PESCAN.IO - Analysis Report Basic

| File Structure |
[File-structure chart not captured in this export. Legend for the PE chart: PE header (light blue), executable sections (pink), non-executable sections (black), externally injected code (red); a file structure drawn in red marks a malformed or corrupted header. For non-PE files the chart shows printable characters (blue) and non-printable characters (black).]
| Information |
| Field | Value |
|---|---|
| Size | 236.00 KB (0x3B000 = 241,664 bytes, which is exactly where .rsrc ends: raw offset 0x35000 + 0x6000) |
| SHA-256 | 1C706E5F5DE4960D70351A59C11C20AB16B7BEB12FAB3FA76CE7BB142F18D935 |
| SHA-1 | 0E33488517916D87FA4BC754220D2B92EDD952CE |
| MD5 | 0A1A5EBE83765039871C2B853E74C061 |
| Imphash | 484E7DF8B6121F3F4425063FC1F56150 |
| MajorOSVersion / MinorOSVersion | 4 / 0 |
| CheckSum | 00000000 (a zero PE checksum is normal for user-mode executables; the loader only enforces it for drivers and boot-time system DLLs) |
| EntryPoint (RVA) | C0EA |
| SizeOfHeaders | 1000 |
| SizeOfImage | 3F000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ImportTable | 2D690 |
| IAT | 26000 |
| Characteristics | 10F (RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE) |
| TimeDateStamp | 4DCE2C93 (14/05/2011 07:17:39 UTC) |
| File Type | EXE |
| Number Of Sections | 4 |
| ASLR | Disabled (DllCharacteristics lacks DYNAMIC_BASE; with relocations stripped the image could not be rebased anyway, so it always loads at 0x400000) |
| Section Names | .text, .rdata, .data, .rsrc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 1000 | 25000 | 1000 | 24DFB | | |
| .rdata | 0x40000040 Initialized Data Readable | 26000 | A000 | 26000 | 9590 | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | 30000 | 5000 | 30000 | 8588 | | |
| .rsrc | 0x40000040 Initialized Data Readable | 35000 | 6000 | 39000 | 50E8 | | |

Per-section Entropy and Chi2 values were not captured in this export; only the whole-file entropy (6.00892, under Packer/Compiler) survives. The layout itself is unremarkable linker output: raw and virtual offsets coincide for the first three sections, every raw size is the virtual size rounded up to the 0x1000 file alignment, and the one exception, .data (RSize 5000 < VSize 8588), is the usual zero-initialised data that occupies no file space. .rsrc ends at raw offset 0x35000 + 0x6000 = 0x3B000, the full file size, so nothing is appended as an overlay after the last section.
| Entry Point |
The entry point (RVA C0EA) lies in section 1 (.text). Bytes at the entry point:

558BEC6AFF68008E420068080E410064A100000000506489250000000083EC585356578965E8FF152862420033D28AD48915

Disassembly:

PUSH EBP
MOV EBP, ESP
PUSH -1
PUSH 0x428E00
PUSH 0x410E08
MOV EAX, DWORD PTR FS:[0]
PUSH EAX
MOV DWORD PTR FS:[0], ESP
SUB ESP, 0x58
PUSH EBX
PUSH ESI
PUSH EDI
MOV DWORD PTR [EBP - 0x18], ESP
CALL DWORD PTR [0x426228]
XOR EDX, EDX
MOV DL, AH
(the dump ends inside the next instruction, 89 15 ..., MOV DWORD PTR [imm32], EDX)

This is the stock Visual C++ 6 CRT startup stub: it registers a structured-exception frame (the two pushed immediates are the CRT's scope table and exception handler), calls GetVersion through the import address table (the indirect CALL at 0x426228, inside .rdata where the IAT at RVA 26000 lives) and starts saving the returned version fields into CRT globals. The prologue agrees with the Detect It Easy compiler verdict below and shows no sign of a packer stub or a redirected entry point.
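The section table and the entry-point lookup above are a handful of struct reads away from the raw file. The Python script below is an added example, not part of the PESCAN report or its tool: it parses a PE32 header the way the report does, labels each section's Characteristics bits with the report's own wording, computes per-section Shannon entropy, finds the section whose virtual range covers AddressOfEntryPoint, and reads the DllCharacteristics and file Characteristics behind the "ASLR: Disabled" verdict. Because the analysed file is not reproduced here, build_sample_pe() constructs a small stand-in that copies this report's header values and section flags but fills the sections with synthetic bytes (a uniform byte run for .text, zeros for .data); on a real sample call analyze_pe(open(path, "rb").read()).

```python
import math
import struct
from datetime import datetime, timezone

# Section Characteristics bits (PE/COFF spec), named the way the report prints them.
SECTION_FLAGS = [(0x00000020, "Code"), (0x00000040, "Initialized Data"),
                 (0x00000080, "Uninitialized Data"), (0x20000000, "Executable"),
                 (0x40000000, "Readable"), (0x80000000, "Writeable")]
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # FileHeader.Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # OptionalHeader.DllCharacteristics: ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # OptionalHeader.DllCharacteristics: DEP opt-in


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def describe_flags(characteristics: int) -> str:
    return " ".join(name for bit, name in SECTION_FLAGS if characteristics & bit)


def analyze_pe(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> PE32 optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, nsections, timestamp, _, _, opt_size, file_chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]  # ImageBase
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # DllCharacteristics
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * 40                         # 40-byte IMAGE_SECTION_HEADER
        name, vsize, va, rsize, roff = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "flags": chars, "flags_text": describe_flags(chars),
            "roffset": roff, "rsize": rsize, "voffset": va, "vsize": vsize,
            "entropy": shannon_entropy(data[roff:roff + rsize]),
            # The entry point belongs to the section whose virtual range covers it.
            "contains_ep": va <= entry_rva < va + max(vsize, rsize),
        })
    return {
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "entry_rva": entry_rva, "image_base": image_base,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED),
        "executable_sections": sum(1 for s in sections if s["flags"] & IMAGE_SCN_MEM_EXECUTE),
        "sections": sections,
    }


def build_sample_pe() -> bytes:
    """Constructed PE32 stand-in (not the analysed file): header values and section flags
    are the report's, section bodies are small synthetic filler."""
    e_lfanew, opt = 0x80, 0x80 + 24
    secs = [  # name, VirtualAddress, VirtualSize, Characteristics, raw bytes
        (b".text", 0x1000, 0x24DFB, 0x60000020, bytes(range(256)) * 4),  # uniform -> entropy 8.0
        (b".rdata", 0x26000, 0x9590, 0x40000040, b"KERNEL32.dll\0" * 40),
        (b".data", 0x30000, 0x8588, 0xC0000040, b"\0" * 0x200),          # constant -> entropy 0.0
        (b".rsrc", 0x39000, 0x50E8, 0x40000040, b"\xff\x00" * 0x100),
    ]
    hdr = bytearray(0x400)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: i386, 4 sections, TimeDateStamp 4DCE2C93, 224-byte optional header, Characteristics 10F
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, 0x14C, len(secs), 0x4DCE2C93, 0, 0, 224, 0x10F)
    struct.pack_into("<H", hdr, opt, 0x10B)          # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0xC0EA)    # AddressOfEntryPoint
    struct.pack_into("<I", hdr, opt + 28, 0x400000)  # ImageBase
    struct.pack_into("<H", hdr, opt + 70, 0)         # DllCharacteristics: no DYNAMIC_BASE, no NX_COMPAT
    body = bytearray()
    for i, (name, va, vsize, flags, raw) in enumerate(secs):
        struct.pack_into("<8sIIIIIIHHI", hdr, opt + 224 + i * 40,
                         name, vsize, va, len(raw), len(hdr) + len(body), 0, 0, 0, 0, flags)
        body += raw
    return bytes(hdr + body)


if __name__ == "__main__":
    report = analyze_pe(build_sample_pe())
    print(f"built {report['timestamp_utc']} UTC  ASLR={report['aslr']}  relocs_stripped={report['relocs_stripped']}")
    for s in report["sections"]:
        print(f"{s['name']:<7} {s['flags']:#010x} {s['flags_text']:<38} entropy={s['entropy']:.3f}"
              + ("  <- entry point" if s["contains_ep"] else ""))
```

The entropy column is the one figure the export lost: an unpacked VC6 .text section normally sits around 6 bits per byte, and a section near 8.0 with an entry point inside it is the first sign of a packer, which this file's stock CRT prologue does not show.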
| Signatures |
Rich Signature Analyzer:
• Code -> 404CC3CF042DAD9C042DAD9C042DAD9CFE0EB49C062DAD9C5232BE9C212DAD9C6632BE9C102DAD9C042DAC9CE72CAD9C8731A39C1F2DAD9C320BA79C8E2DAD9C320BA69C5E2DAD9C042DAD9C322DAD9CEC32A69C022DAD9CC32BAB9C052DAD9C52696368042DAD9C
• Footprint md5 Hash -> 0936E1F1B9D5F31A8746CADD204CF3E4
• The Rich header apparently has not been modified. (This verdict rests on the Rich checksum, which is computed over the DOS header and the tool entries and must equal the XOR key stored after "Rich"; a header copied from another binary or hand-edited fails that check.)
Certificate - Digital Signature Not Found:
• The file is not signed
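The Rich dump above is readable by hand once XORed with its key, and doing so is the fastest way to cross-check a compiler verdict. The Python script below is an added example, not part of the PESCAN report or its tool: it takes the Rich bytes exactly as printed, finds the "Rich" marker and the key that follows it, XORs the preceding dwords, verifies that the first one decodes to DanS and the padding to zero, and splits each (comp.id, count) pair into product id, tool build number and object count. The product-name table is partial, taken from public reverse-engineered Rich header lists, and ids outside it are printed numerically rather than guessed. The checksum behind the "not modified" verdict cannot be recomputed from this page because it also covers the DOS header bytes, which the report does not reproduce; the DanS and zero-padding checks are the part that can be done with what is shown.

```python
import struct

# Rich header bytes exactly as dumped in the Signatures section above
# (a run of little-endian dwords ending in "Rich" + XOR key).
RICH_HEX = (
    "404CC3CF042DAD9C042DAD9C042DAD9CFE0EB49C062DAD9C5232BE9C212DAD9C"
    "6632BE9C102DAD9C042DAC9CE72CAD9C8731A39C1F2DAD9C320BA79C8E2DAD9C"
    "320BA69C5E2DAD9C042DAD9C322DAD9CEC32A69C022DAD9CC32BAB9C052DAD9C"
    "52696368042DAD9C"
)

# Partial product-id table from public reverse-engineered Rich header lists;
# ids not listed here are reported numerically rather than guessed.
PRODUCT_NAMES = {
    0x00: "Unmarked objects", 0x01: "Import0 (import library stubs)",
    0x06: "Cvtres500", 0x0A: "Utc12_C", 0x0B: "Utc12_CPP", 0x0E: "Masm613",
}
COMPILER_IDS = {0x0A, 0x0B}  # the VC6 C and C++ front ends


def decode_rich(blob: bytes) -> dict:
    """XOR every dword before 'Rich' with the key stored after it, check that the
    first dword decodes to 'DanS', and return the (product, build, count) entries."""
    rich_at = blob.rfind(b"Rich")
    if rich_at < 0 or rich_at % 4 or rich_at + 8 > len(blob):
        raise ValueError("no aligned 'Rich' marker followed by a key")
    key = struct.unpack_from("<I", blob, rich_at + 4)[0]
    dwords = [struct.unpack_from("<I", blob, i)[0] ^ key for i in range(0, rich_at, 4)]
    if dwords[0] != 0x536E6144:  # "DanS" as a little-endian dword
        raise ValueError("DanS does not decode: wrong key or damaged header")
    if any(dwords[1:4]):
        raise ValueError("padding after DanS is not zero: header tampered or mis-parsed")
    entries = []
    # After DanS and three zero dwords come (comp.id, count) pairs:
    # comp.id = product id in the high 16 bits, tool build number in the low 16.
    for comp_id, count in zip(dwords[4::2], dwords[5::2]):
        prod_id = comp_id >> 16
        entries.append({
            "prod_id": prod_id,
            "product": PRODUCT_NAMES.get(prod_id, f"prodid_{prod_id:#04x}"),
            "build": comp_id & 0xFFFF,
            "count": count,
        })
    return {"key": key, "entries": entries}


def compiler_builds(entries: list) -> set:
    """Build numbers of the C/C++ compiler objects, to compare with DIE's verdict."""
    return {e["build"] for e in entries if e["prod_id"] in COMPILER_IDS}


if __name__ == "__main__":
    rich = decode_rich(bytes.fromhex(RICH_HEX))
    print(f"key {rich['key']:#010x}")
    for e in rich["entries"]:
        print(f"{e['product']:<32} build {e['build']:>5}  objects {e['count']}")
    print("compiler builds:", sorted(compiler_builds(rich["entries"])))
```

Decoded, the dump lists VC6 C and C++ front-end objects from builds 9782 and 8168, MASM 6.13 build 7299, CVTRES build 1735, 483 import-library stubs and 54 unmarked objects, which agrees with DIE's "6.0 (1720-9782)" verdict; a Rich header that disagrees with the compiler signature at the entry point is the case worth a closer look.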
| Packer/Compiler |
Compiler: Microsoft Visual C++
Detect It Easy (die):
• PE: compiler: EP:Microsoft Visual C/C++(6.0 (1720-9782))[EXE32]
• PE: compiler: Microsoft Visual C/C++(6.0)[libcmt]
• PE: linker: Microsoft Linker(6.0*)[-]
• Entropy: 6.00892

No packer is detected. [libcmt] means the C runtime is linked statically, which is why no MSVCRT.DLL appears among the imported libraries, and a whole-file entropy of about 6 bits per byte is what plain native code plus resources looks like; packed or encrypted payloads push this figure towards 7.5 to 8.
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | CreateMutexA | Creates a named or unnamed mutex object for controlling access to a shared resource; a fixed mutex name is also the common single-instance guard. |
| KERNEL32.DLL | GetModuleFileNameA | Retrieves the fully qualified path of the executable file of a specified module, typically the program's own path for copying or registering itself. |
| KERNEL32.DLL | VirtualAlloc | Reserves, commits, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
| KERNEL32.DLL | DeleteFileA | Deletes an existing file. |
| USER32.DLL | CallWindowProcA | Invokes the window procedure for the specified window and messages. |
| ADVAPI32.DLL | RegCreateKeyExA | Creates a new registry key or opens an existing one. |
| ADVAPI32.DLL | RegSetValueExA | Sets the data and type of a specified value under a registry key. |
| ADVAPI32.DLL | RegDeleteValueA | Removes a named value from the specified registry key. Note that value names are not case sensitive. |
| Windows REG |
• Software\Microsoft\Windows\CurrentVersion\Run
• Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
• Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The Run key (under HKCU or HKLM) is the standard autostart location, and the file also imports RegCreateKeyExA, RegSetValueExA and RegDeleteValueA, so a Run value being written (and possibly removed again) is the persistence mechanism to check first. Shell Folders maps special-folder names such as Startup and Desktop to paths and is typically read to decide where to drop a file or shortcut, which fits the \USBShare.lnk string listed further down.
| File Access |
• Imported libraries: KERNEL32.DLL, HID.DLL, SETUPAPI.dll, OLEAUT32.dll, OLEPRO32.DLL, ole32.dll, oledlg.dll, COMCTL32.dll, SHELL32.dll, ADVAPI32.dll, comdlg32.dll, GDI32.dll, USER32.dll, SHLWAPI.dll
• Other file references: @.dat, .ini, Temp

HID.DLL and SETUPAPI.dll are the device-enumeration APIs (HID and SetupDi*), consistent with the USB-oriented name in the resources; no Winsock library (WS2_32 or WSOCK32) is imported.
| Words of Interest |
• attrib
• start

attrib is the command used to set hidden/system attributes on dropped files and start launches a second process; the report shows only the strings, so whether they are passed to a command shell is not established here.
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Ascii | Registry (RegCreateKeyEx) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | Registry (RegSetValueEx) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Reconnaissance (FindFirstFileA) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (ExitThread) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (IsBadReadPtr) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Execution (ResumeThread) |
| Text | Ascii | Execution (CreateEventA) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 5.0 |
| Entry Point | Hex Pattern | Microsoft Visual C++ v6.0 |
| Entry Point | Hex Pattern | Microsoft Visual C++ v6.0 |
| Entry Point | Hex Pattern | Microsoft Visual C++ |

These rule hits are plain string matches against import names, and the category labels are the rule's, not observed behaviour. GetVersion (the first API the VC6 startup stub calls), CloseHandle, ExitThread, IsBadReadPtr and VirtualAlloc are pulled in by the statically linked CRT of every MSVC 6 program, so the rows that add information are the registry writes, CreateFile/WriteFile, FindFirstFileA and the Run key string. The "connect" hit deserves a caveat: no Winsock DLL appears in the imported-library list, so it is a bare substring match rather than a confirmed socket import. The four Entry Point rows all match the same VC6 prologue, which is why the 5.0, v6.0 (twice) and generic patterns fire together.
| Resources |
Every resource is tagged with language ID 2052 (zh-CN, Simplified Chinese). DIALOG and STRING resources are UTF-16LE, so the Text column below renders each ASCII character with a trailing dot ("U.S.B.S.h.a.r.e" is the dialog title "USBShare") and shows CJK characters as byte pairs: "sQ.N" in STRING 7 is the code units 5173 4E8E, 关于 ("About"), giving the menu string "关于 USBShare(&A)..." ("About USBShare...").
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \CURSOR\6\2052 | 3CB50 | 134 | 38B50 | 020002002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
| \CURSOR\7\2052 | 3CC88 | B4 | 38C88 | 010001002800000010000000200000000100010000000000800000000000000000000000000000000000000000000000FFFF | ....(....... ..................................... |
| \BITMAP\26567\2052 | 3CD68 | 5E4 | 38D68 | 28000000460000002700000001000400000000007C0500000000000000000000000000000000000000000000000080000080 | (...F...'...........|............................. |
| \BITMAP\30994\2052 | 3D438 | B8 | 39438 | 280000000C0000000A0000000100040000000000500000000000000000000000000000000000000000000000000080000080 | (...................P............................. |
| \BITMAP\30995\2052 | 3D4F0 | 16C | 394F0 | 28000000270000000D0000000100040000000000040100000000000000000000000000000000000000000000000080000080 | (...'............................................. |
| \BITMAP\30996\2052 | 3D660 | 144 | 39660 | 28000000210000000B0000000100040000000000DC0000000000000000000000000000000000000000000000000080000080 | (...!............................................. |
| \ICON\1\2052 | 39720 | 1628 | 35720 | 2800000040000000800000000100080000000000001200000000000000000000000100000000000000000000FFFFFF00FEFD | (...@............................................. |
| \ICON\2\2052 | 3AD60 | 568 | 36D60 | 2800000010000000200000000100080000000000400100000000000000000000000100000000000000000000FFFFFF00F9F7 | (....... ...........@............................. |
| \ICON\3\2052 | 3B2E0 | 568 | 372E0 | 2800000010000000200000000100080000000000400100000000000000000000000100000000000000000000FFFFFF00FEFD | (....... ...........@............................. |
| \ICON\4\2052 | 3B860 | 568 | 37860 | 2800000010000000200000000100080000000000400100000000000000000000000100000000000000000000FFFFFF00413E | (....... ...........@...........................A> |
| \ICON\5\2052 | 3BDE0 | A00 | 37DE0 | 2800000023000000440000000100080000000000D80500000000000000000000000000000000000000000000522010004A20 | (......D...................................R ..J |
| \DIALOG\100\2052 | 3C7F8 | DE | 387F8 | C000C88000000000040000000000EB0037000000000073518E4E200055005300420053006800610072006500000009008B5B | ................7.....sQ.N .U.S.B.S.h.a.r.e......[ |
| \DIALOG\102\2052 | 3C8D8 | 84 | 388D8 | 0100FFFF0000000000000400C000C8900200000000004001C800000000005500530042005300680061007200650000000900 | ......................@.......U.S.B.S.h.a.r.e..... |
| \DIALOG\129\2052 | 3C960 | C4 | 38960 | C0000080000000000300000000006000290000000000000008004D0053002000530065007200690066000000010001500000 | ...............).........M.S. .S.e.r.i.f......P.. |
| \DIALOG\130\2052 | 3CA28 | 122 | 38A28 | C0000080000000000500000000006E00360000000000000008004D0053002000530065007200690066000000000001500000 | ..............n.6.........M.S. .S.e.r.i.f......P.. |
| \DIALOG\30721\2052 | 3D350 | E2 | 39350 | C400C88000000000050009001A00B700460000000000B065FA5E000008004D00530020005300680065006C006C0020004400 | ................F......e.....M.S. .S.h.e.l.l. .D. |
| \STRING\7\2052 | 3D7A8 | 44 | 397A8 | 00000000000000000000120073518E4E20005500530042005300680061007200650028002600410029002E002E002E000000000000000000000000000000000000000000 | ............sQ.N .U.S.B.S.h.a.r.e.(.&.A.)........................... |
| \STRING\3841\2052 | 3D7F0 | 50 | 397F0 | 02005362005F0300DD4F585B3A4E0A00406209678765F64E200028002A002E002A0029000300E06507689898000000000600004E2A677D540D548765F64E000000000000000000000000000000000000 | ..Sb._...OX[:N..@b.g.e.N .(.*...*.)....e.h.........N*g}T.T.e.N.................. |
| \STRING\3842\2052 | 3D840 | 2C | 39840 | 000006009096CF85280026004800290000000000000000000000000000000000000000000000000000000000 | ........(.&.H.)............................. |
| \STRING\3843\2052 | 3D870 | 78 | 39870 | 0800975F0D4E3052FA511995E14F6F6002300D00D58BFE5667624C88FB7CDF7E0D4E2F6501638476CD645C4F02300A00C55F | ..._.N0R.Q...Oo.0.....VgbL..|.~.N/e.c.v.d\O.0..._ |
| \STRING\3857\2052 | 3D8E8 | 1C4 | 398E8 | 0700E065486584768765F64E0D54023007005362005F876563683159258D02300700DD4F585B876563683159258D02300A00 | ...eHe.v.e.N.T.0..Sb._.ech1Y%..0...OX[.ech1Y%..0.. |
| \STRING\3858\2052 | 3DC38 | 12A | 39C38 | 0800F78B2E956551004E2A4E7465706502300700F78B2E956551004E2A4E7065023013001C20F78B6B586551004E2A4E2857 | ......eQ.N*Ntepe.0......eQ.N*Npe.0... ..kXeQ.N*N(W |
| \STRING\3859\2052 | 3DAF0 | 146 | 39AF0 | 09005E9784981F6784768765F64E3C680F5F02301A00E065D56C7E623052E58B8765F64E02300A00F78B8C9AC18BD97EFA51 | ......g.v.e.N<h._.0...e.l~b0R...e.N.0.........~.Q |
| \STRING\3865\2052 | 3DAB0 | 40 | 39AB0 | 0000000000000000000000000000000000000000000000000800E065D56CFB8BEA5399517972276002300800E065D56C9951EA53FB8B79722760023000000000 | ...........................e.l...S.Qyr'.0...e.l.Q.S..yr'.0.... |
| \STRING\3866\2052 | 3E058 | 64 | 3A058 | 0B00E065D56CC5886551AE90F64EFB7CDF7E2F65F46302300C00AE90F64EFB7CDF7E200044004C004C002000E06548650230 | ...e.l..eQ...N.|.~/e.c.0.....N.|.~ .D.L.L. ..eHe.0 |
| \STRING\3867\2052 | 3DD68 | 1D8 | 39D68 | 0600E0651995EF8BD1531F75023015002857F95B2000250031002000DB8F4C88BF8BEE95F665D1531F75864E004E2A4E0D4E | ...e.....S.u.0..(W.[ .%.1. ...L......e.S.u.N.N*N.N |
| \STRING\3868\2052 | 3DF40 | 114 | 39F40 | 0600E0651995EF8BD1531F75023015002857F95B2000250031002000DB8F4C88BF8BEE95F665D1531F75864E004E2A4E0D4E | ...e.....S.u.0..(W.[ .%.1. ...L......e.S.u.N.N*N.N |
| \STRING\3869\2052 | 3E0C0 | 24 | 3A0C0 | 0200618C207D000000000000000000000000000000000000000000000000000000000000 | ..a. }.............................. |
| \GROUP_CURSOR\30977\2052 | 3CD40 | 22 | 38D40 | 00000200020020004000010001003401000006001000200001000100B40000000700 | ...... .@.....4....... ........... |
| \GROUP_ICON\128\2052 | 3AD48 | 14 | 36D48 | 0000010001004040000001000800281600000100 | ......@@......(..... |
| \GROUP_ICON\131\2052 | 3B2C8 | 14 | 372C8 | 0000010001001010000001000800680500000200 | ..............h..... |
| \GROUP_ICON\132\2052 | 3B848 | 14 | 37848 | 0000010001001010000001000800680500000300 | ..............h..... |
| \GROUP_ICON\133\2052 | 3BDC8 | 14 | 37DC8 | 0000010001001010000001000800680500000400 | ..............h..... |
| \GROUP_ICON\135\2052 | 3C7E0 | 14 | 387E0 | 0000010001002322000001000800000A00000500 | ......"............ |
| Intelligent String |
• COMCTL32.DLL
• BB'BLB]BMSWHEEL_ROLLMSG.INI
• .HLP
• CLSID\%1\InprocHandler32ole32.dll
• DestroyWindowLCreateDialogIndirectParamA
• USER32.dll
• WINSPOOL.DRV
• oledlg.dll
• OLEAUT32.dll
• SETUPAPI.dll
• \USBShare.lnk
• .ini
• .PAX
• KERNEL32.DLL

Several of these are adjacent strings run together by the extractor (MSWHEEL_ROLLMSG and .INI, CLSID\%1\InprocHandler32 and ole32.dll, DestroyWindow and CreateDialogIndirectParamA). MSWHEEL_ROLLMSG (the registered mouse-wheel message name), the CLSID\%1\InprocHandler32 registration template, the .HLP reference and the oledlg/OLEAUT32/COMCTL32 imports are the fingerprint of an MFC application; since no MFC42.DLL appears among the imported libraries, MFC is linked statically, matching the libcmt static CRT reported by DIE. \USBShare.lnk, together with the Shell Folders and Run registry strings, is the string to pivot on when hunting for a dropped shortcut.
| Flow Anomalies |
Every target below lies between 0x426004 and 0x4265AC, inside .rdata (virtual address 0x426000 upward), the section that begins with the import address table (IAT at RVA 26000). They are therefore the ordinary "call dword ptr [IAT slot]" form in which the VC6 compiler calls imported functions (the entry stub's CALL DWORD PTR [0x426228] is one of them), not evidence of patched or injected control flow. The second column holds the full virtual address (ImageBase 0x400000 + RVA) rather than an RVA; the first column is the file offset of the CALL instruction, which for .text equals its RVA.
| Offset | Target (VA) | Section | Type | Description |
|---|---|---|---|---|
| 1147 | 42649C | .text | CALL [static] | Indirect call to absolute memory address |
| 1199 | 426424 | .text | CALL [static] | Indirect call to absolute memory address |
| 11F6 | 4260CC | .text | CALL [static] | Indirect call to absolute memory address |
| 1212 | 426420 | .text | CALL [static] | Indirect call to absolute memory address |
| 12A7 | 4264A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 12F7 | 4264A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1314 | 4264A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1320 | 4264A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1359 | 4264A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 13F3 | 42649C | .text | CALL [static] | Indirect call to absolute memory address |
| 1402 | 4260B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1417 | 4260B4 | .text | CALL [static] | Indirect call to absolute memory address |
| 147A | 4260B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1696 | 4264AC | .text | CALL [static] | Indirect call to absolute memory address |
| 16A6 | 4264AC | .text | CALL [static] | Indirect call to absolute memory address |
| 1802 | 4264B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1843 | 4264B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 18E3 | 42618C | .text | CALL [static] | Indirect call to absolute memory address |
| 18EE | 426330 | .text | CALL [static] | Indirect call to absolute memory address |
| 18F6 | 426188 | .text | CALL [static] | Indirect call to absolute memory address |
| 197A | 4264CC | .text | CALL [static] | Indirect call to absolute memory address |
| 19EB | 4264C4 | .text | CALL [static] | Indirect call to absolute memory address |
| 19F9 | 4264C0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1A0C | 4264BC | .text | CALL [static] | Indirect call to absolute memory address |
| 1A16 | 4264B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1A35 | 4264B4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B1E | 426330 | .text | CALL [static] | Indirect call to absolute memory address |
| 1CF4 | 426190 | .text | CALL [static] | Indirect call to absolute memory address |
| 1D00 | 426188 | .text | CALL [static] | Indirect call to absolute memory address |
| 1D8A | 426198 | .text | CALL [static] | Indirect call to absolute memory address |
| 1EF0 | 4261BC | .text | CALL [static] | Indirect call to absolute memory address |
| 1F01 | 4261B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1F17 | 4261B4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1F1E | 42618C | .text | CALL [static] | Indirect call to absolute memory address |
| 1F3C | 42619C | .text | CALL [static] | Indirect call to absolute memory address |
| 1F64 | 426198 | .text | CALL [static] | Indirect call to absolute memory address |
| 1F6E | 4261B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1F8B | 4261B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1FA5 | 4261B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1FBB | 4261AC | .text | CALL [static] | Indirect call to absolute memory address |
| 1FDD | 426198 | .text | CALL [static] | Indirect call to absolute memory address |
| 1FE9 | 4261B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 2012 | 4261C0 | .text | CALL [static] | Indirect call to absolute memory address |
| 2035 | 426014 | .text | CALL [static] | Indirect call to absolute memory address |
| 2044 | 426018 | .text | CALL [static] | Indirect call to absolute memory address |
| 2075 | 426004 | .text | CALL [static] | Indirect call to absolute memory address |
| 2085 | 426018 | .text | CALL [static] | Indirect call to absolute memory address |
| 2099 | 426018 | .text | CALL [static] | Indirect call to absolute memory address |
| 20C2 | 4261C0 | .text | CALL [static] | Indirect call to absolute memory address |
| 20E5 | 426014 | .text | CALL [static] | Indirect call to absolute memory address |
| 20F4 | 426018 | .text | CALL [static] | Indirect call to absolute memory address |
| 210D | 426010 | .text | CALL [static] | Indirect call to absolute memory address |
| 211C | 426018 | .text | CALL [static] | Indirect call to absolute memory address |
| 2130 | 426018 | .text | CALL [static] | Indirect call to absolute memory address |
| 2177 | 4261C4 | .text | CALL [static] | Indirect call to absolute memory address |
| 222B | 4265AC | .text | CALL [static] | Indirect call to absolute memory address |
| 22AB | 4261C8 | .text | CALL [static] | Indirect call to absolute memory address |
| 22ED | 426334 | .text | CALL [static] | Indirect call to absolute memory address |
| 2335 | 4261C0 | .text | CALL [static] | Indirect call to absolute memory address |
| 2355 | 426014 | .text | CALL [static] | Indirect call to absolute memory address |
| 2364 | 426018 | .text | CALL [static] | Indirect call to absolute memory address |
| 239E | 42600C | .text | CALL [static] | Indirect call to absolute memory address |
| 23AD | 426018 | .text | CALL [static] | Indirect call to absolute memory address |
| 23EE | 4265A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 240B | 4265A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 2416 | 426018 | .text | CALL [static] | Indirect call to absolute memory address |
| 243F | 4261CC | .text | CALL [static] | Indirect call to absolute memory address |
| 2473 | 426334 | .text | CALL [static] | Indirect call to absolute memory address |
| 24A5 | 426014 | .text | CALL [static] | Indirect call to absolute memory address |
| 24B4 | 426018 | .text | CALL [static] | Indirect call to absolute memory address |
| 24EE | 42600C | .text | CALL [static] | Indirect call to absolute memory address |
| 24FD | 426018 | .text | CALL [static] | Indirect call to absolute memory address |
| 253E | 4265A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 2551 | 4265A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 255C | 426018 | .text | CALL [static] | Indirect call to absolute memory address |
| 2668 | 426328 | .text | CALL [static] | Indirect call to absolute memory address |
| 268D | 42618C | .text | CALL [static] | Indirect call to absolute memory address |
| 26B8 | 42631C | .text | CALL [static] | Indirect call to absolute memory address |
| 2724 | 4261A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 2747 | 426198 | .text | CALL [static] | Indirect call to absolute memory address |
| 27CA | 4264D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 27E9 | 426198 | .text | CALL [static] | Indirect call to absolute memory address |
| 2808 | 426198 | .text | CALL [static] | Indirect call to absolute memory address |
| 2829 | 426324 | .text | CALL [static] | Indirect call to absolute memory address |
| 2863 | 4261D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 28B2 | 4261DC | .text | CALL [static] | Indirect call to absolute memory address |
| 292F | 4261B4 | .text | CALL [static] | Indirect call to absolute memory address |
| 2955 | 4261D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 2964 | 4261B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 29BF | 4261AC | .text | CALL [static] | Indirect call to absolute memory address |
| 2A24 | 4261B4 | .text | CALL [static] | Indirect call to absolute memory address |
| 2A2E | 4261BC | .text | CALL [static] | Indirect call to absolute memory address |
| 2A5E | 4261D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 2A67 | 4261B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 2A98 | 4261B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 2AB0 | 4261AC | .text | CALL [static] | Indirect call to absolute memory address |
| 2AD8 | 4261D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 2B54 | 4261D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 2BAC | 4261D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 2BF4 | 4261D4 | .text | CALL [static] | Indirect call to absolute memory address |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 124826 | 51.6527% |
| Null Byte Code | 65866 | 27.2552% |
| NOP Cave Found (0x9090909090) | Block Count: 104 | Total: 0.1076% |

Percentages are of the 241,664-byte file (124826 / 241664 = 51.65%). The NOP-cave metric counts runs of the five-byte pattern 0x9090909090; 104 short runs totalling about 0.1% of the file is the alignment padding expected in unpacked compiler and library code, whereas a hollowed-out code cave would normally appear as one large run.