PESCAN.IO - Analysis Report
File Structure: (file-structure image not included in this copy of the report)
Information:
Field | Value |
---|---|
Size | 363,00 KB |
SHA-256 Hash | DFD51A30C7BC3C5941D26E2C00D7FCD88C779DF583EAD1E9A93319F820D7BDB5 |
SHA-1 Hash | 7333900C35991607B282D6D8872D73516A6711F6 |
MD5 Hash | 37C9DD078348D82F43416139D3A3A31B |
Imphash | B4AA0644CCED24BDF6C7A44F9D97B720 |
MajorOSVersion | 6 |
CheckSum | 00000000 |
EntryPoint (rva) | 2998 |
SizeOfHeaders | 400 |
SizeOfImage | 5F000 |
ImageBase | 0000000180000000 |
Architecture | x64 |
ExportTable | 5080 |
ImportTable | 54C4 |
Characteristics | 2022 |
TimeDateStamp | 67F68B6F |
Date | 09/04/2025 14:59:59 |
File Type | DLL |
Number Of Sections | 6 |
ASLR | Disabled |
Section Names (Optional Header) | .text, .rdata, .data, .pdata, .rsrc, .reloc |
Number Of Executable Sections | 1 |
Subsystem | Windows GUI |
Sections Info:
Section Name | Flags | ROffset | RSize | VOffset | VSize |
---|---|---|---|---|---|
.text | 60000020 (Executable) | 400 | 2800 | 1000 | 2748 |
.rdata | 40000040 | 2C00 | 1C00 | 4000 | 1A54 |
.data | C0000040 (Writeable) | 4800 | 200 | 6000 | 7B0 |
.pdata | 40000040 | 4A00 | 400 | 7000 | 354 |
.rsrc | 40000040 | 4E00 | 55C00 | 8000 | 55AF8 |
.reloc | 42000040 | 5AA00 | 200 | 5E000 | 50 |
Entry Point:
Section number 1 contains the entry point. EntryPoint (calculated file offset): 1D98
Code -> 48895C24084889742410574883EC20498BF88BDA488BF183FA017505E8D70100004C8BC78BD3488BCE488B5C2430488B7424
• MOV QWORD PTR [RSP + 8], RBX
• MOV QWORD PTR [RSP + 0X10], RSI
• PUSH RDI
• SUB RSP, 0X20
• MOV RDI, R8
• MOV EBX, EDX
• MOV RSI, RCX
• CMP EDX, 1
• JNE 0X1021
• CALL 0X11F8
• MOV R8, RDI
• MOV EDX, EBX
• MOV RCX, RSI
• MOV RBX, QWORD PTR [RSP + 0X30]
Signatures:
Rich Signature Analyzer:
• Code -> B246806CF627EE3FF627EE3FF627EE3FFF5F7D3FFE27EE3FB95BEF3EF427EE3FB95BEB3EE727EE3FB95BEA3EFE27EE3FB95BED3EF227EE3F2555EF3EF527EE3FF627EF3FD927EE3F375BE73EF127EE3F375BEE3EF727EE3F375B113FF727EE3F375BEC3EF727EE3F52696368F627EE3F
• Footprint md5 Hash -> 112B97359180897A2D48680EE0786334
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed
Packer/Compiler:
Detect It Easy (die):
• PE+(64): compiler: Microsoft Visual C/C++(-)[-]
• PE+(64): linker: Microsoft Linker(14.34**)[DLL64]
• Entropy: 7.88202
Suspicious Functions:
Library | Function | Description |
---|---|---|
KERNEL32.DLL | CreateToolhelp32Snapshot | Creates a snapshot of the specified processes, heaps, threads, and modules. |
KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
Export Table (ET) Functions (carving):
Original Name -> wwlib.dll
Every listed export is a forwarder to a module named version_ori; the export names are those of the Windows version.dll API.
Export | Forwarded To |
---|---|
GetFileVersionInfoA | version_ori.GetFileVersionInfoA |
GetFileVersionInfoByHandle | version_ori.GetFileVersionInfoByHandle |
GetFileVersionInfoExA | version_ori.GetFileVersionInfoExA |
GetFileVersionInfoExW | version_ori.GetFileVersionInfoExW |
GetFileVersionInfoSizeA | version_ori.GetFileVersionInfoSizeA |
GetFileVersionInfoSizeExA | version_ori.GetFileVersionInfoSizeExA |
GetFileVersionInfoSizeExW | version_ori.GetFileVersionInfoSizeExW |
GetFileVersionInfoSizeW | version_ori.GetFileVersionInfoSizeW |
GetFileVersionInfoW | version_ori.GetFileVersionInfoW |
VerFindFileA | version_ori.VerFindFileA |
VerFindFileW | version_ori.VerFindFileW |
VerInstallFileA | version_ori.VerInstallFileA |
VerInstallFileW | version_ori.VerInstallFileW |
VerLanguageNameA | version_ori.VerLanguageNameA |
VerLanguageNameW | version_ori.VerLanguageNameW |
VerQueryValueA | version_ori.VerQueryValueA |
VerQueryValueW | version_ori.VerQueryValueW |
File Access:
• \Windows\explorer.exe
• \Program Files\Internet Explorer\iexplore.exe
• explorer.exe
• api-ms-win-crt-heap-l1-1-0.dll
• api-ms-win-crt-runtime-l1-1-0.dll
• api-ms-win-crt-convert-l1-1-0.dll
• api-ms-win-crt-string-l1-1-0.dll
• VCRUNTIME140.dll
• KERNEL32.dll
• wwlib.dll
• PDF Viewer - Document.pdf
File Access (UNICODE):
• NtAllocateVirtualMemory
• ntdll.dll
• kernel32.dll
• kernelbase.dll
Interesting Words:
• exec
• attrib
Payloads:
Unusual BP Cave > 15 Bytes - (0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...) |
Strings/Hex Code Found With The File Rules:
• Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent)
• Rule Text (Ascii): Anti-Analysis VM (CreateToolhelp32Snapshot)
• Rule Text (Ascii): Stealth (NtWriteVirtualMemory)
• Rule Text (Ascii): Execution (CreateProcessA)
• EP Rules: Microsoft Visual C++ 8.0 (DLL)
Resources:
Path | DataRVA | Size | FileOffset | Code | Text |
---|---|---|---|---|---|
\DATA\115\2057 | 8070 | 55A88 | 4E70 | D5C549D8CC2484225A1263E5EE3F926997F33593F1F014A8581A23B2D06288E4C558D948B404037E7E42BD6BF1F38A0C8281 | ..I..$."Z.c..?.i..5.....X...b...X.H...~~B.k...... |
Intelligent String:
• PDF Viewer - Document.pdf
• explorer.exe
• C:\Program Files\Internet Explorer\iexplore.exe
• C:\Windows\explorer.exe
• kernel32.dll
• kernelbase.dll
• .bss
• VCRUNTIME140.dll
• api-ms-win-crt-string-l1-1-0.dll
• api-ms-win-crt-convert-l1-1-0.dll
• api-ms-win-crt-runtime-l1-1-0.dll
• api-ms-win-crt-heap-l1-1-0.dll
Extra 4n4lysis:
Metric | Value | Percentage |
---|---|---|
Ascii Code | 254640 | 68,5046% |
Null Byte Code | 8612 | 2,3168% |