PESCAN.IO - Analysis Report

PESCAN.IO - Analysis Report

File Structure:
PE chart code: - The executable header is displayed in light blue. - The executable sections are pink. - Non-executable sections are black. - Code added to executables externally to a compiler appears in red. Chart code for other files: - Printable characters are blue. - Non-printable characters (Null Bytes) are black.

Information:

Icon:

Size: 1,97 MB
SHA-256 Hash: CBB320626C815D656949B9A27A60FC7D8303C86E2AF8E228BF245B1D8D0CE231
SHA-1 Hash: B7CAC4E4314BDBEAF89839EE85D2AB1F1FF31713
MD5 Hash: 19935ED14EF3D9A17DCF5DB547FFA2E3
Imphash: 1BCEE876DFAE5E68C3451C29F9217C72
MajorOSVersion: 4
CheckSum: 00202227
EntryPoint (rva): 170000
SizeOfHeaders: 350
SizeOfImage: 203120
ImageBase: 400000
Architecture: x86
ImportTable: 19C000
Characteristics: 102
TimeDateStamp: 66111AB3
Date: 06/04/2024 9:49:39
File Type: EXE
Number Of Sections: 12
ASLR: Disabled
Section Names: .text, .rdata, .data, .00cfg, .tls, .voltbl, .rsrc, .reloc, .text, .idata, .rsrc, .reloc
Number Of Executable Sections: 2
Subsystem: Windows GUI

Sections Info:

Section Name	Flags	ROffset	RSize	VOffset	VSize
.text	60000020 (Executable)	400	C7200	1000	C718A
.rdata	40000040	C7600	39000	C9000	38EA4
.data	C0000040 (Writeable)	100600	C00	102000	40D8
.00cfg	40000040	101200	200	107000	8
.tls	C0000040 (Writeable)	101400	200	108000	9
.voltbl	0	101600	200	109000	92
.rsrc	40000040	101800	5AC00	10A000	5AB40
.reloc	42000040	15C400	A200	165000	A118
.text	E0000020 (Executable) (Writeable)	166600	2B800	170000	2B6B4
.idata	C2000040 (Writeable)	191E00	1E00	19C000	1D2F
.rsrc	40000040	193C00	5AC00	19E000	5AB14
.reloc	42000040	1EE800	A200	1F9000	A120

Description:

InternalName: PuTTY
OriginalFilename: PuTTY
CompanyName: Simon Tatham
LegalCopyright: Copyright 1997-2024 Simon Tatham.
ProductName: PuTTY suite
FileVersion: Release 0.81 (with embedded help)

Entry Point:

The section number (9) - (.text) have the Entry Point
Information -> EntryPoint (calculated) - 166600
Code -> 606831005700FF1530FE4F00683A00570050FF15A8FD4F008D15470057006A006A006A00526A006A00FFD061E9F500F3FF6B
• PUSHAD
• PUSH 0X570031
• CALL DWORD PTR [0X4FFE30]
• PUSH 0X57003A
• PUSH EAX
• CALL DWORD PTR [0X4FFDA8]
• LEA EDX, [0X570047]
• PUSH 0
• PUSH 0
• PUSH 0
• PUSH EDX
• PUSH 0
• PUSH 0
• CALL EAX
• POPAL
• JMP 0XFFF31126
EP changed to another address -> (Address Of EntryPoint > Base Of Data)

Signatures:

CheckSum Integrity Problem:
• Header: 2105895
• Calculated: 2106071
Certificate - Digital Signature Not Found:
• The file is not signed

Duplicate Sections:

Section .text duplicate 2 times
Section .rsrc duplicate 2 times
Section .reloc duplicate 2 times

Packer/Compiler:

Compiler: Microsoft Visual C ++
Detect It Easy (die)
• Entropy: 7.25851

Suspicious Functions:

Library	Function	Description
Ws2_32.DLL	socket \| Possible Call API By Name	Create a communication endpoint for networking applications.
Ws2_32.DLL	connect \| Possible Call API By Name	Establish a connection to a specified socket.
KERNEL32.DLL	CreateMutexA	Create a named or unnamed mutex object for controlling access to a shared resource.
KERNEL32.DLL	CreateMutexW	Create a named or unnamed mutex object for controlling access to a shared resource.
KERNEL32.DLL	GetModuleFileNameA	Retrieve the fully qualified path for the executable file of a specified module.
KERNEL32.DLL	VirtualAlloc	Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL	GetModuleHandleA	Retrieves a handle to the specified module.
KERNEL32.DLL	WriteFile	Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL	LoadLibraryA	Loads the specified module into the address space of the calling process.
KERNEL32.DLL	LoadLibraryW	Loads the specified module into the address space of the calling process.
KERNEL32.DLL	CreateToolhelp32Snapshot	Creates a snapshot of the specified processes, heaps, threads, and modules.
KERNEL32.DLL	CreateRemoteThread	Creates a thread in the address space of another process.
KERNEL32.DLL	WriteProcessMemory	Writes data to an area of memory in a specified process.
KERNEL32.DLL	GetProcAddress	Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL	CreateFileA	Creates or opens a file or I/O device.
KERNEL32.DLL	DeleteFileA	Deletes an existing file.
KERNEL32.DLL	IsDebuggerPresent	Determines if the calling process is being debugged by a user-mode debugger.
Ws2_32.DLL	socket	Create a communication endpoint for networking applications.
Ws2_32.DLL	connect	Establish a connection to a specified socket.
ADVAPI32.DLL	CryptEncrypt	Performs a cryptographic operation on data in a data block.
ADVAPI32.DLL	CryptDecrypt	Performs a cryptographic operation on data in a data block.
ADVAPI32.DLL	RegCreateKeyExA	Creates a new registry key or opens an existing one.
ADVAPI32.DLL	RegDeleteKeyA	Used to delete a subkey and its values from the Windows registry.
ADVAPI32.DLL	RegSetValueExA	Sets the data and type of a specified value under a registry key.
SHELL32.DLL	ShellExecuteA	Performs a run operation on a specific file.

Windows REG:

Software\SimonTatham\PuTTY\Jumplist
Software\SimonTatham\PuTTY\SshHostKeys
SOFTWARE\MIT\Kerberos
Software\SimonTatham\PuTTY\Sessions
Software\SimonTatham\PuTTY\SshHostCAs
Software\SimonTatham
Software\SimonTatham\PuTTY\CHMPath
Software\SimonTatham\PuTTY64\CHMPath
Software\SimonTatham\PuTTY

File Access:

PuTTYgen.exe
Pageant.exe
ADVAPI32.dll
COMDLG32.dll
SHELL32.dll
KERNEL32.dll
USER32.dll
ole32.dll
IMM32.dll
GDI32.dll
ntdll.dll
WINHTTP.dll
WININET.dll
CRYPT32.dll
WS2_32.dll
server.dll
*.dll
Dynamic Library Files (*.dll
Using GSSAPI from GSSAPI32.DLL
MIT Kerberos GSSAPI32.DLL
Microsoft SSPI SECUR32.DLL
Using SSPI from SECUR32.DLL
wsock32.dll
comctl32.dll
secur32.dll
wship6.dll
shcore.dll
sspicli.dll
dwmapi.dll
winmm.dll
spoolss.dll
Temp

File Access (UNICODE):

mscoree.dll
kernel32.dll
Temp

SQL Queries:

Select a colour from the list, and then click the Modify button to change its appearance.

Interest's Words:

Encrypt
Decrypt
Encryption
PassWord
exec
attrib
start
pause
cipher
hostname
sdelete
shutdown
ping
route

Interest's Words (UNICODE):

zombie
PassWord
start
cipher
ping

URLs:

http://schemas.microsoft.com/SMI/2005/WindowsSettings
http://schemas.microsoft.com/SMI/2016/WindowsSettings
https://www.chiark.greenend.org.uk/~sgtatham/putty/

Payloads:

Unusual BP Cave > 15 Bytes - (0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...)

IP Addresses:

192.168.178.90

PE Carving:

Start Offset Header	End Offset	Size (Bytes)
0	16664D	16664D
16664D	1F8A00	923B3

Strings/Hex Code Found With The File Rules:

• Rule Text (Ascii): WinAPI Sockets (WSACleanup)
• Rule Text (Ascii): WinAPI Sockets (bind)
• Rule Text (Ascii): WinAPI Sockets (listen)
• Rule Text (Unicode): WinAPI Sockets (listen)
• Rule Text (Ascii): WinAPI Sockets (accept)
• Rule Text (Ascii): WinAPI Sockets (connect)
• Rule Text (Unicode): WinAPI Sockets (connect)
• Rule Text (Ascii): WinAPI Sockets (recv)
• Rule Text (Ascii): WinAPI Sockets (send)
• Rule Text (Unicode): WinAPI Sockets (send)
• Rule Text (Ascii): Registry (RegCreateKeyEx)
• Rule Text (Ascii): Registry (RegOpenKeyEx)
• Rule Text (Ascii): Registry (RegSetValueEx)
• Rule Text (Ascii): File (GetTempPath)
• Rule Text (Ascii): File (CreateFile)
• Rule Text (Ascii): File (WriteFile)
• Rule Text (Ascii): File (ReadFile)
• Rule Text (Ascii): Encryption (Blowfish)
• Rule Text (Unicode): Encryption (Microsoft Enhanced Cryptographic Provider v1.0)
• Rule Text (Unicode): Encryption (Microsoft Enhanced RSA and AES Cryptographic Provider)
• Rule Text (Ascii): Encryption API (CryptAcquireContext)
• Rule Text (Ascii): Encryption API (CryptDecrypt)
• Rule Text (Ascii): Encryption API (CryptReleaseContext)
• Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent)
• Rule Text (Ascii): Anti-Analysis VM (GetVersion)
• Rule Text (Ascii): Anti-Analysis VM (CreateToolhelp32Snapshot)
• Rule Text (Ascii): Stealth (VirtualAlloc)
• Rule Text (Ascii): Stealth (VirtualProtect)
• Rule Text (Ascii): Stealth (CreateRemoteThread)
• Rule Text (Ascii): Execution (CreateProcessA)
• Rule Text (Ascii): Execution (ShellExecute)
• Rule Text (Ascii): Execution (ResumeThread)
• Rule Text (Ascii): Antivirus Software (f-prot)
• Rule Text (Unicode): Privileges (SeDebugPrivilege)
• Rule Text (Unicode): Privileges (SeSecurityPrivilege)
• Rule Text (Ascii): Keyboard Key (Alt+)
• Rule Text (Ascii): Keyboard Key (Scroll)
• Rule Text (Ascii): Keyboard Key (CapsLock)
• Rule Text (Ascii): Keyboard Key (Backspace)
• Rule Text (Ascii): Information used to authenticate a users identity (Credential)
• Rule Text (Ascii): Information used for user authentication (Credential)
• Rule Text (Ascii): Unauthorized movement of funds or data (Transfer)
• Rule Text (Ascii): Technique used to circumvent security measures (Bypass)
• EP Rules: dUP v2.x Patcher • www.diablo2oo2.cjb.net
• EP Rules: Gem VDI Image graphics file
• EP Rules: PE-Exe Executable Image

Resources:

Path	DataRVA	Size	FileOffset	Code	Text
\ICON\1\1033	19E520	128	194120	2800000010000000200000000100040000000000800000000000000000000000000000000000000000000000000080000080	(....... .........................................
\ICON\2\1033	19E648	2E8	194248	2800000020000000400000000100040000000000000200000000000000000000000000000000000000000000000080000080	(... ...@.........................................
\ICON\3\1033	19E930	668	194530	2800000030000000600000000100040000000000800400000000000000000000000000000000000000000000000080000080	(...0............................................
\ICON\4\1033	19EF98	B0	194B98	2800000010000000200000000100010000000000400000000000000000000000000000000000000000000000FFFFFF000000	(....... ...........@.............................
\ICON\5\1033	19F048	130	194C48	2800000020000000400000000100010000000000800000000000000000000000000000000000000000000000FFFFFF000000	(... ...@.........................................
\ICON\6\1033	19F178	330	194D78	2800000030000000600000000100010000000000800100000000000000000000000000000000000000000000FFFFFF000000	(...0............................................
\ICON\7\1033	19F4A8	128	1950A8	2800000010000000200000000100040000000000800000000000000000000000000000000000000000000000000080000080	(....... .........................................
\ICON\8\1033	19F5D0	2E8	1951D0	2800000020000000400000000100040000000000000200000000000000000000000000000000000000000000000080000080	(... ...@.........................................
\ICON\9\1033	19F8B8	668	1954B8	2800000030000000600000000100040000000000800400000000000000000000000000000000000000000000000080000080	(...0............................................
\ICON\10\1033	19FF20	B0	195B20	2800000010000000200000000100010000000000400000000000000000000000000000000000000000000000FFFFFF000000	(....... ...........@.............................
\ICON\11\1033	19FFD0	130	195BD0	2800000020000000400000000100010000000000800000000000000000000000000000000000000000000000FFFFFF000000	(... ...@.........................................
\ICON\12\1033	1A0100	330	195D00	2800000030000000600000000100010000000000800100000000000000000000000000000000000000000000FFFFFF000000	(...0............................................
\DIALOG\102\1033	1A0430	76	196030	C000C880000000000000000000002C01FC0000005000750054005400590043006F006E0066006900670042006F0078000000	..............,.....P.u.T.T.Y.C.o.n.f.i.g.B.o.x...
\DIALOG\110\1033	1A04A6	BA	1960A6	C000C880000000000300640014002C017700000000005000750054005400590020004500760065006E00740020004C006F00	..........d...,.w.....P.u.T.T.Y. .E.v.e.n.t. .L.o.
\DIALOG\111\1033	1A0560	FA	196160	C000C8800000000004008C0028000E01880000000000410062006F0075007400200050007500540054005900000008004D00	............(.........A.b.o.u.t. .P.u.T.T.Y.....M.
\DIALOG\113\1033	1A065A	8A	19625A	C000C880000000000200320032004601EF00000000005000750054005400590020004C006900630065006E00630065000000	..........2.2.F.......P.u.T.T.Y. .L.i.c.e.n.c.e...
\DIALOG\114\1033	1A06E4	1AE	1962E4	C000C880000000000800320032005401F00000005000750054005400590048006F00730074004B0065007900440069006100	..........2.2.T.....P.u.T.T.Y.H.o.s.t.K.e.y.D.i.a.
\DIALOG\116\1033	1A0892	DE	196492	C000C8800000000001008C00280090012C0100005000750054005400590048006F00730074004B00650079004D006F007200	............(...,...P.u.T.T.Y.H.o.s.t.K.e.y.M.o.r.
\DIALOG\117\1033	1A0970	A8	196570	C000C880000000000000000000005E01040100005000750054005400590043006F006E0066006900670042006F0078000000	...................P.u.T.T.Y.C.o.n.f.i.g.B.o.x...
\GROUP_ICON\200\1033	1A0A18	5A	196618	00000100060010101000010004002801000001002020100001000400E8020000020030301000010004006806000003001010	..............(..... ............00......h.......
\GROUP_ICON\201\1033	1A0A72	5A	196672	00000100060010101000010004002801000007002020100001000400E8020000080030301000010004006806000009001010	..............(..... ............00......h.......
\VERSION\1\1033	1A0ACC	338	1966CC	380334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001005100	8.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............Q.
\24\1\1033	1A0E04	559	196A04	3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279	<?xml version="1.0" encoding="UTF-8" standalone="y
\2000\2000\1033	1A135D	577B7	196F5D	49545346030000006000000001000000123456780908000010FD017CAA7BD0119E0C00A0C922E6EC11FD017CAA7BD0119E0C	ITSF............4Vx.......\|.{.......".....\|.{....

Intelligent String:

• ntdll.dll
• kernel32.dll
• xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">
• xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
• SSH, Telnet, Rlogin, and SUPDUP client
• contents.hhc
• mscoree.dll
• @.tls
• Version string did not have expected prefix
• Pageant.exePuTTYgen.exe
• part.ptr
• /home/simon/mem/.build/workdirs/bob-0_vdcidh/putty/ssh/login1.c
• ssh->gss_state.lib
• strncmp(pipename, "\\\\.\\pipe\\", 9) == 0
• server.dll
• WS2_32.dll
• KERNEL32.dll
• advapi32.dll
• tcp://192.168.178.90:8080

Extra 4n4lysis:

Metric	Value	Percentage
Ascii Code	1314202	63,5819%
Null Byte Code	249023	12,0479%
NOP Cave Found	0x9090909090	Block Count: 1740 \| Total: 0,2105%