PREMIUM PESCAN.IO - Analysis Report
| File Structure |
PE Chart Code
Header PE (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header
Chart Code For Other Files
Printable characters (blue)
Non-printable characters (black)
| Information |
Size: 11.38 MB
SHA-256: 2F6435C735DC6361121D8B675CC954E42DC53DD9EB64029BFEE9F53D3853073F
SHA-1: 434F3378F2432160B3E53226ACFEFE15D0BFE167
MD5: 0281C3D124426B6BFCBB8A63AC68AAC9
Imphash: 89CBD0D03F658F7B76D6CFBF08BC6FA4
MajorOSVersion: 5, MinorOSVersion: 0
CheckSum: 00B6A76A
EntryPoint (RVA): 8B55C1 (falls in section 11, the third unnamed executable section, not in .text)
SizeOfHeaders: 400
SizeOfImage: AE8000
ImageBase: 65AC0000
Architecture: x86
ExportTable: 1BC000 (.edata)
ImportTable: 9FEFA8 (inside section 11, the unnamed section that also holds the entry point)
IAT: 831000 (start of section 10, the 0x2C-byte writable unnamed section: room for 11 pointers)
Characteristics: 230E (EXECUTABLE_IMAGE | LINE_NUMS_STRIPPED | LOCAL_SYMS_STRIPPED | 32BIT_MACHINE | DEBUG_STRIPPED | DLL)
TimeDateStamp: 6A123596 = 23/05/2026 23:17:42 UTC
File Type: DLL
Number Of Sections: 12
ASLR: Enabled
Section Names: .text, .data, .rdata, .bss, .edata, .idata, .CRT, .tls, *unnamed*, *unnamed*, *unnamed*, .reloc
Number Of Executable Sections: 3 (.text plus the two unnamed sections that carry the Code/Executable flags in the section table; the tool's summary line counted only 1)
Subsystem: Windows GUI
| Sections Info |
All offsets and sizes are hexadecimal. Section numbers are 1-based, matching the "section number (11)" used in the Entry Point section below.
| # | Section Name | Flags | Decoded Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|---|---|
| 1 | .text | 0x60500060 | Code, Initialized Data, Executable, Readable | 400 | E600 | 1000 | E454 | | |
| 2 | .data | 0xC0600040 | Initialized Data, Readable, Writeable | EA00 | 1A7E00 | 10000 | 1A7C80 | | |
| 3 | .rdata | 0x40600040 | Initialized Data, Readable | 1B6800 | 2400 | 1B8000 | 23A0 | | |
| 4 | .bss | 0xC0600080 | Uninitialized Data, Readable, Writeable | 0 | 0 | 1BB000 | B30 | | |
| 5 | .edata | 0x40300040 | Initialized Data, Readable | 1B8C00 | 200 | 1BC000 | 5B | | |
| 6 | .idata | 0xC0300040 | Initialized Data, Readable, Writeable | 1B8E00 | 800 | 1BD000 | 608 | | |
| 7 | .CRT | 0xC0300040 | Initialized Data, Readable, Writeable | 1B9600 | 200 | 1BE000 | 2C | | |
| 8 | .tls | 0xC0300040 | Initialized Data, Readable, Writeable | 1B9800 | 200 | 1BF000 | 8 | | |
| 9 | *unnamed* | 0x60000020 | Code, Executable, Readable | 1B9A00 | 671000 | 1C0000 | 670E08 | | |
| 10 | *unnamed* | 0xC0000040 | Initialized Data, Readable, Writeable | 82AA00 | 200 | 831000 | 2C | | |
| 11 | *unnamed* | 0x60000020 | Code, Executable, Readable | 82AC00 | 20A000 | 832000 | 209FD0 | | |
| 12 | .reloc | 0x42300040 | Initialized Data, Discardable, Readable | A34C00 | ABE00 | A3C000 | ABC90 | | |
Flag note: 0x42300040 on .reloc sets IMAGE_SCN_MEM_DISCARDABLE (0x02000000), not IMAGE_SCN_GPREL (0x00008000), so the "GP-Relative" label the tool printed for it was wrong. The 0x00n00000 nibble is the alignment field (0x5 = 16-byte, 0x6 = 32-byte, 0x3 = 4-byte alignment).
Reading the layout: sections 1 to 8 look like a conventionally linked image (a .text of 0xE600 bytes, an export directory in .edata, a 0x608-byte import directory in .idata, CRT and TLS data), while sections 9 and 11 are two large unnamed executable regions (0x671000 and 0x20A000 raw bytes) with a 0x2C-byte writable section between them that the IAT data directory points at. The entry point and the import table both lie in section 11, so that section is the code the loader actually runs first; the named sections are what it unpacks or repairs.
| Binder/Joiner/Crypter |
| Overlay (data appended after the last section; the raw end of .reloc is A34C00 + ABE00 = AE0A00): 484.00 KB. The tool labels appended data as "dropper code detected (EOF)"; its first 20 bytes are shown in the Flow Anomalies table below. |
| Entry Point |
Section 11 (the third unnamed section, flagged Code/Executable) contains the entry point.
EntryPoint (RVA): 8B55C1 -> file offset (calculated): 8AE1C1 = 82AC00 + (8B55C1 - 832000)
Bytes at the entry point: 51B9B53A3F890FC90FC9E8875F030021AB0127425EB344ADB2064A3D74886E829A350766203F09EA077733A5FF1C505998B2
Anomaly: AddressOfEntryPoint > BaseOfData, i.e. execution does not start in .text but in a later unnamed section, which is the usual shape of a packer or crypter stub that decrypts the real code at run time.
Assembler (linear disassembly from the entry point, as printed by the tool):
PUSH ECX
MOV ECX, 0x893F3AB5
BSWAP ECX
BSWAP ECX
CALL 0x36F96
AND DWORD PTR [EBX + 0x5E422701], EBP
MOV BL, 0x44
LODSD EAX, DWORD PTR [ESI]
MOV DL, 6
DEC EDX
CMP EAX, 0x826E8874
LCALL 0x93F:0x20660735
LJMP 0x1CFF:0xA5337707
PUSH EAX
POP ECX
CWDE
Reading notes: the two BSWAP ECX instructions cancel each other, so the constant load is padded with junk. The CALL is E8 87 5F 03 00, a rel32 of +0x35F87 from the next instruction (RVA 8B55D0), so the real target is RVA 8EB557 (file offset 8E4157), still inside section 11; the tool printed 0x36F96 because it disassembled with a base of 0x1000. Everything after the CALL (a far CALL and far JMP through arbitrary selectors, then stray single-byte opcodes) is not a plausible fall-through path, so those bytes are most likely data or encrypted code and the stub's logic continues at the CALL target.
| Signatures |
| Certificate - Digital Signature Not Found: • The file is not signed |
| Duplicate Sections |
| The empty section name (*unnamed*) occurs 3 times (sections 9, 10 and 11). Duplicate or empty names are legal for the loader but are not produced by normal linkers; they indicate sections appended by a packer. |
| Packer/Compiler |
| Compiler: Microsoft Visual C++ (Detect It Easy signature) • Whole-file entropy: 7.58198 bits per byte, close to the 8.0 maximum, so most of the file is compressed or encrypted, consistent with the two large unnamed executable sections. Caveat: the section layout (.bss, .edata, .idata, .CRT, .tls) and the msvcrt.dll dependency are commonly seen in GCC/MinGW output, so the compiler match should be confirmed against the unpacked payload rather than the stub. |
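The entropy figure above and the byte statistics in Extra Analysis are cheap heuristics that are easy to reproduce and to apply per section rather than to the whole file. The following script is an added example, not PEScan.io's own code: it computes Shannon entropy, the printable-ASCII and NUL percentages, and scans for runs of 0x90 (NOP caves) over constructed sample buffers. The 7.2 bits-per-byte packing threshold is an assumption; the sample buffers are constructed here and are not bytes from the analysed DLL.

```python
"""Byte-level packer heuristics: Shannon entropy, byte-class percentages, NOP caves."""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for an empty or constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packer_verdict(entropy: float, threshold: float = 7.2) -> str:
    """Threshold is an assumption: plain x86 code and text sit well below it, compressed
    or encrypted regions sit above it. A whole-file value of 7.58 means most bytes are packed."""
    return "likely packed/encrypted" if entropy >= threshold else "plain code/data"


def byte_class_stats(data: bytes) -> dict:
    """Printable-ASCII and NUL percentages, the two figures in the report's Extra Analysis."""
    n = len(data)
    printable = sum(1 for b in data if 0x20 <= b <= 0x7E)
    return {"ascii_pct": 100.0 * printable / n, "null_pct": 100.0 * data.count(0) / n}


def nop_caves(data: bytes, min_len: int = 5) -> list:
    """(offset, length) of every run of at least min_len consecutive 0x90 bytes."""
    caves, i, n = [], 0, len(data)
    while i < n:
        if data[i] != 0x90:
            i += 1
            continue
        j = i
        while j < n and data[j] == 0x90:
            j += 1
        if j - i >= min_len:
            caves.append((i, j - i))
        i = j
    return caves


def per_region_report(regions: dict) -> dict:
    """Entropy and verdict per named byte region, as a per-section tool would print it."""
    return {name: (round(shannon_entropy(buf), 3), packer_verdict(shannon_entropy(buf)))
            for name, buf in regions.items()}


# Constructed sample buffers (not bytes from the analysed file).
_rng = random.Random(1337)
PLAIN = b"This program cannot be run in DOS mode.\r\n" * 200  # text-like, low entropy
PACKED = _rng.randbytes(8192)                                  # stands in for an encrypted section
MIXED = PLAIN[:2048] + b"\x90" * 16 + b"\x00" * 1024 + PACKED[:2048]  # one NOP cave, a NUL block


if __name__ == "__main__":
    regions = {"PLAIN": PLAIN, "PACKED": PACKED, "MIXED": MIXED}
    for name, (h, verdict) in per_region_report(regions).items():
        print(f"{name:7s} entropy={h:.3f} -> {verdict}")
    print("byte classes (MIXED):", byte_class_stats(MIXED))
    print("NOP caves (MIXED):", nop_caves(MIXED))
```

Run against a real file, slice the buffer with each section's ROffset/RSize from the table above and feed the slices to `per_region_report`; a whole-file figure of 7.58 with a low-entropy .text would then show exactly which sections carry the packed payload.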
| ET Functions (carving) |
| Original Name (export directory): payload_5-23-2026_4-17-37 PM.dll; exported function: PrintAt. The name embeds a local time (5/23/2026 4:17:37 PM) that is 7 h 00 m 05 s before the UTC link timestamp in the header (23/05/2026 23:17:42), so the DLL was named within seconds of being linked, in a UTC-7 time zone. |
| Windows REG (UNICODE) |
| Registry paths found as UNICODE strings: SOFTWARE\Classes, Software\Classes\ |
| File Access |
| Strings: msvcrt.dll, KERNEL32.dll, USER32.DLL, payload_5-23-2026_4-17-37 PM.dll, .dat, Temp |
| File Access (UNICODE) |
| Strings: CorExitProcess, mscoree.dll (two adjacent strings that the tool ran together; a C runtime's exit path looks up CorExitProcess in mscoree.dll to hand shutdown to the CLR when it is loaded), KERNEL32.DLL, msvcrt.dll |
| Words of Interest |
| Virus, start, ping |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Malware that monitors and collects user data (Spy) |
| Intelligent String |
| • @@.bss • .CRT • .tls • msvcrt.dll • KERNEL32.DLL • mscoree.dll • P6h] |
| Flow Anomalies |
Reading this table: the second column is the absolute memory operand of the indirect CALL/JMP (a VA, not an RVA). Operands inside the mapped image (65AC0000 to 665A7FFF) resolve to real locations: 65C7D1xx is RVA 1BD1xx in .idata (import thunks, i.e. API calls through the import table), 65AD00xx is in .data, and 65CA6xxx / 65CA77xx / 65CB10xx fall in the first unnamed section. Operands such as 2FC7A1BF, 4EEBCC44 or 18005D94 lie outside the image entirely; they come from linearly disassembling high-entropy bytes in the unnamed sections and are not real control flow. The three TLS callbacks (two into .text, one at file offset 0x9620AA in the third unnamed section) execute when the DLL is mapped, before the entry point, so a debugger that breaks only at AddressOfEntryPoint never sees them.
| Offset | Target (VA) | Section | Kind | Description |
|---|---|---|---|---|
| 457 | 65C7D160 | .text | CALL [static] | Indirect call to absolute memory address |
| B50 | 65C7D13C | .text | CALL [static] | Indirect call to absolute memory address |
| E6C | 65C7D154 | .text | CALL [static] | Indirect call to absolute memory address |
| EE0 | 65C7D154 | .text | CALL [static] | Indirect call to absolute memory address |
| F67 | 65C7D154 | .text | CALL [static] | Indirect call to absolute memory address |
| 14AC | 65C7D160 | .text | JMP [static] | Indirect jump to absolute memory address |
| 8D58 | 65C7D154 | .text | CALL [static] | Indirect call to absolute memory address |
| 8E17 | 65C7D154 | .text | CALL [static] | Indirect call to absolute memory address |
| 8F9D | 65C7D154 | .text | CALL [static] | Indirect call to absolute memory address |
| 9261 | 65C7D154 | .text | CALL [static] | Indirect call to absolute memory address |
| 92F9 | 65C7D154 | .text | CALL [static] | Indirect call to absolute memory address |
| A51E | 65C7D154 | .text | CALL [static] | Indirect call to absolute memory address |
| A640 | 65AD0064 | .text | JMP [static] | Indirect jump to absolute memory address |
| A955 | 65C7D160 | .text | CALL [static] | Indirect call to absolute memory address |
| CCF8 | 65AD0054 | .text | CALL [static] | Indirect call to absolute memory address |
| D0AF | 65AD0054 | .text | CALL [static] | Indirect call to absolute memory address |
| E3E1 | 65AD0054 | .text | CALL [static] | Indirect call to absolute memory address |
| E631 | 65C7D160 | .text | CALL [static] | Indirect call to absolute memory address |
| 1C94C0 | 2FC7A1BF | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 1CCF97 | 65CA6084 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 1CCFCF | 65CA6084 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 1CD486 | 65CA6084 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 1CD4C0 | 65CA6084 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 1D5224 | 65CA6074 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 1D5D51 | 65CA60F0 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 1D5D72 | 65CA60F8 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 1D5DA7 | 65CA60FC | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 1D60C8 | 65CA60F8 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 1D741A | 65CA77BC | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 1D79EB | 65CA77BC | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 1D91F0 | 65CB1030 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 1D924B | 65CB1034 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 1DA29F | 65CA6074 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 1DA35C | 65CA6070 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 1DA38D | 65CA6074 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 1DBB36 | 65CA6074 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 1DCFE7 | 65CA6084 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 1DD055 | 65CA6084 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 1DD17B | 65CA6070 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 1DD2B8 | 65CA6070 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 1F5A88 | 65CA6070 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 1F947E | 65CA6070 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 1FB965 | 65CA6070 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 203294 | 65CA6070 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 20CF2E | 4EEBCC44 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 21A396 | 4EEBCC44 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 21D8A5 | 4EEBCC44 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 220C97 | 18005D94 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 225A5F | 18005D94 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 22B533 | 18005D94 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 2311B7 | 18005D94 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 23DF06 | 18005D94 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 24D05F | 1EB75252 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 24D715 | 7EC66B1A | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 24EE00 | 7EC66B1A | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 24F090 | 666DAEC4 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 25E450 | 38A3C84C | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 25EC2C | 38A3C84C | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 26073F | 38A3C84C | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 26A137 | 5B7A0AD1 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 2729BD | 5B7A0AD1 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 272F4F | 77958252 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 2761B6 | 77958252 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 2D0FFB | 38A6858E | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 2DF0AF | 2C2CBA4F | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 2E118B | 2C2CBA4F | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 2F3A07 | 3F710DAA | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 2F630F | 3F710DAA | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 2F94D5 | 3F710DAA | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 2FBB33 | 3F710DAA | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 308ED3 | 3F710DAA | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 30BDFD | 20E00E68 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 315A51 | 20E00E68 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 31DE79 | 6613EBB | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 3279A5 | 6613EBB | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 32829D | 3CD80854 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 32A467 | 3CD80854 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 33201F | A32B86 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 339923 | A32B86 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 357C6D | 29F3A1B0 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 36B05F | 28A4C6 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 36B289 | 3A1D84FB | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 37B0D5 | 3A1D84FB | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 37D011 | 1061EF0 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 397139 | D713C38 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 39D8DF | 394B9AEB | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 3AB029 | 19052A3F | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 3ABCBB | 19052A3F | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 3AF717 | 36F93B72 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 3AF9EB | 36F93B72 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 3C109B | 36F93B72 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 3C7099 | 2F960CF3 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 3E0E03 | 2F960CF3 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 3E8565 | 2F960CF3 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 3F0F53 | 11402C2F | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 3F22DD | BF20550 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 3F2B8F | 571B604 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 40244F | 571B604 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 411915 | 571B604 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 420ABF | 571B604 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 1BC441-1BC45F | N/A | *unnamed* | Unusual BP Cave, count: 31 |
| 1BD5C5-1BD75F | N/A | *unnamed* | Unusual BP Cave, count: 411 |
| 1BFE85-1BFEAF | N/A | *unnamed* | Unusual BP Cave, count: 43 |
| 1C5DF8-1C5E2F | N/A | *unnamed* | Unusual BP Cave, count: 56 |
| 1C8210-1C865F | N/A | *unnamed* | Unusual BP Cave, count: 1104 |
| 8A8260 | 9694AA | *unnamed* | TLS Callback | Pointer to 664294AA - 0x9620AA *unnamed* |
| 8A8264 | 1540 | *unnamed* | TLS Callback | Pointer to 65AC1540 - 0x940 .text |
| 8A8268 | 14F0 | *unnamed* | TLS Callback | Pointer to 65AC14F0 - 0x8F0 .text |
| 1B9A00-82A9FF | 1C0000 | *unnamed* | Executable section anomaly, first bytes: 558BEC538B5D0856 (PUSH EBP; MOV EBP, ESP; PUSH EBX; MOV EBX, [EBP+8]; PUSH ESI: a normal function prologue, so this section opens with real code ahead of the high-entropy region) |
| AE0A00 | N/A | *Overlay* | 00000000C60000008D0000000000610000000000 | ..............a..... |
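The section table, the Entry Point calculation, the TLS callback pointers and the Flow Anomalies table all rest on the same arithmetic: map an RVA or VA to the section that covers it, then to a file offset, and treat anything outside the image as noise. The script below is an added example, not PEScan.io's code; it transcribes the header values and section table from this report and reproduces those checks (entry point section and file offset, the entry stub's CALL target, overlay start, TLS callback resolution, flow-target classification, executable and duplicate sections, flag decoding). The rule that a section spans max(VSize, RSize) bytes is an assumption about how the loader maps it.

```python
"""Resolve this report's RVAs/VAs against its section table and reproduce its layout checks."""
from collections import Counter, namedtuple

# Header values transcribed from the report.
IMAGE_BASE = 0x65AC0000
SIZE_OF_IMAGE = 0xAE8000
ENTRY_POINT_RVA = 0x8B55C1
ENTRY_BYTES = bytes.fromhex(
    "51B9B53A3F890FC90FC9E8875F030021AB0127425EB344ADB2064A3D74886E82"
    "9A350766203F09EA077733A5FF1C505998B2")

Section = namedtuple("Section", "name flags raw_off raw_size virt_off virt_size")
SECTIONS = [  # transcribed from the Sections Info table; "" = unnamed; index is 1-based
    Section(".text",  0x60500060, 0x000400, 0x00E600, 0x001000, 0x00E454),
    Section(".data",  0xC0600040, 0x00EA00, 0x1A7E00, 0x010000, 0x1A7C80),
    Section(".rdata", 0x40600040, 0x1B6800, 0x002400, 0x1B8000, 0x0023A0),
    Section(".bss",   0xC0600080, 0x000000, 0x000000, 0x1BB000, 0x000B30),
    Section(".edata", 0x40300040, 0x1B8C00, 0x000200, 0x1BC000, 0x00005B),
    Section(".idata", 0xC0300040, 0x1B8E00, 0x000800, 0x1BD000, 0x000608),
    Section(".CRT",   0xC0300040, 0x1B9600, 0x000200, 0x1BE000, 0x00002C),
    Section(".tls",   0xC0300040, 0x1B9800, 0x000200, 0x1BF000, 0x000008),
    Section("",       0x60000020, 0x1B9A00, 0x671000, 0x1C0000, 0x670E08),
    Section("",       0xC0000040, 0x82AA00, 0x000200, 0x831000, 0x00002C),
    Section("",       0x60000020, 0x82AC00, 0x20A000, 0x832000, 0x209FD0),
    Section(".reloc", 0x42300040, 0xA34C00, 0x0ABE00, 0xA3C000, 0x0ABC90),
]

SCN_FLAGS = {  # IMAGE_SCN_* bits relevant here
    0x00000020: "CODE", 0x00000040: "INITIALIZED_DATA", 0x00000080: "UNINITIALIZED_DATA",
    0x00008000: "GPREL", 0x02000000: "DISCARDABLE", 0x20000000: "EXECUTE",
    0x40000000: "READ", 0x80000000: "WRITE",
}


def decode_flags(flags):
    names = [n for bit, n in SCN_FLAGS.items() if flags & bit]
    align = (flags >> 20) & 0xF  # IMAGE_SCN_ALIGN_* is a 4-bit field, 1 = 1 byte, 5 = 16 bytes
    if align:
        names.append(f"ALIGN_{1 << (align - 1)}BYTES")
    return names


def section_for_rva(rva):
    """(1-based index, Section) whose virtual range covers rva, else None (assumes max(VSize, RSize) span)."""
    for idx, s in enumerate(SECTIONS, 1):
        if s.virt_off <= rva < s.virt_off + max(s.virt_size, s.raw_size):
            return idx, s
    return None


def rva_to_file_offset(rva):
    """File offset backing rva, or None if unmapped or virtual-only (e.g. .bss)."""
    hit = section_for_rva(rva)
    if hit is None:
        return None
    _, s = hit
    delta = rva - s.virt_off
    return s.raw_off + delta if delta < s.raw_size else None


def va_to_file_offset(va):
    """Same for an absolute address (e.g. a TLS callback pointer); None if outside the image."""
    if not IMAGE_BASE <= va < IMAGE_BASE + SIZE_OF_IMAGE:
        return None
    return rva_to_file_offset(va - IMAGE_BASE)


def classify_flow_target(va):
    """Where an indirect CALL/JMP operand from the Flow Anomalies table points."""
    if not IMAGE_BASE <= va < IMAGE_BASE + SIZE_OF_IMAGE:
        return ("outside-image", None, None)  # junk from disassembling packed bytes
    hit = section_for_rva(va - IMAGE_BASE)
    if hit is None:
        return ("unmapped", None, None)
    idx, s = hit
    return ("in-image", idx, s.name or "*unnamed*")


def entry_point_report():
    idx, s = section_for_rva(ENTRY_POINT_RVA)
    return {"section_index": idx, "section_name": s.name or "*unnamed*",
            "file_offset": rva_to_file_offset(ENTRY_POINT_RVA),
            "executable": bool(s.flags & 0x20000000), "in_first_code_section": idx == 1}


def first_call_target_rva():
    """Follow the CALL rel32 in the entry stub (opcode E8 at offset 10 of ENTRY_BYTES)."""
    if ENTRY_BYTES[10] != 0xE8:
        raise ValueError("expected CALL rel32 at offset 10")
    rel32 = int.from_bytes(ENTRY_BYTES[11:15], "little", signed=True)
    return ENTRY_POINT_RVA + 15 + rel32  # rel32 is relative to the instruction after the CALL


def overlay_offset():
    """Start of any data appended after the last section's raw bytes."""
    return max(s.raw_off + s.raw_size for s in SECTIONS)


def executable_sections():
    return [i for i, s in enumerate(SECTIONS, 1) if s.flags & 0x20000000]


def duplicate_names():
    counts = Counter(s.name or "*unnamed*" for s in SECTIONS)
    return {n: c for n, c in counts.items() if c > 1}


if __name__ == "__main__":
    print(entry_point_report())
    print(f"entry stub CALL -> RVA {first_call_target_rva():X}, overlay at {overlay_offset():X}")
    for va in (0x664294AA, 0x65AC1540, 0x65AC14F0):  # the three TLS callback pointers
        print(f"TLS callback {va:X} -> file offset {va_to_file_offset(va):X}")
    for va in (0x65C7D160, 0x65AD0054, 0x2FC7A1BF):
        print(f"{va:X}: {classify_flow_target(va)}")
```

The same functions work for any PE once the section tuples are read from the file's section headers; the point of transcribing them here is that every number the report derives (8AE1C1, AE0A00, 0x9620AA, 0x940, 0x8F0) falls out of the arithmetic and can be checked by hand.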
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Printable ASCII bytes | 7005296 | 58.7119% |
| Null (0x00) bytes | 913168 | 7.6533% |
| NOP caves (0x9090909090) | 44 blocks | 0.0009% |
© 2026 All rights reserved.