PESCAN.IO - Analysis Report Valid Code

File Structure: (section layout image not included in this export)
Information:
Icon: (image not included)
Size: 1.13 MB (the byte counts in the Extra 4n4lysis section imply about 1,188,352 bytes, which is exactly where the last section ends in the file, 0x11B000 + 0x7200 = 0x122200, so the file carries no overlay)
SHA-256 Hash: 754DB6298C3585BFD87E37874921EFC2C7521C60C4C325BF4C655062FD1DAE73
SHA-1 Hash: FFB017F238AD29AF62690CDF8FD0CDA5B57801B9
MD5 Hash: 056A24804EB461179D5BA23E0CAB23C5
Imphash: AFCDF79BE1557326C854B6E20CB900A7
MajorOSVersion: 5
CheckSum: 0012F6BA
EntryPoint (rva): 27DCD
SizeOfHeaders: 400
SizeOfImage: 129000
ImageBase: 400000
Architecture: x86
ImportTable: BA44C
Characteristics: 122
TimeDateStamp: 67E4F8D1
Date: 27/03/2025 7:05:53 (UTC, decoded from TimeDateStamp 0x67E4F8D1)
File Type: EXE
Number Of Sections: 5
ASLR: Enabled
Section Names: .text, .rdata, .data, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info:
Section   Flags     Meaning                                 ROffset  RSize   VOffset  VSize
.text     60000020  CODE | EXECUTE | READ                   400      8DE00   1000     8DCC4
.rdata    40000040  INITIALIZED_DATA | READ                 8E200    2E200   8F000    2E10E
.data     C0000040  INITIALIZED_DATA | READ | WRITE         BC400    5200    BE000    8F74
.rsrc     40000040  INITIALIZED_DATA | READ                 C1600    59A00   C7000    59A00
.reloc    42000040  INITIALIZED_DATA | DISCARDABLE | READ   11B000   7200    121000   711C
Entry Point:
The entry point (RVA 27DCD) lies in section 1 (.text).
Information -> EntryPoint (calculated file offset) - 271CD (27DCD - .text VOffset 1000 + .text ROffset 400)
Note: the branch targets in the listing below (CALL 0xE0BA, JMP 0xE89) were computed by the disassembler from an assumed base of 0x1000 rather than from the real entry RVA. The CALL/JMP pair followed by INT3 padding is the standard MSVC CRT entry stub (security-cookie initialisation, then a jump into the CRT startup routine); the PUSH EDI / PUSH ESI sequence after the padding is the start of the next function, not part of the entry point.
Code -> E8B5D00000E97FFEFFFFCCCCCCCCCCCCCCCCCC57568B7424108B4C24148B7C240C8BC18BD103C63BFE76083BF80F82680300
CALL 0XE0BA
JMP 0XE89
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
PUSH EDI
PUSH ESI
MOV ESI, DWORD PTR [ESP + 0X10]
MOV ECX, DWORD PTR [ESP + 0X14]
MOV EDI, DWORD PTR [ESP + 0XC]
MOV EAX, ECX
MOV EDX, ECX
ADD EAX, ESI
CMP EDI, ESI
JBE 0X1033
CMP EDI, EAX
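The entry-point and section figures above are enough to reproduce the tool's arithmetic. The following Python is an added example (not PESCAN.IO code): it embeds the section table and the first ten entry-point bytes from this report as constructed input, converts the entry RVA to the file offset the report calls "calculated", decodes the section characteristics, resolves the CALL/JMP rel32 targets both against the disassembler's assumed base 0x1000 and against the real entry RVA, and computes where an overlay would begin.

```python
"""PE entry-point triage using the section table printed in the report.

Added example, not PESCAN.IO code. SECTIONS and ENTRY_CODE are constructed
from the values shown on the page; nothing is read from disk.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IMAGE_SECTION_HEADER.Characteristics bits relevant to triage
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

FLAG_NAMES = [
    (IMAGE_SCN_CNT_CODE, "CODE"),
    (IMAGE_SCN_CNT_INITIALIZED_DATA, "INITIALIZED_DATA"),
    (IMAGE_SCN_MEM_DISCARDABLE, "DISCARDABLE"),
    (IMAGE_SCN_MEM_EXECUTE, "EXECUTE"),
    (IMAGE_SCN_MEM_READ, "READ"),
    (IMAGE_SCN_MEM_WRITE, "WRITE"),
]


@dataclass(frozen=True)
class Section:
    name: str
    flags: int
    raw_off: int    # PointerToRawData
    raw_size: int   # SizeOfRawData
    virt_addr: int  # VirtualAddress (RVA)
    virt_size: int  # VirtualSize


# Section table as printed in the report (constructed input).
SECTIONS = [
    Section(".text",  0x60000020, 0x400,    0x8DE00, 0x1000,   0x8DCC4),
    Section(".rdata", 0x40000040, 0x8E200,  0x2E200, 0x8F000,  0x2E10E),
    Section(".data",  0xC0000040, 0xBC400,  0x5200,  0xBE000,  0x8F74),
    Section(".rsrc",  0x40000040, 0xC1600,  0x59A00, 0xC7000,  0x59A00),
    Section(".reloc", 0x42000040, 0x11B000, 0x7200,  0x121000, 0x711C),
]

ENTRY_RVA = 0x27DCD  # AddressOfEntryPoint from the report
# First ten bytes at the entry point as printed in the report: E8 rel32, E9 rel32
ENTRY_CODE = bytes.fromhex("E8B5D00000E97FFEFFFF")


def decode_flags(flags: int) -> List[str]:
    """Names of the characteristic bits set in a section header."""
    return [name for bit, name in FLAG_NAMES if flags & bit]


def section_for_rva(rva: int, sections=SECTIONS) -> Optional[Section]:
    """Section whose mapped range contains `rva` (loader maps max(VSize, RSize))."""
    for s in sections:
        span = max(s.virt_size, s.raw_size)
        if s.virt_addr <= rva < s.virt_addr + span:
            return s
    return None


def rva_to_offset(rva: int, sections=SECTIONS) -> Optional[int]:
    """File offset backing `rva`, or None if it has no bytes on disk
    (outside every section, or in the zero-filled tail of one)."""
    s = section_for_rva(rva, sections)
    if s is None:
        return None
    delta = rva - s.virt_addr
    if delta >= s.raw_size:
        return None
    return s.raw_off + delta


def rel32_targets(code: bytes, base: int) -> List[Tuple[str, int]]:
    """Resolve a leading run of E8 (CALL) / E9 (JMP) rel32 instructions,
    assuming `code` starts at address `base`."""
    out: List[Tuple[str, int]] = []
    pos = 0
    while pos + 5 <= len(code) and code[pos] in (0xE8, 0xE9):
        rel = int.from_bytes(code[pos + 1:pos + 5], "little", signed=True)
        mnemonic = "CALL" if code[pos] == 0xE8 else "JMP"
        out.append((mnemonic, (base + pos + 5 + rel) & 0xFFFFFFFF))
        pos += 5
    return out


def overlay_offset(sections=SECTIONS) -> int:
    """File offset at which data appended after the last section would start."""
    return max(s.raw_off + s.raw_size for s in sections)


if __name__ == "__main__":
    ep = section_for_rva(ENTRY_RVA)
    print("entry in", ep.name, decode_flags(ep.flags), "file offset", hex(rva_to_offset(ENTRY_RVA)))
    print("targets (base 0x1000):", [(m, hex(t)) for m, t in rel32_targets(ENTRY_CODE, 0x1000)])
    print("targets (real RVA):   ", [(m, hex(t)) for m, t in rel32_targets(ENTRY_CODE, ENTRY_RVA)])
    print("overlay would start at", hex(overlay_offset()))
```

The base-0x1000 results reproduce the CALL 0xE0BA / JMP 0xE89 in the listing; the real-RVA results are the addresses to use when following the stub in a disassembler that has loaded the image properly.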

Signatures:
Rich Signature Analyzer:
Code -> 361CADCF727DC39C727DC39C727DC39C342C229C707DC39CECDD049C737DC39C7F2F1C9C417DC39C7F2F239CC37DC39C7F2F229C477DC39C7B05409C7B7DC39C7B05509C577DC39C727DC29C527FC39C0F04299C227DC39C0F041C9C737DC39C7F2F189C737DC39C727D549C737DC39C0F041D9C737DC39C52696368727DC39C
Footprint md5 Hash -> F8E2C4C9B0283896D8E957FA68E23948
• The Rich header appears unmodified: the key stored after "Rich" recovers the "DanS" marker and the three zero padding DWORDs
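Decoding the Rich header, as an added example (not PESCAN.IO code), using the "Code ->" hex above as input. The key is the DWORD that follows "Rich"; XOR-ing every preceding DWORD with it must yield "DanS" and three zero DWORDs, after which each (comp.id, count) pair records a toolset build number (low 16 bits of comp.id), a product identifier (high 16 bits) and how many objects or imports that tool contributed. For this file the builds include 21005 and 31101, the Visual Studio 2013 RTM and Update 4 toolsets, which agrees with the DIE linker 12.0 result below rather than with the "Visual C++ 6" / "VC8" signature hits.

```python
"""Decode the Rich header dump printed in the report.

Added example, not PESCAN.IO code. RICH_HEX is the report's hex string,
used here as constructed input.
"""
import struct
from typing import List, NamedTuple, Tuple

RICH_HEX = (
    "361CADCF727DC39C727DC39C727DC39C342C229C707DC39CECDD049C737DC39C"
    "7F2F1C9C417DC39C7F2F239CC37DC39C7F2F229C477DC39C7B05409C7B7DC39C"
    "7B05509C577DC39C727DC29C527FC39C0F04299C227DC39C0F041C9C737DC39C"
    "7F2F189C737DC39C727D549C737DC39C0F041D9C737DC39C52696368727DC39C"
)

DANS_MARK = 0x536E6144  # "DanS" as a little-endian DWORD
RICH_MARK = 0x68636952  # "Rich" as a little-endian DWORD


class RichEntry(NamedTuple):
    product_id: int  # high 16 bits of comp.id: which tool (compiler, linker, masm, ...)
    build: int       # low 16 bits of comp.id: toolset build number
    count: int       # objects / imports contributed by that tool


def parse_rich(blob: bytes) -> Tuple[int, List[RichEntry]]:
    """Return (xor_key, entries); raise ValueError if the layout is not a Rich header."""
    if len(blob) % 4 or len(blob) < 24:
        raise ValueError("Rich blob must be at least 6 whole DWORDs")
    words = list(struct.unpack("<%dI" % (len(blob) // 4), blob))
    marks = [i for i, w in enumerate(words) if w == RICH_MARK]
    if not marks:
        raise ValueError("'Rich' marker not found")
    rich_idx = marks[-1]                       # the marker is the last thing before the key
    if rich_idx + 1 >= len(words):
        raise ValueError("key missing after 'Rich'")
    key = words[rich_idx + 1]
    clear = [w ^ key for w in words[:rich_idx]]
    if clear[0] != DANS_MARK:
        raise ValueError("'DanS' check failed: wrong key or not a Rich header")
    if any(clear[1:4]):
        raise ValueError("padding after 'DanS' is not zero: header modified?")
    body = clear[4:]
    if len(body) % 2:
        raise ValueError("comp.id / count pairs are unbalanced")
    entries = [RichEntry(cid >> 16, cid & 0xFFFF, cnt)
               for cid, cnt in zip(body[0::2], body[1::2])]
    return key, entries


def toolset_builds(entries: List[RichEntry]) -> List[int]:
    """Distinct non-zero build numbers, ascending (build 0 entries are import stubs)."""
    return sorted({e.build for e in entries if e.build})


if __name__ == "__main__":
    key, entries = parse_rich(bytes.fromhex(RICH_HEX))
    print("key = 0x%08X, %d entries" % (key, len(entries)))
    for e in entries:
        print("  prodid=0x%04X build=%5d count=%d" % e)
    print("toolset builds:", toolset_builds(entries))
```

Build 30729 (Visual Studio 2008 SP1) alongside the 2013 builds is normal for statically linked library objects; the entry with product id 1 and build 0 is the import-stub count (544 imported functions here).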
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:
Compiler: Microsoft Visual C++
Compiler: Microsoft Visual C++ 6 DLL
Compiler: AutoIt 3 (the compiled script is embedded in the \RCDATA\SCRIPT\0 resource and can be recovered with an AutoIt decompiler)
Detect It Easy (die)
PE: library: AutoIt(3.XX)[-]
PE: compiler: EP:Microsoft Visual C/C++(2013-2017)[EXE32]
PE: compiler: Microsoft Visual C/C++(2013)[-]
PE: linker: Microsoft Linker(12.0*)[EXE32]
Entropy: 7.16807 (whole file)
Note: the "Visual C++ 6" match is a generic byte-pattern signature; the DIE result (linker 12.0, i.e. Visual Studio 2013) agrees with the Rich header build numbers and is the one to trust. High whole-file entropy is expected for an AutoIt executable: the compiled script resource (0x50CC5 bytes here) is stored compressed.

Suspicious Functions:
Library Function Description
KERNEL32.DLL VirtualAlloc Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL CopyFileW Copies an existing file to a new file.
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL LoadLibraryA Loads the specified module into the address space of the calling process.
KERNEL32.DLL LoadLibraryW Loads the specified module into the address space of the calling process.
KERNEL32.DLL CreateToolhelp32Snapshot Creates a snapshot of the specified processes, heaps, threads, and modules.
KERNEL32.DLL WriteProcessMemory Writes data to an area of memory in a specified process.
KERNEL32.DLL ReadProcessMemory Reads data from an area of memory in a specified process.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL IsDebuggerPresent Determines if the calling process is being debugged by a user-mode debugger.
USER32.DLL GetAsyncKeyState Retrieves the status of a virtual key asynchronously.
SHELL32.DLL ShellExecuteW Performs an operation (open, run, print, ...) on a specified file.
SHELL32.DLL ShellExecuteExW Performs an operation (open, run, print, ...) on a specified file.
Note: these imports belong to the AutoIt3 interpreter that is compiled into every AutoIt executable (Run/ShellExecute, ProcessList via Toolhelp32, ControlListView via Read/WriteProcessMemory, and so on), so they describe the runtime's capabilities; what this sample actually does is decided by the script in the \RCDATA\SCRIPT\0 resource.
Windows REG (UNICODE):
Software\AutoIt v3\AutoIt
SOFTWARE\Classes\
SYSTEM\CurrentControlSet\Control\Nls\Language

File Access:
OLEAUT32.dll
ole32.dll
SHELL32.dll
ADVAPI32.dll
COMDLG32.dll
GDI32.dll
USER32.dll
KERNEL32.dll
UxTheme.dll
USERENV.dll
IPHLPAPI.DLL
PSAPI.DLL
WININET.dll
MPR.dll
COMCTL32.dll
WINMM.dll
VERSION.dll
WSOCK32.dll
Temp
UserProfile

File Access (UNICODE):
bad allocation
mscoree.dll
combase.dll
Temp
ProgramFiles
AppData
UserProfile

Words of Interest:
exec
attrib
start
shutdown
systeminfo
ping
replace

Words of Interest (UNICODE):
exec
attrib
start
pause
comspec
shutdown
ping
expand
replace

IP Addresses:
255.255.255.255 (the limited-broadcast address; it appears next to 0.0.0.0 among the AutoIt runtime strings and is not a network indicator)

Strings/Hex Code Found With The File Rules:
Rule Text (Ascii): Registry (RegCreateKeyEx)
Rule Text (Ascii): Registry (RegOpenKeyEx)
Rule Text (Ascii): Registry (RegSetValueEx)
Rule Text (Ascii): Registry (RegDeleteKeyEx)
Rule Text (Ascii): File (GetTempPath)
Rule Text (Ascii): File (CopyFile)
Rule Text (Ascii): File (CreateFile)
Rule Text (Ascii): File (WriteFile)
Rule Text (Ascii): File (ReadFile)
Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent)
Rule Text (Ascii): Anti-Analysis VM (GetSystemInfo)
Rule Text (Ascii): Anti-Analysis VM (GlobalMemoryStatusEx)
Rule Text (Ascii): Anti-Analysis VM (GetVersion)
Rule Text (Ascii): Anti-Analysis VM (CreateToolhelp32Snapshot)
Rule Text (Ascii): Stealth (VirtualAlloc)
Rule Text (Ascii): Stealth (ReadProcessMemory)
Rule Text (Ascii): Execution (CreateProcessA)
Rule Text (Ascii): Execution (CreateProcessW)
Rule Text (Ascii): Execution (ShellExecute)
Rule Text (Ascii): Execution (ResumeThread)
Rule Text (Unicode): Privileges (SeAssignPrimaryTokenPrivilege)
Rule Text (Unicode): Privileges (SeBackupPrivilege)
Rule Text (Unicode): Privileges (SeDebugPrivilege)
Rule Text (Unicode): Privileges (SeIncreaseQuotaPrivilege)
Rule Text (Unicode): Privileges (SeRestorePrivilege)
Rule Text (Unicode): Privileges (SeShutdownPrivilege)
Rule Text (Unicode): Keyboard Key (ALTDOWN)
Rule Text (Unicode): Keyboard Key (ALTUP)
Rule Text (Unicode): Keyboard Key (SHIFTDOWN)
Rule Text (Unicode): Keyboard Key (SHIFTUP)
Rule Text (Unicode): Keyboard Key (CTRLDOWN)
Rule Text (Unicode): Keyboard Key (CTRLUP)
Rule Text (Unicode): Keyboard Key (LWINDOWN)
Rule Text (Unicode): Keyboard Key (LWINUP)
Rule Text (Unicode): Keyboard Key (RWINDOWN)
Rule Text (Unicode): Keyboard Key (RWINUP)
Rule Text (Unicode): Keyboard Key (LBUTTON)
Rule Text (Unicode): Keyboard Key (MBUTTON)
Rule Text (Unicode): Keyboard Key (RBUTTON)
Rule Text (Unicode): Keyboard Key (NUMPAD0)
Rule Text (Unicode): Keyboard Key (NUMPAD1)
Rule Text (Unicode): Keyboard Key (NUMPAD2)
Rule Text (Unicode): Keyboard Key (NUMPAD3)
Rule Text (Unicode): Keyboard Key (NUMPAD4)
Rule Text (Unicode): Keyboard Key (NUMPAD5)
Rule Text (Unicode): Keyboard Key (NUMPAD6)
Rule Text (Unicode): Keyboard Key (NUMPAD7)
Rule Text (Unicode): Keyboard Key (NUMPAD8)
Rule Text (Unicode): Keyboard Key (NUMPAD9)
Rule Text (Unicode): Keyboard Key (CapsLock)
Rule Text (Ascii): Redirect (rule labelled "malicious rerouting of traffic to an attacker-controlled site"; the match is on the bare word "Redirect")
EP Rules: Microsoft Visual C++ 8
EP Rules: VC8 -> Microsoft Corporation
Note: the Keyboard Key and Privileges matches are consistent with the AutoIt3 runtime's own strings (the Send() key syntax such as {ALTDOWN} and {NUMPAD0}, and the privileges it enables for RunAs, process and Shutdown built-ins), so they appear in any AutoIt-compiled executable. The "VC++ 8" EP rule conflicts with the DIE linker 12.0 match and the Rich header and should be read as a generic pattern hit.

Resources:
Path DataRVA Size FileOffset CodeText
\ICON\1\2057 C75A8 128 C1BA8 2800000010000000200000000100040000000000C000000000000000000000000000000000000000000000007A60EB00795F(....... ...................................z..y_
\ICON\2\2057 C76D0 128 C1CD0 28000000100000002000000001000400000000008000000000000000000000001000000010000000000000007A60EB00795F(....... ...................................z..y_
\ICON\3\2057 C77F8 128 C1DF8 2800000010000000200000000100040000000000C000000000000000000000000000000000000000000000007A60EB00795F(....... ...................................z..y_
\ICON\4\2057 C7920 2E8 C1F20 2800000020000000400000000100040000000000000000000000000000000000000000000000000000000000000000000080(... ...@.........................................
\ICON\5\2057 C7C08 128 C2208 2800000010000000200000000100040000000000000000000000000000000000000000000000000000000000000000000080(....... .........................................
\ICON\6\2057 C7D30 EA8 C2330 28000000300000006000000001000800000000000000000000000000000000000000000000000000000000009F7747000000(...0.......................................wG...
\ICON\7\2057 C8BD8 8A8 C31D8 2800000020000000400000000100080000000000000000000000000000000000000000000000000000000000A06A3C00AB7E(... ...@....................................j<..~
\ICON\8\2057 C9480 568 C3A80 28000000100000002000000001000800000000000000000000000000000000000000000000000000000000009E6F3E009D72(....... ....................................o>..r
\ICON\9\2057 C99E8 25A8 C3FE8 2800000030000000600000000100200000000000000000000000000000000000000000000000000000000000000000000000(...0........ ...................................
\ICON\10\2057 CBF90 10A8 C6590 2800000020000000400000000100200000000000000000000000000000000000000000000000000000000000000000000000(... ...@..... ...................................
\ICON\11\2057 CD038 468 C7638 2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000(....... ..... ...................................
\MENU\166\2057 CD4A0 50 C7AA0 00000000900043006F006E007400650078007400310000000000A70053006300720069007000740020002600500061007500......C.o.n.t.e.x.t.1.......S.c.r.i.p.t. .&.P.a.u.
\STRING\7\2057 CD4F0 594 C7AF0 0000000000000000000009002800500061007500730065006400290020000C004100750074006F0049007400200045007200............(.P.a.u.s.e.d.). ...A.u.t.o.I.t. .E.r.
\STRING\8\2057 CDA84 68A C8084 300049006E0063006F007200720065006300740020006E0075006D0062006500720020006F006600200070006100720061000.I.n.c.o.r.r.e.c.t. .n.u.m.b.e.r. .o.f. .p.a.r.a.
\STRING\9\2057 CE110 490 C8710 30004500780070006500630074006500640020006100200022003D00220020006F00700065007200610074006F00720020000.E.x.p.e.c.t.e.d. .a. .".=.". .o.p.e.r.a.t.o.r. .
\STRING\10\2057 CE5A0 5FC C8BA0 1A0049006E00760061006C00690064002000660069006C0065002000660069006C0074006500720020006700690076006500..I.n.v.a.l.i.d. .f.i.l.e. .f.i.l.t.e.r. .g.i.v.e.
\STRING\11\2057 CEB9C 65C C919C 3E002200530065006C0065006300740022002000730074006100740065006D0065006E00740020006900730020006D006900>.".S.e.l.e.c.t.". .s.t.a.t.e.m.e.n.t. .i.s. .m.i.
\STRING\12\2057 CF1F8 466 C97F8 4800430061006E0020007000610073007300200063006F006E007300740061006E0074007300200062007900200072006500H.C.a.n. .p.a.s.s. .c.o.n.s.t.a.n.t.s. .b.y. .r.e.
\STRING\313\2057 CF660 158 C9C60 00000000000000000000000000000000150055006E00610062006C006500200074006F002000700061007200730065002000..................U.n.a.b.l.e. .t.o. .p.a.r.s.e. .
\RCDATA\SCRIPT\0 CF7B8 50CC5 C9DB8 A3484BBE986C4AA9994C530A86D6487D41553321454130364DA8FF7324A73CF67A12F167ACC193E76B43CA52A6AD0000E1BB.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R......
\GROUP_ICON\99\2057 120480 76 11AA80 0000010008002020100001000400E8020000040010101000010004002801000005003030000001000800A80E000006002020...... ....................(.....00............
\GROUP_ICON\162\2057 1204F8 14 11AAF8 0000010001001010100001000400280100000200000001000100101010000100040028010000010000000100010010101000..............(...................(...............
\GROUP_ICON\164\2057 12050C 14 11AB0C 00000100010010101000010004002801000001000000010001001010100001000400280100000300DC003400000056005300..............(...................(.......4...V.S.
\GROUP_ICON\169\2057 120520 14 11AB20 0000010001001010100001000400280100000300DC0034000000560053005F00560045005200530049004F004E005F004900..............(.......4...V.S._.V.E.R.S.I.O.N._.I.
\VERSION\1\2057 120534 DC 11AB34 DC0034000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\2057 120610 3EF 11AC10 3C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122<assembly xmlns="urn:schemas-microsoft-com:asm.v1"
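Identifying the AutoIt script blob in the \RCDATA\SCRIPT\0 resource, as an added example (not PESCAN.IO code). The first 50 bytes printed above open with the 16-byte AutoIt3 compiled-script magic, then the "AU3!" marker and the version tag "EA06". The scanner below looks for that layout anywhere in a buffer (older AutoIt builds appended the script as an overlay instead of a resource), using a constructed buffer that embeds the resource prefix from this report. The body after the header is compressed, so the blob still has to go through an AutoIt script extractor to recover source.

```python
"""Locate and identify embedded AutoIt3 compiled-script blobs.

Added example, not PESCAN.IO code. SCRIPT_RES_PREFIX is the first 50 bytes
of the \\RCDATA\\SCRIPT\\0 resource as printed in the report; SAMPLE is a
constructed buffer that embeds it at an arbitrary offset.
"""
from typing import List, NamedTuple

# 16-byte magic that opens an AutoIt3 compiled script, followed by "AU3!" + 4-byte version tag
AU3_MAGIC = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")
AU3_TAG_PREFIX = b"AU3!"

SCRIPT_RES_PREFIX = bytes.fromhex(
    "A3484BBE986C4AA9994C530A86D6487D41553321454130364DA8FF7324A73CF6"
    "7A12F167ACC193E76B43CA52A6AD0000E1BB"
)
SAMPLE = b"\x00" * 0x40 + SCRIPT_RES_PREFIX + b"\x00" * 0x20   # constructed


class Au3Script(NamedTuple):
    offset: int          # offset of the magic within the scanned buffer
    version_tag: bytes   # e.g. b"EA06", the tag used by current AutoIt3 versions


def find_au3_scripts(data: bytes) -> List[Au3Script]:
    """Every position where the magic is immediately followed by 'AU3!' + tag."""
    found: List[Au3Script] = []
    pos = data.find(AU3_MAGIC)
    while pos != -1:
        tag_at = pos + len(AU3_MAGIC)
        if data[tag_at:tag_at + 4] == AU3_TAG_PREFIX:
            found.append(Au3Script(pos, bytes(data[tag_at + 4:tag_at + 8])))
        pos = data.find(AU3_MAGIC, pos + 1)
    return found


if __name__ == "__main__":
    for hit in find_au3_scripts(SAMPLE):
        print("AutoIt3 script at offset 0x%X, tag %r" % (hit.offset, hit.version_tag))
```

On the real file the same scan, run over the whole image, would report the magic at file offset 0xC9DB8, the FileOffset the resource table gives for \RCDATA\SCRIPT\0.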
Intelligent String:
• RUNAS
• RUNASWAIT
• mscoree.dll
• combase.dll
• !"$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]_abcdefghijklmnopqrstuvwxyz{|}~ (printable-character table; run together with the next string in the dump)
• kernel32.dll
• USER32.DLL
• COMSPEC
• runas
• 0.0.0.0
• .lnk
• 255.255.255.255
• .icl
• .exe
• .dll
• COMCTL32.dll
• KERNEL32.dll
• USER32.dll
• COMDLG32.dll

Extra 4n4lysis:
Metric          Value    Percentage
Ascii Code      712512   59.958%
Null Byte Code  158779   13.3613%