PESCAN.IO - Analysis Report Basic

File Structure
PE Chart Code
Header PE (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header
Chart Code For Other Files
Printable characters (blue)
Non-printable characters (black)
Information

| Field | Value |
|---|---|
| Size | 5,23 MB |
| SHA-256 Hash | C744E505F5A6B60213226304170444BF8FAB9488F959741644B3B4E64A445EDE |
| SHA-1 Hash | D072E1E36847E558041D481CB7C3D57475017891 |
| MD5 Hash | 0587DACBAB8800D96D243A7A2D332B94 |
| Imphash | DE0DF3E9F1C8ED210CB1EE25C7CFB977 |
| MajorOSVersion | 6 |
| MinorOSVersion | 0 |
| CheckSum | 00000000 |
| EntryPoint (rva) | 13CAEEA |
| SizeOfHeaders | 400 |
| SizeOfImage | 1714000 |
| ImageBase | 10000000 |
| Architecture | x86 |
| ExportTable | 1426590 |
| ImportTable | 13BE9A0 |
| IAT | 167F000 |
| Characteristics | 2102 |
| TimeDateStamp | 6346E89D |
| Date | 12/10/2022 16:17:33 |
| File Type | DLL |
| Number Of Sections | 12 |
| ASLR | Enabled |
| Section Names | .textbss, .text, .rdata, .data, .idata, .msvcjmc, .tls, .00cfg, .vmp0, .vmp1, .reloc, .rsrc |
| Number Of Executable Sections | 4 |
| Subsystem | Windows GUI |
| UAC Execution Level Manifest | asInvoker |
| Note | Incomplete Binary or Compressor Packer - 17,85 MB Missing |
Sections Info

| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .textbss | 0xE00000A0 Code Uninitialized Data Executable Readable Writeable | 0 | 0 | 1000 | 3BD3F9 | | |
| .text | 0x60000020 Code Executable Readable | 0 | 0 | 3BF000 | 7CA83E | | |
| .rdata | 0x40000040 Initialized Data Readable | 0 | 0 | B8A000 | F08DD | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | 0 | 0 | C7B000 | 17C4B8 | | |
| .idata | 0x40000040 Initialized Data Readable | 0 | 0 | DF8000 | 7CD1 | | |
| .msvcjmc | 0xC0000040 Initialized Data Readable Writeable | 0 | 0 | E00000 | 5E1 | | |
| .tls | 0xC0000040 Initialized Data Readable Writeable | 400 | 400 | E01000 | 309 | | |
| .00cfg | 0x40000040 Initialized Data Readable | 0 | 0 | E02000 | 109 | | |
| .vmp0 | 0xE0000020 Code Executable Readable Writeable | 0 | 0 | E03000 | 347E94 | | |
| .vmp1 | 0xE0000060 Code Initialized Data Executable Readable Writeable | 800 | 539000 | 114B000 | 538E04 | | |
| .reloc | 0x40000040 Initialized Data Readable | 539800 | 400 | 1684000 | 208 | | |
| .rsrc | 0x40000040 Initialized Data Readable | 539C00 | 600 | 1685000 | 8EF06 | | |
Entry Point

Section number 10 (.vmp1) contains the entry point.

- EntryPoint (calculated): 2806EA
- Code: 68F4BDD64F9CC7442404CFDA775E6837DE19D49CE91A42FFFFA3518DE9D9757557B6142A1B8C939626C006B8FEB81EA82EA8
- EP changed to another address (Address Of EntryPoint > Base Of Data)

Assembler:

```asm
PUSH 0X4FD6BDF4
PUSHFD
MOV DWORD PTR [ESP + 4], 0X5E77DACF
PUSH 0XD419DE37
PUSHFD
JMP 0XFFFF5233
MOV DWORD PTR [0XD9E98D51], EAX
JNE 0X1095
PUSH EDI
MOV DH, 0X14
SUB BL, BYTE PTR [EBX]
MOV WORD PTR [EBX + 0X6C02696], SS
MOV EAX, 0XA81EB8FE
```
Signatures

Rich Signature Analyzer:

- Code: 6C0BB8F7286AD6A4286AD6A4286AD6A43C01D5A5096AD6A43C01D2A50D6AD6A43C01D3A5C76AD6A43C01D0A5296AD6A43C01D7A50C6AD6A47A1FD2A5386AD6A47A1FD5A5316AD6A47A1FD3A5B46BD6A47E1FD7A52A6AD6A42D668BA42B6AD6A4286AD7A4C669D6A47E1FD3A53D6AD6A47E1FD6A5296AD6A47E1F29A4296AD6A4286A41A4296AD6A47E1FD4A5296AD6A452696368286AD6A4
- Footprint md5 Hash: AEE2FC677D05141F76C94CFE616EFC7B
- The Rich header apparently has not been modified

Certificate:

- Digital Signature Not Found: the file is not signed
Packer/Compiler

Detect It Easy (die):

- PE: linker: Microsoft Linker(14.29**)[-]
- Entropy: 7.98866
Suspicious Functions

| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleFileNameA | Retrieves the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
ET Functions (carving)

Original Name -> mylib.dll

Carved strings: wrA TiU ExitProcess
File Access

y]hVSHLWAPI.dll, mylib.dll, KERNEL32.dll, DUSER32.dll, UxTheme.dll, Y34user32.dll, LuaPlus.dll, oledlg.dll, MSIMG32.dll, gdiplus.dll, OLEACC.dll, OgreMain.dll, SHELL32.dll, qpfYaGDI32.dll, IMM32.dll, Svole32.dll, WINMM.dll, WS2_32.dll, OLEAUT32.dll, ADVAPI32.dll, Z|IPHLPAPI.DLL, @.dat
Words of Interest

fuck - }:) exec start
URLs

http://schemas.microsoft.com/SMI/2005/WindowsSettings
Strings/Hex Code Found With The File Rules

| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Entry Point | Hex Pattern | Windows or OS/2 Graphics format |
Resources

| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \RESTXT\122\2052 | 16854E4 | B070 | 53A0E4 | 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | .................................................. |
| \RESTXT\123\2052 | 1690554 | D670 | 545154 | 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | .................................................. |
| \RESTXT\124\2052 | 169DBC4 | 553E | 5527C4 | 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | .................................................. |
| \RESTXT\125\2052 | 16A3104 | 3661 | 557D04 | 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | .................................................. |
| \RESTXT\126\2052 | 16A6768 | C59 | 55B368 | 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | .................................................. |
| \RESTXT\127\2052 | 16A73C4 | 2080 | 55BFC4 | 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | .................................................. |
| \RESTXT\128\2052 | 16A9444 | 5574C | 55E044 | 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | .................................................. |
| \RESTXT\129\2052 | 16FEB90 | CA9 | 5B3790 | 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | .................................................. |
| \RESTXT\130\2052 | 16FF83C | 1814 | 5B443C | 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | .................................................. |
| \RESTXT\131\2052 | 1701050 | 11B0 | 5B5C50 | 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | .................................................. |
| \RESTXT\132\2052 | 1702200 | 4C86 | 5B6E00 | 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | .................................................. |
| \RESTXT\133\2052 | 1706E88 | D07E | 5BBA88 | 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | .................................................. |
| \24\2\1033 | 16852C0 | 224 | 539EC0 | EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65 | ...<?xml version="1.0" encoding="UTF-8" standalone |
Intelligent String

- .tls
- /:\:p::$<<$=GD
- mylib.dll
- <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
Flow Anomalies

| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 40D0 | 16852C0 | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 10185 | 16852C0 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 11B04 | 16852C0 | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 26D42 | 16852C0 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 2C16E | 77816CE1 | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 30045 | 77816CE1 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 497AA | 578145AD | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 4ECA6 | 578145AD | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 55DA2 | 52966407 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 5B471 | 52966407 | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 5EEF8 | 52966407 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 66EDF | 52966407 | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 69E47 | 52966407 | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 70E40 | 24A410EA | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 75635 | 24A410EA | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 7B0D9 | 1167F0B0 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 807FB | 1167F0B0 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 81463 | 1167F0B0 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 8711F | D358CBC | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 8A538 | 50C86237 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 8DE88 | 77F0A67F | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 92151 | 77F0A67F | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 93511 | 77F0A67F | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 9AC6A | 77F0A67F | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| A317E | 77F0A67F | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| A6CF3 | D1261B4 | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| A8515 | D1261B4 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| BA18F | 5D0B089F | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| BC741 | A9D2303 | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| C855A | A9D2303 | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| E005F | 50261A3 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| EE450 | 50261A3 | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| F8716 | 1EA4B290 | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 1020E8 | 2914037D | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 103A3E | 2914037D | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 12AB6B | 57037D34 | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 12C778 | 251A19B8 | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 130653 | 61D63477 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 13A78B | 73C29746 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 13DA28 | 73C29746 | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 1425A0 | 73C29746 | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 1564A1 | 73C29746 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 16526C | 219BF63 | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 16B03C | 219BF63 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 16CB67 | 26C7E4CE | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 17D0DD | 26C7E4CE | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 1871E0 | 26C7E4CE | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 1877C5 | 30017DD0 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 188B76 | 32CDC7C5 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 18E574 | 32CDC7C5 | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 1ACC48 | 32CDC7C5 | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 1B8855 | 32CDC7C5 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 1B8FF4 | 32CDC7C5 | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 1C3CE4 | 5441D883 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 1C82C0 | 2E1E47CB | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 1CD296 | 2E1E47CB | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 1D1470 | 2E1E47CB | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 1D7029 | 2E1E47CB | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 1DB190 | 2E1E47CB | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 1DD511 | 15B8281F | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 1E1A36 | 761A6F42 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 1F7127 | 761A6F42 | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 1FB23F | 761A6F42 | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 204546 | 761A6F42 | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 2053AE | 761A6F42 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 21305A | 761A6F42 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 214F4F | 69F34467 | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 216300 | 69F34467 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 227748 | 69F34467 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 22B26A | 69F34467 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 231CE5 | 69F34467 | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 233DFC | 69F34467 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 237F63 | D8E848 | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 239FD2 | D8E848 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 24114A | 648E56A0 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 2433D8 | 648E56A0 | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 243EAA | 7B1CB226 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 25280C | 7B1CB226 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 25A3D7 | 7B1CB226 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 265F0F | 1D3C7A4F | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 26CC4E | 294BDA4B | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 27183B | 294BDA4B | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 271F82 | 4DC140EC | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 27C374 | 4DC140EC | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 27D484 | 4DC140EC | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 2F67B5 | 4DC140EC | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 2FFAEA | 4DC140EC | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 3009A9 | 4DC140EC | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 3026E5 | 4DC140EC | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 303250 | 4DC140EC | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 3041B5 | 291E26EB | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 30D45B | 291E26EB | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 31D388 | 291E26EB | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 327326 | 291E26EB | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 32C906 | 291E26EB | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 32D5B6 | 291E26EB | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 32E75D | 7737910B | .vmp1 | CALL [static] | Indirect call to absolute memory address |
| 332A44 | 5448B388 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 3442C6 | D393421 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 345B8E | 292DA931 | .vmp1 | JMP [static] | Indirect jump to absolute memory address |
| 7985C | 167B4F4 | .vmp1 | TLS Callback | Pointer to 1167B4F4 - 0x530CF4 .vmp1 |
| 800-5397FF | 114B000 | .vmp1 | Executable section anomaly | First bytes: 89B8C4CD3C44F94A |
Extra Analysis

| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 3793544 | 69,2131% |
| Null Byte Code | 46261 | 0,844% |