PESCAN.IO - Analysis Report Basic
| File Structure |
(PE layout chart not reproduced; legend only.)
PE chart colour code: PE header (light blue); executable sections (pink); non-executable sections (black); external injected code (red). A file-structure bar drawn in red means a malformed or corrupted header.
Chart colour code for other files: printable characters (blue); non-printable characters (black).
| Information |
• Size: 14.50 KB (14,848 bytes; the last section, .reloc, ends at file offset 0x3A00)
• SHA-256: 3361545F3F475F0467D249DB6511046B5F9717E7AA80D736C16065E267045150
• SHA-1: C826D177CF65FEE52B4D0ADC4A2A330106DB54AD
• MD5: 2629D4EDAFE5CBD84DC3EC22865D52D5
• Imphash: 6B17DA9F8DDA6C0A63F02B463D6A725E
• MajorOSVersion / MinorOSVersion: 6 / 0 (Windows Vista or later)
• CheckSum: 00000000 (not set; normal for an unsigned user-mode image)
• EntryPoint (RVA): 18D0
• SizeOfHeaders: 400
• SizeOfImage: 9000
• ImageBase: 0000000140000000
• Architecture: x64
• ImportTable (RVA): 3D98
• IAT (RVA): 3000
• Characteristics: 22 (IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_LARGE_ADDRESS_AWARE)
• TimeDateStamp: 67519283 = 2024-12-05 11:46:11 UTC
• File Type: EXE
• Number Of Sections: 6
• ASLR: Disabled (as reported by the tool; DllCharacteristics is not printed, so this cannot be re-checked from the header fields shown here)
• Section Names (Optional Header): .text, .rdata, .data, .pdata, .rsrc, .reloc
• Number Of Executable Sections: 1
• Subsystem: Windows Console
• UAC Execution Level Manifest: asInvoker
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code, Executable, Readable | 400 | 1400 | 1000 | 13FC | | |
| .rdata | 0x40000040 Initialized Data, Readable | 1800 | 1800 | 3000 | 1690 | | |
| .data | 0xC0000040 Initialized Data, Readable, Writeable | 3000 | 200 | 5000 | 678 | | |
| .pdata | 0x40000040 Initialized Data, Readable | 3200 | 400 | 6000 | 204 | | |
| .rsrc | 0x40000040 Initialized Data, Readable | 3600 | 200 | 7000 | 1E0 | | |
| .reloc | 0x42000040 Initialized Data, Discardable, Readable | 3800 | 200 | 8000 | 30 | | |

All offsets and sizes are hexadecimal. The Entropy and Chi2 cells were empty in the source report. The 0x02000000 bit on .reloc is IMAGE_SCN_MEM_DISCARDABLE, not a GP-relative flag (IMAGE_SCN_GPREL is 0x00008000); a discardable .reloc is the normal MSVC layout. Only .text is executable and only .data is writable, so there is no RWX section, and every raw size covers its virtual size, so no section relies on virtual-only (zero-filled) bytes.
| Entry Point |
The entry point (RVA 0x18D0) lies in section 1 (.text: ROffset 0x400, VOffset 0x1000), so its file offset is 0x18D0 - 0x1000 + 0x400 = 0xCD0, the report's "EntryPoint (calculated)".
Code at 0xCD0 -> 4883EC28E8C70300004883C428E972FEFFFFCCCC40534883EC20488BD933C9FF157B170000488BCBFF156A170000FF157417 (the dump is cut off inside the last instruction; the Flow Anomalies table completes it as CALL QWORD PTR [RIP+0x1774] at offset 0xCFE).
Assembler (addresses as printed by the tool, which places the entry point at 0x1000; add 0x8D0 to obtain the RVA):
SUB RSP, 0x28
CALL 0x13D0  (rel32 +0x3C7 from the next instruction: RVA 0x18D9 + 0x3C7 = 0x1CA0, inside .text)
ADD RSP, 0x28
JMP 0xE84  (rel32 -0x18E: RVA 0x18E2 - 0x18E = 0x1754, inside .text)
INT3
INT3
PUSH RBX
SUB RSP, 0x20
MOV RBX, RCX
XOR ECX, ECX
CALL QWORD PTR [RIP + 0x177B]  (at file offset 0xCEF = RVA 0x18EF; next instruction 0x18F5 + 0x177B = IAT slot at RVA 0x3070 in .rdata)
MOV RCX, RBX
CALL QWORD PTR [RIP + 0x176A]  (at 0xCF8 = RVA 0x18F8; 0x18FE + 0x176A = IAT slot at RVA 0x3068)
The first four instructions are the standard MSVC x64 CRT entry stub (initialise the stack security cookie, then tail-jump into the common startup routine), so the entry point is CRT code, not the program's own logic. The routine after the INT3 padding (save RCX, call an import with a NULL argument, then call a second import with the saved pointer) has the shape of the CRT's security-failure handler; which imports it calls can only be confirmed by reading the IAT slots at 0x3070 and 0x3068, which the report does not print.
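As an added example (not part of the pescan.io report), the script below reproduces the two computations the Entry Point section depends on: mapping RVAs to file offsets through the section table printed above, and resolving the rel32 and RIP-relative branches in the entry-point bytes to the RVAs they target. The section table and the entry-point bytes are copied from this report; the flag names come from winnt.h. The tiny instruction decoder only understands the instruction forms present in this listing, which is enough to resolve every branch in it.

```python
# Added example, not part of the pescan.io report: reproduce the report's
# "EntryPoint (calculated)" value and resolve the branches in its entry-point
# listing, using only the section table and bytes the report prints.
import struct

# Section table exactly as the report's "Sections Info" gives it:
# (name, Characteristics, ROffset, RSize, VOffset, VSize)
SECTIONS = [
    (".text",  0x60000020, 0x0400, 0x1400, 0x1000, 0x13FC),
    (".rdata", 0x40000040, 0x1800, 0x1800, 0x3000, 0x1690),
    (".data",  0xC0000040, 0x3000, 0x0200, 0x5000, 0x0678),
    (".pdata", 0x40000040, 0x3200, 0x0400, 0x6000, 0x0204),
    (".rsrc",  0x40000040, 0x3600, 0x0200, 0x7000, 0x01E0),
    (".reloc", 0x42000040, 0x3800, 0x0200, 0x8000, 0x0030),
]

# IMAGE_SCN_* bits (winnt.h) that matter when triaging a section.
SCN_FLAGS = {
    0x00000020: "CODE", 0x00000040: "INITIALIZED_DATA",
    0x00000080: "UNINITIALIZED_DATA", 0x02000000: "MEM_DISCARDABLE",
    0x20000000: "MEM_EXECUTE", 0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE",
}

def decode_flags(characteristics):
    return [n for bit, n in sorted(SCN_FLAGS.items()) if characteristics & bit]

def section_for_rva(rva):
    for sec in SECTIONS:
        if sec[4] <= rva < sec[4] + sec[5]:
            return sec
    raise ValueError(f"RVA {rva:#x} is outside every section")

def rva_to_offset(rva):
    name, _, roff, rsize, voff, _ = section_for_rva(rva)
    delta = rva - voff
    if delta >= rsize:          # virtual-only bytes have no backing in the file
        raise ValueError(f"RVA {rva:#x} has no raw data in {name}")
    return roff + delta

def offset_to_rva(off):
    for _, _, roff, rsize, voff, _ in SECTIONS:
        if roff <= off < roff + rsize:
            return voff + (off - roff)
    raise ValueError(f"file offset {off:#x} is outside every section")

EP_RVA = 0x18D0
# The 46 complete instruction bytes from the report's listing; the trailing
# "FF157417" is a truncated instruction and is left out.
EP_BYTES = bytes.fromhex(
    "4883EC28E8C70300004883C428E972FEFFFFCCCC4053"
    "4883EC20488BD933C9FF157B170000488BCBFF156A170000")

def scan_branches(code, base_rva):
    """Linear sweep that decodes only the instruction forms present in the
    listing (enough to resolve every branch in it). Returns
    (kind, instruction RVA, target RVA) for each CALL/JMP."""
    found, i = [], 0
    while i < len(code):
        b = code[i]
        nb = code[i + 1] if i + 1 < len(code) else None
        if b in (0xE8, 0xE9):                       # CALL/JMP rel32
            rel = struct.unpack_from("<i", code, i + 1)[0]
            kind = "call rel32" if b == 0xE8 else "jmp rel32"
            found.append((kind, base_rva + i, base_rva + i + 5 + rel))
            i += 5
        elif b == 0xFF and nb in (0x15, 0x25):      # CALL/JMP qword [rip+disp32]
            disp = struct.unpack_from("<i", code, i + 2)[0]
            kind = "call [rip+disp32]" if nb == 0x15 else "jmp [rip+disp32]"
            found.append((kind, base_rva + i, base_rva + i + 6 + disp))
            i += 6
        elif b == 0x48 and nb == 0x83:              # ADD/SUB r/m64, imm8 (REX.W 83 /x ib)
            i += 4
        elif b == 0x48 and nb == 0x8B:              # MOV r64, r/m64, register form
            i += 3
        elif b == 0x40 and nb == 0x53:              # PUSH RBX with a bare REX prefix
            i += 2
        elif b == 0x33:                             # XOR r32, r/m32, register form
            i += 2
        elif b == 0xCC:                             # INT3 padding
            i += 1
        else:
            raise NotImplementedError(f"opcode {b:#04x} at RVA {base_rva + i:#x}")
    return found

def entry_point_summary():
    """Entry-point file offset plus every branch in the stub as
    (kind, file offset of the instruction, target RVA, target section)."""
    summary = {"ep_offset": rva_to_offset(EP_RVA), "branches": []}
    for kind, at, target in scan_branches(EP_BYTES, EP_RVA):
        summary["branches"].append((kind, rva_to_offset(at), target, section_for_rva(target)[0]))
    return summary

if __name__ == "__main__":
    for name, ch, *_ in SECTIONS:
        print(f"{name:7} {ch:#010x} {' | '.join(decode_flags(ch))}")
    s = entry_point_summary()
    print(f"entry point file offset: {s['ep_offset']:#x}")
    for kind, off, target, sec in s["branches"]:
        print(f"{kind:18} at offset {off:#x} -> RVA {target:#x} ({sec})")
```

Both RIP-relative calls land at RVAs 0x3070 and 0x3068, inside .rdata just above the IAT start the report gives (0x3000), which is what identifies them as calls through the import table rather than direct calls into .text; the two rel32 branches stay inside .text. The same offset_to_rva() mapping turns the Flow Anomalies table's file offsets into RVAs (offset + 0xC00 for anything in .text).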
| Signatures |
| Rich Signature Analyzer |
Code -> D073C5499412AB1A9412AB1A9412AB1A9D6A381A9812AB1A5693AA1B9612AB1A5693AE1B8712AB1A5693AF1B9E12AB1A5693A81B9012AB1ADF6AAA1B9112AB1A9412AA1AD212AB1A6790A21B9512AB1A6790541A9512AB1A6790A91B9512AB1A526963689412AB1A
Footprint MD5 hash -> E0495D386C03C1C862FDF549E2F380EA
• The Rich header apparently has not been modified (the XOR key 0x1AAB1294 that follows "Rich" decrypts the first dword to "DanS" and matches the three padding dwords; the checksum itself cannot be recomputed from this report because the DOS stub is not shown).
| Certificate - Digital Signature |
• Not found: the file is not signed.
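The decoder below is an added example, not part of the pescan.io report, that walks the Rich header bytes printed above. The layout (DanS XOR key, three padding dwords, comp_id/count pairs, then "Rich" and the key in clear) comes from public reverse engineering, since Microsoft does not document it; the mapping of product IDs to compiler components is maintained in community tables and is deliberately not reproduced here. The structural checks it performs are the only ones the printed bytes allow.

```python
# Added example, not part of the pescan.io report: decode the Rich header
# bytes the report prints. Layout (from public reverse engineering, Microsoft
# does not document it): "DanS" XOR key, three key-valued padding dwords,
# (comp_id XOR key, count XOR key) pairs, then "Rich" and the key in clear.
import struct

# Raw Rich header copied from the report's "Rich Signature Analyzer" line.
RICH_HEX = (
    "D073C5499412AB1A9412AB1A9412AB1A9D6A381A9812AB1A5693AA1B9612AB1A"
    "5693AE1B8712AB1A5693AF1B9E12AB1A5693A81B9012AB1ADF6AAA1B9112AB1A"
    "9412AA1AD212AB1A6790A21B9512AB1A6790541A9512AB1A6790A91B9512AB1A"
    "526963689412AB1A")

def xor4(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def decode_rich(raw):
    """Return the XOR key, the (product_id, build, count) entries and the
    structural checks that can be made from the header bytes alone."""
    if len(raw) % 4 or len(raw) < 24:
        raise ValueError("Rich header is not a whole number of dwords or is too short")
    dwords = [raw[i:i + 4] for i in range(0, len(raw), 4)]
    if dwords[-2] != b"Rich":
        raise ValueError("'Rich' marker missing before the trailing key")
    key = dwords[-1]
    checks = {
        # "DanS" must reappear when the first dword is XORed with the key.
        "dans_ok": xor4(dwords[0], key) == b"DanS",
        # The three padding dwords are zero before encryption, so they equal the key.
        "padding_ok": all(d == key for d in dwords[1:4]),
        # The entry region must consist of whole (comp_id, count) pairs.
        "pairs_ok": (len(dwords) - 6) % 2 == 0,
    }
    entries = []
    for j in range(4, len(dwords) - 2, 2):
        comp_id = struct.unpack("<I", xor4(dwords[j], key))[0]
        count = struct.unpack("<I", xor4(dwords[j + 1], key))[0]
        # High 16 bits of comp_id are the product id, low 16 bits the build number.
        entries.append((comp_id >> 16, comp_id & 0xFFFF, count))
    return {"key": struct.unpack("<I", key)[0], "entries": entries, "checks": checks}

def toolset_builds(entries):
    """Distinct non-zero build numbers, newest first: the quickest view of
    which toolchain versions contributed objects to the link."""
    return sorted({b for _, b, _ in entries if b}, reverse=True)

if __name__ == "__main__":
    info = decode_rich(bytes.fromhex(RICH_HEX))
    print(f"key: {info['key']:#010x}  checks: {info['checks']}")
    for prod, build, count in info["entries"]:
        print(f"prodid {prod:#06x}  build {build:5d}  count {count}")
    print("builds:", toolset_builds(info["entries"]))
```

On these bytes every check passes, and the entries carry four distinct build numbers: 33523 (three single-count entries, matching the 14.39 toolset DIE reports for the linker), 33218, and the much older 30795 and 30729, which is the usual picture of a small MSVC program linked against prebuilt CRT objects. A failed check, or a key that does not reproduce when the checksum is recomputed over the DOS header, is the usual sign of a tampered or forged Rich header.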
| Packer/Compiler |
| Detect It Easy (die) • PE+(64): compiler: Microsoft Visual C/C++(-)[-] • PE+(64): linker: Microsoft Linker(14.39**)[-] • Entropy: 5.05651 |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleFileNameA | Retrieve the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | CreateRemoteThread | Creates a thread in the address space of another process. |
| KERNEL32.DLL | WriteProcessMemory | Writes data to an area of memory in a specified process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines whether the calling process is being debugged by a user-mode debugger. |

Taken together, LoadLibraryA, GetProcAddress, WriteProcessMemory and CreateRemoteThread are the four imports of the classic CreateRemoteThread DLL-injection primitive (write a DLL path into a target process, then start a remote thread at LoadLibraryA). Whether this binary actually uses them that way has to be confirmed by the call sites in .text; the static imports alone only establish capability.
| File Access |
Strings the report groups under this heading (imported module names plus other referenced names; this is string output, not observed file-system activity):
• api-ms-win-crt-heap-l1-1-0.dll
• api-ms-win-crt-locale-l1-1-0.dll
• api-ms-win-crt-math-l1-1-0.dll
• api-ms-win-crt-runtime-l1-1-0.dll
• api-ms-win-crt-string-l1-1-0.dll
• api-ms-win-crt-stdio-l1-1-0.dll
• VCRUNTIME140.dll
• USER32.dll
• KERNEL32.dll
• penis.dll
• Failed to get handle to kernel32.dll
• .dat
• @.dat
| Words of Interest |
exec, attrib, pause
| URLs |
| https://github.com/JohnXina-spec |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (CreateRemoteThread) |
| Text | Ascii | Technique used to insert malicious code into legitimate processes (Inject) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 (DLL) |
| Entry Point | Hex Pattern | PE-Exe Executable Image |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \24\1\1033 (RT_MANIFEST, id 1, language 1033 = en-US) | 7060 | 17D | 3660 | 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779 | <?xml version='1.0' encoding='UTF-8' standalone='y |
| Intelligent String |
• api-ms-win-crt-string-l1-1-0.dll
• <_register_onexit_function_crt_atexitgterminateapi-ms-win-crt-stdio-l1-1-0.dll (several adjacent import-name strings run together)
• kernel32.dll
• [!] Github: https://github.com/JohnXina-spec
• penis.dll
• .bss
• KERNEL32.dll
• USER32.dll
• VCRUNTIME140.dll
• api-ms-win-crt-runtime-l1-1-0.dll
• api-ms-win-crt-math-l1-1-0.dll
• api-ms-win-crt-locale-l1-1-0.dll
• api-ms-win-crt-heap-l1-1-0.dll
| Flow Anomalies |
Every entry below is an indirect CALL or JMP through a RIP-relative memory operand in .text (calls through the import table look like this on x64). Offsets are file offsets; the tool did not fill in the RVA column, but for .text the RVA is offset + 0xC00 (VOffset 0x1000 minus ROffset 0x400).
| Offset | RVA | Section | Description |
|---|---|---|---|
| 448 | N/A | .text | CALL QWORD PTR [RIP+0x21C2] |
| 467 | N/A | .text | CALL QWORD PTR [RIP+0x21B3] |
| 4A5 | N/A | .text | CALL QWORD PTR [RIP+0x2165] |
| 4C8 | N/A | .text | CALL QWORD PTR [RIP+0x214A] |
| 510 | N/A | .text | CALL QWORD PTR [RIP+0x1FD2] |
| 555 | N/A | .text | CALL QWORD PTR [RIP+0x1F85] |
| 567 | N/A | .text | CALL QWORD PTR [RIP+0x1F83] |
| 59A | N/A | .text | CALL QWORD PTR [RIP+0x20A0] |
| 5E8 | N/A | .text | CALL QWORD PTR [RIP+0x1E22] |
| 606 | N/A | .text | CALL QWORD PTR [RIP+0x1E3C] |
| 637 | N/A | .text | JMP QWORD PTR [RIP+0x1F63] |
| 64F | N/A | .text | CALL QWORD PTR [RIP+0x1DBB] |
| 66C | N/A | .text | CALL QWORD PTR [RIP+0x1D96] |
| 692 | N/A | .text | CALL QWORD PTR [RIP+0x1D80] |
| 6B3 | N/A | .text | CALL QWORD PTR [RIP+0x1D87] |
| 6FD | N/A | .text | CALL QWORD PTR [RIP+0x1D4D] |
| 726 | N/A | .text | CALL QWORD PTR [RIP+0x1D0C] |
| 72F | N/A | .text | CALL QWORD PTR [RIP+0x1D03] |
| 74A | N/A | .text | JMP QWORD PTR [RIP+0x1CD8] |
| 7B1 | N/A | .text | CALL QWORD PTR [RIP+0x1C49] |
| 7C2 | N/A | .text | CALL QWORD PTR [RIP+0x1D58] |
| 7E4 | N/A | .text | CALL QWORD PTR [RIP+0x1E4E] |
| 7F2 | N/A | .text | CALL QWORD PTR [RIP+0x1C38] |
| 839 | N/A | .text | CALL QWORD PTR [RIP+0x1C99] |
| 8E3 | N/A | .text | CALL QWORD PTR [RIP+0x1B37] |
| 903 | N/A | .text | CALL QWORD PTR [RIP+0x1C97] |
| 96E | N/A | .text | CALL QWORD PTR [RIP+0x1AAC] |
| A03 | N/A | .text | CALL QWORD PTR [RIP+0x1B97] |
| A26 | N/A | .text | CALL QWORD PTR [RIP+0x1B74] |
| C16 | N/A | .text | CALL QWORD PTR [RIP+0x1A44] |
| CEF | N/A | .text | CALL QWORD PTR [RIP+0x177B] |
| CF8 | N/A | .text | CALL QWORD PTR [RIP+0x176A] |
| CFE | N/A | .text | CALL QWORD PTR [RIP+0x1774] |
| D12 | N/A | .text | JMP QWORD PTR [RIP+0x1768] |
| D26 | N/A | .text | CALL QWORD PTR [RIP+0x175C] |
| DF7 | N/A | .text | CALL QWORD PTR [RIP+0x169B] |
| E11 | N/A | .text | CALL QWORD PTR [RIP+0x1641] |
| E48 | N/A | .text | CALL QWORD PTR [RIP+0x1612] |
| 10CC | N/A | .text | CALL QWORD PTR [RIP+0x13DE] |
| 10DA | N/A | .text | CALL QWORD PTR [RIP+0x13C8] |
| 10E6 | N/A | .text | CALL QWORD PTR [RIP+0x13B4] |
| 10F6 | N/A | .text | CALL QWORD PTR [RIP+0x1394] |
| 1168 | N/A | .text | JMP QWORD PTR [RIP+0x135A] |
| 11D4 | N/A | .text | CALL QWORD PTR [RIP+0x12AE] |
| 1201 | N/A | .text | CALL QWORD PTR [RIP+0x1291] |
| 121B | N/A | .text | CALL QWORD PTR [RIP+0x1237] |
| 125C | N/A | .text | CALL QWORD PTR [RIP+0x11FE] |
| 12B0 | N/A | .text | CALL QWORD PTR [RIP+0x120A] |
| 12CD | N/A | .text | CALL QWORD PTR [RIP+0x119D] |
| 12D8 | N/A | .text | CALL QWORD PTR [RIP+0x118A] |
| 130E | N/A | .text | CALL QWORD PTR [RIP+0x11A4] |
| 1364 | N/A | .text | JMP QWORD PTR [RIP+0x1106] |
| 13EA | N/A | .text | CALL QWORD PTR [RIP+0x1270] |
| 1426 | N/A | .text | CALL QWORD PTR [RIP+0x1234] |
| 14A0 | N/A | .text | JMP QWORD PTR [RIP+0xFFF3FF0] |
| 1600 | N/A | .text | JMP QWORD PTR [RIP+0xEFA] |
| 1606 | N/A | .text | JMP QWORD PTR [RIP+0xEFC] |
| 160C | N/A | .text | JMP QWORD PTR [RIP+0xEFE] |
| 1612 | N/A | .text | JMP QWORD PTR [RIP+0xF00] |
| 1618 | N/A | .text | JMP QWORD PTR [RIP+0xF8A] |
| 161E | N/A | .text | JMP QWORD PTR [RIP+0xF8C] |
| 1624 | N/A | .text | JMP QWORD PTR [RIP+0xF2E] |
| 162A | N/A | .text | JMP QWORD PTR [RIP+0xFC8] |
| 1630 | N/A | .text | JMP QWORD PTR [RIP+0xFBA] |
| 1636 | N/A | .text | JMP QWORD PTR [RIP+0xFAC] |
| 163C | N/A | .text | JMP QWORD PTR [RIP+0xF9E] |
| 1642 | N/A | .text | JMP QWORD PTR [RIP+0xF90] |
| 1648 | N/A | .text | JMP QWORD PTR [RIP+0xF82] |
| 164E | N/A | .text | JMP QWORD PTR [RIP+0xF64] |
| 1654 | N/A | .text | JMP QWORD PTR [RIP+0xFCE] |
| 165A | N/A | .text | JMP QWORD PTR [RIP+0xF68] |
| 1660 | N/A | .text | JMP QWORD PTR [RIP+0xF5A] |
| 1666 | N/A | .text | JMP QWORD PTR [RIP+0xF24] |
| 166C | N/A | .text | JMP QWORD PTR [RIP+0xEFE] |
| 1672 | N/A | .text | JMP QWORD PTR [RIP+0xEF0] |
| 1678 | N/A | .text | JMP QWORD PTR [RIP+0xECA] |
| 167E | N/A | .text | JMP QWORD PTR [RIP+0xEB4] |
| 1684 | N/A | .text | JMP QWORD PTR [RIP+0xF7E] |
| 168A | N/A | .text | JMP QWORD PTR [RIP+0xEE8] |
| 1690 | N/A | .text | JMP QWORD PTR [RIP+0xEEA] |
| 1696 | N/A | .text | JMP QWORD PTR [RIP+0xEEC] |
| 169C | N/A | .text | JMP QWORD PTR [RIP+0xEF6] |
| 177E | N/A | .text | JMP QWORD PTR [RIP+0xDA4] |
| 17C0 | N/A | .text | JMP QWORD PTR [RIP+0xE9A] |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 7100 | 47,8179% |
| Null Byte Code | 6113 | 41,1705% |