PREMIUM PESCAN.IO - Analysis Report

File Structure
[Analysis image not reproduced. Chart legend for PE files: executable header (light blue), executable sections (pink), non-executable sections (black), externally injected code (red); a file structure drawn in red means a malformed or corrupted header. Chart legend for other files: printable characters (blue), non-printable characters (black).]
Information
Size: 80.00 KB (81,920 bytes)
SHA-256 Hash: 5C7D41958EC61FF084BE0443AFD634DBC5CC3BAA15687BFC10DF1FFE88CAD084
SHA-1 Hash: E7184F81C23204F5A33E9AF01604A79A2E69BEC5
MD5 Hash: 203585B7A9F1315B457F2D1D034EB7B7
Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744 (the generic value shared by .NET executables whose only native import is mscoree.dll!_CorExeMain; it has no clustering value for this sample)
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (rva): 155CE
SizeOfHeaders: 200
SizeOfImage: 1A000
ImageBase: 400000
Architecture: x86
ImportTable: 15578
IAT: 2000
Characteristics: 22
TimeDateStamp: BF9AAD68
Date: 12/11/2071 20:19:52 (not a compile time: the Microsoft Linker 48.0 version reported by Detect It Easy below is Roslyn, whose deterministic builds store a content hash with the high bit set in TimeDateStamp, which is why the value decodes to a date in 2071)
File Type: EXE
Number Of Sections: 3
ASLR: Disabled
Section Names: .text, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info
Section  Flags                                               ROffset  RSize  VOffset  VSize  Entropy  Chi2
.text    60000020 (Code, Executable, Readable)               200      13600  2000     135D4  5.5579   2148727.79
.rsrc    40000040 (Initialized Data, Readable)               13800    600    16000    4EC    4.6543   42359.00
.reloc   42000040 (Initialized Data, Discardable, Readable)  13E00    200    18000    C      0.1019   128015.00
Note: the report decoded bit 0x02000000 in the .reloc flags as "GP-Relative"; that bit is IMAGE_SCN_MEM_DISCARDABLE (IMAGE_SCN_GPREL is 0x00008000), and a discardable, read-only .reloc section is the normal layout. The entropy of .reloc is near zero because only C bytes of its 200-byte raw block are used.
Description
Language: Neutral (ID=0x0, LANG_NEUTRAL)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point
The entry point lies in section 1 (.text).
Information -> EntryPoint (calculated file offset) - 137CE (RVA 155CE - .text VOffset 2000 + .text ROffset 200)
Code -> FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
JMP DWORD PTR [0x402000]    (FF 25 00 20 40 00: jump through the IAT slot at ImageBase 400000 + RVA 2000, i.e. mscoree.dll!_CorExeMain, the standard native entry stub of a 32-bit .NET image; the managed entry point is reached from the CLR, so there is no further native code worth disassembling)
The remaining 44 bytes are 00 padding; the report disassembles each 00 00 pair as ADD BYTE PTR [EAX], AL, which is not code.

Signatures
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Compiler: Microsoft Visual .NET (managed code: a .NET decompiler such as ILSpy or dnSpy recovers near-source C#/VB.NET, which is the right next step rather than native disassembly)
AnyCPU: True
Version: v4.0
Detect It Easy (die)
PE: library: .NET(v4.0.30319)[-]
PE: linker: Microsoft Linker(48.0)[-]
Entropy: 5.52064

Suspicious Functions
Note: the PE import table of this .NET image holds only mscoree.dll!_CorExeMain (hence the generic Imphash above); the functions below are P/Invoke (DllImport) names taken from the managed metadata rather than from the import table, and are resolved through LoadLibrary/GetProcAddress when first called. GetModuleHandle without an A/W suffix is typical of a DllImport declaration.
Library       Function          Description
KERNEL32.DLL  VirtualAlloc      Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL  GetModuleHandleA  Retrieves a handle to the specified module.
KERNEL32.DLL  WriteFile         Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL  LoadLibraryW      Loads the specified module into the address space of the calling process.
KERNEL32.DLL  GetModuleHandle   Retrieves a handle to the specified module.
Windows REG (UNICODE)
Software\Sentinel\WinLocker
Software\Sentinel\Note
Software\Microsoft\Windows\CurrentVersion\Run
Software\Sentinel
Software\Sentinel\Payload", "")
Software\Microsoft\Windows\CurrentVersion\Policies\System
SOFTWARE\Policies\Microsoft\Windows\System
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
SOFTWARE\$SNRStager
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Active Setup\Installed Components\{9DE00001-1234-4321-9999-000000000001}!chcp 65001 > nul
SOFTWARE\$SNRStagerPayloadP
System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer - DisableRegistryTools
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer - DisableTaskMgr
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer - NoRun
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - DisableRegistryTools
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - DisableTaskMgr
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - NoRun
Rebuilt string - SOFTWARE\Policies\Microsoft\Windows\System
Rebuilt string - SOFTWARE\Policies\Microsoft\Windows\System - EnableLUA
Rebuilt string - SOFTWARE\Policies\Microsoft\Windows\System - DisableCMD
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Run
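The registry strings above name the policy values a host-locker writes (DisableTaskMgr, DisableRegistryTools, NoRun, DisableCMD, EnableLUA) and three persistence locations (the Run key, Winlogon, Active Setup Installed Components). The Python script below is an added example, not part of the PESCAN.IO report or of the sample: it parses the text form of a `reg export` file and flags exactly those value/data pairs, so a responder can run it over exports taken from a suspect host. REG_SAMPLE is constructed input that exercises every rule; its key paths are the ones listed above, while the value data and the C:\Recovery\OEM\SentinelClient.exe paths are invented for the test. DEFAULT_USERINIT is the stock Windows value; the rule thresholds are mine.

```python
"""Audit a .reg export for the lockdown and persistence values named in the report.

Added example, not part of the PESCAN.IO report or of the analysed sample.
REG_SAMPLE is constructed test input: the key paths come from the report's
registry strings, the data and the SentinelClient.exe paths are invented.
"""
import re

# Policy values the report's rebuilt strings name, with the data that locks the host down
POLICY_FLAGS = {
    r"software\microsoft\windows\currentversion\policies\system": {
        "DisableRegistryTools": 1, "DisableTaskMgr": 1, "NoRun": 1, "EnableLUA": 0},
    r"software\microsoft\windows\currentversion\policies\explorer": {
        "DisableRegistryTools": 1, "DisableTaskMgr": 1, "NoRun": 1},
    r"software\policies\microsoft\windows\system": {"DisableCMD": 1},
}
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"   # stock Windows value

REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Recovery\\OEM\\SentinelClient.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sentinel"="\"C:\\Recovery\\OEM\\SentinelClient.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9DE00001-1234-4321-9999-000000000001}]
"StubPath"="C:\\Recovery\\OEM\\SentinelClient.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000000
"""

KEY_RE = re.compile(r"^\[HKEY_[A-Z_]+\\(.+)\]$", re.IGNORECASE)
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
STRING_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Yield (key path below the hive, lower-cased; value name; data) triples."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        if key is None:
            continue
        m = DWORD_RE.match(line)
        if m:
            yield key, m.group(1), int(m.group(2), 16)
            continue
        m = STRING_RE.match(line)
        if m:  # undo the .reg escaping of backslash and double quote
            yield key, m.group(1), re.sub(r'\\(["\\])', r"\1", m.group(2))


def audit(records):
    """Return (category, key, name, data) for every record that matches a rule."""
    findings = []
    for key, name, data in records:
        wanted = POLICY_FLAGS.get(key, {})
        if name in wanted and data == wanted[name]:
            findings.append(("lockdown", key, name, data))
        elif key.endswith(r"windows nt\currentversion\winlogon") and name.lower() == "userinit":
            if data.lower() != DEFAULT_USERINIT:      # anything appended to userinit.exe runs at logon
                findings.append(("winlogon-userinit", key, name, data))
        elif key.endswith(r"windows\currentversion\run"):
            findings.append(("run-key", key, name, data))
        elif "active setup\\installed components\\" in key and name.lower() == "stubpath":
            findings.append(("active-setup", key, name, data))
    return findings


if __name__ == "__main__":
    for category, key, name, data in audit(parse_reg_export(REG_SAMPLE)):
        print(f"{category:<18} {key}\\{name} = {data!r}")
```

Real `reg export` output is UTF-16LE with a BOM; decode it with `open(path, encoding="utf-16")` before passing the text in. The Explorer NoRun value in the sample is deliberately 0 to show that only the locking data is reported.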

File Access
SentinelClient.exe
mscoree.dll
ntdll.dll
user32.dll
kernel32.dll
Temp

File Access (UNICODE)
explorer.exe
\Windows\system32\userinit.exe
powershell.exe
wmi.Exe
schtasks.exe
cmd.exe
\msvcrt.dll
\apphelp.dll
\user32.dll
\ntdll.dll
\kernelbase.dll
\kernel32.dll
I node.Dat
Temp

SQL Queries (WQL queries run through WMI to fingerprint the host and its antivirus)
SELECT * FROM AntiVirusProduct
SELECT Caption, OSArchitecture FROM Win32_OperatingSystem
SELECT * FROM Win32_Processor
SELECT * FROM Win32_VideoController
SELECT Capacity FROM Win32_PhysicalMemory
SELECT * FROM Win32_PnPEntity
SELECT * FROM Win32_SoundDevice

Words of Interest
Virus
PADDINGX
Encrypt
Decrypt
RootKit
<main
wscript
exec
attrib
start
cipher
shutdown
systeminfo
ping
expand
replace

Words of Interest (UNICODE)
Virus
PassWord
wscript
exec
createobject
powershell
schtasks
start
cipher
cacls
icacls
schtask

Anti-VM/Sandbox/Debug Tricks (UNICODE)
LabTools - taskmgr

URLs (UNICODE)
http://ip-api.com/json/Unknown

AV Services (UNICODE)
Antivirus name extracted from the root\SecurityCenter2 WMI namespace (the SELECT * FROM AntiVirusProduct query above)

Strings/Hex Code Found With The File Rules
Rule Type                Encoding  Matched (Word)
Text                     Ascii     WinAPI Sockets (connect)
Text                     Ascii     WinAPI Sockets (send)
Text                     Ascii     File (GetTempPath)
Text                     Ascii     File (CreateFile)
Text                     Ascii     File (WriteFile)
Text                     Ascii     Encryption (CipherMode)
Text                     Ascii     Encryption (CreateDecryptor)
Text                     Ascii     Encryption (CryptoStream)
Text                     Ascii     Encryption (CryptoStreamMode)
Text                     Ascii     Encryption (FromBase64String)
Text                     Ascii     Encryption (ICryptoTransform)
Text                     Ascii     Encryption (MD5CryptoServiceProvider)
Text                     Ascii     Encryption (ToBase64String)
Text                     Ascii     Stealth (CloseHandle)
Text                     Ascii     Stealth (VirtualAlloc)
Text                     Ascii     Stealth (NtWriteVirtualMemory)
Text                     Ascii     Execution (ShellExecute)
Text                     Unicode   Malicious code executed after exploiting a vulnerability (Payload)
Text                     Ascii     Small piece of code used as the payload in an exploit (Shellcode)
Text                     Ascii     Software designed to enable unauthorized access while hiding its presence (Rootkit)
Text                     Ascii     Ability of malware to remain on a system after a reboot (Persistence)
Text                     Ascii     Software that records user activity (Logger)
Entry Point Hex Pattern  -         Anticrack Software Protector v1.09 (ACProtect)
Entry Point Hex Pattern  -         Microsoft Visual C / Basic .NET
Entry Point Hex Pattern  -         Microsoft Visual C v7.0 / Basic .NET
Entry Point Hex Pattern  -         Microsoft Visual Studio .NET
Entry Point Hex Pattern  -         .NET executable
Note: the entry-point bytes are the generic FF 25 .NET stub (see Entry Point), so the ACProtect match is a signature collision, not evidence of a packer; the .NET matches agree with the Detect It Easy result. The Encryption rows are System.Security.Cryptography type names (CryptoStream, ICryptoTransform, MD5CryptoServiceProvider), and the Payload/Shellcode/Rootkit/Persistence/Logger rows match on words in the binary's strings, not on observed behaviour.
Resources
Path          DataRVA  Size  FileOffset  Code / Text
\VERSION\1\0  160A0    260   138A0       600234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 / .4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\0       16300    1EA   13B00       EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65 / ...<?xml version="1.0" encoding="UTF-8" standalone
(resource type 24 is RT_MANIFEST, the asInvoker manifest reported above; it starts with the UTF-8 BOM EF BB BF)
Intelligent String
• C:\Recovery\OEM
• cmd.exe
• runas
• schtasks.exe
• !" /RL HIGHEST /F
• !" /RL LIMITED /F
• .bat
• .vbs
• s:\\.\root\cimv2")
• .dat
• C:\Recovery\OEM\ResetConfig.XML
• .EXE
• .BAT
• powershell.exe
• \kernel32.dll
• \kernelbase.dll
• \ntdll.dll
• \user32.dll
• \apphelp.dll
• \msvcrt.dll
• .exe
• C:\Recovery
• C:\Windows\System32\config\SOFTWARE
• takeown /f "%TARGET_PARENT%" /r /d y
• icacls "%TARGET_PARENT%" /grant *S-1-5-18:F /t /c
• takeown /f "%TARGET_FOLDER%" /r /d y
• icacls "%TARGET_FOLDER%" /grant *S-1-5-18:F /t /c
• ResetConfig.xml
• C:\Windows\system32\userinit.exe
• explorer.exe
• 5(goto) 2>nul & del /f /q "
• _CorExeMainmscoree.dll

Flow Anomalies
Offset  Target (VA)  Section  Description
137CE   402000       .text    JMP [static] | Indirect jump to absolute memory address
Note: this is the standard mscoree.dll!_CorExeMain stub that every 32-bit .NET executable starts with (the jump reads the IAT slot at RVA 2000), not an anomaly specific to this file.
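The Python script below is an added example, not part of the PESCAN.IO report or of the sample's code. It re-derives the header facts used in the Entry Point and Flow Anomalies sections from the values printed in this report, which are typed in as constructed input (section table, entry-point RVA and bytes, ImageBase, IAT RVA, TimeDateStamp): the RVA-to-file-offset mapping that turns 155CE into 137CE, the decoding of the FF 25 jump into the IAT slot at RVA 2000, the section-flag decode (IMAGE_SCN_* constants from winnt.h), and a check that the TimeDateStamp is a Roslyn build hash rather than a date. The IAT size of 8 bytes is an assumption, since the report does not print it.

```python
"""Re-derive the PE header facts in this report from the printed values.

Added example, not part of the PESCAN.IO report or of the analysed sample.
Constructed input: the numbers below are copied from the report's Information,
Sections Info and Entry Point sections. IAT_SIZE is an assumption (one 32-bit
slot for mscoree!_CorExeMain plus its null terminator); the report does not
print the IAT size.
"""
import datetime
import struct

IMAGE_BASE = 0x400000
IAT_RVA = 0x2000
IAT_SIZE = 0x8          # assumption, see module docstring
ENTRY_RVA = 0x155CE
ENTRY_BYTES = bytes.fromhex("FF2500204000") + b"\x00" * 44
TIMESTAMP = 0xBF9AAD68

# (name, characteristics, raw_offset, raw_size, virtual_address, virtual_size)
SECTIONS = [
    (".text",  0x60000020, 0x200,   0x13600, 0x2000,  0x135D4),
    (".rsrc",  0x40000040, 0x13800, 0x600,   0x16000, 0x4EC),
    (".reloc", 0x42000040, 0x13E00, 0x200,   0x18000, 0xC),
]

# IMAGE_SCN_* bits from winnt.h that matter for triage
SCN_FLAGS = {
    0x00000020: "Code",
    0x00000040: "Initialized Data",
    0x00000080: "Uninitialized Data",
    0x00008000: "GP-Relative",
    0x02000000: "Discardable",
    0x10000000: "Shared",
    0x20000000: "Executable",
    0x40000000: "Readable",
    0x80000000: "Writable",
}


def decode_section_flags(characteristics):
    """Names of the IMAGE_SCN_* bits set in a section's Characteristics."""
    return [name for bit, name in sorted(SCN_FLAGS.items()) if characteristics & bit]


def rva_to_offset(rva, sections=SECTIONS):
    """File offset backing an RVA: rva - VirtualAddress + PointerToRawData
    of the section that contains it."""
    for _, _, raw_off, raw_size, va, vsize in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_off
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def decode_entry_stub(code, image_base=IMAGE_BASE):
    """Decode 'FF 25 disp32' (JMP DWORD PTR [abs32]) at the entry point.
    Returns (absolute pointer read by the jump, RVA of that pointer)."""
    if code[:2] != b"\xff\x25":
        raise ValueError("entry point is not JMP DWORD PTR [abs32]")
    ptr = struct.unpack_from("<I", code, 2)[0]
    return ptr, ptr - image_base


def is_clr_entry_stub(code, iat_rva=IAT_RVA, iat_size=IAT_SIZE):
    """True when the indirect jump reads a slot inside the IAT, which is the
    standard native stub of a 32-bit .NET image (mscoree!_CorExeMain)."""
    _, target_rva = decode_entry_stub(code)
    return iat_rva <= target_rva < iat_rva + iat_size


def classify_timestamp(stamp):
    """Roslyn deterministic builds store a content hash with bit 31 set in
    TimeDateStamp (System.Reflection.Metadata's BlobContentId.FromHash), so
    such values are not compile times. Returns (looks_like_hash, decoded UTC)."""
    decoded = datetime.datetime(1970, 1, 1) + datetime.timedelta(seconds=stamp)
    return bool(stamp & 0x80000000), decoded.strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    print(f"entry RVA {ENTRY_RVA:#x} -> file offset {rva_to_offset(ENTRY_RVA):#x}")
    ptr, target = decode_entry_stub(ENTRY_BYTES)
    print(f"JMP DWORD PTR [{ptr:#x}] -> RVA {target:#x}; CLR stub: {is_clr_entry_stub(ENTRY_BYTES)}")
    for name, flags, *_ in SECTIONS:
        print(f"{name:<7}{flags:08X} {decode_section_flags(flags)}")
    print("TimeDateStamp is a build hash:", classify_timestamp(TIMESTAMP))
```

Run against a real file, the section table and entry bytes would come from a PE parser such as pefile; here they are the report's values so the output can be compared line by line with the report.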
Extra Analysis
Metric          Value  Percentage
Ascii Code      46442  56.69%
Null Byte Code  26866  32.80%
© 2026 All rights reserved.