PESCAN.IO - Analysis Report Basic

File Structure
Analysis image (not reproduced here). PE chart legend: PE header (light blue), executable sections (pink), non-executable sections (black), externally injected code (red); a file structure drawn in red indicates a malformed or corrupted header. Chart legend for other file types: printable characters (blue), non-printable characters (black).
Information
Size: 100.13 KB
SHA-256 Hash: F712C2A8B4ABF2E299A2B480020333DEB0F43364E9686CDA78B1243C62E4830D
SHA-1 Hash: DE0C8FBA8D7AC8F547C88B6E5F7F5CD422EC2903
MD5 Hash: 1EA7D59053D8BD45BEA95355B3D8D499
Imphash: 1AD7D70D7B6C16D05F66818C394CB860
MajorOSVersion: 5
MinorOSVersion: 2
CheckSum: 0001D5C3
EntryPoint (rva): 1208
SizeOfHeaders: 400
SizeOfImage: 1A000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: 11C0C
IAT: C000
Characteristics: 22
TimeDateStamp: 64114320
Date: 15/03/2023 4:01:36
File Type: EXE
Number Of Sections: 6
ASLR: Disabled
Section Names (Optional Header): .text, .rdata, .data, .pdata, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info
Section | Flags | Characteristics | ROffset | RSize | VOffset | VSize | Entropy | Chi2
.text | 0x60000020 | Code, Executable, Readable | 400 | AA00 | 1000 | A86B | 6.4364 | 287473.31
.rdata | 0x40000040 | Initialized Data, Readable | AE00 | 6400 | C000 | 6338 | 3.9416 | 1971218.52
.data | 0xC0000040 | Initialized Data, Readable, Writeable | 11200 | 1600 | 13000 | 3A98 | 2.8931 | 709312.73
.pdata | 0x40000040 | Initialized Data, Readable | 12800 | A00 | 17000 | 8A0 | 4.2716 | 165758.2
.rsrc | 0x40000040 | Initialized Data, Readable | 13200 | 600 | 18000 | 550 | 3.8593 | 96539.33
.reloc | 0x42000040 | Initialized Data, GP-Relative, Readable | 13800 | 600 | 19000 | 528 | 5.0738 | 18928.33
Description
OriginalFilename: active_desktop_launcher.exe
CompanyName: wrPN
LegalCopyright: Copyright 2023 KuGou-Inc.All Rights Reserved
ProductName: KuGou
FileVersion: 1.0.0.50
FileDescription: active_desktop_launcher
ProductVersion: 1.0.0.50
Language: Chinese (People's Republic of China) (ID=0x804)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point
Section number 1 (.text) contains the Entry Point.
EntryPoint (calculated): 608
Code -> 4883EC28E8B31400004883C428E936FEFFFFCCCC40534883EC20488BD9FF15F5AD0000B90100000089050A390100E8A91E00
Assembler
SUB RSP, 0X28
CALL 0X24BC
ADD RSP, 0X28
JMP 0XE48
INT3
INT3
PUSH RBX
SUB RSP, 0X20
MOV RBX, RCX
CALL QWORD PTR [RIP + 0XADF5]
MOV ECX, 1
MOV DWORD PTR [RIP + 0X1390A], EAX
Signatures
Rich Signature Analyzer:
Code -> FC93676CB8F2093FB8F2093FB8F2093FFEA3E83FA0F2093FFEA3E93FD9F2093FFEA3D63FB0F2093F0D6CD43FBBF2093FB18A9A3FBAF2093FB8F2083FF7F2093F0D6CEC3FB9F2093FB5A0D23FB9F2093FB8F29E3FB9F2093F0D6CD73FB9F2093F52696368B8F2093F
Footprint MD5 hash -> 768489D09E28CE9F7F324F21041476F7
• The Rich header apparently has not been modified
Certificate - Digital Signature:
• The file is signed and the signature is correct

Packer/Compiler
Compiler: Microsoft Visual Studio
Compiler: Microsoft Visual C++
Detect It Easy (die)
PE+(64): compiler: Microsoft Visual C/C++(2013)[-]
PE+(64): linker: Microsoft Linker(12.0*)[-]
PE+(64): Sign tool: Windows Authenticode(2.0)[PKCS 7]
Entropy: 6.29424

Suspicious Functions
Library | Function | Description
KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger.
File Access
KERNEL32.dll
active_desktop_render_x64.dll
@.dat

File Access (UNICODE)
active_desktop_launcher.exe
USER32.DLL
kernel32.dll
mscoree.dll
Temp

Words of Interest
exec
start
ping

URLs
http://ocsp.digicert.com
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
http://crl3.digicert.com/DigiCertTrustedRootG4.crl
http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
http://www.digicert.com/CPS0
http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt

IP Addresses
1.0.0.50

Strings/Hex Code Found With The File Rules
Type | Encoding | Rule | Matched (Word)
Text | Ascii | File | CreateFile
Text | Ascii | File | WriteFile
Text | Ascii | Anti-Analysis VM | IsDebuggerPresent
Text | Ascii | Stealth | CloseHandle
Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 (DLL) | -
Resources
Path | DataRVA | Size | FileOffset | Code | Text
\VERSION\1\2052 | 180A0 | 330 | 132A0 | 300334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | 0.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\1033 | 183D0 | 17D | 135D0 | 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779 | <?xml version='1.0' encoding='UTF-8' standalone='y
Intelligent String
• active_desktop_launcher.exe
• 1.0.0.50
• mscoree.dll
• kernel32.dll
• USER32.DLL
• D:\buildbot\build1\desktop_screen\build\bin\active_desktop_launcher_x64.pdb

Flow Anomalies
Offset RVA Section Description
404 N/A .text CALL QWORD PTR [RIP+0xB1EE]
40A N/A .text CALL QWORD PTR [RIP+0xB1F0]
52E N/A .text CALL QWORD PTR [RIP+0xAEE4]
625 N/A .text CALL QWORD PTR [RIP+0xADF5]
ABA N/A .text CALL QWORD PTR [RIP+0xA970]
B06 N/A .text CALL QWORD PTR [RIP+0xA934]
B1E N/A .text CALL QWORD PTR [RIP+0xA914]
C56 N/A .text CALL QWORD PTR [RIP+0xA7E4]
CB2 N/A .text CALL QWORD PTR [RIP+0xA7A8]
CC8 N/A .text CALL QWORD PTR [RIP+0xA79A]
CEF N/A .text CALL QWORD PTR [RIP+0xA763]
D64 N/A .text CALL QWORD PTR [RIP+0xF94E]
DC8 N/A .text CALL QWORD PTR [RIP+0x150A2]
DEC N/A .text CALL QWORD PTR [RIP+0xA656]
F40 N/A .text CALL QWORD PTR [RIP+0xA50A]
F5E N/A .text CALL QWORD PTR [RIP+0xA4EC]
F8C N/A .text CALL QWORD PTR [RIP+0xA4B6]
FA1 N/A .text CALL QWORD PTR [RIP+0xA4A9]
FAC N/A .text CALL QWORD PTR [RIP+0xA496]
FBE N/A .text CALL QWORD PTR [RIP+0xA48C]
FCE N/A .text CALL QWORD PTR [RIP+0xA47C]
105A N/A .text CALL QWORD PTR [RIP+0xA3F8]
108C N/A .text CALL QWORD PTR [RIP+0xA3EE]
116B N/A .text CALL QWORD PTR [RIP+0xA32F]
1264 N/A .text CALL QWORD PTR [RIP+0xA226]
1322 N/A .text CALL QWORD PTR [RIP+0xA160]
1338 N/A .text CALL QWORD PTR [RIP+0xA152]
13FF N/A .text CALL QWORD PTR [RIP+0xA0A3]
18C4 N/A .text CALL QWORD PTR [RIP+0x9BDE]
1981 N/A .text CALL QWORD PTR [RIP+0x9B01]
19E1 N/A .text CALL QWORD PTR [RIP+0x9AC9]
1AF0 N/A .text CALL QWORD PTR [RIP+0x99D2]
1AFE N/A .text CALL QWORD PTR [RIP+0x993C]
1B0A N/A .text CALL QWORD PTR [RIP+0x99B0]
1B1A N/A .text CALL QWORD PTR [RIP+0x9998]
1BF4 N/A .text CALL QWORD PTR [RIP+0x98D6]
1C44 N/A .text CALL QWORD PTR [RIP+0x988E]
1C71 N/A .text CALL QWORD PTR [RIP+0x9869]
1C89 N/A .text CALL QWORD PTR [RIP+0x9859]
1CC0 N/A .text CALL QWORD PTR [RIP+0x982A]
1CDF N/A .text CALL QWORD PTR [RIP+0x97FB]
1CF9 N/A .text CALL QWORD PTR [RIP+0x97E9]
1D30 N/A .text CALL QWORD PTR [RIP+0x97BA]
1D5C N/A .text JMP QWORD PTR [RIP+0x969E]
1D78 N/A .text JMP QWORD PTR [RIP+0x97BA]
1D94 N/A .text JMP QWORD PTR [RIP+0x978E]
1DB0 N/A .text JMP QWORD PTR [RIP+0x977A]
1DC4 N/A .text CALL QWORD PTR [RIP+0x96D6]
1DFF N/A .text CALL QWORD PTR [RIP+0x9703]
1E69 N/A .text CALL QWORD PTR [RIP+0x96D1]
1E7C N/A .text CALL QWORD PTR [RIP+0x95E6]
1E9A N/A .text CALL QWORD PTR [RIP+0x95C8]
1EB8 N/A .text CALL QWORD PTR [RIP+0x95AA]
1ED6 N/A .text CALL QWORD PTR [RIP+0x958C]
1EF4 N/A .text CALL QWORD PTR [RIP+0x956E]
1F12 N/A .text CALL QWORD PTR [RIP+0x9550]
1F30 N/A .text CALL QWORD PTR [RIP+0x9532]
1F4E N/A .text CALL QWORD PTR [RIP+0x9514]
1F6C N/A .text CALL QWORD PTR [RIP+0x94F6]
1F8A N/A .text CALL QWORD PTR [RIP+0x94D8]
1FA8 N/A .text CALL QWORD PTR [RIP+0x94BA]
1FC6 N/A .text CALL QWORD PTR [RIP+0x949C]
1FE4 N/A .text CALL QWORD PTR [RIP+0x947E]
2002 N/A .text CALL QWORD PTR [RIP+0x9460]
2020 N/A .text CALL QWORD PTR [RIP+0x9442]
203E N/A .text CALL QWORD PTR [RIP+0x9424]
205C N/A .text CALL QWORD PTR [RIP+0x9406]
207A N/A .text CALL QWORD PTR [RIP+0x93E8]
2098 N/A .text CALL QWORD PTR [RIP+0x93CA]
20B6 N/A .text CALL QWORD PTR [RIP+0x93AC]
20D4 N/A .text CALL QWORD PTR [RIP+0x938E]
20F2 N/A .text CALL QWORD PTR [RIP+0x9370]
2110 N/A .text CALL QWORD PTR [RIP+0x9352]
212E N/A .text CALL QWORD PTR [RIP+0x9334]
214C N/A .text CALL QWORD PTR [RIP+0x9316]
216A N/A .text CALL QWORD PTR [RIP+0x92F8]
2188 N/A .text CALL QWORD PTR [RIP+0x92DA]
21A6 N/A .text CALL QWORD PTR [RIP+0x92BC]
21C4 N/A .text CALL QWORD PTR [RIP+0x929E]
21E2 N/A .text CALL QWORD PTR [RIP+0x9280]
2200 N/A .text CALL QWORD PTR [RIP+0x9262]
221E N/A .text CALL QWORD PTR [RIP+0x9244]
223C N/A .text CALL QWORD PTR [RIP+0x9226]
2259 N/A .text JMP QWORD PTR [RIP+0x92A1]
2261 N/A .text JMP QWORD PTR [RIP+0x92A9]
2270 N/A .text CALL QWORD PTR [RIP+0x92A2]
2281 N/A .text JMP QWORD PTR [RIP+0x9299]
2293 N/A .text CALL QWORD PTR [RIP+0x9267]
22A2 N/A .text JMP QWORD PTR [RIP+0x9250]
23C4 N/A .text CALL QWORD PTR [RIP+0x1397E]
2402 N/A .text CALL QWORD PTR [RIP+0x9140]
2517 N/A .text CALL QWORD PTR [RIP+0x8F2B]
256A N/A .text JMP QWORD PTR [RIP+0x8FE0]
25A3 N/A .text CALL QWORD PTR [RIP+0x8EEF]
25D3 N/A .text CALL QWORD PTR [RIP+0x8EBF]
269C N/A .text CALL QWORD PTR [RIP+0x8EB6]
272E N/A .text JMP QWORD PTR [RIP+0x8E24]
274A N/A .text CALL QWORD PTR [RIP+0x8E10]
275C N/A .text CALL QWORD PTR [RIP+0x8CCE]
2D92 N/A .text CALL QWORD PTR [RIP+0x87E0]
13E00 N/A *Overlay* 88520000000202003082527806092A864886F70D | .R......0.Rx..*.H...
Extra Analysis
Metric | Value | Percentage
Ascii Code | 55002 | 53.6416%
Null Byte Code | 26282 | 25.632%