PESCAN.IO - Analysis Report Valid Code

File Structure: (analysis image not rendered in this extract)
Information:
Size: 1,05 MB
SHA-256 Hash: 856991BA177F3A8A3D5209551D2074A198FCC6AA6F5B1E4280ED53B07271FFDD
SHA-1 Hash: F02E808C40257B83DAAE79ACACD2DA12DB595921
MD5 Hash: 408192A358AF4CF90216A134BD4C0AD0
Imphash: 231E4C5D9FA7D8178AC0E68A75A85072
MajorOSVersion: 6
CheckSum: 00000000
EntryPoint (rva): B25E0
SizeOfHeaders: 400
SizeOfImage: 115000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: 102B64
Characteristics: 22
TimeDateStamp: 6892288A
Date: 05/08/2025 15:51:38
File Type: EXE
Number Of Sections: 8
ASLR: Disabled
Section Names (Optional Header): .text, .rdata, .data, .pdata, _RDATA, .fptable, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: highestAvailable

Sections Info:
Section   Flags                   ROffset  RSize  VOffset  VSize
.text     60000020 (Executable)   400      D7C00  1000     D7B7C
.rdata    40000040                D8000    2AA00  D9000    2A9F2
.data     C0000040 (Writeable)    102A00   2600   104000   5390
.pdata    40000040                105000   7000   10A000   6F3C
_RDATA    40000040                10C000   200    111000   F4
.fptable  C0000040 (Writeable)    10C200   200    112000   100
.rsrc     40000040                10C400   200    113000   1E8
.reloc    42000040                10C600   E00    114000   C90
Entry Point:
Section 1 (.text) contains the Entry Point
Information -> EntryPoint (calculated) - B19E0
Code -> 4883EC28E8570A00004883C428E97AFEFFFFCCCC4883EC284D8B4138488BCA498BD1E80D000000B8010000004883C428C3CC
SUB RSP, 0X28
CALL 0X1A60
ADD RSP, 0X28
JMP 0XE8C
INT3
INT3
SUB RSP, 0X28
MOV R8, QWORD PTR [R9 + 0X38]
MOV RCX, RDX
MOV RDX, R9
CALL 0X1034
MOV EAX, 1
ADD RSP, 0X28
RET
INT3

Signatures:
Rich Signature Analyzer:
Code -> 3045814D7424EF1E7424EF1E7424EF1E00A5EA1FC124EF1E00A5EB1F6124EF1E00A5EC1F7F24EF1E7424EF1E7524EF1E124B121E7024EF1E2651EB1F6424EF1E2651EC1F7E24EF1EBB51EB1F0624EF1E2651EA1F2124EF1E00A5EE1F7D24EF1E7424EE1EC724EF1EBB51E61F7524EF1EBB51101E7524EF1EBB51ED1F7524EF1E526963687424EF1E
Footprint md5 Hash -> 8FC13A2ECB2E33E602D0921F8AACBDF3
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:
Detect It Easy (die)
PE+(64): compiler: Microsoft Visual C/C++(-)[-]
PE+(64): linker: Microsoft Linker(14.29**)[EXE64]
Entropy: 6.50443

Suspicious Functions:
Library       Function            Description
KERNEL32.DLL  WriteFile           Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL  GetProcAddress      Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL  IsDebuggerPresent   Determines if the calling process is being debugged by a user-mode debugger.
URLMON.DLL    URLDownloadToFileA  Downloads a file from the internet and saves it to a local file.
ADVAPI32.DLL  CryptEncrypt        Performs a cryptographic operation on data in a data block.
File Access:
.exe
u8.exe
urlmon.dll
bcrypt.dll
SHELL32.dll
KERNEL32.dll
.dll
.ini

File Access (UNICODE):
kernel32.dll
mscoree.dll

Words of Interest:
Encrypt
exec
attrib
start
cipher
ping

URLs:
http://38.246.248.140/0805/110.217.zip

IP Addresses:
38.246.248.140

Strings/Hex Code Found With The File Rules:
Rule Text (Ascii): WinAPI Sockets (connect)
Rule Text (Ascii): File (CreateFile)
Rule Text (Ascii): File (WriteFile)
Rule Text (Ascii): File (ReadFile)
Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent)
Rule Text (Ascii): Stealth (VirtualProtect)
Rule Text (Ascii): Execution (CreateProcessA)
Rule Text (Ascii): Malicious code executed after exploiting a vulnerability (Payload)
EP Rules: Microsoft Visual C++ 8.0 (DLL)
EP Rules: PE-Exe Executable Image

Resources:
Path        DataRVA  Size  FileOffset
\24\1\1033  113060   184   10C460
Code -> 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779
Text -> <?xml version='1.0' encoding='UTF-8' standalone='y
Intelligent String:
• kernel32.dll
• (www.memtest86.com). At the time of writing it is free (GPLd).
• mscoree.dll
• .exe
• .dll
• .xml
• .log
• .ini
• .bak
• .tmp
• .dat
• .cfg
• http://38.246.248.140/0805/110.217.zip
• .tls
• .bss
• KERNEL32.dll
• urlmon.dll

Extra 4n4lysis:
Metric          Value   Percentage
Ascii Code      678851  61,5544%
Null Byte Code  163821  14,8544%
© 2025 All rights reserved.