PESCAN.IO - Analysis Report

PESCAN.IO - Analysis Report Valid Code

File Structure:
PE chart code: - The executable header is displayed in light blue. - The executable sections are pink. - Non-executable sections are black. - Code added to executables externally to a compiler appears in red. Chart code for other files: - Printable characters are blue. - Non-printable characters (Null Bytes) are black.

Information:

Size: 1,58 MB
SHA-256 Hash: 94D43DA6EBCDA1155D346F2A4B40EA048D6DAA8D06557209DB02C6C1DCDF3F09
SHA-1 Hash: AF0AD79A6E07E80957AA96C496D75929E297C061
MD5 Hash: 0DD71E86C54D4B2462D9CDFFBBC2A65B
Imphash: 45D8E9853707108909A9E228201324DD
MajorOSVersion: 6
CheckSum: 00000000
EntryPoint (rva): 3FCB
SizeOfHeaders: 400
SizeOfImage: 19A000
ImageBase: 10000000
Architecture: x86
ExportTable: 59A00
ImportTable: 5BA58
Characteristics: 2102
TimeDateStamp: 689C8389
Date: 13/08/2025 12:22:33
File Type: DLL
Number Of Sections: 5
ASLR: Enabled
Section Names: .text, .rdata, .data, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows Console

Sections Info:

Section Name	Flags	ROffset	RSize	VOffset	VSize
.text	60000020 (Executable)	400	4C800	1000	4C78D
.rdata	40000040	4CC00	E600	4E000	E446
.data	C0000040 (Writeable)	5B200	137400	5D000	138690
.rsrc	40000040	192600	200	196000	10
.reloc	42000040	192800	2E00	197000	2CDC

Entry Point:

The section number (1) - (.text) have the Entry Point
Information -> EntryPoint (calculated) - 33CB
Code -> 558BEC837D0C017505E83F060000FF7510FF750CFF7508E8A5FEFFFF83C40C5DC20C00558BEC83610400836108008B450889
• PUSH EBP
• MOV EBP, ESP
• CMP DWORD PTR [EBP + 0XC], 1
• JNE 0X100E
• CALL 0X164D
• PUSH DWORD PTR [EBP + 0X10]
• PUSH DWORD PTR [EBP + 0XC]
• PUSH DWORD PTR [EBP + 8]
• CALL 0XEC1
• ADD ESP, 0XC
• POP EBP
• RET 0XC
• PUSH EBP
• MOV EBP, ESP
• AND DWORD PTR [ECX + 4], 0
• AND DWORD PTR [ECX + 8], 0
• MOV EAX, DWORD PTR [EBP + 8]

Signatures:

Rich Signature Analyzer:
Code -> 7CA8699C38C907CF38C907CF38C907CF73B104CE33C907CF73B102CEB3C907CF73B103CE2CC907CF294F04CE2DC907CF294F03CE28C907CF294F02CE1DC907CF73B106CE31C907CF38C906CF5FC907CFBB4F02CE3BC907CFBB4F07CE39C907CFBB4FF8CF39C907CFBB4F05CE39C907CF5269636838C907CF
Footprint md5 Hash -> 2EF2B3B2773CD1AF6CBD943A4CBBC88B
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:

Compiler: Microsoft Visual C ++
Detect It Easy (die)
• PE: linker: Microsoft Linker(14.42**)[DLL32,console]
• Entropy: 7.41466

Suspicious Functions:

Library	Function	Description
KERNEL32.DLL	GetModuleFileNameA	Retrieve the fully qualified path for the executable file of a specified module.
KERNEL32.DLL	VirtualAlloc	Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL	WriteFile	Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL	LoadLibraryA	Loads the specified module into the address space of the calling process.
KERNEL32.DLL	GetProcAddress	Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL	IsDebuggerPresent	Determines if the calling process is being debugged by a user-mode debugger.
ADVAPI32.DLL	RegSetValueExA	Sets the data and type of a specified value under a registry key.

Windows REG:

SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Ru8

File Access:

ole32.dll
ADVAPI32.dll
USER32.dll
KERNEL32.dll
Temp

File Access (UNICODE):

mscoree.dll

Interest's Words:

exec
start
shutdown
systeminfo

URLs:

https://www.baidu.com/
https://www.hao123.com/

IP Addresses:

134.122.128.15

Strings/Hex Code Found With The File Rules:

• Rule Text (Ascii): Registry (RegOpenKeyEx)
• Rule Text (Ascii): Registry (RegSetValueEx)
• Rule Text (Ascii): File (GetTempPath)
• Rule Text (Ascii): File (CreateFile)
• Rule Text (Ascii): File (WriteFile)
• Rule Text (Ascii): File (ReadFile)
• Rule Hex: PEB AntiDebug (Flag BeingDebugged)
• Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent)
• Rule Text (Ascii): Anti-Analysis VM (GetSystemInfo)
• Rule Text (Ascii): Stealth (VirtualAlloc)
• Rule Text (Ascii): Stealth (VirtualProtect)

Intelligent String:

• mscoree.dll
• .tls
• .bss
• KERNEL32.dll
• USER32.dll
• ADVAPI32.dll
• 134.122.128.15

Flow Anomalies:

Offset	RVA	Section	Description
2314	??	.rdata	CALL DWORD PTR [ESI-18h] \| Displacement form
D171	??	.data	CALL DWORD PTR [EBX-18h] \| Displacement form
2E9DA	??	.text	CALL DWORD PTR [EAX+68h] \| Displacement form
2EA68	??	.data	CALL DWORD PTR [EAX-18h] \| Displacement form
2EB29	??	.data	CALL DWORD PTR [EAX-18h] \| Displacement form
2F267	??	.text	CALL DWORD PTR [EDI-18h] \| Displacement form
2F2C3	??	.text	CALL DWORD PTR [EAX+68h] \| Displacement form
2F40A	??	.text	CALL DWORD PTR [EAX+68h] \| Displacement form
31C42	??	.text	CALL DWORD PTR [EAX-18h] \| Displacement form
32A84	??	.text	CALL DWORD PTR [EAX+68h] \| Displacement form
338D0	??	.text	CALL DWORD PTR [ESI-17h] \| Displacement form
33A93	??	.data	CALL DWORD PTR [ESI-39h] \| Displacement form
33B3F	??	.text	CALL DWORD PTR [ESI-17h] \| Displacement form
33D1E	??	.data	CALL DWORD PTR [ESI-39h] \| Displacement form
3DC54	??	.text	CALL DWORD PTR [EAX-18h] \| Displacement form
3DDEB	??	.text	CALL DWORD PTR [EAX-18h] \| Displacement form
3E156	??	.text	CALL DWORD PTR [EAX+68h] \| Displacement form
3E6B8	??	.text	CALL DWORD PTR [EAX+68h] \| Displacement form
3E715	??	.text	CALL DWORD PTR [EAX+68h] \| Displacement form
3EB31	??	.text	CALL DWORD PTR [EAX+68h] \| Displacement form
3EC3F	??	.text	CALL DWORD PTR [EAX+68h] \| Displacement form
3EE43	??	.text	CALL DWORD PTR [EAX+68h] \| Displacement form
3EF16	??	.text	CALL DWORD PTR [EAX+68h] \| Displacement form
46CCD	??	.text	JMP DWORD PTR [EBX] \| Indirect jump via pointer at address in EBX

Extra 4n4lysis:

Metric	Value	Percentage
Ascii Code	1092969	65,825%
Null Byte Code	55221	3,3257%

PESCAN.IO - Analysis Report Valid Code