# PESCAN.IO Premium - Analysis Report
## File Structure

PE chart legend (chart image not reproduced here):

- Executable header (light blue)
- Executable sections (pink)
- Non-executable sections (black)
- External injected code (red)
- File structure drawn in red = malformed or corrupted header

Chart legend for other file types:

- Printable characters (blue)
- Non-printable characters (black)
## Information

| Field | Value |
|---|---|
| Size | 86,51 KB |
| SHA-256 Hash | 34736869D747AB6B823DCCB18775E9E87DCB2E25F2517AD2ACFA4EDB59C5A845 |
| SHA-1 Hash | 6F443EC1A218D34E2AC859B1DAF7B9A2737052AC |
| MD5 Hash | 049EE3C8C0FE9BA30DE8DFA8F1DA02AC |
| Imphash | 757708CA9FD3F4D0B8BEF404D6AD71F1 |
| MajorOSVersion | 4 |
| MinorOSVersion | 0 |
| CheckSum | 00012410 |
| EntryPoint (RVA) | 1000 |
| SizeOfHeaders | 400 |
| SizeOfImage | 10000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ImportTable | F38C |
| Characteristics | 10F |
| TimeDateStamp | 4F2D3310 |
| Date | 04/02/2012 13:30:56 |
| File Type | EXE |
| Number Of Sections | 3 |
| ASLR | Disabled |
| Section Names | .nsp0, .nsp1, .nsp2 |
| Number Of Executable Sections | 3 |
| Subsystem | Windows GUI |
## Sections Info

| Section Name | Flags | Raw Offset | Raw Size | Virtual Offset | Virtual Size | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .nsp0 | F0000060 (Code, Initialized Data, Discardable, Executable, Readable, Writeable) | 1000 | 9000 | 1000 | 9000 | 3,8033 | 3323534,14 |
| .nsp1 | E0000060 (Code, Initialized Data, Executable, Readable, Writeable) | A000 | 4000 | A000 | 4000 | 6,7832 | 252554,75 |
| .nsp2 | E0000060 (Code, Initialized Data, Executable, Readable, Writeable) | E000 | 2000 | E000 | 2000 | 0,8986 | 1716560,50 |
## Binder/Joiner/Crypter

Dropper code detected (EOF) - 22,51 KB
## Entry Point

Section 1 (.nsp0) contains the entry point. EntryPoint (calculated): 1000.

Code bytes at the entry point: 6AFF686146400064A100000000506489250000000081EC3006000053555657B94000000033C08DBC243D010000C684243C01

Disassembly of those bytes:

- PUSH -1
- PUSH 0x404661
- MOV EAX, DWORD PTR FS:[0]
- PUSH EAX
- MOV DWORD PTR FS:[0], ESP
- SUB ESP, 0x630
- PUSH EBX
- PUSH EBP
- PUSH ESI
- PUSH EDI
- MOV ECX, 0x40
- XOR EAX, EAX
- LEA EDI, [ESP + 0x13D]
## Signatures

CheckSum integrity problem:

- Header: 74768
- Calculated: 100713

Rich Signature Analyzer:

- Code: CCF8F8A5889996F6889996F6889996F6BEBF9DF68E9996F6BEBF9CF6929996F60B8598F6869996F6889996F68F9996F64B96CBF68A9996F6889997F6C09996F6EA8685F68F9996F660869DF68B9996F652696368889996F6
- Footprint MD5 hash: 4157024834A7454F4076CF809EAF85D8
- The Rich header apparently has not been modified

Certificate - digital signature not found:

- The file is not signed
## Packer/Compiler

Compiler: Microsoft Visual C++

Detect It Easy (DiE):

- PE: compiler: Microsoft Visual C/C++(6.0)[-]
- PE: linker: Microsoft Linker(6.0)[-]
- Entropy: 4.20314
## Suspicious Functions

| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | CreateMutexA | Create a named or unnamed mutex object for controlling access to a shared resource. |
| KERNEL32.DLL | GetModuleFileNameA | Retrieve the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
| KERNEL32.DLL | DeleteFileA | Deletes an existing file. |
| ADVAPI32.DLL | RegSetValueExA | Sets the data and type of a specified value under a registry key. |
| SHELL32.DLL | ShellExecuteExA | Performs a run operation on a specific file. |
## Windows REG

- Software\Microsoft\Windows\CurrentVersion\Run
- Software\motherFucker
- Rebuilt string: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
## File Access

- \Users\Bruno\Desktop\executable.exe
- \Users\Steve\AppData\Local\Temp\do_not_delete_03b826.exe
- \Users\Steve\AppData\Local\Temp\do_not_delete_0178e0.exe
- \WINDOWS\STUB.exe
- \Users\azure\Downloads\dttcodexgigas.456da0299259dceeeff8f1d40d7e23e8304878ae.exe
- \Users\Steve\AppData\Local\Temp\microsofthelp.exe
- \Users\Bruno\Desktop\software.exe
- \Users\azure\Downloads\53a5844f2ff71e8a36572610ffd4a09e.virus.exe
- \Users\azure\Downloads\570b423d153bf4c1dc21195df456db52.exe
- \Users\Steve\AppData\Local\Temp\do_not_delete_9385c0.exe
- \Users\Linky\AppData\Local\Temp\microsofthelp.exe
- \Users\Bruno\Desktop\file.exe
- \Users\Bruno\Desktop\microsofthelp.exe
- \Users\r.vult\AppData\Local\Temp\acb7049b9bf5be1991491685c7fddd1b.exe
- \Users\azure\Downloads\dttcodexgigas.91c3286f6d50c8570a3c2e7e94b8488f913d6cc3.exe
- \Users\Steve\AppData\Local\Temp\38i1nbsj.exe
- \Users\r.vult\AppData\Local\Temp\8926efa982fe086e04b35104865b5c03.exe
- \Users\azure\Downloads\dttcodexgigas.af6c6a9ad044947055cfb88888815e45f53e8b2c.exe
- \Users\azure\Downloads\microsofthelp.exe
- \XqmnAQHs.exe
- \x2GTFjdS.exe
- \Users\Steve\AppData\Local\Temp\do_not_delete_e1da86.exe
- \Users\John Doe\Desktop\26ou7b47s5.exe
- \sample.exe
- \vshsn.exe
- \runme.exe
- iexplore.exe
- \microsofthelp.exe
- USER32.DLL
- WININET.DLL
- IPHLPAPI.DLL
- ADVAPI32.DLL
- KERNEL32.DLL
- Shell32.dll
- HidePlugin.dll
- Temp
- AppData
## Words of Interest

fuck - }:) Virus exec
## Strings/Hex Code Found With The File Rules

| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | Registry (RegSetValueEx) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Reconnaissance (FindFirstFileA) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (IsBadReadPtr) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Execution (CreateProcessA) |
| Text | Ascii | Execution (ShellExecute) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Nullsoft PiMP Stub - SFX |
## Intelligent String

- C:\Users\Steve\AppData\Local\Temp\microsofthelp.exe
- C:\WINDOWS\STUB.exe
- C:\Users\Linky\AppData\Local\Temp\microsofthelp.exe
- C:\Users\r.vult\AppData\Local\Temp\acb7049b9bf5be1991491685c7fddd1b.exe
- C:\Users\Bruno\Desktop\file.exe
- C:\vshsn.exe
- C:\runme.exe
- \microsofthelp.exe
- C:\Program Files\Internet Explorer
- iexplore.exe
- kernel32.dll
- advapi32.dll
- iphlpapi.dll
- wininet.dll
- user32.dll
- C:\sample.exe
- C:\Users\Admin\AppData\Local\Temp\ff025783fa3f6c6847a7b3db4fc86add1a5dd4f5551e7d77ceff968684df31e6.exe
- C:\Users\John Doe\Desktop\26ou7b47s5.exe
- C:\Users\Steve\AppData\Local\Temp\do_not_delete_e1da86.exe
- C:\x2GTFjdS.exe
- C:\Users\azure\Downloads\d3db879b14b83d8dd3c9d79e632d01dc3c0e9a45e7cf28f672dd38219d888ef4.exe
- C:\XqmnAQHs.exe
- C:\Users\azure\Downloads\81f328bf9d5ca5bed7206a22dac795ae41af0e9f64a8643bea284cb066fe2b11.exe
- C:\Users\azure\Downloads\microsofthelp.exe
- C:\Users\azure\Downloads\dttcodexgigas.af6c6a9ad044947055cfb88888815e45f53e8b2c.exe
- C:\Users\Admin\AppData\Local\Temp\73faababfb3e912a07879bec73ce0d02277194f3b2361b0c4cfabecff149a99d.exe
- C:\Users\Admin\AppData\Local\Temp\06ef4612aa5de0f757c883d238ef13392a4a8bc2bcdafcc85cf9bea35401e346.exe
- C:\Users\r.vult\AppData\Local\Temp\8926efa982fe086e04b35104865b5c03.exe
- C:\Users\Admin\AppData\Local\Temp\03dd268b1454b63ea718acb25728711325fb5e85dcfdcebdbb0dd95bc79700e8.exe
- C:\Users\Steve\AppData\Local\Temp\38i1nbsj.exe
- C:\Users\azure\Downloads\dttcodexgigas.91c3286f6d50c8570a3c2e7e94b8488f913d6cc3.exe
- C:\Users\r.vult\AppData\Local\Temp\9a1ea77670cb0d155cbdfa01169c34e0.81b1db195839f6b609f5e445e01f68ef06d42542
- C:\Users\Bruno\Desktop\microsofthelp.exe
- C:\Users\azure\Downloads\076ac7840be7e8845b88f4356d79fefffdae707597ae33c45ee662806335886a.exe
- C:\Users\Steve\AppData\Local\Temp\do_not_delete_9385c0.exe
- C:\Users\azure\Downloads\570b423d153bf4c1dc21195df456db52.exe
- C:\Users\azure\Downloads\3b89ee988cfd4111b29141ab8bc51d8531a8a11a80c6b58a3ba836672d912c1c-dropped.bin.exe
- C:\Users\azure\Downloads\53a5844f2ff71e8a36572610ffd4a09e.virus.exe
- C:\Users\Bruno\Desktop\software.exe
- C:\Users\azure\Downloads\dttcodexgigas.456da0299259dceeeff8f1d40d7e23e8304878ae.exe
- C:\Users\Steve\AppData\Local\Temp\do_not_delete_0178e0.exe
- C:\Users\Admin\AppData\Local\Temp\424d5f2542254fbdf9f209aab925a5090c2d2d6360e1899f9e27760c6728d4d0.exe
- C:\Users\Admin\AppData\Local\Temp\c4b5ff04bb76b6460acf828f77c425bc2785c63ade3e2265b27e28f871d30b89.exe
- C:\Users\Steve\AppData\Local\Temp\do_not_delete_03b826.exe
- C:\Users\Bruno\Desktop\executable.exe
## Flow Anomalies

| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 1049 | 405050 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 107F | 40504C | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 10B6 | 405044 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 10FA | 405040 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 110A | 40503C | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 111D | 405038 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 11AB | 405034 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 11F0 | 40504C | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 11F7 | 405030 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 12BD | 40504C | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 12DF | 405028 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 134F | 4050D0 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 13B3 | 40504C | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1446 | 4050D0 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1463 | 405024 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 14AA | 40505C | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 14B2 | 405058 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 14C0 | 405054 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 14C8 | 405034 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 15AD | 40503C | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1619 | 405064 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1629 | 405060 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 171F | 40503C | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1824 | 4050D8 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1847 | 4050DC | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1875 | 4050E0 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1898 | 4050E8 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 18C3 | 405044 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1906 | 405044 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1918 | 405068 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1949 | 4050E8 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1960 | 4050E4 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1968 | 4050E4 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1A68 | 40504C | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1A89 | 405048 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1A90 | 40502C | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1AA1 | 405048 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1AA8 | 40502C | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1AB3 | 40504C | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1AE4 | 405008 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1B74 | 405004 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1BA0 | 405000 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1BAB | 405014 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1BE1 | 40506C | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1C9D | 405050 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1CE0 | 405074 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1CEC | 405070 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1D3A | 405044 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1D73 | 40502C | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1D8E | 405064 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1D95 | 405060 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1DEB | 405024 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1DF8 | 405078 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1E20 | 405010 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1E3D | 40500C | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1E86 | 40507C | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 1F79 | 405080 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 2014 | 405084 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 2044 | 405088 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 2053 | 40508C | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 206B | 405054 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 2085 | 405090 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 2090 | 4050F0 | .nsp0 | JMP [static] | Indirect jump to absolute memory address |
| 2250 | 4086F8 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 2DA0 | 408700 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 2DB3 | 4050B0 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 2DC5 | 4050B0 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 2DD8 | 4050B4 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 2DF4 | 4050B8 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 2E0C | 4050BC | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 32FD | 4050C0 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 3304 | 405078 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 337E | 405034 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 357F | 405050 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 3655 | 4050C4 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 365C | 405088 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 3677 | 405064 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 36E0 | 408778 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 39A3 | 4050A8 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 3B0E | 4050A0 | .nsp0 | JMP [static] | Indirect jump to absolute memory address |
| 3B23 | 4050A4 | .nsp0 | JMP [static] | Indirect jump to absolute memory address |
| 3BAE | 4050A8 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 4281 | 405020 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 429D | 405094 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 42E6 | 405094 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 431E | 40509C | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 4376 | 40509C | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 438C | 405020 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 43BF | 405020 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 4427 | 405020 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 444C | 4050C8 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 44CD | 405098 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 44E7 | 40501C | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 451B | 40501C | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 4553 | 40509C | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 45A9 | 40509C | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 45BB | 405098 | .nsp0 | CALL [static] | Indirect call to absolute memory address |
| 4638 | 4050AC | .nsp0 | JMP [static] | Indirect jump to absolute memory address |
| A240-A2BF | N/A | .nsp1 | | Unusual BP Cave, count: 128 |
| 10000 | N/A | *Overlay* | 50F042269EBEF7EBE17A6FC3E31CD102324A3F17 | P.B&.....zo.....2J?. |
| 1000-9FFF | 1000 | .nsp0 | | Executable section anomaly, first bytes: 6AFF686146400064 |
| A000-DFFF | A000 | .nsp1 | | Executable section anomaly, first bytes: 0609000000000000 |
| E000-FFFF | E000 | .nsp2 | | Executable section anomaly, first bytes: 0000000000000000 |
## Extra Analysis

| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 27514 | 31,0584% |
| Null Byte Code | 51408 | 58,0304% |
| NOP Cave Found | 0x9090909090 (block count: 36) | 0,1016% (total) |