PESCAN.IO - Analysis Report

PESCAN.IO - Analysis Report Basic

File Structure

PE Chart Code

Header PE (light blue)

Executable sections (pink)

Non-executable sections (black)

External injected code (red)

File Structure in red = malformed or corrupted header

Chart Code For Other Files

Printable characters (blue)

Non-printable characters (black)

Information

Size: 596,50 KB
SHA-256 Hash: AD3F383A4BEF84745A5BC32649911BE309D428BDAFC26C3BA1641D5AA5BD811A
SHA-1 Hash: E4A64EDDB87D2C5FBD79562D29A3DBE8C1C99A43
MD5 Hash: 293617C0DD45B56DF95E9DCA294A566B
Imphash: D41D8CD98F00B204E9800998ECF8427E
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (rva): 0
SizeOfHeaders: 200
SizeOfImage: 9A000
ImageBase: 0000000140000000
Architecture: x64
Characteristics: 22
TimeDateStamp: F5A07FCE
Date: 03/08/2100 0:33:18
File Type: EXE
Number Of Sections: 2
ASLR: Disabled
Section Names (Optional Header): .text, .rsrc
Number Of Executable Sections: 1
Subsystem: Windows GUI

Sections Info

Section Name	Flags	ROffset	RSize	VOffset	VSize	Entropy	Chi2
.text	0x60000020 Code Executable Readable	200	94C00	2000	94BD2	7.6154	455669.1
.rsrc	0x40000040 Initialized Data Readable	94E00	400	98000	368	2.6943	115675

Description

OriginalFilename: Dellicious.exe
ProductName: Dellicious
FileVersion: 1.0.0.0
FileDescription: Dellicious
ProductVersion: 1.0.0.0
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Signatures

Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler

Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
• AnyCPU: False
• Version: v4.0
Compiler: Microsoft Visual Studio
Detect It Easy (die)
• PE+(64): library: .NET(v4.0.30319)[-]
• PE+(64): linker: Microsoft Linker(48.0)[-]
• PE+(64): archive: Resources(-)[-]
• Entropy: 7.61218

File Access

Dellicious.exe

File Access (UNICODE)

Dellicious.exe

Interest's Words

JFIF
<main
attrib
start
expand

IP Addresses

17.0.0.0
11.0.0.0

Strings/Hex Code Found With The File Rules

Rule Type	Encoding	Matched (Word)
Text	Ascii	WinAPI Sockets (send)

Resources

Path	DataRVA	Size	FileOffset	Code	Text
\VERSION\1\0	98058	30C	94E58	0C0334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000	..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............

Intelligent String

• 1.0.0.0
• Dellicious.exe
• C:\Users\rivera\source\repos\Dellicious\Dellicious\obj\Release\Dellicious.pdb

Flow Anomalies

Offset	RVA	Section	Description
3724	N/A	.text	CALL QWORD PTR [RIP+0x1D001C00]
380A	N/A	.text	CALL QWORD PTR [RIP+0x3B002E00]
955E	N/A	.text	CALL QWORD PTR [RIP+0xA02A002]
A02C	N/A	.text	CALL QWORD PTR [RIP+0x57F16DF8]
B450	N/A	.text	CALL QWORD PTR [RIP+0xF04A001]
D756	N/A	.text	CALL QWORD PTR [RIP+0x66FEE5FF]
E16C	N/A	.text	CALL QWORD PTR [RIP+0xA5F975FC]
F8FE	N/A	.text	CALL QWORD PTR [RIP+0x16FC85FE]
FD10	N/A	.text	JMP QWORD PTR [RIP+0x3EFC61FD]
11576	N/A	.text	CALL QWORD PTR [RIP+0x87004500]
11CA0	N/A	.text	JMP QWORD PTR [RIP+0xE4011101]
139D0	N/A	.text	JMP QWORD PTR [RIP+0x8EFAFDFD]
14DA2	N/A	.text	CALL QWORD PTR [RIP+0xDDFB0AFD]
18F56	N/A	.text	JMP QWORD PTR [RIP+0xB6046401]
19954	N/A	.text	CALL QWORD PTR [RIP+0x78033100]
1AD8A	N/A	.text	CALL QWORD PTR [RIP+0xDDFE58FF]
1AEDE	N/A	.text	CALL QWORD PTR [RIP+0x2DFEACFF]
1E4D8	N/A	.text	JMP QWORD PTR [RIP+0x9F00F900]
1E6B0	N/A	.text	CALL QWORD PTR [RIP+0x1CFCC5FE]
1F896	N/A	.text	CALL QWORD PTR [RIP+0x9002C001]
24E12	N/A	.text	CALL QWORD PTR [RIP+0x45099D04]
26F62	N/A	.text	JMP QWORD PTR [RIP+0x96034701]
2C4B4	N/A	.text	CALL QWORD PTR [RIP+0x1404BF02]
2DCD4	N/A	.text	CALL QWORD PTR [RIP+0xF3FC42FE]
3075E	N/A	.text	JMP QWORD PTR [RIP+0x21035D02]
35427	N/A	.text	CALL QWORD PTR [RIP+0xE6D12C8]
3AC1A	N/A	.text	CALL QWORD PTR [RIP+0x8FEB8FF]
3CAC8	N/A	.text	JMP QWORD PTR [RIP+0x1E055E03]
3FDDC	N/A	.text	JMP QWORD PTR [RIP+0x56FF18FF]
41508	N/A	.text	JMP QWORD PTR [RIP+0x75F511F9]
466D7	N/A	.text	CALL QWORD PTR [RIP+0x136D148A]
47320	N/A	.text	CALL QWORD PTR [RIP+0x6B027A01]
487E6	N/A	.text	CALL QWORD PTR [RIP+0x8906B503]
4C950	N/A	.text	CALL QWORD PTR [RIP+0x6EF63EFA]
4CF77	N/A	.text	CALL QWORD PTR [RIP+0xEE21385]
4D07C	N/A	.text	CALL QWORD PTR [RIP+0x5BF677FB]
4FD4C	N/A	.text	JMP QWORD PTR [RIP+0x9E0B9E06]
5234B	N/A	.text	CALL QWORD PTR [RIP+0xF761599]
53AB1	N/A	.text	CALL QWORD PTR [RIP+0x22871D73]
54D7E	N/A	.text	CALL QWORD PTR [RIP+0x1F0018FF]
55903	N/A	.text	CALL QWORD PTR [RIP+0x15621511]
5811E	N/A	.text	JMP QWORD PTR [RIP+0x83FA68FC]
58366	N/A	.text	JMP QWORD PTR [RIP+0x6300F200]
595A0	N/A	.text	JMP QWORD PTR [RIP+0xECFBC6FC]
5A186	N/A	.text	JMP QWORD PTR [RIP+0x7BF2D7FD]
644C2	N/A	.text	CALL QWORD PTR [RIP+0xE9FA19FD]
65AEA	N/A	.text	JMP QWORD PTR [RIP+0x2CFCAAFE]
67D56	N/A	.text	JMP QWORD PTR [RIP+0xD1F6EEFE]
67E13	N/A	.text	JMP QWORD PTR [RIP+0x1B0A22EF]
684E5	N/A	.text	JMP QWORD PTR [RIP+0x2D24284A]
68B1E	N/A	.text	JMP QWORD PTR [RIP+0x6FF595FA]
6CC2C	N/A	.text	JMP QWORD PTR [RIP+0x3BFCEAFE]
6D1C4	N/A	.text	JMP QWORD PTR [RIP+0x46F421F9]
72F16	N/A	.text	CALL QWORD PTR [RIP+0x9303F202]
761E2	N/A	.text	JMP QWORD PTR [RIP+0x66FF63FF]
764A5	N/A	.text	CALL QWORD PTR [RIP+0x2A68205E]
78078	N/A	.text	JMP QWORD PTR [RIP+0xC7FD93FE]
78564	N/A	.text	JMP QWORD PTR [RIP+0xC7FFD900]
78A24	N/A	.text	JMP QWORD PTR [RIP+0x63010100]
78C68	N/A	.text	JMP QWORD PTR [RIP+0x65007300]
79EDD	N/A	.text	JMP QWORD PTR [RIP+0x230B22B6]
7D044	N/A	.text	CALL QWORD PTR [RIP+0xC103E07]
7D9A7	N/A	.text	JMP QWORD PTR [RIP+0x11CD1D5F]
7E09E	N/A	.text	CALL QWORD PTR [RIP+0xA1074103]
7EB20	N/A	.text	CALL QWORD PTR [RIP+0xB0014702]
7F620	N/A	.text	CALL QWORD PTR [RIP+0xF6099F06]
7FA1C	N/A	.text	CALL QWORD PTR [RIP+0x3CFAD6FD]
7FC7B	N/A	.text	JMP QWORD PTR [RIP+0x24BD2494]
85F90	N/A	.text	JMP QWORD PTR [RIP+0x1EF2E5F8]
8AD4C	N/A	.text	JMP QWORD PTR [RIP+0x34045902]
8B5B9	N/A	.text	JMP QWORD PTR [RIP+0x1F42241F]
907A4	N/A	.text	JMP QWORD PTR [RIP+0x5BFC1CFD]
9174C	N/A	.text	CALL QWORD PTR [RIP+0x3F003300]

Extra Analysis

Metric	Value	Percentage
Ascii Code	404784	66,2694%
Null Byte Code	14489	2,3721%

PESCAN.IO - Analysis Report Basic