PESCAN.IO - Analysis Report Basic
| File Structure |
[File-structure chart not included in the text export. Chart legend for PE files: PE header (light blue), executable sections (pink), non-executable sections (black), externally injected code (red); a file structure drawn in red indicates a malformed or corrupted header. Legend for other file types: printable characters (blue), non-printable characters (black).]
| Information |
- Size: 7.50 KB
- SHA-256: 0E4D7C9394131D203CCA3B419477C0F39D0A7C73A2F7F2B9D46FAEFF8E7C03EB
- SHA-1: 5F214DAAE1E9CE9D086144C01B9EF3EF78108FD3
- MD5: 061DFC33162330E07965B7F02F6CA913
- Imphash: C2D02FC98F1D75D7B9457468EC75DA0E
- MajorOSVersion: 4, MinorOSVersion: 0
- CheckSum (header): 0x0000FB62
- EntryPoint (RVA): 0x5000
- SizeOfHeaders: 0x298
- SizeOfImage: 0x5228
- ImageBase: 0x0000000140000000
- Architecture: x64
- ImportTable (RVA): 0x51C8
- IAT (RVA): 0x2000
- Characteristics: 0x22 (EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE)
- TimeDateStamp: 0x68B0CCEF (28/08/2025 21:41:03)
- File Type: EXE
- Number Of Sections: 5
- ASLR: Disabled
- Section Names: .text, .rdata, .data, .pdata, .wxzh
- Number Of Executable Sections: 2
- Subsystem: Windows GUI
| Sections Info |
All offsets and sizes are hexadecimal; the report gives no per-section Entropy or Chi2 values.
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code, Executable, Readable | 400 | 200 | 1000 | 32 | | |
| .rdata | 0x40000040 Initialized Data, Readable | 600 | 200 | 2000 | 198 | | |
| .data | 0xC0000040 Initialized Data, Readable, Writeable | 800 | 1000 | 3000 | 1000 | | |
| .pdata | 0x40000040 Initialized Data, Readable | 1800 | 200 | 4000 | C | | |
| .wxzh | 0xE0000020 Code, Executable, Readable, Writeable | 1A00 | 400 | 5000 | 228 | | |
| Entry Point |
The entry point is in section 5 (.wxzh), a writable and executable section: RVA 0x5000, calculated raw offset 0x1A00. This is not the .text section where a linker-generated entry point would normally sit.
Code -> FC4883E4F0E8CC00000041514150524831D265488B5260488B52185156488B5220488B7250480FB74A4A4D31C94831C0AC3C
Assembler (the CALL target 0x10D6 is what the disassembler reports with its default base of 0x1000; relative to the real entry RVA 0x5000 the call lands at RVA 0x50D6):
| CLD
| AND RSP, 0xFFFFFFFFFFFFFFF0 ; 16-byte stack alignment
| CALL 0x10D6 ; skips over the API-resolver body, leaving its address on the stack
| PUSH R9
| PUSH R8
| PUSH RDX
| XOR RDX, RDX
| MOV RDX, QWORD PTR GS:[RDX + 0x60] ; PEB
| MOV RDX, QWORD PTR [RDX + 0x18] ; PEB->Ldr
| PUSH RCX
| PUSH RSI
| MOV RDX, QWORD PTR [RDX + 0x20] ; Ldr->InMemoryOrderModuleList.Flink
| MOV RSI, QWORD PTR [RDX + 0x50] ; BaseDllName.Buffer of the current module entry
| MOVZX RCX, WORD PTR [RDX + 0x4A] ; BaseDllName.MaximumLength
| XOR R9, R9 ; hash accumulator
| XOR RAX, RAX
| LODSB AL, BYTE PTR [RSI] ; next character of the module name
This is the standard Metasploit x64 block_api prologue: it walks the PEB loader list and hashes module and export names to resolve APIs at run time without an import table, which is why the rule matches below identify it as Metasploit / Cobalt Strike reverse-TCP shellcode.
| Signatures |
- CheckSum Integrity Problem: header 64354 (0xFB62), calculated 64714 (0xFCCA)
- Rich Signature Analyzer: Code -> 990405C7DD656B94DD656B94DD656B94A9E46A95DE656B94DD656A94DC656B945AEC6F95DC656B945AEC6995DC656B9452696368DD656B94; footprint MD5 -> F863E6EB600C28E474C539D7F45FF7C4; the Rich header apparently has not been modified
- Certificate / Digital Signature: not found, the file is not signed
| Packer/Compiler |
| Detect It Easy (die) • PE+(64): linker: Microsoft Linker(1.0*)[-] • Entropy: 1.34705 |
| File Access |
| KERNEL32.dll .dat @.dat |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | ASCII | Stealth (VirtualProtect) |
| Hex | Hex Pattern | Metasploit Shellcode 1 (Reverse TCP x64 - FC4883E4F0) |
| Entry Point | Hex Pattern | Metasploit Shellcode - Reverse TCP x64 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 |
| Entry Point | Hex Pattern | NE-Exe Executable Image |
| Entry Point | Hex Pattern | TrueVision Targa Graphics format |
The Visual C++, NE-Exe and Targa entry-point hits are low-specificity short-pattern matches; the bytes actually at the entry point (FC4883E4F0E8...) are the Metasploit x64 stub shown in the Entry Point section, and only the two Metasploit rules describe them.
| Intelligent String |
| • KERNEL32.dll |
| Flow Anomalies |
| Offset | RVA | Section | Description |
|---|---|---|---|
| 0x41B | N/A | .text | CALL QWORD PTR [RIP+0xFDF] |
| 0x1A00 | N/A | .wxzh | Rule match: FC4883E4F0E8 - Cobalt Strike shellcode start (CobaltStrike) |
| 0x1A00-0x1DFF | 0x5000 | .wxzh | Executable section anomaly, first bytes: FC4883E4F0E8CC00 |
The RIP-relative call at raw offset 0x41B sits at RVA 0x101B (.text maps raw 0x400 to RVA 0x1000); the 6-byte instruction ends at 0x1021 and 0x1021 + 0xFDF = 0x2000, which is the IAT RVA listed in the header. It is therefore an indirect call through the import address table, and KERNEL32.dll is the only imported module the report lists, consistent with the VirtualProtect string match above.
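The findings above (checksum mismatch, ASLR off, a writable+executable section, an entry point outside .text, and the Metasploit stub bytes at the entry point) can be reproduced with a few dozen lines of header parsing. The following is an added example written for this page, not pescan.io's own code. It parses a PE32+ header with `struct`, recomputes the ImageHlp checksum, and flags each anomaly. Because the scanned file is not available, `build_sample_pe()` constructs a synthetic image that mirrors only the report's section table, entry point and first entry-point bytes; its DOS stub, optional-header fields such as DllCharacteristics (0x8100 assumed, with DYNAMIC_BASE cleared) and the content of every other section are assumptions, so its computed checksum will not match the report's 64714.

```python
"""Added PE triage example (not pescan.io code): parse a PE32+ header,
recompute the PE checksum and flag the anomalies listed in the report."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
MSF_X64_STUB = bytes.fromhex("FC4883E4F0E8")  # CLD; AND RSP,-0x10; CALL rel32


def _checksum_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum (same offset for PE32 and PE32+)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 + 20 + 64


def with_checksum(data: bytes, value: int) -> bytes:
    """Return a copy of data with OptionalHeader.CheckSum set to value."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, _checksum_offset(data), value)
    return bytes(buf)


def pe_checksum(data: bytes) -> int:
    """ImageHlp-style checksum: dword sum with carry folding, CheckSum field
    counted as zero, folded to 16 bits, plus the file length."""
    buf = bytearray(with_checksum(data, 0)) + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(buf), 4):
        total += struct.unpack_from("<I", buf, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe(data: bytes) -> dict:
    """Minimal PE32+ walk: entry RVA, header checksum, DllCharacteristics, sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("not a PE32+ image")
    sections = []
    for i in range(nsect):  # IMAGE_SECTION_HEADER is 40 bytes, Characteristics last
        name, vsize, va, rsize, roff, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                         "va": va, "rsize": rsize, "roff": roff, "chars": chars})
    return {"entry": struct.unpack_from("<I", data, opt + 16)[0],
            "checksum": struct.unpack_from("<I", data, opt + 64)[0],
            "dllchars": struct.unpack_from("<H", data, opt + 70)[0],
            "sections": sections}


def triage(data: bytes) -> list:
    """Return the findings a quick header triage raises for this image."""
    pe, findings = parse_pe(data), []
    calc = pe_checksum(data)
    if pe["checksum"] != calc:
        findings.append(f"checksum mismatch: header {pe['checksum']:#x}, calculated {calc:#x}")
    if not pe["dllchars"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
        findings.append("ASLR disabled (DYNAMIC_BASE not set)")
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    for s in pe["sections"]:
        if s["chars"] & rwx == rwx:
            findings.append(f"writable+executable section {s['name']}")
    ep = pe["entry"]
    ep_sec = next((s for s in pe["sections"]
                   if s["va"] <= ep < s["va"] + max(s["vsize"], s["rsize"])), None)
    if ep_sec is None:
        findings.append(f"entry point {ep:#x} outside every section")
        return findings
    if ep_sec["name"] != ".text":
        findings.append(f"entry point {ep:#x} in {ep_sec['name']}, not in .text")
    raw = ep_sec["roff"] + (ep - ep_sec["va"])  # RVA -> file offset inside the section
    if data[raw:raw + len(MSF_X64_STUB)] == MSF_X64_STUB:
        findings.append("Metasploit/Cobalt Strike x64 stub FC4883E4F0E8 at entry point")
    return findings


def build_sample_pe(header_checksum: int = 0xFB62) -> bytes:
    """Constructed PE32+ image mirroring the report's section table (assumption:
    this is a synthetic sample, not the scanned file)."""
    secs = [(b".text", 0x32, 0x1000, 0x200, 0x400, 0x60000020),
            (b".rdata", 0x198, 0x2000, 0x200, 0x600, 0x40000040),
            (b".data", 0x1000, 0x3000, 0x1000, 0x800, 0xC0000040),
            (b".pdata", 0xC, 0x4000, 0x200, 0x1800, 0x40000040),
            (b".wxzh", 0x228, 0x5000, 0x400, 0x1A00, 0xE0000020)]
    e_lfanew = 0x40
    hdr = b"MZ" + b"\0" * (e_lfanew - 6) + struct.pack("<I", e_lfanew) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x8664, len(secs), 0x68B0CCEF, 0, 0, 240, 0x22)
    hdr += struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",  # IMAGE_OPTIONAL_HEADER64
                       0x20B, 14, 0, 0x600, 0x1400, 0, 0x5000, 0x1000, 0x140000000,
                       0x1000, 0x200, 4, 0, 0, 0, 6, 0, 0, 0x5228, 0x298, header_checksum,
                       2, 0x8100, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    for name, vs, va, rs, ro, ch in secs:
        hdr += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vs, va, rs, ro, 0, 0, 0, 0, ch)
    img = bytearray(0x1A00 + 0x400)  # 7,680 bytes, the size given in the report
    img[:len(hdr)] = hdr
    stub = bytes.fromhex("FC4883E4F0E8CC00000041514150524831D265488B5260488B52185156"
                         "488B5220488B7250480FB74A4A4D31C94831C0AC3C")  # report's entry bytes
    img[0x1A00:0x1A00 + len(stub)] = stub
    return bytes(img)


if __name__ == "__main__":
    for finding in triage(build_sample_pe()):
        print("-", finding)
```

Run it as-is to see the five findings on the synthetic sample; to triage a real file, replace `build_sample_pe()` with the bytes read from disk. The entry-point section lookup uses `max(VirtualSize, SizeOfRawData)` because either can be the larger one, and the stub check reads the bytes at the entry's file offset rather than trusting any section name.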
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| ASCII (printable) bytes | 772 | 10.0521% |
| Null bytes | 6743 | 87.7995% |
© 2026 All rights reserved.