PESCAN.IO - Analysis Report Basic

| File Structure |
PE Chart Code (legend for the structure chart; the chart image itself is not reproduced here)
- Header PE: light blue
- Executable sections: pink
- Non-executable sections: black
- External injected code: red
- File Structure drawn in red: malformed or corrupted header
Chart Code For Other Files
- Printable characters: blue
- Non-printable characters: black
| Information |
- Size: 44.00 KB (45,056 bytes)
- SHA-256 Hash: A6DB899A96564FF736B98833EB3A2ECDE21D00D5B4EF171881F24B6E8B831645
- SHA-1 Hash: 1CCD7D404259C474C54458E0FD9A79AD77F8E92E
- MD5 Hash: 1780B5DD98978F374813452E953E59C8
- Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744 (the generic value for a .NET executable whose only native import is mscoree!_CorExeMain; it identifies the runtime stub, not this sample or its family, so it is useless for clustering)
- MajorOSVersion / MinorOSVersion: 4 / 0
- CheckSum: 00000000 (not set)
- EntryPoint (RVA): 0xBA4E
- SizeOfHeaders: 0x200
- SizeOfImage: 0x10000
- ImageBase: 0x400000
- Architecture: x86
- ImportTable (RVA): 0xB9F8
- IAT (RVA): 0x2000
- Characteristics: 0x102 (IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
- TimeDateStamp: 0x69DD4E43 (13/04/2026 20:12:51)
- File Type: EXE
- Number Of Sections: 3 (.text, .rsrc, .reloc); executable sections: 1
- ASLR: Enabled
- Subsystem: Windows GUI
- UAC Execution Level Manifest: asInvoker
- Tool flag: "Incomplete Binary or Compressor Packer - 20.00 KB Missing". This figure is SizeOfImage (0x10000 = 65,536 bytes) minus the on-disk size (45,056 bytes). The raw data of the last section ends at 0xAE00 + 0x200 = 0xB000 = 45,056 bytes, exactly the file size, so no section data is cut off; the 20 KB is the normal difference between the virtual layout (sections padded to 0x1000 alignment) and the file layout, and the low whole-file entropy (5.48) with no packer detected below points the same way.
| Sections Info |
(all offsets and sizes in hex; per-section Entropy and Chi2 were not reported)

| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code, Executable, Readable | 200 | 9C00 | 2000 | 9A54 | | |
| .rsrc | 0x40000040 Initialized Data, Readable | 9E00 | 1000 | C000 | 1000 | | |
| .reloc | 0x42000040 Initialized Data, Discardable, Readable | AE00 | 200 | E000 | C | | |

Note: 0x42000040 is IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE (0x02000000) | IMAGE_SCN_MEM_READ; the tool's "GP-Relative" label is wrong, since IMAGE_SCN_GPREL is 0x00008000 and is not set here. A discardable .reloc section is the normal layout for an ASLR-enabled image.
| Description |
| OriginalFilename: Stub.exe FileVersion: 0.0.0.0 ProductVersion: 0.0.0.0 Language: Unknown (ID=0x0) CodePage: Unicode (UTF-16 LE) (0x4B0) |
| Entry Point |
The entry point lies in section 1 (.text). EntryPoint RVA 0xBA4E maps to file offset 0x9C4E (0xBA4E - .text VOffset 0x2000 + ROffset 0x200). Bytes at the entry point: FF 25 00 20 40 00, followed by zero padding to the end of the section.

Disassembly:
- JMP DWORD PTR [0x402000]
- ADD BYTE PTR [EAX], AL (repeated; this is the 00 00 padding decoded as instructions, not real code)

0x402000 is ImageBase (0x400000) + the IAT RVA (0x2000): the single import slot, filled at load time with the address of mscoree!_CorExeMain (see the `_CorExeMainmscoree.dll` string below). This six-byte stub is the standard native entry of a .NET executable; all managed code is reached through the CLR, so a native disassembler stops here. The tool's note "EP changed to another address (AddressOfEntryPoint > BaseOfData)" fires because the stub sits at the tail of .text after the CLR metadata, which is where the linker places it for managed images; it is not evidence of tampering in this file.
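The arithmetic behind the figures above (which section holds the entry point, the file offset it maps to, the IAT slot the `FF 25` stub jumps through, the "20 KB missing" figure and the generic .NET imphash) can be reproduced from the report's own numbers. The following is an added worked example, not output of pescan.io and not code from the sample: the header and section values are transcribed from this report, the RVA-to-offset rules follow the PE loader's max(VirtualSize, SizeOfRawData) mapping, and `imphash` reimplements the commonly used pefile-style algorithm (assumed here: lower-case, strip .dll/.ocx/.sys, join `dll.func` with commas, MD5).

```python
import hashlib
import struct

# Header and section values transcribed from the pescan.io report above.
IMAGE_BASE = 0x400000
SIZE_OF_IMAGE = 0x10000
FILE_SIZE = 45056            # reported as 44.00 KB
ENTRY_POINT_RVA = 0xBA4E
IAT_RVA = 0x2000
# (name, raw offset, raw size, virtual offset, virtual size)
SECTIONS = [
    (".text",  0x200,  0x9C00, 0x2000, 0x9A54),
    (".rsrc",  0x9E00, 0x1000, 0xC000, 0x1000),
    (".reloc", 0xAE00, 0x200,  0xE000, 0xC),
]
# First six of the entry-point bytes quoted in the report: FF 25 00 20 40 00.
EP_BYTES = bytes.fromhex("FF2500204000")


def section_for_rva(rva, sections=SECTIONS):
    """Name of the section whose mapped range covers rva, or None if it falls in a gap."""
    for name, _roff, rsize, voff, vsize in sections:
        # The loader maps max(VirtualSize, SizeOfRawData) bytes starting at VOffset.
        if voff <= rva < voff + max(vsize, rsize):
            return name
    return None


def rva_to_file_offset(rva, sections=SECTIONS):
    """Translate an RVA to its file offset; None if it has no backing bytes on disk."""
    for _name, roff, rsize, voff, vsize in sections:
        if voff <= rva < voff + max(vsize, rsize):
            delta = rva - voff
            return roff + delta if delta < rsize else None
    return None


def decode_indirect_jmp(code, image_base=IMAGE_BASE):
    """Decode 'FF 25 disp32' (JMP DWORD PTR [abs32]); return (slot VA, slot RVA) or None."""
    if len(code) < 6 or code[:2] != b"\xff\x25":
        return None
    slot_va = struct.unpack_from("<I", code, 2)[0]
    return slot_va, slot_va - image_base


def raw_end_of_last_section(sections=SECTIONS):
    """Highest on-disk byte any section claims; equals the file size when nothing is cut off."""
    return max(roff + rsize for _n, roff, rsize, _v, _vs in sections)


def reported_missing_bytes(size_of_image=SIZE_OF_IMAGE, file_size=FILE_SIZE):
    """The tool's 'missing' figure: virtual image size minus on-disk size."""
    return size_of_image - file_size


def imphash(imports):
    """Import hash over (dll, function) pairs, pefile-style (assumed algorithm)."""
    parts = []
    for dll, func in imports:
        name = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if name.endswith(ext):
                name = name[: -len(ext)]
                break
        parts.append(f"{name}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


if __name__ == "__main__":
    print("EP section:", section_for_rva(ENTRY_POINT_RVA))
    print("EP file offset: 0x%X" % rva_to_file_offset(ENTRY_POINT_RVA))
    va, rva = decode_indirect_jmp(EP_BYTES)
    print("EP stub jumps through VA 0x%X (RVA 0x%X, is the IAT: %s)" % (va, rva, rva == IAT_RVA))
    print("last section raw end: %d, file size: %d" % (raw_end_of_last_section(), FILE_SIZE))
    print("SizeOfImage - file size: %d bytes" % reported_missing_bytes())
    print("imphash with only mscoree!_CorExeMain:", imphash([("mscoree.dll", "_CorExeMain")]))
```

Run against any other sample by replacing the constants with values read from its headers; a file whose last section's raw end exceeds its actual size is genuinely truncated, whereas a SizeOfImage larger than the file, as here, is not.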
| Signatures |
| Certificate - Digital Signature Not Found: • The file is not signed |
| Packer/Compiler |
- Compiler: Microsoft Visual .NET (managed code; a .NET decompiler, not a native disassembler, is the right tool for it)
  - AnyCPU: False
  - Version: v4.0
- Detect It Easy (die):
  - PE: library: .NET(v4.0.30319)[-]
  - PE: compiler: VB.NET(-)[-]
  - PE: linker: Microsoft Linker(8.0)[-]
  - Entropy: 5.47862 (whole file; low, consistent with no packer being detected)
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| USER32.DLL | GetAsyncKeyState | Retrieves the status of a virtual key asynchronously. |

In a .NET assembly the PE import table holds only mscoree!_CorExeMain (hence the generic imphash above), so this function is referenced through a P/Invoke (DllImport) declaration string rather than an IAT entry. Polled in a loop it is the usual user-mode keylogging primitive, which fits the [ENTER] and CapsLock key-name strings matched under the rules below.
| Windows REG (UNICODE) |
- Software\Microsoft\Windows\CurrentVersion\Run (autostart key; hive not shown; rebuilt string: SOFTWARE\Microsoft\Windows\CurrentVersion\Run)
- Software\Classes\
| File Access |
- Stub.exe
- mscoree.dll, kernel32.dll, user32.dll, avicap32.dll (DLL names; for a .NET assembly the last three are P/Invoke targets; avicap32.dll is the Video for Windows capture library, i.e. webcam access)
- Temp

| File Access (UNICODE) |
- Stub.exe
- cmd.exe, Explorer.exe
- 3cmd.exe /k ping 0 & del " (the leading "3" is the .NET string-heap length prefix, not part of the command; the tool also lists the same string as Exec - cmd.exe /k ping 0 & del ")
  This is a self-deletion idiom: ping acts as a delay, then del removes the file whose path is appended at runtime after the opening quote.
- Temp
| Words of Interest |
exec, createobject, attrib, start, systeminfo, replace

| Words of Interest (UNICODE) |
wscript, exec, netsh, start, ping, replace
| IP Addresses |
10.0.2.33, 10.0.0.0 (both in RFC 1918 private space, 10.0.0.0/8, so they point at an internal or lab network rather than an Internet host)
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Unicode | WinAPI Sockets (connect) |
| Text | Ascii | Encryption (FromBase64String) |
| Text | Ascii | Encryption (ToBase64String) |
| Text | Unicode | Execution (ShellExecute) |
| Text | Unicode | Keyboard Key ([ENTER]) |
| Text | Unicode | Keyboard Key (CapsLock) |
| Text | Unicode | Malicious rerouting of traffic to an attacker-controlled site (Redirect) |
| Entry Point | Hex Pattern | Microsoft Visual C / Basic .NET |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 |
| Entry Point | Hex Pattern | Microsoft Visual C v7.0 / Basic .NET |
| Entry Point | Hex Pattern | Microsoft Visual Studio .NET |
| Entry Point | Hex Pattern | .NET executable |

Notes on these hits: the two "Encryption" rows match Base64 helpers, which are an encoding, not encryption (the category name is the tool's). The "Redirect" row is the tool's label for a single matched word and is not by itself evidence of traffic redirection. The six Entry Point rows all fire on the same six-byte FF 25 stub shared by every .NET executable, so they identify the .NET runtime rather than a specific compiler; DIE's VB.NET verdict above is the more specific result.
| Resources |
| Path | DataRVA | Size | FileOffset | Code (first bytes, hex) | Text |
|---|---|---|---|---|---|
| \ICON\2\0 | C370 | 8A8 | A170 | 2800000020000000400000000100080000000000800400000000000000000000000100000000000000000000000080000080 | (... ...@......................................... |
| \GROUP_ICON\32512\0 | CC18 | 14 | AA18 | 0000010001002020000001000800A80800000200 | ...... ............ |
| \VERSION\1\0 | C130 | 23C | 9F30 | 3C0234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | <.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\0 (type 24 = RT_MANIFEST) | CC30 | 1EA | AA30 | EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65 | ...<?xml version="1.0" encoding="UTF-8" standalone |
| Intelligent String |
- 0.0.0.0
- Stub.exe
- Explorer.exe
- .exe
- cmd.exe
- Mnetsh firewall delete allowedprogram "
- 3cmd.exe /k ping 0 & del "
- Gnetsh firewall add allowedprogram "
- .tmp
- .lnk
- _CorExeMainmscoree.dll

The single characters in front of the three command strings (M, 3, G) are not typos. These literals live in the assembly's #US (user string) heap, where every entry is prefixed with its byte length (UTF-16 bytes plus one trailing flag byte) as a compressed integer: 'netsh firewall delete allowedprogram "' is 38 characters, 38 * 2 + 1 = 77 = 0x4D = "M"; 'cmd.exe /k ping 0 & del "' is 25 characters, 51 = 0x33 = "3"; 'netsh firewall add allowedprogram "' is 35 characters, 71 = 0x47 = "G". Each string ends at an opening quote, so the path being deleted or added to the Windows Firewall exception list (legacy `netsh firewall` context) is concatenated at runtime. "_CorExeMainmscoree.dll" is the import hint name and the DLL name stored next to each other in the import directory.
| Flow Anomalies |
| Offset | Target | Section | Type | Description |
|---|---|---|---|---|
| 4487 | 2628 | .text | JMP [static] | Indirect jump to absolute memory address |
| 44A0 | 2628 | .text | JMP [static] | Indirect jump to absolute memory address |
| 562B | 2628 | .text | JMP [static] | Indirect jump to absolute memory address |
| 9C4E | 402000 | .text | JMP [static] | Indirect jump to absolute memory address |

The three jumps at file offsets 0x4487, 0x44A0 and 0x562B all go through the same slot, reported as RVA 0x2628 inside .text; the last row is the entry-point stub at file offset 0x9C4E, reported by its absolute target 0x402000 (ImageBase + IAT RVA 0x2000), i.e. the mscoree!_CorExeMain import slot described under Entry Point.
| Extra Analysis |
| Metric | Value (bytes) | Percentage of file (45,056 bytes) |
|---|---|---|
| Ascii Code | 25257 | 56.0569% |
| Null Byte Code | 13753 | 30.5242% |
© 2026 All rights reserved.