PESCAN.IO - Analysis Report Basic

File Structure
PE Chart Code
Executable header (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header

Chart Code For Other Files
Printable characters (blue)
Non-printable characters (black)
Information
Size: 2,77 MB
SHA-256 Hash: 885F53E4C28E876D09CF07D1196AC85946337E6A6F9CC4CFD1E6164BB21C3493
SHA-1 Hash: CA9B5C28845695AB738B254446924C0A7ED0F1B6
MD5 Hash: 37713ACF562A8A58C29125F579EC3364
Imphash: E59D00B0D90522EE1A983F13D4FF7E50
MajorOSVersion: 6
MinorOSVersion: 0
CheckSum: 002D366E
EntryPoint (rva): 213C0
SizeOfHeaders: 400
SizeOfImage: 5D000
ImageBase: 400000
Architecture: x86
ImportTable: 49C48
IAT: 3C000
Characteristics: 102
TimeDateStamp: 6669B786
Date: 12/06/2024 14:58:14
File Type: EXE
Number Of Sections: 5
ASLR: Enabled
Section Names: .text, .rdata, .data, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info
Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy / Chi2
.text | 60000020 (Code, Executable, Readable) | 400 | 3A200 | 1000 | 3A1B9 | 6,61141247275,62
.rdata | 40000040 (Initialized Data, Readable) | 3A600 | EA00 | 3C000 | E87A | 4,61163452062,20
.data | C0000040 (Initialized Data, Readable, Writeable) | 49000 | 1C00 | 4B000 | 4BE0 | 4,0789374333,29
.rsrc | 40000040 (Initialized Data, Readable) | 4AC00 | 8200 | 50000 | 8170 | 5,7847724249,58
.reloc | 42000040 (Initialized Data, GP-Relative, Readable) | 52E00 | 3200 | 59000 | 31A8 | 6,516052093,12
Description
OriginalFilename: 7zS.sfx.exe
LegalCopyright: Opera Software 2026
ProductName: 7-Zip
FileVersion: 127.0.5778.76
FileDescription: Opera installer SFX
ProductVersion: 127.0.5778.76
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Binder/Joiner/Crypter
Dropper code detected (EOF) - 2,41 MB

Entry Point
Section number 1 (.text) contains the Entry Point
Information -> EntryPoint (calculated) - 207C0
Code -> E8A9040000E97AFEFFFFCCCCCCCCCCCC68302D420064FF35000000008B442410896C24108D6C24102BE0535657A140B04400
CALL 0X14AE
JMP 0XE84
INT3
INT3
INT3
INT3
INT3
INT3
PUSH 0X422D30
PUSH DWORD PTR FS:[0]
MOV EAX, DWORD PTR [ESP + 0X10]
MOV DWORD PTR [ESP + 0X10], EBP
LEA EBP, [ESP + 0X10]
SUB ESP, EAX
PUSH EBX
PUSH ESI
PUSH EDI
MOV EAX, DWORD PTR [0X44B040]

Signatures
CheckSum Integrity Problem:
Header: 2963054
Calculated: 2950476
Rich Signature Analyzer:
Code -> 4E0CC9D70A6DA7840A6DA7840A6DA7844115A485076DA7844115A285BA6DA784C8ECA2855F6DA784C8ECA3851E6DA784C8ECA4851D6DA7844115A3851C6DA7844115A685036DA7840A6DA684C16DA784F9EFAF855C6DA784F9EF58840B6DA7840A6D30840B6DA784F9EFA5850B6DA784526963680A6DA784
Footprint md5 Hash -> 1249711815FEFC9E4D35BBBE318F7DEA
• The Rich header apparently has not been modified
Certificate - Digital Signature:
• The file is signed and the signature is correct

Packer/Compiler
Detect It Easy (die)
PE: installer: 7-Zip(-)[-]
PE: compiler: EP:Microsoft Visual C/C++(2017 v.15.5-6)[EXE32]
PE: compiler: Microsoft Visual C/C++(-)[-]
PE: archive: 7-Zip(0.4)[-]
PE: linker: Microsoft Linker(14.39**)[-]
PE: overlay: 7-zip Installer data(-)[-]
Entropy: 7.94526

Suspicious Functions
Library Function Description
KERNEL32.DLL VirtualAlloc Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL GetModuleHandleA Retrieves a handle to the specified module.
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL IsDebuggerPresent Determines if the calling process is being debugged by a user-mode debugger.
SHELL32.DLL ShellExecuteExW Performs a run operation on a specific file.
File Access
%%T\\setup.exe
.exe
OLEAUT32.dll
SHELL32.dll
USER32.dll
KERNEL32.dll
.dat
@.dat
g%.WdS
Temp

File Access (UNICODE)
setup.exe
sfx.exe
kernel32.dll
mscoree.dll
Temp

Words of Interest
PADDINGX
exec
attrib
start
systeminfo
ping

URLs
http://ocsp.digicert.com
http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
http://crl3.digicert.com/DigiCertTrustedRootG4.crl
http://www.digicert.com/CPS0
http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
http://www.opera.com
http://cacerts.digicert.com/DigiCertTrustedG4TimeStampingRSA4096SHA2562025CA1.crt
http://crl3.digicert.com/DigiCertTrustedG4TimeStampingRSA4096SHA2562025CA1.crl
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl

Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii WinAPI Sockets (connect)
Text Ascii File (GetTempPath)
Text Ascii File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii File (ReadFile)
Hex Hex Pattern PEB AntiDebug (Flag BeingDebugged)
Text Ascii Anti-Analysis VM (IsDebuggerPresent)
Text Ascii Anti-Analysis VM (GetSystemInfo)
Text Ascii Anti-Analysis VM (GlobalMemoryStatusEx)
Text Ascii Anti-Analysis VM (GetVersion)
Text Ascii Reconnaissance (FindFirstFileW)
Text Ascii Reconnaissance (FindNextFileW)
Text Ascii Reconnaissance (FindClose)
Text Ascii Stealth (ExitThread)
Text Ascii Stealth (ReleaseSemaphore)
Text Ascii Stealth (CloseHandle)
Text Ascii Stealth (VirtualAlloc)
Text Ascii Execution (CreateProcessW)
Text Ascii Execution (ShellExecute)
Text Ascii Execution (CreateSemaphoreW)
Text Ascii Execution (CreateEventW)
Entry Point Hex Pattern Microsoft Visual C++ 8
Entry Point Hex Pattern Microsoft Visual C++ 8
Entry Point Hex Pattern VC8 - Microsoft Corporation
Resources
Path DataRVA Size FileOffset CodeText
\ICON\1\1033 50448 128 4B048 2800000010000000200000000100040000000000C00000000000000000000000100000000000000000000000000080000080(....... .........................................
\ICON\2\1033 50570 1E8 4B170 2800000018000000300000000100040000000000800100000000000000000000100000000000000000000000000080000080(.......0.........................................
\ICON\3\1033 50758 2E8 4B358 2800000020000000400000000100040000000000800200000000000000000000100000000000000000000000000080000080(... ...@.........................................
\ICON\4\1033 50A40 668 4B640 2800000030000000600000000100040000000000000600000000000000000000100000000000000000000000000080000080(...0............................................
\ICON\5\1033 510A8 568 4BCA8 28000000100000002000000001000800000000004001000000000000000000000001000000000000000000006E6E6E007372(....... ...........@.......................nnn.sr
\ICON\6\1033 51610 6C8 4C210 2800000018000000300000000100080000000000A00200000000000000000000000100000000000000000000686768006868(.......0...................................hgh.hh
\ICON\7\1033 51CD8 8A8 4C8D8 2800000020000000400000000100080000000000800400000000000000000000000100000000000000000000696969006D6D(... ...@...................................iii.mm
\ICON\8\1033 52580 EA8 4D180 2800000030000000600000000100080000000000800A00000000000000000000000100000000000000000000696969006E6D(...0......................................iii.nm
\ICON\9\1033 53428 468 4E028 280000001000000020000000010020000000000040040000000000000000000000000000000000006F6F6F206E6F6FFF6F6F(....... ..... .....@...................ooo noo.oo
\ICON\10\1033 53890 988 4E490 280000001800000030000000010020000000000060090000000000000000000000000000000000006D616115686868FF6968(.......0..... ........................maa.hhh.ih
\ICON\11\1033 54218 10A8 4EE18 2800000020000000400000000100200000000000801000000000000000000000000000000000000000000000000000060000(... ...@..... ...................................
\ICON\12\1033 552C0 25A8 4FEC0 2800000030000000600000000100200000000000802500000000000000000000000000000000000000000000000000000000(...0........ ......%............................
\DIALOG\97\1033 57868 B8 52468 C008C88000000000020000000000BC003C0000000000500072006F0067007200650073007300000008004D00530020005300................<.....P.r.o.g.r.e.s.s.....M.S. .S.
\STRING\1\1033 57920 60 52520 00000000000000000000000000001100450078007400720061006300740069006F006E0020004600610069006C00650064000F00460069006C006500200069007300200063006F00720072007500700074000000000000000000000000000000................E.x.t.r.a.c.t.i.o.n. .F.a.i.l.e.d...F.i.l.e. .i.s. .c.o.r.r.u.p.t...............
\STRING\188\1033 57980 54 52580 000000000000000000000000000000000000000000001A00430061006E006E006F0074002000630072006500610074006500200066006F006C00640065007200200027007B0030007D0027000000000000000000........................C.a.n.n.o.t. .c.r.e.a.t.e. .f.o.l.d.e.r. .'.{.0.}.'.........
\STRING\207\1033 579D4 34 525D4 00000000000000000A00450078007400720061006300740069006E00670000000000000000000000000000000000000000000000..........E.x.t.r.a.c.t.i.n.g.......................
\GROUP_ICON\1\1033 57A08 AE 52608 000001000C0010101000010004002801000001001818100001000400E801000002002020100001000400E802000003003030..............(................... ............00
\VERSION\1\0 57AB8 27C 526B8 7C0234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\VERSION\1\1033 57D34 2BC 52934 BC0234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000100..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\1033 57FF0 17D 52BF0 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779<?xml version='1.0' encoding='UTF-8' standalone='y
Intelligent String
• mscoree.dll
• kernel32.dll
• .exe
• customization_package.bin
• .bss
• KERNEL32.dll
• .PAX
• .PAD
• 7zS.sfx
• 7zS.sfx.exe
• s.HCJ
• f.RKf
• setup.exe
• :060U00Uq]dL.g?O0U0E1-Q!m0U0y+m0k0$+0http://ocsp.digicert.com0C+07http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0EU>0<0:864http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0U

Flow Anomalies
Offset RVA Section Description
4DB 44DBCC .text CALL [static] | Indirect call to absolute memory address
4F0 44DBCC .text CALL [static] | Indirect call to absolute memory address
6A6 43C004 .text CALL [static] | Indirect call to absolute memory address
6B9 43C000 .text CALL [static] | Indirect call to absolute memory address
106A 43C008 .text CALL [static] | Indirect call to absolute memory address
1080 43C018 .text CALL [static] | Indirect call to absolute memory address
1087 43C014 .text CALL [static] | Indirect call to absolute memory address
10AC 43C010 .text CALL [static] | Indirect call to absolute memory address
112D 43C01C .text CALL [static] | Indirect call to absolute memory address
46D7 43C020 .text CALL [static] | Indirect call to absolute memory address
4725 43C024 .text CALL [static] | Indirect call to absolute memory address
473F 43C020 .text CALL [static] | Indirect call to absolute memory address
474F 43C024 .text CALL [static] | Indirect call to absolute memory address
483D 43C020 .text CALL [static] | Indirect call to absolute memory address
4871 43C024 .text CALL [static] | Indirect call to absolute memory address
4897 43C020 .text CALL [static] | Indirect call to absolute memory address
4938 43C024 .text CALL [static] | Indirect call to absolute memory address
4955 43C020 .text CALL [static] | Indirect call to absolute memory address
498B 43C024 .text CALL [static] | Indirect call to absolute memory address
5862 43C028 .text CALL [static] | Indirect call to absolute memory address
59A6 43C03C .text CALL [static] | Indirect call to absolute memory address
59CD 43C044 .text CALL [static] | Indirect call to absolute memory address
59E7 43C034 .text CALL [static] | Indirect call to absolute memory address
59F2 43C03C .text CALL [static] | Indirect call to absolute memory address
5A5A 43C038 .text CALL [static] | Indirect call to absolute memory address
5A70 43C040 .text CALL [static] | Indirect call to absolute memory address
5A7F 43C048 .text CALL [static] | Indirect call to absolute memory address
5AAF 43C04C .text CALL [static] | Indirect call to absolute memory address
5ADF 43C02C .text CALL [static] | Indirect call to absolute memory address
5B0F 43C030 .text CALL [static] | Indirect call to absolute memory address
5F76 43C228 .text CALL [static] | Indirect call to absolute memory address
66CD 43C1D8 .text CALL [static] | Indirect call to absolute memory address
72DE 43C224 .text CALL [static] | Indirect call to absolute memory address
72F8 43C220 .text CALL [static] | Indirect call to absolute memory address
7306 43C21C .text CALL [static] | Indirect call to absolute memory address
732B 43C218 .text CALL [static] | Indirect call to absolute memory address
74AF 43C214 .text CALL [static] | Indirect call to absolute memory address
7508 43C05C .text CALL [static] | Indirect call to absolute memory address
75B6 43C060 .text CALL [static] | Indirect call to absolute memory address
75D1 43C064 .text CALL [static] | Indirect call to absolute memory address
773E 43C068 .text CALL [static] | Indirect call to absolute memory address
7751 43C06C .text CALL [static] | Indirect call to absolute memory address
7761 43C044 .text CALL [static] | Indirect call to absolute memory address
7771 43C070 .text CALL [static] | Indirect call to absolute memory address
777E 43C074 .text CALL [static] | Indirect call to absolute memory address
778D 43C078 .text CALL [static] | Indirect call to absolute memory address
77AB 43C078 .text CALL [static] | Indirect call to absolute memory address
77B9 43C03C .text CALL [static] | Indirect call to absolute memory address
78B8 43C03C .text CALL [static] | Indirect call to absolute memory address
79B9 43C07C .text CALL [static] | Indirect call to absolute memory address
7A0A 43C080 .text CALL [static] | Indirect call to absolute memory address
7AC8 43C03C .text CALL [static] | Indirect call to absolute memory address
7AE2 43C03C .text CALL [static] | Indirect call to absolute memory address
7B04 43C080 .text CALL [static] | Indirect call to absolute memory address
7BBA 43C084 .text CALL [static] | Indirect call to absolute memory address
7D0C 43C08C .text CALL [static] | Indirect call to absolute memory address
7D58 43C094 .text CALL [static] | Indirect call to absolute memory address
7D63 43C090 .text CALL [static] | Indirect call to absolute memory address
7D70 43C098 .text CALL [static] | Indirect call to absolute memory address
7DBE 43C090 .text CALL [static] | Indirect call to absolute memory address
7E06 43C080 .text CALL [static] | Indirect call to absolute memory address
7E21 43C03C .text CALL [static] | Indirect call to absolute memory address
7F8E 43C09C .text CALL [static] | Indirect call to absolute memory address
810B 43C0A0 .text CALL [static] | Indirect call to absolute memory address
8154 43C0A4 .text CALL [static] | Indirect call to absolute memory address
81A9 43C0A8 .text CALL [static] | Indirect call to absolute memory address
81DB 43C0AC .text CALL [static] | Indirect call to absolute memory address
81E9 43C014 .text CALL [static] | Indirect call to absolute memory address
81FA 43C014 .text CALL [static] | Indirect call to absolute memory address
8257 43C080 .text CALL [static] | Indirect call to absolute memory address
8272 43C080 .text CALL [static] | Indirect call to absolute memory address
8284 44DA6C .text CALL [static] | Indirect call to absolute memory address
8291 43C03C .text CALL [static] | Indirect call to absolute memory address
82D4 43C080 .text CALL [static] | Indirect call to absolute memory address
834A 43C03C .text CALL [static] | Indirect call to absolute memory address
835D 43C0B0 .text CALL [static] | Indirect call to absolute memory address
84FF 43C080 .text CALL [static] | Indirect call to absolute memory address
8874 43C03C .text CALL [static] | Indirect call to absolute memory address
88AD 43C068 .text CALL [static] | Indirect call to absolute memory address
88EC 43C044 .text CALL [static] | Indirect call to absolute memory address
8940 43C0B4 .text CALL [static] | Indirect call to absolute memory address
894D 43C03C .text CALL [static] | Indirect call to absolute memory address
89B8 43C0B8 .text CALL [static] | Indirect call to absolute memory address
89C5 43C03C .text CALL [static] | Indirect call to absolute memory address
8A3F 43C0B8 .text CALL [static] | Indirect call to absolute memory address
8A4C 43C03C .text CALL [static] | Indirect call to absolute memory address
8A63 43C080 .text CALL [static] | Indirect call to absolute memory address
8AFC 43C06C .text CALL [static] | Indirect call to absolute memory address
8B43 43C0BC .text CALL [static] | Indirect call to absolute memory address
8C33 43C06C .text CALL [static] | Indirect call to absolute memory address
8C75 43C0C0 .text CALL [static] | Indirect call to absolute memory address
8CDC 43C0C4 .text CALL [static] | Indirect call to absolute memory address
8D7B 43C03C .text CALL [static] | Indirect call to absolute memory address
8D9C 43C080 .text CALL [static] | Indirect call to absolute memory address
9432 43C1DC .text CALL [static] | Indirect call to absolute memory address
9481 43C1DC .text CALL [static] | Indirect call to absolute memory address
9585 43C1D4 .text CALL [static] | Indirect call to absolute memory address
95DA 43C1D4 .text CALL [static] | Indirect call to absolute memory address
96A0 43C210 .text CALL [static] | Indirect call to absolute memory address
96FB 43C210 .text CALL [static] | Indirect call to absolute memory address
56000 N/A *Overlay* 3B2140496E7374616C6C40215554462D38210D0A | ;!@Install@!UTF-8!..
Extra Analysis
Metric Value Percentage
Ascii Code 1955895 67,2445%
Null Byte Code 73139 2,5145%