PESCAN.IO - Analysis Report

PESCAN.IO - Analysis Report

File Structure:
PE chart code: - The executable header is displayed in light blue. - The executable sections are pink. - Non-executable sections are black. - Code added to executables externally to a compiler appears in red. Chart code for other files: - Printable characters are blue. - Non-printable characters (Null Bytes) are black.

Information:

Icon:

Size: 4,18 MB
SHA-256 Hash: D53FEE1782461E435F1AE1B21C507188108BD43F4709F064EDFCB0D9F5772AEF
SHA-1 Hash: 26A16899F54ADB1703437F51701A0D039FD88AAB
MD5 Hash: 1CE1374F6B9364042471238D8567750D
Imphash: 9ACCC748A9D89A334D2FC419EC39655A
MajorOSVersion: 5
CheckSum: 00000000
EntryPoint (rva): 16478
SizeOfHeaders: 400
SizeOfImage: 2D000
ImageBase: 400000
Architecture: x86
ImportTable: 1E000
Characteristics: 818F
TimeDateStamp: 506A75C4
Date: 02/10/2012 5:04:04
File Type: EXE
Number Of Sections: 8
ASLR: Disabled
Section Names: .text, .itext, .data, .bss, .idata, .tls, .rdata, .rsrc
Number Of Executable Sections: 2
Subsystem: Windows GUI
UAC Execution Level Manifest: requireAdministrator

Sections Info:

Section Name	Flags	ROffset	RSize	VOffset	VSize
.text	60000020 (Executable)	400	14400	1000	143F8
.itext	60000020 (Executable)	14800	C00	16000	BE8
.data	C0000040 (Writeable)	15400	E00	17000	D9C
.bss	C0000000 (Writeable)	16200	0	18000	5750
.idata	C0000040 (Writeable)	16200	1000	1E000	F9E
.tls	C0000000 (Writeable)	17200	0	1F000	8
.rdata	40000040	17200	200	20000	18
.rsrc	40000040	17400	B200	21000	B200

Description:

LegalCopyright: FitGirl
ProductName: The Mortuary Assistant

Binder/Joiner/Crypter:

Dropper code detected (EOF) - 4,00 MB

Entry Point:

The section number (2) - (.itext) have the Entry Point
Information -> EntryPoint (calculated) - 14C78
Code -> 558BEC83C4A453565733C08945C48945C08945A48945D08945C88945CC8945D48945D88945ECB8B8524100E8AC03FFFF33C0
• PUSH EBP
• MOV EBP, ESP
• ADD ESP, -0X5C
• PUSH EBX
• PUSH ESI
• PUSH EDI
• XOR EAX, EAX
• MOV DWORD PTR [EBP - 0X3C], EAX
• MOV DWORD PTR [EBP - 0X40], EAX
• MOV DWORD PTR [EBP - 0X5C], EAX
• MOV DWORD PTR [EBP - 0X30], EAX
• MOV DWORD PTR [EBP - 0X38], EAX
• MOV DWORD PTR [EBP - 0X34], EAX
• MOV DWORD PTR [EBP - 0X2C], EAX
• MOV DWORD PTR [EBP - 0X28], EAX
• MOV DWORD PTR [EBP - 0X14], EAX
• MOV EAX, 0X4152B8
• CALL 0XFFFF13DC
• XOR EAX, EAX

Signatures:

Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:

Compiler: Borland Delphi 7
Detect It Easy (die)
• PE: installer: Inno Setup Module(5.5.0)[unicode]
• PE: compiler: Embarcadero Delphi(2009-2010)[-]
• PE: linker: Turbo Linker(2.25*,Delphi)[EXE32,admin]
• PE: overlay: Inno Setup Installer data(-)[-]
• Entropy: 7.98467

Suspicious Functions:

Library	Function	Description
KERNEL32.DLL	VirtualAlloc	Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL	WriteFile	Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL	LoadLibraryW	Loads the specified module into the address space of the calling process.
KERNEL32.DLL	GetProcAddress	Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).

Windows REG (UNICODE):

SOFTWARE\Borland\Delphi\RTL
Software\CodeGear\Locales
Software\Borland\Locales
Software\Borland\Delphi\Locales

File Access:

oleaut32.dll
advapi32.dll
kernel32.dll
comctl32.dll
user32.dll

File Access (UNICODE):

kernel32.dll
oleaut32.dll
shell32.dll
Temp
UserProfile

Interest's Words:

exec
attrib
start
systeminfo

Interest's Words (UNICODE):

shutdown

URLs:

http://schemas.microsoft.com/SMI/2005/WindowsSettings

Strings/Hex Code Found With The File Rules:

• Rule Text (Ascii): Registry (RegOpenKeyEx)
• Rule Text (Ascii): File (CreateFile)
• Rule Text (Ascii): File (WriteFile)
• Rule Text (Ascii): File (ReadFile)
• Rule Text (Ascii): Anti-Analysis VM (GetSystemInfo)
• Rule Text (Ascii): Anti-Analysis VM (GetVersion)
• Rule Text (Ascii): Stealth (VirtualAlloc)
• Rule Text (Ascii): Stealth (VirtualProtect)
• Rule Text (Ascii): Execution (CreateProcessW)
• Rule Text (Unicode): Privileges (SeShutdownPrivilege)
• Rule Text (Ascii): Malware that monitors and collects user data (Spy)
• Rule Text (Unicode): Malicious rerouting of traffic to an attacker-controlled site (Redirect)
• EP Rules: Borland Delphi 4.0
• EP Rules: fasm -> Tomasz Grysztar

Resources:

Path	DataRVA	Size	FileOffset	Code	Text
\ICON\1\2052	2141C	128	1781C	2800000010000000200000000100040000000000C00000000000000000000000000000000000000000000000008000008000	(....... .........................................
\ICON\2\2052	21544	568	17944	2800000010000000200000000100080000000000400100000000000000000000000000000000000000000000800000000080	(....... ...........@.............................
\ICON\3\2052	21AAC	2E8	17EAC	2800000020000000400000000100040000000000800200000000000000000000000000000000000000000000008000008000	(... ...@.........................................
\ICON\4\2052	21D94	8A8	18194	2800000020000000400000000100080000000000800400000000000000000000000000000000000000000000800000000080	(... ...@.........................................
\STRING\4091\0	2263C	C4	18A3C	0300540068007500030046007200690003005300610074000600530075006E0064006100790006004D006F006E0064006100	..T.h.u...F.r.i...S.a.t...S.u.n.d.a.y...M.o.n.d.a.
\STRING\4092\0	22700	CC	18B00	07004A0061006E00750061007200790008004600650062007200750061007200790005004D00610072006300680005004100	..J.a.n.u.a.r.y...F.e.b.r.u.a.r.y...M.a.r.c.h...A.
\STRING\4093\0	227CC	174	18BCC	28004D006F006E00690074006F007200200073007500700070006F00720074002000660075006E006300740069006F006E00	(.M.o.n.i.t.o.r. .s.u.p.p.o.r.t. .f.u.n.c.t.i.o.n.
\STRING\4094\0	22940	39C	18D40	1F00560061007200690061006E00740020006F00720020007300610066006500200061007200720061007900200069007300	..V.a.r.i.a.n.t. .o.r. .s.a.f.e. .a.r.r.a.y. .i.s.
\STRING\4095\0	22CDC	34C	190DC	160049006E00760061006C0069006400200063006C0061007300730020007400790070006500630061007300740030004100	..I.n.v.a.l.i.d. .c.l.a.s.s. .t.y.p.e.c.a.s.t.0.A.
\STRING\4096\0	23028	294	19428	0D004F007500740020006F00660020006D0065006D006F00720079000C0049002F004F0020006500720072006F0072002000	..O.u.t. .o.f. .m.e.m.o.r.y...I./.O. .e.r.r.o.r. .
\RCDATA\CHARTABLE\1033	232BC	82E8	196BC	1800000018220000B82C0000C8420000C8640000E86800000000100020003000400050006000700080009000A000B000C000	....."...,...B...d...h...... .0.@.P..p...........
\RCDATA\DVCLAL\0	2B5A4	10	219A4	263D4F38C28237B8F3244203179B3A83	&=O8..7..$B...:.
\RCDATA\PACKAGEINFO\0	2B5B4	1B0	219B4	000010CC0000000027000000010553657475704C64725F44323030395F46756C6C56434C0010245661725574696C73000C4B	........'.....SetupLdr_D2009_FullVCL..$VarUtils..K
\RCDATA\11111\0	2B764	2C	21B64	72446C507453CDE6D77B0B2A0100000050D6420094B93B0000CA160012BE9DE400223A0000260200CB02A895	rDlPtS...{.*....P.B...;..........":..&......
\GROUP_ICON\MAINICON\2052	2B790	3E	21B90	000001000400101010000100040028010000010010100000010008006805000002002020100001000400E802000003002020000001000800A80800000400	..............(.............h..... ............ ............
\VERSION\1\1033	2B7D0	4B8	21BD0	B80434000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000	..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\1033	2BC88	560	22088	3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279	<?xml version="1.0" encoding="UTF-8" standalone="y

Intelligent String:

• kernel32.dll
• oleaut32.dll
• .tmp
• .bss
• .tls
• shell32.dll
• RegCloseKeyuser32.dll
• CharNextWkernel32.dll
• CloseHandlekernel32.dll
• user32.dll
• CloseHandleadvapi32.dll
• Sleepadvapi32.dll
• AdjustTokenPrivilegesoleaut32.dll
• <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
• R.qYC
• PPP0

Extra 4n4lysis:

Metric	Value	Percentage
Ascii Code	2990213	68,266%
Null Byte Code	61455	1,403%