PESCAN.IO - Analysis Report Basic

File Structure
[Analysis image: PE structure chart]
PE Chart Colour Key:
• PE header (light blue)
• Executable sections (pink)
• Non-executable sections (black)
• External injected code (red)
• File structure drawn in red = malformed or corrupted header

Chart Colour Key For Other Files:
• Printable characters (blue)
• Non-printable characters (black)
Information
Size: 4,10 MB
SHA-256 Hash: 7F45C7BB13496284F54D0C070E7D12E3D29DECA2D7AAF0AAC58F4092546BDEE5
SHA-1 Hash: 951EE09163A9DACDA249EDF09650F7D8CC68FAFC
MD5 Hash: 116D274EFAA7331766BDFE6254962205
Imphash: 32B23EE7FE7AC3D201A7C03E1AECDB5F
MajorOSVersion: 6
MinorOSVersion: 0
CheckSum: 0041D94F
EntryPoint (rva): 6E2058
SizeOfHeaders: 400
SizeOfImage: AA0000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: C9115
Characteristics: 22
TimeDateStamp: 680BAD72
Date: 25/04/2025 15:42:42
File Type: EXE
Number Of Sections: 12
ASLR: Disabled
Section Names (Optional Header): (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20), (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20), (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20), (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20), (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20), (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20), (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20), (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20), .idata, .rsrc, .themida, .boot
Number Of Executable Sections: 3
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker
[Incomplete Binary or Compressor Packer - 6,52 MB Missing]

Sections Info
Section Name | Flags | Characteristics | ROffset | RSize | VOffset | VSize | Entropy | Chi2
(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) | 0x60000020 | Code, Executable, Readable | 400 | 20800 | 1000 | 59E85 | 7.9772 | 4324.89
(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) | 0x40000040 | Initialized Data, Readable | 20C00 | A200 | 5B000 | 1ECF4 | 7.9593 | 2417.04
(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) | 0xC0000040 | Initialized Data, Readable, Writeable | 2AE00 | 400 | 7A000 | 35B0 | 7.4041 | 3007
(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) | 0x40000040 | Initialized Data, Readable | 2B200 | 2800 | 7E000 | 48C0 | 7.6587 | 8754.85
(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) | 0x40000040 | Initialized Data, Readable | 2DA00 | 200 | 83000 | 15C | 3.3862 | 53135
(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) | 0x40000040 | Initialized Data, Readable | 2DC00 | 16400 | 84000 | 1C8C8 | 7.9332 | 9007.62
(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) | 0x40000040 | Initialized Data, Readable | 44000 | AE00 | A1000 | 266BC | 7.931 | 5373.7
(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) | 0x42000040 | Initialized Data, GP-Relative, Readable | 4EE00 | 800 | C8000 | C68 | 7.524 | 2315.75
.idata | 0xC0000040 | Initialized Data, Readable, Writeable | 4F600 | 400 | C9000 | 1000 | 2.5898 | 121154.5
.rsrc | 0x40000040 | Initialized Data, Readable | 4FA00 | A000 | CA000 | 9F30 | 4.1457 | 1925989.5
.themida | 0xE0000060 | Code, Initialized Data, Executable, Readable, Writeable | 59A00 | 0 | D4000 | 60E000 | N/A | N/A
.boot | 0x60000060 | Code, Initialized Data, Executable, Readable | 59A00 | 3BDC00 | 6E2000 | 3BDC00 | 7.9571 | 325998.69

Description
OriginalFilename: icarus_sfx
CompanyName: Gen Digital Inc.
LegalCopyright: Copyright 2025 Gen Digital Inc. All rights reserved.
ProductName: Avast Installer
FileVersion: 25.3.8935.0
FileDescription: Avast Self-Extract Package
ProductVersion: 25.3.8935.0
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point
Section number 12 (.boot) contains the Entry Point
Information -> EntryPoint (calculated) - 59A58
Code -> E88201000041524989E24152498B7210498B7A20FCB2808A0648FFC6880748FFC7BB0200000000D275078A1648FFC610D273
Assembler
|CALL 0X1187
|PUSH R10
|MOV R10, RSP
|PUSH R10
|MOV RSI, QWORD PTR [R10 + 0X10]
|MOV RDI, QWORD PTR [R10 + 0X20]
|CLD
|MOV DL, 0X80
|MOV AL, BYTE PTR [RSI]
|INC RSI
|MOV BYTE PTR [RDI], AL
|INC RDI
|MOV EBX, 2
|ADD DL, DL
|JNE 0X1031
|MOV DL, BYTE PTR [RSI]
|INC RSI
|ADC DL, DL
Signatures
CheckSum Integrity Problem:
Header: 4315471
Calculated: 4341844
Rich Signature Analyzer:
Code -> 1BA3AB3D5FC2C56E5FC2C56E5FC2C56E8CB0C66F58C2C56E8CB0C06FC4C2C56E3DBAC16F4EC2C56E3DBAC66F56C2C56E3DBAC06F6DC2C56E8CB0C16F54C2C56E8CB0C46F48C2C56E5FC2C46ED1C2C56EDDBBCC6F5AC2C56EDDBB3A6E5EC2C56E5FC2526E5EC2C56EDDBBC76F5EC2C56E526963685FC2C56E
Footprint md5 Hash -> A65166EA8428E6D14665F0092D6C9440
• The Rich header apparently has not been modified
Certificate - Digital Signature:
• The file is signed but has been modified

Duplicate Sections
Section (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) is duplicated 8 times

Packer/Compiler
Detect It Easy (die)
PE+(64): linker: Microsoft Linker(14.31**)[-]
PE+(64): Sign tool: Windows Authenticode(2.0)[PKCS 7]
Entropy: 7.9544

Suspicious Functions
Library Function Description
KERNEL32.DLL GetModuleHandleA Retrieves a handle to the specified module.
File Access
RPCRT4.dll
SHLWAPI.dll
ole32.dll
GDI32.dll
USER32.dll
d3d11.dll
d2d1.dll
DWrite.dll
dcomp.dll
kernel32.dll

Words of Interest
PADDINGX
exec
ping

URLs

Strings/Hex Code Matched By File Rules
Rule Type Encoding Matched (Word)
Entry Point Hex Pattern Microsoft Visual C++ 8
Resources
Path DataRVA Size FileOffset Code Text
\ICON\1\0 CA238 1AC4 4FC38 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A86600001A8B4944415478DAED9D3D6C5C5776.PNG........IHDR.............\r.f....IDATx...=l\Wv
\ICON\2\0 CBCFC 4228 516FC 2800000040000000800000000100200000000000000000000000000000000000000000000000000000000000000000000000(...@......... ...................................
\ICON\3\0 CFF24 25A8 55924 2800000030000000600000000100200000000000000000000000000000000000000000000000000000000000000000000000(...0........ ...................................
\ICON\4\0 D24CC 10A8 57ECC 2800000020000000400000000100200000000000000000000000000000000000000000000000000000000000000000000000(... ...@..... ...................................
\ICON\5\0 D3574 468 58F74 2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000(....... ..... ...................................
\STRING\7\1033 D39DC 80 593DC 000000000000000000000000000018004400690072006500630074004D0061006E006900700075006C006100740069006F00................D.i.r.e.c.t.M.a.n.i.p.u.l.a.t.i.o.
\GROUP_ICON\1\0 D3A5C 4C 5945C 0000010005000000000000000000C41A0000010040400000000000002842000002003030000000000000A825000003002020000000000000A810000004001010000000000000680400000500....................@@......(B....00.......%.... ....................h.....
\VERSION\1\1033 D3AA8 308 594A8 080334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000300..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\1033 D3DB0 17D 597B0 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779<?xml version='1.0' encoding='UTF-8' standalone='y
Intelligent String
• kernel32.dll
• GetStockObjectole32.dll

Flow Anomalies
Offset RVA Section Description
A2F8 N/A (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) JMP QWORD PTR [RIP+0xA7166D2A]
1625C N/A (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) JMP QWORD PTR [RIP+0x3D7ACD4F]
18ED4 N/A (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) CALL QWORD PTR [RIP+0x50D20AA0]
20103 N/A (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) JMP QWORD PTR [RIP+0x9CA15C73]
20353 N/A (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) JMP QWORD PTR [RIP+0xE712FCDC]
263B5 N/A (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) CALL QWORD PTR [RIP+0xADF863AB]
30120 N/A (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) CALL QWORD PTR [RIP+0x2A186352]
30DAB N/A (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) CALL QWORD PTR [RIP+0x9DC64EAA]
42248 N/A (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) CALL QWORD PTR [RIP+0x29A1BB6E]
50D91 N/A .rsrc CALL QWORD PTR [RIP+0xB78F9544]
52BA7 N/A .rsrc JMP QWORD PTR [RIP+0xFFFF8C]
54A0E IAT 0 .rsrc JMP QWORD PTR [RIP+0x0]
57FD2 IAT 0 .rsrc JMP QWORD PTR [RIP+0x0]
582FA IAT 0 .rsrc JMP QWORD PTR [RIP+0xFAFF7700]
58403 IAT 0 .rsrc CALL QWORD PTR [RIP+0xFEFFFF83]
58AEE IAT 0 .rsrc JMP QWORD PTR [RIP+0x0]
58C66 IAT 0 .rsrc JMP QWORD PTR [RIP+0x0]
58D0A IAT 0 .rsrc JMP QWORD PTR [RIP+0xD4FF7700]
58E16 IAT 0 .rsrc JMP QWORD PTR [RIP+0x9EFF7700]
73C68 IAT 0 .boot JMP QWORD PTR [RIP+0xBF6E9042]
74224 IAT 0 .boot JMP QWORD PTR [RIP+0x27106D27]
80CAA IAT 0 .boot JMP QWORD PTR [RIP+0xB784967F]
82E7A IAT 0 .boot JMP QWORD PTR [RIP+0x99FE3EE4]
9415B IAT 0 .boot JMP QWORD PTR [RIP+0x27FBB4C1]
9AB53 IAT 0 .boot CALL QWORD PTR [RIP+0xE861414]
A33A5 IAT 0 .boot JMP QWORD PTR [RIP+0xC769B03E]
A688C IAT 0 .boot JMP QWORD PTR [RIP+0x44F3FBBE]
AA4E6 IAT 0 .boot JMP QWORD PTR [RIP+0x718C8857]
AD06E IAT 0 .boot CALL QWORD PTR [RIP+0x252A35A6]
AFC3E IAT 0 .boot JMP QWORD PTR [RIP+0x9739EB96]
B18A8 IAT 0 .boot JMP QWORD PTR [RIP+0x12314036]
B8ABF IAT 0 .boot CALL QWORD PTR [RIP+0xBEB6AB8D]
BAF11 IAT 0 .boot JMP QWORD PTR [RIP+0xA2B1A814]
C4DC7 IAT 0 .boot JMP QWORD PTR [RIP+0xABDEBEE5]
D046E IAT 0 .boot JMP QWORD PTR [RIP+0x451059FD]
D1106 IAT 0 .boot JMP QWORD PTR [RIP+0xED2656D0]
D36FB IAT 0 .boot JMP QWORD PTR [RIP+0x9F39C67D]
D740B IAT 0 .boot JMP QWORD PTR [RIP+0x15D52F01]
E0DE9 IAT 0 .boot JMP QWORD PTR [RIP+0x903D52EF]
EA582 IAT 0 .boot JMP QWORD PTR [RIP+0x53C92D71]
EDB33 IAT 0 .boot JMP QWORD PTR [RIP+0x51C6DFC5]
F023B IAT 0 .boot JMP QWORD PTR [RIP+0xDF7ED6F8]
F6B44 IAT 0 .boot JMP QWORD PTR [RIP+0xB3B32E9E]
FCC88 IAT 0 .boot JMP QWORD PTR [RIP+0xCABBC284]
FED5C IAT 0 .boot JMP QWORD PTR [RIP+0x4427861E]
10445A IAT 0 .boot JMP QWORD PTR [RIP+0xC1B538C6]
108C31 IAT 0 .boot JMP QWORD PTR [RIP+0xA139AB28]
10DA1D IAT 0 .boot JMP QWORD PTR [RIP+0x7AD3D721]
10E8E7 IAT 0 .boot JMP QWORD PTR [RIP+0xC2457EDB]
131C5E IAT 0 .boot JMP QWORD PTR [RIP+0x5CEB30FC]
13B720 IAT 0 .boot JMP QWORD PTR [RIP+0x829102F0]
13CCDE IAT 0 .boot CALL QWORD PTR [RIP+0x587FCD10]
13E0D1 IAT 0 .boot JMP QWORD PTR [RIP+0x84BE751]
153FA5 IAT 0 .boot JMP QWORD PTR [RIP+0x982BBFC6]
155BED IAT 0 .boot CALL QWORD PTR [RIP+0x4ECA91F7]
1584A5 IAT 0 .boot JMP QWORD PTR [RIP+0xF3AF15FE]
15ABAD IAT 0 .boot CALL QWORD PTR [RIP+0x8FF520F6]
15DA20 IAT 0 .boot JMP QWORD PTR [RIP+0xCC996AED]
15F93C IAT 0 .boot JMP QWORD PTR [RIP+0x347D1C4]
163BAF IAT 0 .boot JMP QWORD PTR [RIP+0xAAD704A0]
179402 IAT 0 .boot JMP QWORD PTR [RIP+0x29D23D32]
17A3AC IAT 0 .boot JMP QWORD PTR [RIP+0x4E69AD8F]
185758 IAT 0 .boot CALL QWORD PTR [RIP+0x3B91E126]
1881B7 IAT 0 .boot JMP QWORD PTR [RIP+0xE663FA4C]
18CBE4 IAT 0 .boot JMP QWORD PTR [RIP+0xCFDDFE1A]
18D35C IAT 0 .boot JMP QWORD PTR [RIP+0x274CDBDC]
18EDAF IAT 0 .boot JMP QWORD PTR [RIP+0xBA773AB2]
19B7BE IAT 0 .boot JMP QWORD PTR [RIP+0xB29D1677]
19D9E8 IAT 0 .boot CALL QWORD PTR [RIP+0x85D3D6DD]
1BB5ED IAT 0 .boot CALL QWORD PTR [RIP+0xDEFBA2EA]
1BC51F IAT 0 .boot JMP QWORD PTR [RIP+0xC3D5E903]
1BD68F IAT 0 .boot CALL QWORD PTR [RIP+0x5DC94BEB]
1D900F IAT 0 .boot CALL QWORD PTR [RIP+0xD4A1A587]
1F7181 IAT 0 .boot JMP QWORD PTR [RIP+0x6532E084]
1FBE04 IAT 0 .boot CALL QWORD PTR [RIP+0x34245C9E]
1FF79E IAT 0 .boot JMP QWORD PTR [RIP+0xB45BFBC0]
203C8D IAT 0 .boot JMP QWORD PTR [RIP+0x71AEA51]
20544D IAT 0 .boot CALL QWORD PTR [RIP+0xD8C58803]
20E349 IAT 0 .boot JMP QWORD PTR [RIP+0xF2713A3B]
215199 IAT 0 .boot CALL QWORD PTR [RIP+0xD674FFD]
21B509 IAT 0 .boot JMP QWORD PTR [RIP+0xDBC8BF28]
21EA15 IAT 0 .boot JMP QWORD PTR [RIP+0xED43B418]
225B97 IAT 0 .boot JMP QWORD PTR [RIP+0x5F3FAE9]
22E6E2 IAT 0 .boot CALL QWORD PTR [RIP+0xBD4B7BB3]
232639 IAT 0 .boot CALL QWORD PTR [RIP+0x41880974]
23BE85 IAT 0 .boot JMP QWORD PTR [RIP+0xE5C2028F]
2405C0 IAT 0 .boot CALL QWORD PTR [RIP+0x1379AC70]
240C49 IAT 0 .boot CALL QWORD PTR [RIP+0x8026A0F2]
245967 IAT 0 .boot JMP QWORD PTR [RIP+0xD7008558]
24C956 IAT 0 .boot JMP QWORD PTR [RIP+0x517B60]
25838D IAT 0 .boot JMP QWORD PTR [RIP+0x9C6867A2]
263C00 IAT 0 .boot CALL QWORD PTR [RIP+0x1F9332D9]
267E0E IAT 0 .boot CALL QWORD PTR [RIP+0xC181A05F]
26F075 IAT 0 .boot JMP QWORD PTR [RIP+0x314E2CB2]
27611D IAT 0 .boot CALL QWORD PTR [RIP+0x90E102F7]
27EA05 IAT 0 .boot CALL QWORD PTR [RIP+0x3238FB80]
286783 IAT 0 .boot JMP QWORD PTR [RIP+0x87827C67]
2887F4 IAT 0 .boot JMP QWORD PTR [RIP+0x6CC71DE]
28BA6C IAT 0 .boot JMP QWORD PTR [RIP+0x7C014489]
290DE3 IAT 0 .boot JMP QWORD PTR [RIP+0xF508B3BF]
17FB9B-17FBAB N/A .boot Potential obfuscated jump sequence detected, count: 7
400-20BFF 1000 (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) Executable section anomaly, first bytes: 6BE401728BD0E78A
59A00-4175FF 6E2000 .boot Executable section anomaly, first bytes: 8F0866FA761E0966
417600 N/A *Overlay* 902A00000002020030822A7F06092A864886F70D | .*......0.*...*.H...
Extra Analysis
Metric Value Percentage
Ascii Code 2941224 68,385%
Null Byte Code 84793 1,9715%