PESCAN.IO - Analysis Report Basic

File Structure
[Analysis image not included in this export. PE chart legend: PE header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red indicates a malformed or corrupted header. Legend for non-PE files: printable characters (blue), non-printable characters (black).]
Information
Size: 12.00 KB
SHA-256 Hash: 92730427321A1C4CCFC0D0580834DAEF98121EFA9BB8963DA332BFD6CF1FDA8A
SHA-1 Hash: BE138820E72435043B065FBF3A786BE274B147AB
MD5 Hash: 1D8562C0ADCAEE734D63F7BAACA02F7C
Imphash: F2D1B81B70ADF3F2DCCC6D462AE64DC4
MajorOSVersion: 6
MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (rva): 15F1
SizeOfHeaders: 400
SizeOfImage: 7000
ImageBase: 400000
Architecture: x86
ImportTable: 3834
IAT: 3000
Characteristics: 102
TimeDateStamp: 6133B6C0
Date: 04/09/2021 18:11:12
File Type: EXE
Number Of Sections: 5
ASLR: Enabled
Section Names: .text, .rdata, .data, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows Console
UAC Execution Level Manifest: asInvoker

Sections Info
Section Name | Flags                                                  | ROffset | RSize | VOffset | VSize | Entropy | Chi2
.text        | 0x60000020 (Code, Executable, Readable)                | 400     | 1600  | 1000    | 15A1  | 6.506   | 41079.36
.rdata       | 0x40000040 (Initialized Data, Readable)                | 1A00    | 1000  | 3000    | F38   | 4.4232  | 206100.88
.data        | 0xC0000040 (Initialized Data, Readable, Writeable)     | 2A00    | 200   | 4000    | 3A0   | 0.321   | 122018
.rsrc        | 0x40000040 (Initialized Data, Readable)                | 2C00    | 200   | 5000    | 1E0   | 4.6961  | 9408
.reloc       | 0x42000040 (Initialized Data, GP-Relative, Readable)   | 2E00    | 200   | 6000    | 1B8   | 5.8873  | 5625
Entry Point
The entry point is located in section 1 (.text).
EntryPoint (calculated file offset): 9F1
Code -> E8C4030000E974FEFFFF558BEC6A00FF1534304000FF7508FF153030400068090400C0FF152830400050FF15243040005DC3
Assembler
  CALL 0X13C9
  JMP 0XE7E
  PUSH EBP
  MOV EBP, ESP
  PUSH 0
  CALL DWORD PTR [0X403034]
  PUSH DWORD PTR [EBP + 8]
  CALL DWORD PTR [0X403030]
  PUSH 0XC0000409
  CALL DWORD PTR [0X403028]
  PUSH EAX
  CALL DWORD PTR [0X403024]
  POP EBP
  RET
Signatures
Rich Signature Analyzer:
Code -> F470F621B0119872B0119872B0119872B9690B72BA1198720E609D73A41198720E609C73BC1198720E609B73B51198720E609973B4119872EB799973B9119872B01199728C11987226639173B111987226636772B111987226639A73B111987252696368B0119872
Footprint md5 Hash -> 6B8520B524769B2B68C5257A61FCA0E6
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Compiler: Microsoft Visual Studio
Detect It Easy (die)
PE: compiler: EP:Microsoft Visual C/C++(2017 v.15.5-6)[EXE32]
PE: compiler: Microsoft Visual C/C++(-)[-]
PE: linker: Microsoft Linker(14.28**)[-]
Entropy: 5.71925

Suspicious Functions
Library      | Function           | Description
KERNEL32.DLL | IsDebuggerPresent  | Determines if the calling process is being debugged by a user-mode debugger.
URLMON.DLL   | URLDownloadToFileW | Downloads a file from the internet and saves it to a local file.
SHELL32.DLL  | ShellExecuteW      | Performs a run operation on a specific file.
File Access
api-ms-win-crt-heap-l1-1-0.dll
api-ms-win-crt-locale-l1-1-0.dll
api-ms-win-crt-math-l1-1-0.dll
api-ms-win-crt-runtime-l1-1-0.dll
api-ms-win-crt-stdio-l1-1-0.dll
VCRUNTIME140.dll
WININET.dll
urlmon.dll
MSVCP140.dll
SHELL32.dll
KERNEL32.dll
.dat
@.dat

File Access (UNICODE)
\Users\Public\Documents\CR433101.dat
dat.exe
cmd.exe
Exec - cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "%s"

Interesting Words
exec

Interesting Words (UNICODE)
at.exe
ping

URLs (UNICODE)
http://ssl-6582datamanager.helpdeskbros.local/favicon.ico
http://huskyhacks.dev

Known IP/Domains (UNICODE)
Cloudflare DNS - 1.1.1.1

Strings/Hex Code Found With The File Rules
Rule                           | Type        | Encoding    | Matched (Word)
Anti-Analysis VM               | Text        | Ascii       | IsDebuggerPresent
Stealth                        | Text        | Ascii       | CloseHandle
Execution                      | Text        | Ascii       | CreateProcessW
Execution                      | Text        | Ascii       | ShellExecute
Microsoft Visual C++ 8         | Entry Point | Hex Pattern | -
Microsoft Visual C++ 8         | Entry Point | Hex Pattern | -
Microsoft Visual C++ v7.0      | Entry Point | Hex Pattern | -
PE-Exe Executable Image        | Entry Point | Hex Pattern | -
VC8 - Microsoft Corporation    | Entry Point | Hex Pattern | -
Resources
Path       | DataRVA | Size | FileOffset | Code (hex)
\24\1\1033 | 5060    | 17D  | 2C60       | 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779
Text (decoded, truncated by the tool): <?xml version='1.0' encoding='UTF-8' standalone='y
Intelligent String
• C:\Users\Public\Documents\CR433101.dat.exe
• cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "%s"
• http://ssl-6582datamanager.helpdeskbros.local/favicon.ico
• http://huskyhacks.dev
• C:\Users\Matt\source\repos\HuskyHacks\PMAT-maldev\src\DownloadFromURL\Release\DownloadFromURL.pdb
• .bss
• KERNEL32.dll
• MSVCP140.dll
• urlmon.dll
• jterminateapi-ms-win-crt-stdio-l1-1-0.dll
• api-ms-win-crt-runtime-l1-1-0.dll
• api-ms-win-crt-math-l1-1-0.dll
• api-ms-win-crt-locale-l1-1-0.dll
• api-ms-win-crt-heap-l1-1-0.dll

Flow Anomalies
Every target address listed below lies in 0x403000-0x4030FC, which is the Import Address Table (IAT at RVA 3000 with ImageBase 400000); these are the compiler's ordinary indirect calls and jump thunks through the IAT to imported APIs, not transfers into code outside the image.
Offset RVA Section Description
444 4030E8 .text CALL [static] | Indirect call to absolute memory address
4A7 403070 .text CALL [static] | Indirect call to absolute memory address
4D9 4030F4 .text CALL [static] | Indirect call to absolute memory address
4F6 403074 .text CALL [static] | Indirect call to absolute memory address
528 403054 .text CALL [static] | Indirect call to absolute memory address
566 403000 .text CALL [static] | Indirect call to absolute memory address
5AD 403008 .text CALL [static] | Indirect call to absolute memory address
5B7 403004 .text CALL [static] | Indirect call to absolute memory address
5C0 403004 .text CALL [static] | Indirect call to absolute memory address
5F6 403040 .text CALL [static] | Indirect call to absolute memory address
606 403048 .text CALL [static] | Indirect call to absolute memory address
678 403040 .text CALL [static] | Indirect call to absolute memory address
688 403048 .text CALL [static] | Indirect call to absolute memory address
6F8 40304C .text CALL [static] | Indirect call to absolute memory address
77A 403044 .text CALL [static] | Indirect call to absolute memory address
927 4030FC .text CALL [static] | Indirect call to absolute memory address
A00 403034 .text CALL [static] | Indirect call to absolute memory address
A09 403030 .text CALL [static] | Indirect call to absolute memory address
A14 403028 .text CALL [static] | Indirect call to absolute memory address
A1B 403024 .text CALL [static] | Indirect call to absolute memory address
D7F 403018 .text CALL [static] | Indirect call to absolute memory address
D8E 403010 .text CALL [static] | Indirect call to absolute memory address
D97 40300C .text CALL [static] | Indirect call to absolute memory address
DA4 403038 .text CALL [static] | Indirect call to absolute memory address
E17 40301C .text CALL [static] | Indirect call to absolute memory address
F57 403020 .text CALL [static] | Indirect call to absolute memory address
F77 403034 .text CALL [static] | Indirect call to absolute memory address
F81 403030 .text CALL [static] | Indirect call to absolute memory address
FA1 40302C .text CALL [static] | Indirect call to absolute memory address
FE7 403034 .text CALL [static] | Indirect call to absolute memory address
1065 4030FC .text CALL [static] | Indirect call to absolute memory address
1091 4030FC .text CALL [static] | Indirect call to absolute memory address
1313 40305C .text JMP [static] | Indirect jump to absolute memory address
1319 403060 .text JMP [static] | Indirect jump to absolute memory address
131F 403068 .text JMP [static] | Indirect jump to absolute memory address
1325 403064 .text JMP [static] | Indirect jump to absolute memory address
132B 403098 .text JMP [static] | Indirect jump to absolute memory address
1331 4030B0 .text JMP [static] | Indirect jump to absolute memory address
1337 40308C .text JMP [static] | Indirect jump to absolute memory address
133D 4030B4 .text JMP [static] | Indirect jump to absolute memory address
1343 4030DC .text JMP [static] | Indirect jump to absolute memory address
1349 4030D8 .text JMP [static] | Indirect jump to absolute memory address
134F 4030D4 .text JMP [static] | Indirect jump to absolute memory address
1355 4030D0 .text JMP [static] | Indirect jump to absolute memory address
135B 4030CC .text JMP [static] | Indirect jump to absolute memory address
1361 4030C8 .text JMP [static] | Indirect jump to absolute memory address
1367 4030EC .text JMP [static] | Indirect jump to absolute memory address
136D 4030C4 .text JMP [static] | Indirect jump to absolute memory address
1373 4030C0 .text JMP [static] | Indirect jump to absolute memory address
1379 4030BC .text JMP [static] | Indirect jump to absolute memory address
137F 403094 .text JMP [static] | Indirect jump to absolute memory address
1385 4030B8 .text JMP [static] | Indirect jump to absolute memory address
138B 403084 .text JMP [static] | Indirect jump to absolute memory address
1391 40307C .text JMP [static] | Indirect jump to absolute memory address
1397 4030E4 .text JMP [static] | Indirect jump to absolute memory address
139D 40309C .text JMP [static] | Indirect jump to absolute memory address
13A3 4030A0 .text JMP [static] | Indirect jump to absolute memory address
13A9 4030A4 .text JMP [static] | Indirect jump to absolute memory address
13AF 4030A8 .text JMP [static] | Indirect jump to absolute memory address
13B5 4030AC .text JMP [static] | Indirect jump to absolute memory address
13BB 403014 .text JMP [static] | Indirect jump to absolute memory address
Extra Analysis
Metric         | Value | Percentage
Ascii Code     | 6652  | 54.1341%
Null Byte Code | 4082  | 33.2194%