PESCAN.IO - Analysis Report

PESCAN.IO - Analysis Report

File Structure:
PE chart code: - The executable header is displayed in light blue. - The executable sections are pink. - Non-executable sections are black. - Code added to executables externally to a compiler appears in red. Chart code for other files: - Printable characters are blue. - Non-printable characters (Null Bytes) are black.

Information:

Icon:

Size: 601,68 KB
SHA-256 Hash: 7735D08C8D28D55D2E78E80ADDD21F3702299354C9C238A39106AA2083A07B37
SHA-1 Hash: 7CA927AEE6FD3D5E8AE6FC9F6797D4402DD11E83
MD5 Hash: 162F99DDBDB683EF44A5B1FF2CF0FF49
Imphash: 64734CDB1C07748BF4A02729548341AF
MajorOSVersion: 5
CheckSum: 0009B093
EntryPoint (rva): 68E6
SizeOfHeaders: 400
SizeOfImage: 15000
ImageBase: 400000
Architecture: x86
ImportTable: D16C
Characteristics: 102
TimeDateStamp: 67F7A695
Date: 10/04/2025 11:08:05
File Type: EXE
Number Of Sections: 5
ASLR: Enabled
Section Names: .text, .data, .idata, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info:

Section Name	Flags	ROffset	RSize	VOffset	VSize
.text	60000020 (Executable)	400	B000	1000	AF0A
.data	C0000040 (Writeable)	B400	200	C000	70
.idata	40000040	B600	A00	D000	95C
.rsrc	40000040	C000	5E00	E000	5C01
.reloc	42000040	11E00	600	14000	458

Description:

OriginalFilename: launch_normal.exe
CompanyName: XLAB d.o.o.
LegalCopyright: XLAB d.o.o.
ProductName: launch_normal
FileVersion: 4.4.2447.14
FileDescription: launch_normal
ProductVersion: 4.4.2447.14
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Binder/Joiner/Crypter:

Dropper code detected (EOF) - 517,68 KB

Entry Point:

The section number (1) - (.text) have the Entry Point
Information -> EntryPoint (calculated) - 5CE6
Code -> 6A00FF1508D140008BC8E9ADFCFFFFFF7424046A00FF15E0D0400050FF15DCD04000C3FF7424046A00FF15E0D0400050FF15
• PUSH 0
• CALL DWORD PTR [0X40D108]
• MOV ECX, EAX
• JMP 0XCBC
• PUSH DWORD PTR [ESP + 4]
• PUSH 0
• CALL DWORD PTR [0X40D0E0]
• PUSH EAX
• CALL DWORD PTR [0X40D0DC]
• RET
• PUSH DWORD PTR [ESP + 4]
• PUSH 0
• CALL DWORD PTR [0X40D0E0]
• PUSH EAX

Signatures:

CheckSum Integrity Problem:
• Header: 635027
• Calculated: 647864
Rich Signature Analyzer:
Code -> ADEF3C82E98E52D1E98E52D1E98E52D10DFE53D0E08E52D1E98E53D18A8E52D152FB56D0E28E52D1BBFB51D0E88E52D127FB57D0E08E52D127FB56D0ED8E52D127FBADD1E88E52D1E98EC5D1E88E52D127FB50D0E88E52D152696368E98E52D1
Footprint md5 Hash -> 12D49EA08092A005417BA6C17DFCA830
• The Rich header apparently has not been modified
Certificate - Digital Signature:
• The file is signed and the signature is correct

Packer/Compiler:

Compiler: Microsoft Visual Studio
Detect It Easy (die)
• PE: linker: Microsoft Linker(14.29**)[EXE32,signed]
• Entropy: 7.92946

Suspicious Functions:

Library	Function	Description
KERNEL32.DLL	GetModuleFileNameA	Retrieve the fully qualified path for the executable file of a specified module.
KERNEL32.DLL	GetModuleHandleA	Retrieves a handle to the specified module.
KERNEL32.DLL	CopyFileA	Copies an existing file to a new file.
KERNEL32.DLL	CopyFileW	Copies an existing file to a new file.
KERNEL32.DLL	LoadLibraryA	Loads the specified module into the address space of the calling process.
KERNEL32.DLL	LoadLibraryW	Loads the specified module into the address space of the calling process.
KERNEL32.DLL	GetProcAddress	Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL	CreateFileA	Creates or opens a file or I/O device.
KERNEL32.DLL	DeleteFileA	Deletes an existing file.
SHELL32.DLL	ShellExecuteExA	Performs a run operation on a specific file.
SHELL32.DLL	ShellExecuteExW	Performs a run operation on a specific file.

Windows REG:

Software\ISL Online\launch

File Access:

ISLNetworkStart.dll
ADVAPI32.dll
SHELL32.dll
USER32.dll
KERNEL32.dll
ole32.dll
psapi.dll
NTDLL.DLL
Temp
ProgramFiles
UserProfile

File Access (UNICODE):

launch_normal.exe

Interest's Words:

exec
attrib
start
ping
rundll
expand

URLs:

http://ocsp.digicert.com
http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
http://crl3.digicert.com/DigiCertTrustedRootG4.crl
http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
http://www.digicert.com/CPS0
http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt

Strings/Hex Code Found With The File Rules:

• Rule Text (Ascii): WinAPI Sockets (listen)
• Rule Text (Ascii): WinAPI Sockets (connect)
• Rule Text (Ascii): WinAPI Sockets (send)
• Rule Text (Ascii): Registry (RegOpenKeyEx)
• Rule Text (Ascii): File (CopyFile)
• Rule Text (Ascii): File (CreateFile)
• Rule Text (Ascii): Anti-Analysis VM (GetVersion)
• Rule Text (Ascii): Execution (CreateProcessA)
• Rule Text (Ascii): Execution (CreateProcessW)
• Rule Text (Ascii): Execution (ShellExecute)

Resources:

Path	DataRVA	Size	FileOffset	Code	Text
\RT_MAN\IDR_RT_M\1033	E2FE	25D	C2FE	3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279	<?xml version="1.0" encoding="UTF-8" standalone="y
\ICON\1\0	E55B	128	C55B	2800000010000000200000000100040000000000800000000000000000000000100000001000000022222300B8710000BA75	(....... ...............................""..q...u
\ICON\2\0	E683	128	C683	2800000010000000200000000100040000000000800000000000000000000000100000001000000022222300B8710000BA75	(....... ...............................""..q...u
\ICON\3\0	E7AB	468	C7AB	2800000010000000200000000100200000000000000400000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\ICON\4\0	EC13	2E8	CC13	2800000020000000400000000100040000000000000200000000000000000000100000001000000022222300B8710000BC7A	(... ...@...............................""..q...z
\ICON\5\0	EEFB	2E8	CEFB	2800000020000000400000000100040000000000000200000000000000000000100000001000000022222300B8710000BC7A	(... ...@...............................""..q...z
\ICON\6\0	F1E3	10A8	D1E3	2800000020000000400000000100200000000000001000000000000000000000000000000000000000000000000000000000	(... ...@..... ...................................
\ICON\7\0	1028B	668	E28B	280000003000000060000000010004000000000080040000000000000000000010000000100000002222230071717100B871	(...0.................................."".qqq..q
\ICON\8\0	108F3	668	E8F3	280000003000000060000000010004000000000080040000000000000000000010000000100000002222230071717100B871	(...0.................................."".qqq..q
\ICON\9\0	10F5B	25A8	EF5B	2800000030000000600000000100200000000000002400000000000000000000000000000000000000000000000000000000	(...0........ ......$............................
\ICON\10\0	13503	3BC	11503	89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A866000003834944415478DAEDDDD16D834010	.PNG........IHDR.............\r.f....IDATx....m.@.
\GROUP_ICON\101\0	138BF	92	118BF	000001000A001010100001000400280100000100101010000100040028010000020010100000010020006804000003002020	..............(.............(........... .h.....
\VERSION\1\1033	13951	2B0	11951	B00234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000400	..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............

Intelligent String:

• Kernel32.dll
• NTDLL.DLL
• psapi.dll
• ole32.dll
• \writeacc.dat
• writeacc.dat
• remove.dir
• runas
• E:\Builds\CL-NS132-BW32\b.ProgramISLNetworkStart_win32.0\Release\launch_normal.pdb
• .bss
• KERNEL32.dll
• ADVAPI32.dll
• launch_normal.exe
• islwww.-*..com.net

Flow Anomalies:

Offset	RVA	Section	Description
12400	??	Overlay	124ECC070019E280FCEFFF5D0008803348173C62 \| .N.........]...3H.<b

Extra 4n4lysis:

Metric	Value	Percentage
Ascii Code	413703	67,1465%
Null Byte Code	17641	2,8632%