PREMIUM PESCAN.IO - Analysis Report

| File Structure |
Chart legend (the chart image itself is not included in this copy):
PE chart: PE header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red means a malformed or corrupted header.
Chart for other file types: printable characters (blue), non-printable characters (black).
| Information |
Values are hexadecimal unless stated otherwise.

| Field | Value |
|---|---|
| Size | 5.02 MB |
| SHA-256 | B2DB241FA6EB5C63C67D9768B20D401B19FB526FF3E65A0CA7992183FF70E095 |
| SHA-1 | 690DB2BE6D6FEB9BBC1CE79C7911D0830EBB2F63 |
| MD5 | 37C07AA4965F5F1BD40600EA762A040F |
| Imphash | 2E5708AE5FED0403E8117C645FB23E5B |
| MajorOSVersion / MinorOSVersion | 4 / 0 |
| CheckSum | 00000000 (not set) |
| EntryPoint (RVA) | 11E9 |
| SizeOfHeaders | 1000 |
| SizeOfImage | 506000 |
| ImageBase | 10000000 |
| Architecture | x86 |
| ExportTable (RVA) | 2190 |
| ImportTable (RVA) | 203C |
| IAT (RVA) | 2000 |
| Characteristics | 210E (executable image, 32-bit machine, DLL; line numbers and local symbols stripped) |
| TimeDateStamp | 59145751 (2017-05-11 12:21:37 UTC) |
| File Type | DLL |
| Number of Sections | 5 (.text, .rdata, .data, .rsrc, .reloc), of which 1 is executable |
| ASLR | Disabled |
| Subsystem | Windows GUI |
| UAC execution level (manifest) | asInvoker |
| Sections Info |
All offsets and sizes are hexadecimal. The per-section Entropy and Chi2 columns were empty in the report; the only entropy figure given is the whole-file value (3.81244) under Packer/Compiler.

| Section Name | Flags | ROffset | RSize | VOffset | VSize |
|---|---|---|---|---|---|
| .text | 0x60000020 Code, Executable, Readable | 1000 | 1000 | 1000 | 28C |
| .rdata | 0x40000040 Initialized Data, Readable | 2000 | 1000 | 2000 | 1D8 |
| .data | 0xC0000040 Initialized Data, Readable, Writeable | 3000 | 1000 | 3000 | 154 |
| .rsrc | 0x40000040 Initialized Data, Readable | 4000 | 501000 | 4000 | 500060 |
| .reloc | 0x42000040 Initialized Data, Discardable, Readable | 505000 | 1000 | 505000 | 2AC |

The report labelled bit 0x02000000 of the .reloc flags "GP-Relative"; that bit is IMAGE_SCN_MEM_DISCARDABLE, the normal flag for a relocation section (IMAGE_SCN_GPREL is 0x00008000). Note the size imbalance: .rsrc holds 0x501000 bytes against 0x1000 bytes of code, which the embedded-executable findings below account for.
| Binder/Joiner/Crypter |
5 embedded executable headers found (listed under PE Carving). Dropper code detected at end of file: 3 bytes of data follow the last section, i.e. an overlay at file offset 0x506000 (end of .reloc) running to 0x506003.
| Entry Point |
The entry point (RVA 0x11E9) lies in section 1, .text. Bytes at the entry point:

558BEC538B5D08568B750C578B7D1085F67509833D4031001000EB2683FE01740583FE027522A15031001085C07409575653

Disassembly, with addresses given as RVAs from 0x11E9. The report's original listing computed its branch targets from 0x1000 (the start of .text) rather than from the entry point, which is why it printed targets such as 0x101C; the displacements encoded in the bytes give the targets shown here.

    11E9  55                    PUSH EBP
    11EA  8B EC                 MOV EBP, ESP
    11EC  53                    PUSH EBX
    11ED  8B 5D 08              MOV EBX, DWORD PTR [EBP + 8]      ; hinstDLL
    11F0  56                    PUSH ESI
    11F1  8B 75 0C              MOV ESI, DWORD PTR [EBP + 0Ch]    ; fdwReason
    11F4  57                    PUSH EDI
    11F5  8B 7D 10              MOV EDI, DWORD PTR [EBP + 10h]    ; lpvReserved
    11F8  85 F6                 TEST ESI, ESI
    11FA  75 09                 JNE 1205h
    11FC  83 3D 40 31 00 10 00  CMP DWORD PTR [10003140h], 0
    1203  EB 26                 JMP 122Bh
    1205  83 FE 01              CMP ESI, 1                        ; DLL_PROCESS_ATTACH
    1208  74 05                 JE 120Fh
    120A  83 FE 02              CMP ESI, 2                        ; DLL_THREAD_ATTACH
    120D  75 22                 JNE 1231h
    120F  A1 50 31 00 10        MOV EAX, DWORD PTR [10003150h]
    1214  85 C0                 TEST EAX, EAX
    1216  74 09                 JE 1221h
    1218  57                    PUSH EDI
    1219  56                    PUSH ESI
    121A  53                    PUSH EBX

The prologue loads the three DllMain arguments into EBX, ESI and EDI and dispatches on fdwReason (0 = DLL_PROCESS_DETACH, 1 = DLL_PROCESS_ATTACH, 2 = DLL_THREAD_ATTACH); the three pushes at the end re-supply those arguments for a call through the pointer loaded from 0x10003150, which lies beyond the 50 bytes shown. This is the Visual C++ 6 DLL CRT entry stub matched by the entry-point signatures under Packer/Compiler and the file rules, not the DLL's own code.
| Signatures |
Rich Signature Analyzer:
Code -> 7D9C725F39FD1C0C39FD1C0C39FD1C0CD1E2160C3DFD1C0C39FD1D0C36FD1C0CFAF2410C3AFD1C0CD1E2170C38FD1C0C81FB1A0C38FD1C0CD1E2180C3AFD1C0C5269636839FD1C0C
Footprint md5 hash -> FBA6D12346A0C99D94A960A31BFAD9CB
• The Rich header apparently has not been modified (Rich analyzers decide this by recomputing the XOR key as a checksum over the DOS header and the decoded entries and comparing it with the key stored after "Rich").
Certificate: no digital signature found; the file is not signed.
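The Rich block quoted above can be decoded from the hex the report prints. The following is an added example, not pescan's code: it strips the XOR key, checks the DanS marker and the three zero padding dwords, and lists each comp.id entry as (product ID, build number, object count). The product-name table is partial and reflects the commonly used community mapping of Rich product IDs (an assumption of this example, not something the report states); the report's "not modified" verdict comes from recomputing the key as a checksum over the DOS header, which this example cannot redo because the report does not print the DOS header.

```python
"""Added example (not part of the pescan report): decode the Rich signature block quoted above."""
import struct

# The Rich block exactly as printed in the report (from the XOR-encoded 'DanS' to the key).
RICH_HEX = ("7D9C725F39FD1C0C39FD1C0C39FD1C0CD1E2160C3DFD1C0C39FD1D0C36FD1C0CFAF2410C3AFD1C0C"
            "D1E2170C38FD1C0C81FB1A0C38FD1C0CD1E2180C3AFD1C0C5269636839FD1C0C")

# Partial product-ID table; assumed from the commonly used Rich comp.id list, not from the report.
PRODUCT_NAMES = {
    0x01: "Import0 (import thunks)",
    0x04: "Linker600",
    0x06: "Cvtres500",
    0x0A: "Utc12_C (VC6 C compiler)",
    0x0B: "Utc12_CPP (VC6 C++ compiler)",
}


def decode_rich(block_hex: str) -> dict:
    """Return the XOR key and the decoded comp.id entries of a Rich block."""
    blob = bytes.fromhex(block_hex)
    rich_at = blob.rfind(b"Rich")
    if rich_at == -1 or rich_at + 8 > len(blob):
        raise ValueError("no 'Rich' terminator followed by a key")
    (key,) = struct.unpack_from("<I", blob, rich_at + 4)
    # Every dword before 'Rich' is XOR-encoded with the key, including the 'DanS' marker.
    words = [w ^ key for (w,) in struct.iter_unpack("<I", blob[:rich_at])]
    if words[0] != 0x536E6144:                     # 'DanS' as a little-endian dword
        raise ValueError("first dword does not decode to 'DanS'")
    if words[1:4] != [0, 0, 0]:
        raise ValueError("missing the three zero padding dwords after 'DanS'")
    entries = []
    for comp_id, count in zip(words[4::2], words[5::2]):
        prod_id, build = comp_id >> 16, comp_id & 0xFFFF
        entries.append({"prod_id": prod_id, "build": build, "count": count,
                        "name": PRODUCT_NAMES.get(prod_id, "unlisted")})
    return {"key": key, "entries": entries}


if __name__ == "__main__":
    result = decode_rich(RICH_HEX)
    print(f"key {result['key']:#010x}")
    for e in result["entries"]:
        print(f"prod_id {e['prod_id']:#06x} build {e['build']:5d} count {e['count']:3d}  {e['name']}")
```

Decoded, the block lists objects from product IDs 0x0A and 0x0B at build 8168 (the VC6 C and C++ compilers in the table above), 0x04 at build 8168 (linker 6.0), 0x06 at build 1720 (cvtres), 15 import-thunk objects (ID 1) and three objects from an ID (0x5D, build 4035) the partial table does not cover. The 8168 and 1720 builds agree with the Visual C++ 6, Linker 6.0 and "1720" matches under Packer/Compiler.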
| Packer/Compiler |
Compiler: Microsoft Visual Studio / Microsoft Visual C++ / Microsoft Visual C++ 6 DLL
Detect It Easy (die):
• PE: compiler: EP:Microsoft Visual C/C++(6.0 (1720-8966))[DLL32]
• PE: compiler: Microsoft Visual C/C++(6.0)[msvcrt]
• PE: linker: Microsoft Linker(6.0)[-]
• Entropy: 3.81244 (whole file)
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleFileNameA | Retrieves the fully qualified path of the executable file of a specified module. |
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| SHELL32.DLL | ShellExecuteExW | Performs an operation, such as open or run, on a specified file. |
| Export Table Functions (carving) |
Original name -> launcher.dll; exported function -> PlayGame
| Windows Registry Strings (UNICODE) |
Software\WinRAR SFX
Software\Microsoft\Windows\CurrentVersion
| File Access |
The string scans in this and the following sections cover the entire 5 MB file, including the executable embedded in .rsrc (see Resources), so part of what they list may describe that embedded file rather than launcher.dll's own code.

eee.exe, tasksche.exe, mssecsvr.exe, OLEAUT32.dll, ole32.dll, SHELL32.dll, ADVAPI32.dll, COMDLG32.dll, GDI32.dll, USER32.dll, KERNEL32.dll, SHLWAPI.dll, COMCTL32.dll, msvcrtd.dll, msvcrt.dll, msvcrt.dll, launcher.dll, WININET.dll, iphlpapi.dll, MSVCP60.dll, WS2_32.dll, @.dat, .dat, PPh.dat, Temp, WinDir
| File Access (UNICODE) |
Several entries were adjacent strings run together by the scanner; they are separated here with a slash.
CorExitProcess / mscoree.dll, KERNEL32.DLL, riched32.dll, 5priched20.dll, CryptProtectMemory / Crypt32.dll, CreateFileA / CreateProcessA / kernel32.dll, USER32.DLL, Temp, ProgramFiles
| Words of Interest |
PADDINGX, exec, attrib, start, ping, expand, replace
| Words of Interest (UNICODE) |
PassWord, <html, <head, <meta, start, ping, replace
| URLs |
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
http://schemas.microsoft.com/SMI/2005/WindowsSettings (the XML namespace of the embedded application manifest, see Intelligent String; not a network contact)
| IP Addresses |
172.16.99.5, 192.168.56.20 (both RFC 1918 private addresses; treat them as internal-network indicators, not Internet ones)
| PE Carving |
Each row is the span from one MZ header to the next (file offsets and sizes in hexadecimal; the last span ends at the end of file, 0x506003).

| Start Offset (MZ header) | End Offset | Size (bytes, hex) |
|---|---|---|
| 0 | 4064 | 4064 |
| 4064 | F084 | B020 |
| F084 | 130E4 | 4060 |
| 130E4 | 36108 | 23024 |
| 36108 | 506003 | 4CFEFB |
| Strings/Hex Patterns Matched by the File Rules |
| Rule Type | Encoding | Matched (word or pattern) |
|---|---|---|
| Text | Ascii | Registry (RegCreateKeyEx) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | Registry (RegSetValueEx) |
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Service (OpenSCManager) |
| Text | Ascii | Service (CreateService) |
| Text | Ascii | Service (StartServiceCtrlDispatcher) |
| Text | Ascii | Encryption (Microsoft Base Cryptographic Provider v1.0) |
| Text | Ascii | Encryption API (CryptAcquireContext) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Reconnaissance (FindFirstFileW) |
| Text | Ascii | Reconnaissance (FindNextFileW) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (ReleaseSemaphore) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (UnmapViewOfFile) |
| Text | Ascii | Stealth (MapViewOfFile) |
| Text | Ascii | Stealth (CreateFileMappingW) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Execution (CreateProcessA) |
| Text | Ascii | Execution (ShellExecute) |
| Text | Ascii | Execution (CreateSemaphoreW) |
| Text | Ascii | Execution (CreateEventW) |
| Text | Unicode | Privileges (SeCreateSymbolicLinkPrivilege) |
| Text | Unicode | Privileges (SeRestorePrivilege) |
| Text | Unicode | Privileges (SeSecurityPrivilege) |
| Text | Ascii | Malware that monitors and collects user data (Spy) |
| Entry Point | Hex Pattern | Armadillo v1.xx - v2.xx (this PEiD pattern is well known to overlap the Visual C++ 6 entry-point prologue, so a hit next to the VC6 matches below is not evidence of the Armadillo protector) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 6.0 DLL |
| Entry Point | Hex Pattern | Microsoft Visual C++ 6.0 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 |
| Entry Point | Hex Pattern | Microsoft Visual C++ v6.0 DLL |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text | PE/Payload |
|---|---|---|---|---|---|---|
| \W\101\1033 | 4060 | 500000 | 4060 | 00D022004D5A90000300000004000000FFFF0000B80000000000000040000000000000000000000000000000000000000000 | ..".MZ......................@..................... | (Executable found) |

The path is resource type "W", ID 101, language 1033 (en-US). The resource is 0x500000 bytes (5 MB) and starts with the four bytes 00 D0 22 00; the MZ header follows at file offset 0x4064, which is exactly where the second span of the PE Carving table begins.
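Three of the checks above (the empty per-section Entropy column under Sections Info, the MZ-header carving under PE Carving, and the executable embedded at resource offset 0x4060) can be reproduced without the scanner. The following is an added example, not pescan's code: a standard-library Python walker that parses the PE section table, scores each section's entropy, looks for MZ/PE headers inside the non-executable sections and measures the overlay after the last section. The DLL it analyses is constructed inside the block (`make_sample_dll`) so that the example runs offline; that sample, its 0x1000 alignment and the choice to carve only non-executable sections are assumptions of this example.

```python
"""Added example (not part of the pescan report): a standard-library PE32/PE32+ section walker
that reproduces three checks from the report: per-section entropy, carving of embedded MZ/PE
headers out of non-executable sections, and the size of the overlay after the last section.
make_sample_dll() builds a small constructed DLL so the example runs offline; it is not launcher.dll."""
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte on the 0.0..8.0 scale the report's Entropy column uses."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(pe: bytes) -> dict:
    """Read image base, entry-point RVA and the section table (PE32 and PE32+)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsects, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", pe, opt)
    (entry_rva,) = struct.unpack_from("<I", pe, opt + 16)
    if magic == 0x10B:                                  # PE32: 32-bit ImageBase at +28
        (image_base,) = struct.unpack_from("<I", pe, opt + 28)
    elif magic == 0x20B:                                # PE32+: 64-bit ImageBase at +24
        (image_base,) = struct.unpack_from("<Q", pe, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(nsects):
        name, vsize, vaddr, rsize, roff, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "roff": roff, "rsize": rsize,
                         "flags": flags, "raw": pe[roff:roff + rsize]})
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": sections}


def carve_mz(section: dict) -> list:
    """(file offset, RVA) of each 'MZ' whose e_lfanew reaches a 'PE\\0\\0' inside the same
    section; a bare 'MZ' without that is ignored as a false positive."""
    raw, hits, pos = section["raw"], [], 0
    while (pos := raw.find(b"MZ", pos)) != -1:
        if pos + 0x40 <= len(raw):
            (lfanew,) = struct.unpack_from("<I", raw, pos + 0x3C)
            if raw[pos + lfanew:pos + lfanew + 4] == b"PE\0\0":
                hits.append((section["roff"] + pos, section["vaddr"] + pos))
        pos += 2
    return hits


def analyse(pe: bytes) -> dict:
    """Entry-point section, per-section entropy, embedded MZ/PE headers and overlay length."""
    info = parse_pe(pe)
    secs = info["sections"]
    entry = info["entry_rva"]
    entry_section = next((s["name"] for s in secs
                          if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rsize"])), None)
    embedded = []
    for s in secs:
        if not s["flags"] & IMAGE_SCN_MEM_EXECUTE:      # data sections only, where a payload would hide
            embedded += carve_mz(s)
    return {"image_base": info["image_base"], "entry_rva": entry, "entry_section": entry_section,
            "entropy": {s["name"]: round(shannon_entropy(s["raw"]), 5) for s in secs},
            "embedded": embedded,
            "overlay_bytes": len(pe) - max(s["roff"] + s["rsize"] for s in secs)}


def make_sample_dll() -> bytes:
    """Constructed input: PE32 DLL at 0x10000000 with .text and .rsrc (0x1000 alignment),
    a fake MZ/PE stub 0x60 bytes into .rsrc and a 3-byte overlay like the one reported above."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x210E)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x10000000)            # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x1000)       # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x1000)       # SizeOfImage, SizeOfHeaders

    def section(name, vaddr, flags):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, vaddr, 0x1000, vaddr, 0, 0, 0, 0, flags)

    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
               + section(b".text", 0x1000, 0x60000020)
               + section(b".rsrc", 0x2000, 0x40000040)).ljust(0x1000, b"\0")
    text = b"\x55\x8B\xEC\x5D\xC3".ljust(0x1000, b"\0")   # push ebp; mov ebp,esp; pop ebp; ret
    stub = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + b"\xCC" * 0x80
    rsrc = (bytes(0x60) + stub).ljust(0x1000, b"\0")
    return headers + text + rsrc + b"\0\0\0"               # 3 overlay bytes past the last section


if __name__ == "__main__":
    for key, value in analyse(make_sample_dll()).items():
        print(f"{key}: {value}")
```

Run `analyse(open("launcher.dll", "rb").read())` against the real sample to obtain the per-section entropies the report left blank, the file offsets and RVAs of every MZ header in .rsrc that reaches a PE signature, and the 3-byte overlay. Requiring the PE signature behind each MZ is what separates a real embedded image from the stray "MZ" byte pairs that any multi-megabyte blob contains; a carver that trusts the bare signature will report spans that are not executables.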
| Intelligent String |
• msvcrtd.dll
• msvcrt.dll
• KERNEL32.dll
• mscoree.dll
• WINDOWSmssecsvr.exe
• ADVAPI32.dll
• WS2_32.dll
• USER32.DLL
• msvcrt.dll
• /iC:\%s\qeriuwjhrf
• WINDOWStasksche.exe
• kernel32.dll
• http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
• .rar
• Crypt32.dll
• .exe
• .inf
• .lnk
• %s.%d.tmp
• runas
• winrarsfxmappingfile.tmp
• 5priched20.dll
• riched32.dll
• KERNEL32.DLL
• d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
• COMCTL32.dll
• SHLWAPI.dll
• COMDLG32.dll
• WINRAR.SFX
• <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
• Setup=eee.exe
• eee.exe
| Flow Anomalies |
Each entry is an indirect call or jump through an absolute memory address (CALL [addr] / JMP [addr]). Offset is the file offset of the instruction; Target is the absolute address the instruction reads its destination from. For the .text entries the targets (0x10002000 to 0x10002034) fall inside the import address table (IAT at RVA 0x2000, in .rdata), so they are ordinary calls to imported functions and resolve through the import table. The .rsrc entries are not code of this DLL: their targets (0x40A0xx and 0x4314xx) lie far below this image's base of 0x10000000 and come from disassembling the executable embedded in the resource section (see Resources and PE Carving), so read them against that embedded file, not against launcher.dll.

| Offset | Target | Section | Instruction | Description |
|---|---|---|---|---|
| 1026 | 10002018 | .text | CALL [static] | Indirect call to absolute memory address |
| 1039 | 10002014 | .text | CALL [static] | Indirect call to absolute memory address |
| 1044 | 10002010 | .text | CALL [static] | Indirect call to absolute memory address |
| 1057 | 1000200C | .text | CALL [static] | Indirect call to absolute memory address |
| 107C | 10002008 | .text | CALL [static] | Indirect call to absolute memory address |
| 1096 | 10002004 | .text | CALL [static] | Indirect call to absolute memory address |
| 109D | 10002000 | .text | CALL [static] | Indirect call to absolute memory address |
| 10F3 | 1000201C | .text | CALL [static] | Indirect call to absolute memory address |
| 1128 | 10002034 | .text | CALL [static] | Indirect call to absolute memory address |
| 116C | 1000202C | .text | CALL [static] | Indirect call to absolute memory address |
| 11D4 | 10002024 | .text | CALL [static] | Indirect call to absolute memory address |
| 1286 | 10002028 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5162 | 40A0B8 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 5185 | 40A0B4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 5625 | 40A0C4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 564E | 40A0C4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 56AE | 40A0A4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 5722 | 40A0A4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 5747 | 40A094 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 5763 | 40A0A4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 57AE | 40A098 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 57CA | 40A0A4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 584A | 40A10C | .rsrc | CALL [static] | Indirect call to absolute memory address |
| B04F | 40A08C | .rsrc | CALL [static] | Indirect call to absolute memory address |
| B2F0 | 40A090 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| B5D6 | 40A114 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| B66F | 40A110 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| B6B9 | 40A088 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| B6CE | 40A118 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| B6DB | 40A080 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| B6EF | 40A020 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| B6FA | 40A084 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| B734 | 40A11C | .rsrc | CALL [static] | Indirect call to absolute memory address |
| B749 | 40A030 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| B759 | 40A054 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| B760 | 40A078 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| B76B | 40A07C | .rsrc | CALL [static] | Indirect call to absolute memory address |
| B773 | 40A110 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| B848 | 40A034 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| B84F | 40A078 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| B85F | 40A110 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| B8CA | 40A128 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| B8D3 | 40A03C | .rsrc | CALL [static] | Indirect call to absolute memory address |
| B8DB | 40A038 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| B8EE | 40A124 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| B99C | 40A10C | .rsrc | CALL [static] | Indirect call to absolute memory address |
| B9E7 | 40A10C | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BA17 | 40A11C | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BA2C | 40A030 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BA3C | 40A054 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BA43 | 40A078 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BA4B | 40A0A4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BA6A | 40A0A4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BAD9 | 40A090 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BB47 | 40A048 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BB78 | 40A044 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BB93 | 40A040 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BBA0 | 40A078 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BBDC | 40A078 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BCBA | 40A10C | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BCCC | 40A010 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BCFF | 40A014 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BD16 | 40A01C | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BD53 | 40A064 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BDD8 | 40A05C | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BDEA | 40A058 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BDF9 | 40A0A0 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BE0D | 40A050 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BE90 | 40A04C | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BEA7 | 431458 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BEC5 | 431460 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BECC | 43144C | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BF4C | 431478 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BF5B | 43144C | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BF66 | 43144C | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BFE4 | 40A00C | .rsrc | CALL [static] | Indirect call to absolute memory address |
| C058 | 40A008 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| C0A7 | 40A004 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| C0D2 | 40A00C | .rsrc | CALL [static] | Indirect call to absolute memory address |
| C0E2 | 40A0A4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| C0EA | 40A068 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| C103 | 40A06C | .rsrc | CALL [static] | Indirect call to absolute memory address |
| C109 | 40A12C | .rsrc | CALL [static] | Indirect call to absolute memory address |
| C127 | 40A010 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| C140 | 40A028 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| C18A | 40A000 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| C1DF | 40A134 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| C1F8 | 40A138 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| C29C | 40A0B8 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| C2CE | 40A0B4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| C687 | 40A0B8 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| CA05 | 40A0B4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| D1EC | 40A074 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| D20C | 40A070 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| D328 | 40A074 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| D3C3 | 40A070 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| D4BB | 40A070 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| D814 | 40A144 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| D81A | 40A148 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| D820 | 40A14C | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| 506000 | N/A | *Overlay* | 00 00 00 | 3 bytes of data after the end of .reloc (file offsets 0x506000 to 0x506003), the EOF dropper data noted under Binder/Joiner/Crypter |
| Extra Analysis |
| Metric | Value | Percentage of file |
|---|---|---|
| ASCII bytes | 1331589 | 25.2795% |
| Null bytes | 3370335 | 63.9841% |
| NOP cave (0x9090909090) | 68 blocks | 0.0032% |

Nearly two thirds of the file is null bytes, which is consistent with the low whole-file entropy of 3.81244 given under Packer/Compiler.
© 2026 All rights reserved.