PESCAN.IO - Analysis Report Valid Code

File Structure: (analysis image not reproduced in this report text)
Information:
Icon: (icon image not reproduced)
Size: 11,27 MB
SHA-256 Hash: 597396ECACE126BB5F698641E80147E2D76AEC61D046BDE99F661BD0BBCDE104
SHA-1 Hash: 799615CD84BE23ACF485922384C3C0B9412B2FE7
MD5 Hash: 08DB8C1FF0CFA96F30E52B3C82A3C4BB
Imphash: 965E162FE6366EE377AA9BC80BDD5C65
MajorOSVersion: 6
CheckSum: 00B504E9
EntryPoint (rva): CE30
SizeOfHeaders: 400
SizeOfImage: 4E000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: 3DD7C
Characteristics: 22
TimeDateStamp: 68069609
Date: 21/04/2025 19:01:29
File Type: EXE
Number Of Sections: 7
ASLR: Disabled
Section Names (Optional Header): .text, .rdata, .data, .pdata, .fptable, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info:
Section Name  Flags                  ROffset  RSize  VOffset  VSize
.text         60000020 (Executable)  400      2A600  1000     2A4E0
.rdata        40000040               2AA00    12E00  2C000    12DB0
.data         C0000040 (Writeable)   3D800    E00    3F000    5350
.pdata        40000040               3E600    2400   45000    228C
.fptable      C0000040 (Writeable)   40A00    200    48000    100
.rsrc         40000040               40C00    3800   49000    3668
.reloc        42000040               44400    800    4D000    764
Description:
InternalName: Windows.WARP.JITService.exe
OriginalFilename: Windows.WARP.JITService.exe
CompanyName: Microsoft Corporation
LegalCopyright: Microsoft Corporation. All rights reserved.
ProductName: Microsoft Windows Operating System
FileVersion: 10.0.22621.3672 (WinBuild.160101.0800)

Binder/Joiner/Crypter:
Dropper code detected (EOF) - 10,96 MB

Entry Point:
Section number 1 contains the Entry Point
Information -> EntryPoint (calculated) - C230
Code -> 4883EC28E8570200004883C428E97AFEFFFFCCCCCCCCCCCCCCCCCCCCCCCCCCCC4883EC28E82306000085C0742165488B0425
SUB RSP, 0X28
CALL 0X1260
ADD RSP, 0X28
JMP 0XE8C
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
SUB RSP, 0X28
CALL 0X164C
TEST EAX, EAX
JE 0X104E

Signatures:
CheckSum Integrity Problem:
Header: 11863273
Calculated: 11845589
Rich Signature Analyzer:
Code -> C9A8F5FF8DC99BAC8DC99BAC8DC99BACF9489EAD3AC99BACF9489FAD81C99BACF94898AD85C99BAC9C4F66AC8EC99BAC9C4F98AD84C99BAC9C4F9FAD9CC99BAC9C4F9EADA5C99BACF9489AAD86C99BAC8DC99AAC13C99BAC754E9FAD94C99BAC754E99AD8CC99BAC526963688DC99BAC
Footprint md5 Hash -> 29F47DFBAAC01D2564822BAD05BC33F3
• The Rich header apparently has not been modified
Certificate - Digital Signature:
• The file is signed but has been modified

Packer/Compiler:
Detect It Easy (die)
PE+(64): compiler: Microsoft Visual C/C++(-)[-]
PE+(64): linker: Microsoft Linker(14.43**)[EXE64,signed]
PE+(64): overlay: zlib archive(-)[-]
Entropy: 7.99627

Suspicious Functions:
Library       Function           Description
KERNEL32.DLL  GetProcAddress     Possible Call API By Name. Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL  WriteFile          Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL  GetProcAddress     Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL  IsDebuggerPresent  Determines if the calling process is being debugged by a user-mode debugger.
File Access:
brar.exe
%s%c%s.exe
9python313.dll
bucrtbase.dll
bsqlite3.dll
bpython313.dll
blibssl-3.dll
blibffi-8.dll
blibcrypto-3.dll
bapi-ms-win-crt-utility-l1-1-0.dll
bapi-ms-win-crt-time-l1-1-0.dll
bapi-ms-win-crt-string-l1-1-0.dll
bapi-ms-win-crt-stdio-l1-1-0.dll
bapi-ms-win-crt-runtime-l1-1-0.dll
bapi-ms-win-crt-process-l1-1-0.dll
bapi-ms-win-crt-math-l1-1-0.dll
bapi-ms-win-crt-locale-l1-1-0.dll
bapi-ms-win-crt-heap-l1-1-0.dll
bapi-ms-win-crt-filesystem-l1-1-0.dll
bapi-ms-win-crt-environment-l1-1-0.dll
bapi-ms-win-crt-convert-l1-1-0.dll
bapi-ms-win-crt-conio-l1-1-0.dll
bapi-ms-win-core-util-l1-1-0.dll
bapi-ms-win-core-timezone-l1-1-0.dll
bapi-ms-win-core-sysinfo-l1-1-0.dll
bapi-ms-win-core-synch-l1-2-0.dll
bapi-ms-win-core-synch-l1-1-0.dll
bapi-ms-win-core-string-l1-1-0.dll
bapi-ms-win-core-rtlsupport-l1-1-0.dll
bapi-ms-win-core-profile-l1-1-0.dll
bapi-ms-win-core-processthreads-l1-1-1.dll
bapi-ms-win-core-processthreads-l1-1-0.dll
bapi-ms-win-core-processenvironment-l1-1-0.dll
bapi-ms-win-core-namedpipe-l1-1-0.dll
bapi-ms-win-core-memory-l1-1-0.dll
bapi-ms-win-core-localization-l1-2-0.dll
bapi-ms-win-core-libraryloader-l1-1-0.dll
bapi-ms-win-core-interlocked-l1-1-0.dll
bapi-ms-win-core-heap-l1-1-0.dll
bapi-ms-win-core-handle-l1-1-0.dll
bapi-ms-win-core-file-l2-1-0.dll
bapi-ms-win-core-file-l1-2-0.dll
bapi-ms-win-core-file-l1-1-0.dll
bapi-ms-win-core-fibers-l1-1-0.dll
bapi-ms-win-core-errorhandling-l1-1-0.dll
bapi-ms-win-core-debug-l1-1-0.dll
bapi-ms-win-core-datetime-l1-1-0.dll
bapi-ms-win-core-console-l1-1-0.dll
bVCRUNTIME140_1.dll
bVCRUNTIME140.dll
GDI32.dll
ADVAPI32.dll
KERNEL32.dll
COMCTL32.dll
USER32.dll
Path of ucrtbase.dll
ucrtbase.dll
.scR
setuptools._distutils.sys
setuptools._vendor.jar
setuptools._vendor.jar
!setuptools._vendor.jar
setuptools._vendor.jar
bwheel-0.45.1.dist-info\entry_points.txt
bwheel-0.45.1.dist-info\LICENSE.txt
bsetuptools\_vendor\jaraco\text\Lorem ipsum.txt
bsetuptools\_vendor\importlib_metadata-8.0.0.dist-info\top_level.txt
Temp

File Access (UNICODE):
VCRUNTIME140.dll
VCRUNTIME140_1.dll
mscoree.dll
JITService.exe
Not enough memory to complete call to strerror..exe
arp j
Temp

Words of Interest:
PADDINGX
exec
attrib
start
hostname
shutdown
ping
expand
replace

Words of Interest (UNICODE):
<form
exec
expand

URLs:
http://schemas.microsoft.com/SMI/2016/WindowsSettings
http://crl.comodoca.com/AAACertificateServices.crl
http://ocsp.comodoca.com
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0
http://ocsp.sectigo.com
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt
http://s.symcd.com
http://s.symcb.com/universal-root.crl
http://ts-crl.ws.symantec.com/sha256-tss-ca.crl
http://ts-ocsp.ws.symantec.com
http://ts-aia.ws.symantec.com/sha256-tss-ca.cer
https://sectigo.com/CPS0
https://d.symcb.com/cps0%
https://d.symcb.com/rpa0.
https://d.symcb.com/rpa0@

Payloads:
Unusual BP Cave > 15 Bytes - (0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...)

Strings/Hex Code Found With The File Rules:
Rule Text (Ascii): WinAPI Sockets (connect)
Rule Text (Ascii): WinAPI Sockets (send)
Rule Text (Ascii): File (GetTempPath)
Rule Text (Ascii): File (CreateFile)
Rule Text (Ascii): File (WriteFile)
Rule Text (Ascii): File (ReadFile)
Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent)
Rule Text (Ascii): Stealth (VirtualProtect)
Rule Text (Ascii): Execution (CreateProcessW)
Rule Text (Unicode): Execution (CreateProcessW)
Rule Text (Ascii): Antivirus Software (comodo)
Rule Text (Ascii): Antivirus Software (Symantec)
Rule Text (Ascii): Stealer malware focused on obtaining CVV codes to conduct unauthorized transactions (CVV)
Rule Text (Ascii): Malware that monitors and collects user data (Spy)
EP Rules: Microsoft Visual C++ 8.0 (DLL)
EP Rules: Microsoft Visual C++ 8.0
EP Rules: PE-Exe Executable Image

Resources:
Path            DataRVA  Size  FileOffset  CodeText (hex | text preview)
\ICON\1\0       491F0    2AC   40DF0       89504E470D0A1A0A0000000D49484452000000100000001008060000001FF3FF610000027349444154789C9553BF6B1A511C | .PNG........IHDR................a...sIDATx..S.k.Q.
\ICON\2\0       4949C    496   4109C       89504E470D0A1A0A0000000D4948445200000018000000180806000000E0773DF80000045D49444154789CAD564D482B5714 | .PNG........IHDR..............w=....]IDATx..VMH+W.
\ICON\3\0       49934    6B8   41534       89504E470D0A1A0A0000000D4948445200000020000000200806000000737A7AF40000067F49444154789CBD576F4C535714 | .PNG........IHDR... ... .....szz.....IDATx..WoLSW.
\ICON\4\0       49FEC    BA5   41BEC       89504E470D0A1A0A0000000D49484452000000300000003008060000005702F98700000B6C49444154789CED596B6C54651A | .PNG........IHDR...0...0.....W......lIDATx..YklTe.
\ICON\5\0       4AB94    11A4  42794       89504E470D0A1A0A0000000D4948445200000040000000400806000000AA6971DE0000116B49444154789CED9B0970556596 | .PNG........IHDR...@...@......iq....kIDATx....pUe.
\GROUP_ICON\1\0 4BD38    4C    43938       0000010005001010000000002000AC020000010018180000000020009604000002002020000000002000B806000003003030 | ............ ............. ....... .... .......00
\VERSION\1\0    4BD84    3D4   43984       D40334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\0         4C158    50D   43D58       3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="UTF-8" standalone="y
Intelligent String:
• Windows.WARP.JITService.exe
• VCRUNTIME140.dll
• VCRUNTIME140_1.dll
• %s%c%s.pkg
• %s%c%s.exe
• devbase_library.zip
• ucrtbase.dll
• status_texttk.tcl
• Visual C++ CRT: Not enough memory to complete call to strerror..exe
• .cmd
• .bat
• .com
• mscoree.dll
• .bss
• COMCTL32.dll
• ADVAPI32.dll
• GDI32.dll
• <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware>
• vJrRH
• )sqlite3.dump)r
• b_asyncio.pyd
• b_bz2.pyd
• b_ctypes.pyd
• b_decimal.pyd
• b_hashlib.pyd
• b_lzma.pyd
• b_multiprocessing.pyd
• b_overlapped.pyd
• b_queue.pyd
• b_socket.pyd
• b_sqlite3.pyd
• b_ssl.pyd
• b_wmi.pyd
• bapi-ms-win-core-console-l1-1-0.dll
• bapi-ms-win-core-datetime-l1-1-0.dll
• bapi-ms-win-core-debug-l1-1-0.dll
• bapi-ms-win-core-errorhandling-l1-1-0.dll
• bapi-ms-win-core-fibers-l1-1-0.dll
• bapi-ms-win-core-file-l1-1-0.dll
• bapi-ms-win-core-file-l1-2-0.dll
• bapi-ms-win-core-file-l2-1-0.dll
• bapi-ms-win-core-handle-l1-1-0.dll
• bapi-ms-win-core-heap-l1-1-0.dll
• bapi-ms-win-core-interlocked-l1-1-0.dll
• bapi-ms-win-core-libraryloader-l1-1-0.dll
• bapi-ms-win-core-localization-l1-2-0.dll
• bapi-ms-win-core-memory-l1-1-0.dll
• bapi-ms-win-core-namedpipe-l1-1-0.dll
• bapi-ms-win-core-processenvironment-l1-1-0.dll
• bapi-ms-win-core-processthreads-l1-1-0.dll
• bapi-ms-win-core-processthreads-l1-1-1.dll
• bapi-ms-win-core-profile-l1-1-0.dll
• bapi-ms-win-core-rtlsupport-l1-1-0.dll
• bapi-ms-win-core-string-l1-1-0.dll
• bapi-ms-win-core-synch-l1-1-0.dll
• bapi-ms-win-core-synch-l1-2-0.dll
• bapi-ms-win-core-sysinfo-l1-1-0.dll
• bapi-ms-win-core-timezone-l1-1-0.dll
• bapi-ms-win-core-util-l1-1-0.dll
• bapi-ms-win-crt-conio-l1-1-0.dll
• bapi-ms-win-crt-convert-l1-1-0.dll
• bapi-ms-win-crt-environment-l1-1-0.dll
• bapi-ms-win-crt-filesystem-l1-1-0.dll
• bapi-ms-win-crt-heap-l1-1-0.dll
• bapi-ms-win-crt-locale-l1-1-0.dll
• bapi-ms-win-crt-math-l1-1-0.dll
• bapi-ms-win-crt-process-l1-1-0.dll
• bapi-ms-win-crt-runtime-l1-1-0.dll
• bapi-ms-win-crt-stdio-l1-1-0.dll
• bapi-ms-win-crt-string-l1-1-0.dll
• bapi-ms-win-crt-time-l1-1-0.dll
• bapi-ms-win-crt-utility-l1-1-0.dll
• bbase_library.zip
• bblank.aes
• blibcrypto-3.dll
• blibffi-8.dll
• blibssl-3.dll
• bpyexpat.pyd
• bpython313.dll
• brar.exe
• brarreg.key
• bselect.pyd
• bsetuptools\_vendor\importlib_metadata-8.0.0.dist-info\top_level.txt
• bsetuptools\_vendor\jaraco\text\Lorem ipsum.txt
• bsqlite3.dll
• bucrtbase.dll
• bunicodedata.pyd
• bwheel-0.45.1.dist-info\LICENSE.txt
• bwheel-0.45.1.dist-info\entry_points.txt
• nG7AtAtzPYZ.pyz
• 9python313.dll
• +0U 00U 0g0KUD0B0@><:http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0{+o0m0F+0:http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0+0http://ocsp.sectigo.com0*H_6rZ-9JZBJ

Extra 4n4lysis:
Metric          Value    Percentage
Ascii Code      8086594  68,4539%
Null Byte Code  102549   0,8681%