PESCAN.IO - Analysis Report Basic

File Structure
[PE structure chart not reproduced. Legend: PE header (light blue); executable sections (pink); non-executable sections (black); external injected code (red); "File Structure" shown in red marks a malformed or corrupted header. For non-PE files the chart shows printable characters (blue) and non-printable characters (black).]
Information
Size: 14.50 KB (14,848 bytes = 0x3A00, which matches the end of the last section: .reloc raw offset 0x3800 + raw size 0x200)
SHA-256 Hash: 3361545F3F475F0467D249DB6511046B5F9717E7AA80D736C16065E267045150
SHA-1 Hash: C826D177CF65FEE52B4D0ADC4A2A330106DB54AD
MD5 Hash: 2629D4EDAFE5CBD84DC3EC22865D52D5
Imphash: 6B17DA9F8DDA6C0A63F02B463D6A725E
MajorOSVersion: 6
MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (rva): 18D0
SizeOfHeaders: 400
SizeOfImage: 9000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: 3D98
IAT: 3000
Characteristics: 22 (IMAGE_FILE_EXECUTABLE_IMAGE 0x0002 | IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020)
TimeDateStamp: 67519283
Date: 2024-12-05 11:46:11 UTC (day/month/year in the original; matches TimeDateStamp 0x67519283)
File Type: EXE
Number Of Sections: 6
ASLR: Disabled (no DYNAMIC_BASE flag; with ImageBase 0x140000000 the entry point is always mapped at VA 0x1400018D0)
Section Names (Section Table): .text, .rdata, .data, .pdata, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows Console
UAC Execution Level Manifest: asInvoker

Sections Info (offsets and sizes in hex)
Section  Flags       Characteristics                           ROffset  RSize  VOffset  VSize  Entropy  Chi2
.text    0x60000020  Code, Executable, Readable                400      1400   1000     13FC   6.0785   53578.1
.rdata   0x40000040  Initialized Data, Readable                1800     1800   3000     1690   4.4492   304278.42
.data    0xC0000040  Initialized Data, Readable, Writeable     3000     200    5000     678    0.4444   118591
.pdata   0x40000040  Initialized Data, Readable                3200     400    6000     204    2.2537   147302.5
.rsrc    0x40000040  Initialized Data, Readable                3600     200    7000     1E0    4.7015   9406
.reloc   0x42000040  Initialized Data, Discardable, Readable   3800     200    8000     30     0.7016   110050
Note: the extra bit in .reloc's flags, 0x02000000, is IMAGE_SCN_MEM_DISCARDABLE (normal for a relocation section). The scanner labelled it "GP-Relative", but IMAGE_SCN_GPREL is 0x00008000 and is not set here.
Entry Point
The entry point lies in section 1 (.text).
Information -> EntryPoint (calculated file offset) - CD0 (RVA 0x18D0 - .text VOffset 0x1000 + .text ROffset 0x400)
Code -> 4883EC28E8C70300004883C428E972FEFFFFCCCC40534883EC20488BD933C9FF157B170000488BCBFF156A170000FF157417
Assembler
|SUB RSP, 0X28
|CALL 0X13D0
|ADD RSP, 0X28
|JMP 0XE84
|INT3
|INT3
|PUSH RBX
|SUB RSP, 0X20
|MOV RBX, RCX
|XOR ECX, ECX
|CALL QWORD PTR [RIP + 0X177B]
|MOV RCX, RBX
|CALL QWORD PTR [RIP + 0X176A]
Caveat: the CALL and JMP targets in this listing were computed as if the entry block started at 0x1000 (the .text RVA), not at the real entry point RVA 0x18D0. The encoded rel32 values are +0x3C7 (E8 C7 03 00 00) and -0x18E (E9 72 FE FF FF); from the true entry point they reach RVA 0x1CA0 and RVA 0x1754 respectively. The SUB RSP / CALL / ADD RSP / JMP shape is the usual MSVC x64 CRT entry stub, and the two FF 15 calls that follow are RIP-relative calls through the import address table in .rdata.
Signatures
Rich Signature Analyzer:
Code -> D073C5499412AB1A9412AB1A9412AB1A9D6A381A9812AB1A5693AA1B9612AB1A5693AE1B8712AB1A5693AF1B9E12AB1A5693A81B9012AB1ADF6AAA1B9112AB1A9412AA1AD212AB1A6790A21B9512AB1A6790541A9512AB1A6790A91B9512AB1A526963689412AB1A
Footprint md5 Hash -> E0495D386C03C1C862FDF549E2F380EA
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Detect It Easy (die)
PE+(64): compiler: Microsoft Visual C/C++(-)[-]
PE+(64): linker: Microsoft Linker(14.39**)[-]
Entropy: 5.05651

Suspicious Functions
Library       Function            Description
KERNEL32.DLL  GetModuleFileNameA  Retrieves the fully qualified path of the executable file of a specified module.
KERNEL32.DLL  GetModuleHandleA    Retrieves a handle to the specified module.
KERNEL32.DLL  LoadLibraryA        Loads the specified module into the address space of the calling process.
KERNEL32.DLL  CreateRemoteThread  Creates a thread in the address space of another process.
KERNEL32.DLL  WriteProcessMemory  Writes data to an area of memory in a specified process.
KERNEL32.DLL  GetProcAddress      Retrieves the address of an exported function or variable from the specified DLL.
KERNEL32.DLL  IsDebuggerPresent   Determines whether the calling process is being debugged by a user-mode debugger.
Taken together, LoadLibraryA, GetProcAddress, WriteProcessMemory and CreateRemoteThread are the API chain of classic remote-thread DLL injection (write a DLL path into the target process, then start a remote thread at LoadLibraryA). The "Inject" rule match and the strings "Failed to get handle to kernel32.dll" and "penis.dll" listed below are consistent with that reading.
File Access
api-ms-win-crt-heap-l1-1-0.dll
api-ms-win-crt-locale-l1-1-0.dll
api-ms-win-crt-math-l1-1-0.dll
api-ms-win-crt-runtime-l1-1-0.dll
api-ms-win-crt-string-l1-1-0.dll
api-ms-win-crt-stdio-l1-1-0.dll
VCRUNTIME140.dll
USER32.dll
KERNEL32.dll
penis.dll
Failed to get handle to kernel32.dll
.dat
@.dat

Words of Interest
exec
attrib
pause

URLs
https://github.com/JohnXina-spec

Strings/Hex Code Found With The File Rules
Rule Type    Encoding     Rule                                                               Matched (Word)
Text         Ascii        Anti-Analysis VM                                                   IsDebuggerPresent
Text         Ascii        Stealth                                                            CloseHandle
Text         Ascii        Stealth                                                            VirtualAlloc
Text         Ascii        Stealth                                                            CreateRemoteThread
Text         Ascii        Technique used to insert malicious code into legitimate processes  Inject
Entry Point  Hex Pattern  Microsoft Visual C++ 8.0 (DLL)                                     -
Entry Point  Hex Pattern  PE-Exe Executable Image                                            -
Resources
Path        DataRVA  Size  FileOffset  Code (hex, truncated) / Text (truncated)
\24\1\1033  7060     17D   3660        3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779  <?xml version='1.0' encoding='UTF-8' standalone='y
Resource type 24 is RT_MANIFEST (name 1, language 1033 = en-US); this is the application manifest carrying the asInvoker execution level noted above. FileOffset checks out: 0x7060 - .rsrc VOffset 0x7000 + .rsrc ROffset 0x3600 = 0x3660.
Intelligent String
• api-ms-win-crt-string-l1-1-0.dll
• <_register_onexit_function_crt_atexitgterminateapi-ms-win-crt-stdio-l1-1-0.dll
• kernel32.dll
• [!] Github: https://github.com/JohnXina-spec
• penis.dll
• .bss
• KERNEL32.dll
• USER32.dll
• VCRUNTIME140.dll
• api-ms-win-crt-runtime-l1-1-0.dll
• api-ms-win-crt-math-l1-1-0.dll
• api-ms-win-crt-locale-l1-1-0.dll
• api-ms-win-crt-heap-l1-1-0.dll

Flow Anomalies
Each entry is a 6-byte RIP-relative indirect CALL (FF 15) or JMP (FF 25); the displacement is added to the RVA of the following instruction to obtain the pointer slot that is read.
Offset (file, hex) RVA Section Description
448 N/A .text CALL QWORD PTR [RIP+0x21C2]
467 N/A .text CALL QWORD PTR [RIP+0x21B3]
4A5 N/A .text CALL QWORD PTR [RIP+0x2165]
4C8 N/A .text CALL QWORD PTR [RIP+0x214A]
510 N/A .text CALL QWORD PTR [RIP+0x1FD2]
555 N/A .text CALL QWORD PTR [RIP+0x1F85]
567 N/A .text CALL QWORD PTR [RIP+0x1F83]
59A N/A .text CALL QWORD PTR [RIP+0x20A0]
5E8 N/A .text CALL QWORD PTR [RIP+0x1E22]
606 N/A .text CALL QWORD PTR [RIP+0x1E3C]
637 N/A .text JMP QWORD PTR [RIP+0x1F63]
64F N/A .text CALL QWORD PTR [RIP+0x1DBB]
66C N/A .text CALL QWORD PTR [RIP+0x1D96]
692 N/A .text CALL QWORD PTR [RIP+0x1D80]
6B3 N/A .text CALL QWORD PTR [RIP+0x1D87]
6FD N/A .text CALL QWORD PTR [RIP+0x1D4D]
726 N/A .text CALL QWORD PTR [RIP+0x1D0C]
72F N/A .text CALL QWORD PTR [RIP+0x1D03]
74A N/A .text JMP QWORD PTR [RIP+0x1CD8]
7B1 N/A .text CALL QWORD PTR [RIP+0x1C49]
7C2 N/A .text CALL QWORD PTR [RIP+0x1D58]
7E4 N/A .text CALL QWORD PTR [RIP+0x1E4E]
7F2 N/A .text CALL QWORD PTR [RIP+0x1C38]
839 N/A .text CALL QWORD PTR [RIP+0x1C99]
8E3 N/A .text CALL QWORD PTR [RIP+0x1B37]
903 N/A .text CALL QWORD PTR [RIP+0x1C97]
96E N/A .text CALL QWORD PTR [RIP+0x1AAC]
A03 N/A .text CALL QWORD PTR [RIP+0x1B97]
A26 N/A .text CALL QWORD PTR [RIP+0x1B74]
C16 N/A .text CALL QWORD PTR [RIP+0x1A44]
CEF N/A .text CALL QWORD PTR [RIP+0x177B]
CF8 N/A .text CALL QWORD PTR [RIP+0x176A]
CFE N/A .text CALL QWORD PTR [RIP+0x1774]
D12 N/A .text JMP QWORD PTR [RIP+0x1768]
D26 N/A .text CALL QWORD PTR [RIP+0x175C]
DF7 N/A .text CALL QWORD PTR [RIP+0x169B]
E11 N/A .text CALL QWORD PTR [RIP+0x1641]
E48 N/A .text CALL QWORD PTR [RIP+0x1612]
10CC N/A .text CALL QWORD PTR [RIP+0x13DE]
10DA N/A .text CALL QWORD PTR [RIP+0x13C8]
10E6 N/A .text CALL QWORD PTR [RIP+0x13B4]
10F6 N/A .text CALL QWORD PTR [RIP+0x1394]
1168 N/A .text JMP QWORD PTR [RIP+0x135A]
11D4 N/A .text CALL QWORD PTR [RIP+0x12AE]
1201 N/A .text CALL QWORD PTR [RIP+0x1291]
121B N/A .text CALL QWORD PTR [RIP+0x1237]
125C N/A .text CALL QWORD PTR [RIP+0x11FE]
12B0 N/A .text CALL QWORD PTR [RIP+0x120A]
12CD N/A .text CALL QWORD PTR [RIP+0x119D]
12D8 N/A .text CALL QWORD PTR [RIP+0x118A]
130E N/A .text CALL QWORD PTR [RIP+0x11A4]
1364 N/A .text JMP QWORD PTR [RIP+0x1106]
13EA N/A .text CALL QWORD PTR [RIP+0x1270]
1426 N/A .text CALL QWORD PTR [RIP+0x1234]
14A0 N/A .text JMP QWORD PTR [RIP+0xFFF3FF0]
1600 N/A .text JMP QWORD PTR [RIP+0xEFA]
1606 N/A .text JMP QWORD PTR [RIP+0xEFC]
160C N/A .text JMP QWORD PTR [RIP+0xEFE]
1612 N/A .text JMP QWORD PTR [RIP+0xF00]
1618 N/A .text JMP QWORD PTR [RIP+0xF8A]
161E N/A .text JMP QWORD PTR [RIP+0xF8C]
1624 N/A .text JMP QWORD PTR [RIP+0xF2E]
162A N/A .text JMP QWORD PTR [RIP+0xFC8]
1630 N/A .text JMP QWORD PTR [RIP+0xFBA]
1636 N/A .text JMP QWORD PTR [RIP+0xFAC]
163C N/A .text JMP QWORD PTR [RIP+0xF9E]
1642 N/A .text JMP QWORD PTR [RIP+0xF90]
1648 N/A .text JMP QWORD PTR [RIP+0xF82]
164E N/A .text JMP QWORD PTR [RIP+0xF64]
1654 N/A .text JMP QWORD PTR [RIP+0xFCE]
165A N/A .text JMP QWORD PTR [RIP+0xF68]
1660 N/A .text JMP QWORD PTR [RIP+0xF5A]
1666 N/A .text JMP QWORD PTR [RIP+0xF24]
166C N/A .text JMP QWORD PTR [RIP+0xEFE]
1672 N/A .text JMP QWORD PTR [RIP+0xEF0]
1678 N/A .text JMP QWORD PTR [RIP+0xECA]
167E N/A .text JMP QWORD PTR [RIP+0xEB4]
1684 N/A .text JMP QWORD PTR [RIP+0xF7E]
168A N/A .text JMP QWORD PTR [RIP+0xEE8]
1690 N/A .text JMP QWORD PTR [RIP+0xEEA]
1696 N/A .text JMP QWORD PTR [RIP+0xEEC]
169C N/A .text JMP QWORD PTR [RIP+0xEF6]
177E N/A .text JMP QWORD PTR [RIP+0xDA4]
17C0 N/A .text JMP QWORD PTR [RIP+0xE9A]
Extra Analysis (of 14,848 bytes)
Metric          Count  Percentage
Ascii Code      7100   47.8179%
Null Byte Code  6113   41.1705%
© 2026 All rights reserved.