PESCAN.IO - Analysis Report

File Structure:
Information:
Size: 1,01 MB
SHA-256 Hash: F6523F14FC35CA6C86E63EF98C8A0FE199D0BE3213400B22A8AFF54A5D98D429
SHA-1 Hash: 9DC98834CE4E1BFF437A05E5A43C18440A37FCA5
MD5 Hash: 1C947C450AB6F66EBD3551F9D900B1EA
Imphash: 69CA97FB5D686988321BAC50363255F0
MajorOSVersion: 5
CheckSum: 00000000
EntryPoint (rva): E474
SizeOfHeaders: 400
SizeOfImage: 10A000
ExportTable: EF980
ImportTable: EEE9C
Characteristics: 102
TimeDateStamp: 553760B2
Date: 22/04/2015 8:49:54
File Type: EXE
Number Of Sections: 4
ASLR: Enabled
Section Names: .text, .rdata, .data, .reloc
Number Of Executable Sections: 1
Subsystem: Unknown

Sections Info:
Section Name Flags ROffset RSize VOffset VSize
.text 60000020 (Executable) 400 B5A00 1000 B5992
.rdata 40000040 B5E00 38A00 B7000 389C4
.data C0000040 (Writeable) EE800 9C00 F0000 D9B8
.reloc 42000040 F8400 B400 FE000 B400
Signatures:
Rich Signature Analyzer:
Code -> 4A4A66980E2B08CB0E2B08CB0E2B08CB615D96CB3F2B08CB615DA2CB672908CB615DA3CB392B08CB07539BCB012B08CB0E2B09CB962B08CB615DA7CB0A2B08CB615D93CB0F2B08CB615D95CB0F2B08CB526963680E2B08CB
Footprint md5 Hash -> F34679B791EEF4F01951FEC9286F67FD
• The Rich header apparently has not been modified

Packer/Compiler:
Compiler: Microsoft Visual C++
Detect It Easy (die)
PE: compiler: EP:Microsoft Visual C/C++(2008-2010)[EXE32]
PE: compiler: Microsoft Visual C/C++(2010)[libcmt]
PE: linker: Microsoft Linker(10.0)[EXE32]
Entropy: 6.71248

Suspicious Functions:
Library Function Description
KERNEL32.DLL GetModuleFileNameA Retrieves the fully qualified path for the executable file of a specified module.
KERNEL32.DLL GetModuleHandleA Retrieves a handle to the specified module.
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL LoadLibraryA Loads the specified module into the address space of the calling process.
KERNEL32.DLL LoadLibraryW Loads the specified module into the address space of the calling process.
KERNEL32.DLL CreateToolhelp32Snapshot Creates a snapshot of the specified processes, heaps, threads, and modules.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL CreateFileA Creates or opens a file or I/O device.
KERNEL32.DLL IsDebuggerPresent Determines if the calling process is being debugged by a user-mode debugger.
Ws2_32.DLL socket Creates a communication endpoint for networking applications.
Ws2_32.DLL connect Establishes a connection to a specified socket.
File Access:
Xtunnel.exe
.exe
ADVAPI32.dll
USER32.dll
WINHTTP.dll
WS2_32.dll
SHELL32.dll
KERNEL32.dll
%s.dll
NETAPI32.DLL
.bat
Temp

File Access (UNICODE):
@CorExitProcessmscoree.dll
Temp

Words of Interest:
Encrypt
Decrypt
Encryption
PassWord
exec
attrib
start
cipher
hostname
shutdown
netstat
certreq
ping
expand
route

URLs:
http://www.openssl.org/support/faq.html

Payloads:
Unusual BP Cave > 15 Bytes - (0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...)

IP Addresses:
176.31.112.10
127.0.0.1

Strings/Hex Code Found With The File Rules:
Rule Text (Ascii): WinAPI Sockets (bind)
Rule Text (Ascii): WinAPI Sockets (listen)
Rule Text (Ascii): WinAPI Sockets (accept)
Rule Text (Ascii): WinAPI Sockets (connect)
Rule Text (Ascii): WinAPI Sockets (send)
Rule Text (Ascii): File (CreateFile)
Rule Text (Ascii): File (WriteFile)
Rule Text (Ascii): File (ReadFile)
Rule Text (Ascii): Encryption (Blowfish)
Rule Text (Unicode): Encryption (Intel Hardware Cryptographic Service Provider)
Rule Text (Ascii): Encryption API (CryptAcquireContext)
Rule Text (Ascii): Encryption API (CryptReleaseContext)
Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent)
Rule Text (Ascii): Anti-Analysis VM (GetVersion)
Rule Text (Ascii): Anti-Analysis VM (CreateToolhelp32Snapshot)
Rule Text (Ascii): Stealer malware focused on obtaining CVV codes to conduct unauthorized transactions (CVV)
Rule Text (Ascii): Malicious rerouting of traffic to an attacker-controlled site (Redirect)

Intelligent String:
• mscoree.dll
• O0OKERNEL32.DLL
• Microsoft Smartcardlogin
• msSmartcardLogin
• value.set
• @@.\crypto\rand\md_rand.cYou need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
• invalid cmd number
• invalid cmd name
• command takes inputcmd not executable
• NCONF_dump_fp
• NCONF_dump_bio
• CONF_dump_fp
• C:\Build-OpenSSL-VC-32/ssl/certs
• C:\Build-OpenSSL-VC-32/ssl/cert.pemSSL_CERT_DIR
• NETAPI32.DLL
• KERNEL32.DLL
• ADVAPI32.DLL
• d.ori
• d.crl
• value.bag
• %s.dll
• .com
• .bat
• .cmd
• .exe
• 176.31.112.10
• 127.0.0.1
• ADVAPI32.dll

Extra 4n4lysis:
Metric Value Percentage
Ascii Code 655855 61,7036%
Null Byte Code 171419 16,1273%