PESCAN.IO - Analysis Report Basic

File Structure

PE chart legend (the chart image itself is not part of this report):
- Executable header: light blue
- Executable sections: pink
- Non-executable sections: black
- External injected code: red
- File structure drawn in red: malformed or corrupted header

Chart legend for other (non-PE) files:
- Printable characters: blue
- Non-printable characters: black
Information

Header field values below are hexadecimal unless noted otherwise.

- Size: 124,50 KB
- SHA-256 Hash: 809986F41751398323423D33268DF54F9BFD5115B44D9E5188AC779B12384184
- SHA-1 Hash: 5AF0491ED300ADD8F680928BF3B7EDBB8D6C2070
- MD5 Hash: 0BEFAC260F4EB1EC63BA7BE826849D8B
- Imphash: DC73A9BD8DE0FD640549C85AC4089B87
- MajorOSVersion: 5
- MinorOSVersion: 0
- CheckSum: 0000ECDD
- EntryPoint (RVA): 102B
- SizeOfHeaders: 400
- SizeOfImage: 24000
- ImageBase: 400000
- Architecture: x86
- ImportTable: 2050
- IAT: 2000
- Characteristics: 102
- TimeDateStamp: 50D4CDC2
- Date: 21/12/2012 20:59:46
- File Type: EXE
- Number Of Sections: 5
- ASLR: Enabled
- Section Names: .text, .rdata, .data, .rsrc, .reloc
- Number Of Executable Sections: 1
- Subsystem: Windows GUI
Sections Info

| Section Name | Flags | ROffset (hex) | RSize (hex) | VOffset (hex) | VSize (hex) | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 400 | 200 | 1000 | 1F6 | 5,0641 | 9409,00 |
| .rdata | 40000040 (Initialized Data, Readable) | 600 | 200 | 2000 | 1D8 | 4,2706 | 20286,00 |
| .data | C0000040 (Initialized Data, Readable, Writeable) | 800 | 200 | 3000 | 34 | 0,5690 | 115202,00 |
| .rsrc | 40000040 (Initialized Data, Readable) | A00 | 1E600 | 4000 | 1E4E8 | 6,7399 | 1264281,19 |
| .reloc | 42000040 (Initialized Data, GP-Relative, Readable) | 1F000 | 200 | 23000 | 52 | 0,7360 | 109178,00 |
Entry Point

Section 1 (.text) contains the entry point. EntryPoint (calculated file offset): 42B

Code bytes at the entry point: E8070000006A00E805010000558BEC81C4F4FBFFFF5657536A00E804010000A330304000C745F8000000006A0A6800304000

Disassembly:
- CALL 0X100C
- PUSH 0
- CALL 0X1111
- PUSH EBP
- MOV EBP, ESP
- ADD ESP, 0XFFFFFBF4
- PUSH ESI
- PUSH EDI
- PUSH EBX
- PUSH 0
- CALL 0X1123
- MOV DWORD PTR [0X403030], EAX
- MOV DWORD PTR [EBP - 8], 0
- PUSH 0XA
- PUSH 0X403000
Signatures

CheckSum Integrity Problem:
- Header: 60637 (0xECDD, the CheckSum field listed under Information)
- Calculated: 153847

Rich Signature Analyzer:
- Code: 69916DC22DF003912DF003912DF00391D1D011912CF0039142869F912EF003912DF002913CF0039142869D912CF00391428699912CF0039142869E912CF00391526963682DF00391
- Footprint MD5 hash: 57C4CF2498F70CE022452597E1647082
- The Rich header apparently has not been modified

Certificate - Digital Signature Not Found:
- The file is not signed
Packer/Compiler

Detect It Easy (die):
- PE: patcher: dUP diablo2oo2's Universal Patcher(2.0)[-]
- PE: compiler: Microsoft Visual C/C++(2010)[-]
- PE: linker: Microsoft Linker(10.0)[-]
- Entropy: 6.70875
Suspicious Functions
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | RtlMoveMemory | Moves a block of memory to another location. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
| KERNEL32.DLL | DeleteFileA | Deletes an existing file. |
File Access

- \dup2patcher.dll
- kernel32.dll
- @.dat
- Temp

Words of Interest

- PADDINGX
- exec
Strings/Hex Code Matched by the File Rules
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Entry Point | Hex Pattern | Borland Delphi 4.0 |
| Entry Point | Hex Pattern | MASM/TASM - sig1(h) |
| Entry Point | Hex Pattern | MASM/TASM - sig4 (h) |
| Entry Point | Hex Pattern | Metasploit Shellcode - Reverse TCP x86 |
| Entry Point | Hex Pattern | PE Diminisher v0.1 |
| Entry Point | Hex Pattern | TrueVision Targa Graphics format |
Resources

| Path | DataRVA (hex) | Size (hex) | FileOffset (hex) | Text |
|---|---|---|---|---|
| \ICON\1\0 | 4378 | 2E8 | D78 | (... ...@......................................... |
| \ICON\2\0 | 4660 | 128 | 1060 | (....... ......................................... |
| \ICON\3\0 | 4788 | EA8 | 1188 | (...0............................................ |
| \ICON\4\0 | 5630 | 8A8 | 2030 | (... ...@......................................... |
| \ICON\5\0 | 5ED8 | 568 | 28D8 | (....... ...........@............................. |
| \ICON\6\0 | 6440 | 10DE | 2E40 | .PNG........IHDR.............\r.f....IDATx...Ol... |
| \ICON\7\0 | 7520 | 4228 | 3F20 | (...@......... ......B............................ |
| \ICON\8\0 | B748 | 25A8 | 8148 | (...0........ ......%............................ |
| \ICON\9\0 | DCF0 | 1A68 | A6F0 | (...(...P..... .....@............................. |
| \ICON\10\0 | F758 | 10A8 | C158 | (... ...@..... ................................... |
| \ICON\11\0 | 10800 | 988 | D200 | (.......0..... .................................. |
| \ICON\12\0 | 11188 | 6B8 | DB88 | (.......(..... ................................... |
| \ICON\13\0 | 11840 | 468 | E240 | (....... ..... .....@...................$$$....Y.. |
| \RCDATA\DLL\0 | 11CA8 | 10400 | E6A8 | ...D.&/.e...s....c..w7...2..e...i..._KHE?w...S.{. |
| \GROUP_ICON\500\0 | 220A8 | BC | 1EAA8 | ...... ....................(.....00............ |
| \24\1\0 | 22164 | 382 | 1EB64 | <?xml version="1.0" encoding="UTF-8" standalone="y |
Intelligent Strings

- kernel32.dll
Flow Anomalies

| Offset (hex) | RVA (hex) | Section | Type | Description |
|---|---|---|---|---|
| 536 | 402000 | .text | JMP [static] | Indirect jump to absolute memory address |
| 53C | 402004 | .text | JMP [static] | Indirect jump to absolute memory address |
| 542 | 402008 | .text | JMP [static] | Indirect jump to absolute memory address |
| 548 | 40200C | .text | JMP [static] | Indirect jump to absolute memory address |
| 54E | 402010 | .text | JMP [static] | Indirect jump to absolute memory address |
| 554 | 402014 | .text | JMP [static] | Indirect jump to absolute memory address |
| 55A | 402018 | .text | JMP [static] | Indirect jump to absolute memory address |
| 560 | 40201C | .text | JMP [static] | Indirect jump to absolute memory address |
| 566 | 402020 | .text | JMP [static] | Indirect jump to absolute memory address |
| 56C | 402024 | .text | JMP [static] | Indirect jump to absolute memory address |
| 572 | 402028 | .text | JMP [static] | Indirect jump to absolute memory address |
| 578 | 40202C | .text | JMP [static] | Indirect jump to absolute memory address |
| 57E | 402030 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5DE | 402034 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5E4 | 402038 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5EA | 40203C | .text | JMP [static] | Indirect jump to absolute memory address |
| 5F0 | 402040 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5DF3 | 402040 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| 8C57 | 25FF191F | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| 8C5B | 35FF1A1F | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| B497 | 6CFF1A1F | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| C9BB | 17FF191F | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| D563 | 17FF191F | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| DEF7 | 1EFF1A1F | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| FABF | 1EFF1A1F | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 1384F | 65D1FA05 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| 15445 | 65D1FA05 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 15C8D | 65D1FA05 | .rsrc | CALL [static] | Indirect call to absolute memory address |
Extra Analysis
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 59185 | 46,424% |
| Null Byte Code | 8676 | 6,8053% |