a 32-byte boundary (offsets ending in 1F, 3F, 5F, 7F, 9F, BF, DF, FF); that is the INT3 function-alignment padding the Go linker emits on amd64, the same pattern visible right after the JMP at the entry point, not an anti-debug trick or a usable cave.
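The distinction just drawn (alignment padding ends exactly on a function-alignment boundary and is shorter than one alignment unit; a cave does not) is mechanical enough to script. The Python below is an added example, not PESCAN's code: it assumes the .text geometry from this report (raw offset 0x600, RVA 0x1000) and Go's 32-byte amd64 function alignment, scans a constructed .text fragment for INT3 runs, and also re-checks two of the report's own "BP Cave" rows by offset and length.

```python
"""Tell Go's INT3 alignment padding apart from a real code cave.

Added example, not PESCAN's code. Assumes the .text geometry from this
report (PointerToRawData 0x600, VirtualAddress 0x1000) and a 32-byte
function alignment; the scanned bytes are constructed, not read from
the sample.
"""
from typing import List, Tuple

TEXT_RAW_OFFSET = 0x600     # .text PointerToRawData (Sections Info table)
TEXT_RVA = 0x1000           # .text VirtualAddress
FUNC_ALIGN = 32             # Go amd64 function alignment; the pad byte is 0xCC
MIN_RUN = 16                # ignore short runs of stray INT3s


def find_byte_runs(data: bytes, value: int, min_len: int = MIN_RUN) -> List[Tuple[int, int]]:
    """(start, length) of every maximal run of `value` at least min_len long."""
    runs, i, n = [], 0, len(data)
    while i < n:
        if data[i] != value:
            i += 1
            continue
        j = i
        while j < n and data[j] == value:
            j += 1
        if j - i >= min_len:
            runs.append((i, j - i))
        i = j
    return runs


def classify_run(file_offset: int, length: int) -> str:
    """Padding ends exactly on an alignment boundary and is shorter than one
    alignment unit; anything else deserves a look as a potential cave."""
    end_rva = TEXT_RVA + (file_offset - TEXT_RAW_OFFSET) + length
    if end_rva % FUNC_ALIGN == 0 and length < FUNC_ALIGN:
        return "alignment padding"
    return "possible cave"


def scan_text(data: bytes) -> List[Tuple[int, int, str]]:
    """Classify every INT3 run in a .text image whose first byte is at TEXT_RAW_OFFSET."""
    return [(TEXT_RAW_OFFSET + start, length, classify_run(TEXT_RAW_OFFSET + start, length))
            for start, length in find_byte_runs(data, 0xCC)]


def build_sample() -> bytes:
    """Constructed .text fragment: two Go-style functions padded to 32 bytes,
    then a 70-byte INT3 block that does not end on a boundary (cave-like)."""
    func_a = bytes.fromhex("E99BC8FFFF")           # JMP rel32, as at the entry point
    func_b = bytes.fromhex("9C4883EC70")           # PUSHFQ; SUB RSP, 0x70

    def pad(func: bytes) -> bytes:
        return b"\xCC" * (FUNC_ALIGN - len(func))

    cave = b"\x90" * 3 + b"\xCC" * 70 + b"\x90"
    return func_a + pad(func_a) + func_b + pad(func_b) + cave


if __name__ == "__main__":
    for off, length, label in scan_text(build_sample()):
        print(f"{off:06X}  run of {length:3d} x 0xCC  -> {label}")
    # Two rows from the report's table: 1562-157F (30 bytes), 9401-941F (31 bytes)
    print(classify_run(0x1562, 30), "/", classify_run(0x9401, 31))
```

A run that fails this test is still not automatically a cave: a large 0xCC block that ends mid-boundary is only interesting if the section is writable or the code elsewhere references it, which is what the Flow Anomalies rows above never established.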
Extra Analysis

| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 1297368 | 57,2767% |
| Null Byte Code | 455891 | 20,1269% |
| NOP Cave Found (0x9090909090) | Block Count: 6 | 0,0007% |
© 2026 All rights reserved.