PESCAN.IO - Analysis Report Basic

File Structure
PE Chart Code
Executable header (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header
Chart Code For Other Files
Printable characters (blue)
Non-printable characters (black)
Information
Size: 1,87 MB
SHA-256 Hash: 5EAF998FB8D4F7B74C441E8011430F3C4BC01DF1F889A3BF88967836EEF2C01A
SHA-1 Hash: 213890713A3D6E1114F6E8021D4027DC9BF0B55D
MD5 Hash: 39082448D97ECDFC389DB325A2171503
Imphash: ADDD10C7C0D1C8F966E372D0FFBBCBB7
MajorOSVersion: 1
MinorOSVersion: 0
CheckSum: 001EAFAA
EntryPoint (rva): A5F8
SizeOfHeaders: 400
SizeOfImage: 14000
ImageBase: 400000
Architecture: x86
ImportTable: D000
Characteristics: 818F
TimeDateStamp: 2A425E19
Date: 19/06/1992 22:22:17
File Type: EXE
Number Of Sections: 8
ASLR: Enabled
Section Names: CODE, DATA, BSS, .idata, .tls, .rdata, .reloc, .rsrc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker
Sections Info
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| CODE | 60000020 (Code, Executable, Readable) | 400 | 9E00 | 1000 | 9D30 | 6,6317 | 253582,75 |
| DATA | C0000040 (Initialized Data, Readable, Writeable) | A200 | 400 | B000 | 250 | 2,7547 | 113115,00 |
| BSS | C0000000 (Readable, Writeable) | A600 | 0 | C000 | E90 | N/A | N/A |
| .idata | C0000040 (Initialized Data, Readable, Writeable) | A600 | A00 | D000 | 950 | 4,4307 | 90263,40 |
| .tls | C0000000 (Readable, Writeable) | B000 | 0 | E000 | 8 | N/A | N/A |
| .rdata | 50000040 (Initialized Data, Discardable, Readable) | B000 | 200 | F000 | 18 | 0,2045 | 125001,00 |
| .reloc | 50000040 (Initialized Data, Discardable, Readable) | 0 | 0 | 10000 | 8C4 | N/A | N/A |
| .rsrc | 50000040 (Initialized Data, Discardable, Readable) | B200 | 2C00 | 11000 | 2C00 | 4,5996 | 491032,27 |
Description
CompanyName: NoVirusThanks Company Srl
ProductName: NoVirusThanks Driver Radar Pro
FileVersion: 1.7.1.0
FileDescription: NoVirusThanks Driver Radar Pro Setup
ProductVersion: 1.7.1.0
Comments: This installation was built with Inno Setup.
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)
Binder/Joiner/Crypter
Dropper code detected (EOF) - 1,80 MB
Entry Point
Section number 1 (CODE) contains the Entry Point.
EntryPoint (calculated): 99F8
Code: 558BEC83C4C453565733C08945F08945DCE8CE8AFFFFE8D59CFFFFE8649FFFFFE807A0FFFFE8A6BFFFFFE811E9FFFFE878EA
• PUSH EBP
• MOV EBP, ESP
• ADD ESP, -0X3C
• PUSH EBX
• PUSH ESI
• PUSH EDI
• XOR EAX, EAX
• MOV DWORD PTR [EBP - 0X10], EAX
• MOV DWORD PTR [EBP - 0X24], EAX
• CALL 0XFFFF9AE4
• CALL 0XFFFFACF0
• CALL 0XFFFFAF84
• CALL 0XFFFFB02C
• CALL 0XFFFFCFD0
• CALL 0XFFFFF940
Signatures
Certificate - Digital Signature:
• The file is signed and the signature is correct
Packer/Compiler
Detect It Easy (die)
• PE: installer: Inno Setup Module(5.5.7)[-]
• PE: compiler: Borland Delphi(2)[-]
• PE: linker: Turbo Linker(2.25*,Delphi)[-]
• PE: overlay: Inno Setup Installer data(-)[-]
• Entropy: 7.99386

Suspicious Functions
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleFileNameA | Retrieves the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
| KERNEL32.DLL | DeleteFileA | Deletes an existing file. |
| USER32.DLL | CallWindowProcA | Invokes the window procedure for the specified window and messages. |
File Access
advapi32.dll, comctl32.dll, user32.dll, kernel32.dll, oleaut32.dll, shell32.dll, Temp, UserProfile

Interest's Words
Virus, PassWord, exec, attrib, start, shutdown, systeminfo, ping

Interest's Words (UNICODE)
Virus

URLs
• http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
• http://schemas.microsoft.com/SMI/2005/WindowsSettings
• http://crl.globalsign.net/root.crl
• http://crl.globalsign.com/gs/gstimestampingg2.crl
• http://secure.globalsign.com/cacert/gstimestampingg2.crt
• http://crl.globalsign.com/gs/gscodesigng2.crl
• http://secure.globalsign.com/cacert/gscodesigng2.crt
• http://ocsp2.globalsign.com/gscodesigng20
• https://www.globalsign.com/repository/03
• https://www.globalsign.com/repository/

Strings/Hex Code Found With The File Rules
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (accept) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Execution (CreateProcessA) |
| Text | Ascii | Privileges (SeShutdownPrivilege) |
| Text | Ascii | Malicious rerouting of traffic to an attacker-controlled site (Redirect) |
| Entry Point | Hex Pattern | Borland Delphi 4.0 |
| Entry Point | Hex Pattern | fasm - Tomasz Grysztar |
| Entry Point | Hex Pattern | LE-Exe Executable Image |
| Entry Point | Hex Pattern | Stranik 1.3 Modula/C/Pascal |
Resources
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\1043 | 11354 | 128 | B554 | 2800000010000000200000000100040000000000C00000000000000000000000000000000000000000000000008000008000 | (....... ......................................... |
| \ICON\2\1043 | 1147C | 568 | B67C | 2800000010000000200000000100080000000000400100000000000000000000000000000000000000000000800000000080 | (....... ...........@............................. |
| \ICON\3\1043 | 119E4 | 2E8 | BBE4 | 2800000020000000400000000100040000000000800200000000000000000000000000000000000000000000008000008000 | (... ...@......................................... |
| \ICON\4\1043 | 11CCC | 8A8 | BECC | 2800000020000000400000000100080000000000800400000000000000000000000000000000000000000000800000000080 | (... ...@......................................... |
| \STRING\4089\0 | 12574 | 2F2 | C774 | 2100270025007300270020006900730020006E006F007400200061002000760061006C0069006400200069006E0074006500 | !.'.%.s.'. .i.s. .n.o.t. .a. .v.a.l.i.d. .i.n.t.e. |
| \STRING\4090\0 | 12868 | 30C | CA68 | 10004400690076006900730069006F006E0020006200790020007A00650072006F001100520061006E006700650020006300 | ..D.i.v.i.s.i.o.n. .b.y. .z.e.r.o...R.a.n.g.e. .c. |
| \STRING\4091\0 | 12B74 | 2CE | CD74 | 310046006F0072006D006100740020002700250073002700200069006E00760061006C006900640020006F00720020006900 | 1.F.o.r.m.a.t. .'.%.s.'. .i.n.v.a.l.i.d. .o.r. .i. |
| \STRING\4093\0 | 12E44 | 68 | D044 | 03004A0061006E00030046006500620003004D0061007200030041007000720003004D006100790003004A0075006E000300 | ..J.a.n...F.e.b...M.a.r...A.p.r...M.a.y...J.u.n... |
| \STRING\4094\0 | 12EAC | B4 | D0AC | 07004A0061006E00750061007200790008004600650062007200750061007200790005004D00610072006300680005004100 | ..J.a.n.u.a.r.y...F.e.b.r.u.a.r.y...M.a.r.c.h...A. |
| \STRING\4095\0 | 12F60 | AE | D160 | 0300530075006E0003004D006F006E0003005400750065000300570065006400030054006800750003004600720069000300 | ..S.u.n...M.o.n...T.u.e...W.e.d...T.h.u...F.r.i... |
| \RCDATA\11111\0 | 13010 | 2C | D210 | 72446C507453CDE6D77B0B2A01000000DDE11D00122B1A0050F10A006CEEF5C205FC190000DE00003F768523 | rDlPtS...{.*.........+..P...l...........?v. |
| \GROUP_ICON\MAINICON\1033 | 1303C | 3E | D23C | 000001000400101010000100040028010000010010100000010008006805000002002020100001000400E802000003002020000001000800A80800000400 | ..............(.............h..... ............ ............ |
| \VERSION\1\1033 | 1307C | 4F4 | D27C | F40434000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000700 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\1033 | 13570 | 62C | D770 | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="UTF-8" standalone="y |
Intelligent String
• CloseHandleuser32.dll
• .tmp
• kernel32.dll
• .tls
• x:\dirname"
• For more detailed information, please visit http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
• MessageBoxAoleaut32.dll
• CharPrevAcomctl32.dll
• advapi32.dll
• <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>

Flow Anomalies
| Offset | RVA | Section | Instruction / Bytes | Description / Text |
|---|---|---|---|---|
| 57C | 40D120 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 584 | 40D11C | CODE | JMP [static] | Indirect jump to absolute memory address |
| 58C | 40D118 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 594 | 40D114 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 59C | 40D110 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 5A4 | 40D10C | CODE | JMP [static] | Indirect jump to absolute memory address |
| 5AC | 40D108 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 5B4 | 40D128 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 5BC | 40D104 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 5C4 | 40D100 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 5CC | 40D0FC | CODE | JMP [static] | Indirect jump to absolute memory address |
| 5D4 | 40D0F8 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 5DC | 40D0F4 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 5E4 | 40D0F0 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 5EC | 40D0EC | CODE | JMP [static] | Indirect jump to absolute memory address |
| 5F4 | 40D0E8 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 5FC | 40D0E4 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 604 | 40D0E0 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 60C | 40D0DC | CODE | JMP [static] | Indirect jump to absolute memory address |
| 614 | 40D0D8 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 61C | 40D0D4 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 624 | 40D140 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 62C | 40D13C | CODE | JMP [static] | Indirect jump to absolute memory address |
| 634 | 40D138 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 63C | 40D134 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 644 | 40D130 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 64C | 40D0D0 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 654 | 40D0CC | CODE | JMP [static] | Indirect jump to absolute memory address |
| 65C | 40D0C8 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 664 | 40D0C4 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 66C | 40D0C0 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 674 | 40D0BC | CODE | JMP [static] | Indirect jump to absolute memory address |
| 67C | 40D0B8 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 684 | 40D0B4 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 1998 | 40B004 | CODE | CALL [static] | Indirect call to absolute memory address |
| 19B0 | 40B008 | CODE | CALL [static] | Indirect call to absolute memory address |
| 19D1 | 40B00C | CODE | CALL [static] | Indirect call to absolute memory address |
| 19EA | 40B008 | CODE | CALL [static] | Indirect call to absolute memory address |
| 1A03 | 40B004 | CODE | CALL [static] | Indirect call to absolute memory address |
| 2170 | 40C00C | CODE | CALL [static] | Indirect call to absolute memory address |
| 379C | 40D158 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 37A4 | 40D154 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 37AC | 40D150 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 37B4 | 40D14C | CODE | JMP [static] | Indirect jump to absolute memory address |
| 37BC | 40D148 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 37C4 | 40D208 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 37CC | 40D204 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 37D4 | 40D200 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 37DC | 40D1FC | CODE | JMP [static] | Indirect jump to absolute memory address |
| 37E4 | 40D1F8 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 37EC | 40D1F4 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 37F4 | 40D1F0 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 37FC | 40D1EC | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3804 | 40D1E8 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 380C | 40D1E4 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3814 | 40D1E0 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 381C | 40D1DC | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3824 | 40D1D8 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 382C | 40D1D4 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3834 | 40D1D0 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 383C | 40D1CC | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3844 | 40D1C8 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 384C | 40D1C4 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3854 | 40D1C0 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 385C | 40D1BC | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3864 | 40D1B8 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 386C | 40D1B4 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3874 | 40D1B0 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 387C | 40D1AC | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3884 | 40D1A8 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 388C | 40D1A4 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3894 | 40D1A0 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 389C | 40D19C | CODE | JMP [static] | Indirect jump to absolute memory address |
| 38A4 | 40D198 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 38AC | 40D194 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 38B4 | 40D190 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 38BC | 40D18C | CODE | JMP [static] | Indirect jump to absolute memory address |
| 38C4 | 40D188 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 38CC | 40D184 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 38D4 | 40D180 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 38DC | 40D17C | CODE | JMP [static] | Indirect jump to absolute memory address |
| 38E4 | 40D178 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 38EC | 40D174 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 38F4 | 40D170 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 38FC | 40D16C | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3904 | 40D168 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 390C | 40D164 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3914 | 40D160 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 391C | 40D238 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3924 | 40D23C | CODE | JMP [static] | Indirect jump to absolute memory address |
| 392C | 40D234 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3934 | 40D230 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 393C | 40D22C | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3944 | 40D228 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 394C | 40D224 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3954 | 40D220 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 395C | 40D21C | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3964 | 40D218 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 396C | 40D214 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3974 | 40D210 | CODE | JMP [static] | Indirect jump to absolute memory address |
| DE00 | N/A | *Overlay* | 7A6C621A5D00008000002696861DF7F2016B0275 | zlb.].....&......k.u |
Extra Analysis
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 1343637 | 68,4016% |
| Null Byte Code | 19904 | 1,0133% |
© 2026 All rights reserved.