PESCAN.IO - Analysis Report Basic

| File Structure |

PE chart legend (chart image not included): executable header (light blue); executable sections (pink); non-executable sections (black); external injected code (red); file structure drawn in red = malformed or corrupted header.

Chart legend for other files: printable characters (blue); non-printable characters (black).
| Information |

| Field | Value |
|---|---|
| Size | 2,91 MB |
| SHA-256 Hash | 5753F0779534C179726A88F7517DAB399655F052F4F6C4A8CA98143762E62803 |
| SHA-1 Hash | 9C1C9DBC95FFF61F88006FB00C4189CF1D4AFAFD |
| MD5 Hash | 43361C2D5CE888FFAE0B9CA4E063F6B5 |
| Imphash | F34D5F2D4577ED6D9CEEC516C1F5A744 |
| MajorOSVersion | 4 |
| MinorOSVersion | 0 |
| CheckSum | 00000000 |
| EntryPoint (rva) | 489AB7 |
| SizeOfHeaders | 400 |
| SizeOfImage | 61A000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ImportTable | 3335BC |
| IAT | 32E000 |
| Characteristics | 22 |
| TimeDateStamp | 682F35F6 |
| Date | 22/05/2025 14:34:30 |
| File Type | EXE |
| Number Of Sections | 6 |
| ASLR | Disabled |
| Section Names | .text, .Denuvo0, .Denuvo1, .Denuvo2, .rsrc, .reloc |
| Number Of Executable Sections | 3 |
| Subsystem | Windows GUI |
| Note | Incomplete Binary or Compressor Packer - 3,19 MB Missing |

| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 0 | 0 | 2000 | 1902C0 | | |
| .Denuvo0 | 60000020 (Code, Executable, Readable) | 0 | 0 | 194000 | 1995CB | | |
| .Denuvo1 | C0000040 (Initialized Data, Readable, Writeable) | 400 | 200 | 32E000 | 8 | | |
| .Denuvo2 | 60000020 (Code, Executable, Readable) | 600 | 2C5C00 | 330000 | 2C5B1C | | |
| .rsrc | 40000040 (Initialized Data, Readable) | 2C6200 | 21E00 | 5F6000 | 21CD4 | | |
| .reloc | 42000040 (Initialized Data, GP-Relative, Readable) | 2E8000 | 200 | 618000 | C | | |

| Description |

| Field | Value |
|---|---|
| OriginalFilename | IMMO OFF TOOL.exe |
| CompanyName | IMMO OFF TOOL |
| LegalCopyright | Copyright 2025 |
| ProductName | IMMO OFF TOOL |
| FileVersion | 1.0.0.0 |
| FileDescription | IMMO OFF TOOL |
| ProductVersion | 1.0.0.0 |
| Comments | IMMO OFF TOOL |
| Language | Unknown (ID=0x0) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |

| Entry Point |

Section 4 (.Denuvo2) contains the Entry Point.

| Field | Value |
|---|---|
| EntryPoint (calculated) | 15A0B7 |
| Code | FF2500E07200E626F34D755C2ECD1FAAE46A5E1EBEFD466ED8FF16F8FF2C79A986A5A370999304476865A1B554F9DCA1A585 |
| Note | EP changed to another address -> (Address Of EntryPoint > Base Of Data) |

Assembler:
• JMP DWORD PTR [0X72E000]
• OUT 0X26, AL
• DEC EBP
• JNE 0X1068
• INT 0X1F
• STOSB BYTE PTR ES:[EDI], AL
• IN AL, 0X6A
• POP ESI
• PUSH DS
• MOV ESI, 0XD86E46FD
• CALL DWORD PTR [ESI]
• CLC
• LJMP [ECX + EDI*2]
• TEST EAX, 0X70A3A586
• CDQ
• XCHG EAX, EBX
• ADD AL, 0X47
• PUSH 0X54B5A165
• STC

| Signatures |
| Certificate - Digital Signature Not Found: • The file is not signed |
| Packer/Compiler |

| Field | Value |
|---|---|
| Compiler | Microsoft Visual .NET - (You can use a decompiler for this...) |
| AnyCPU | False |
| Version | v4.0 |
| Obfuscator | Agile .NET Obfuscator |
| Detect It Easy (die) | PE: library: .NET(v4.0.30319)[-]; PE: linker: Microsoft Linker(48.0)[-] |
| Entropy | 7.92474 |

| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleHandle | Retrieves a handle to the specified module. |
| File Access |
| • IMMO OFF TOOL.exe • ntdll.dll • kernel32.dll • mscoree.dll • Temp |
| File Access (UNICODE) |
| IMMO OFF TOOL.exe |
| Words of Interest |
| • Decrypt • exec • attrib • start • expand • replace |
| IP Addresses |
| • 16.0.0.0 • 16.10.0.0 |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | Encryption (FromBase64String) |
| Text | Ascii | Encryption (MD5CryptoServiceProvider) |
| Text | Ascii | Encryption (ToBase64String) |
| Text | Ascii | Keyboard Key (Scroll) |
| Text | Ascii | Technique used to make malicious code harder to analyze (Obfuscation) |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\0 | 5F60C8 | 21868 | 2C62C8 | 28000000000100000401000001002000000000000008020000000000000000000000000000000000FEFEFEFFFEFEFEFFFEFE | (............. ................................... |
| \GROUP_ICON\32512\0 | 617940 | 14 | 2E7B40 | 0000010001000082000001002000681802000100 | ............ .h..... |
| \VERSION\1\0 | 617964 | 36C | 2E7B64 | 6C0334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | l.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| Intelligent String |
| • 1.0.0.0 • IMMO OFF TOOL.exe • repair.bin • 1Text Files (*.bin)\|*.bin • key.dnv |
| Flow Anomalies |
| Offset | RVA | Section | Instruction | Description |
|---|---|---|---|---|
| 91FD | 5E9BA012 | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 1F12A | 5E9BA012 | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 2F784 | 270BC8B4 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 3A998 | 270BC8B4 | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 473D3 | 5DE3D51C | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 492E9 | 2275E327 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 51B71 | 7E75155E | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 523EE | 41E92073 | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 5C6BF | 41E92073 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 5EDF7 | 41E92073 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 6DE63 | 1B47390 | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 7129A | 1B47390 | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 78B49 | 1B47390 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 7DB40 | BB17620 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 7F5E0 | BB17620 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 81847 | 6775B83A | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 86195 | 5CBA3C3C | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| A207C | 3A636F3 | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| A38C7 | 3EE4F529 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| ACA1F | 3EE4F529 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| BCE27 | 570789E6 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| BE042 | 570789E6 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| D241C | 4F87FB59 | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| E260A | 4F87FB59 | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| EDF5B | 236A53C0 | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| EF9D6 | 236A53C0 | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| F106B | 438735E8 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| F1DD5 | 438735E8 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| F4B8B | 438735E8 | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| F728F | 3DD0D78E | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| F9EED | 3DD0D78E | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| FA04B | 41400C9A | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| FF6C4 | 2EA75E8D | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 10222C | 2EA75E8D | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 1104A0 | 2EA75E8D | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 11131D | 4ADB1745 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 112D2E | 4ADB1745 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 11AF3F | 4ADB1745 | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 12474A | 4ADB1745 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 125107 | 4ADB1745 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 1273C4 | 6F970ED8 | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 128E7A | 6F970ED8 | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 128E94 | 6F30959A | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 12FFE5 | 6F30959A | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 1311AC | 6F30959A | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 137416 | 5224266E | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 142269 | 2577C8DF | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 146BE4 | 39B3A855 | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 14A5C5 | 520E0FC3 | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 14CE83 | 2274363C | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 154CBD | 2274363C | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 15A0B7 | 72E000 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 16258D | 72E000 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 1637CF | 72E000 | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 17A203 | 6794C1B3 | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 17AEB1 | 6794C1B3 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 180405 | 6794C1B3 | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 18D2D1 | 6794C1B3 | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 18E172 | 26D8C602 | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 19A211 | 479A8F90 | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 1A4CB5 | 479A8F90 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 1A50F1 | 50D3795D | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 1AD38B | 41775149 | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 1AD58B | 41775149 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 1BCA22 | 42561252 | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 1C090B | 42561252 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 1C180C | 75C445B7 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 1C2FBA | 6512C18E | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 1CE592 | 6512C18E | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 1D480A | 59D35F39 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 1D717C | 59D35F39 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 1DDE3F | 219EBEA5 | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 1DF796 | 219EBEA5 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 1E3391 | 63312122 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 1EB960 | 63312122 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 1F9EED | 63312122 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 21788E | 5319E2EE | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 227C73 | 5319E2EE | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 22B4D0 | 5319E2EE | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 22CE1C | 5AB1056E | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 236C91 | 3471BC52 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 23FEF5 | 654C7B50 | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 2403E1 | 3D4B6F0E | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 242793 | 3D4B6F0E | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 253140 | 336E30F2 | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 253267 | 50EE90CB | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 256B8E | 38E6B6D | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 258375 | 38E6B6D | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 25F0DF | 7F48D93D | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 265555 | 7F48D93D | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 268F99 | 1A11198A | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 26F7BC | 3D50952B | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 27A1BC | 2A72056B | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 27B429 | 2A72056B | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 27D1D5 | C5D7764 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 27F5AD | C5D7764 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 283C04 | 61551688 | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 285B70 | 63039B19 | .Denuvo2 | JMP [static] | Indirect jump to absolute memory address |
| 288F74 | 2C4AD09F | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 28D7FC | 3296E68 | .Denuvo2 | CALL [static] | Indirect call to absolute memory address |
| 600-2C61FF | 330000 | .Denuvo2 | | Executable section anomaly, first bytes: EDC833ED65E7C233 |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 2002202 | 65,6904% |
| Null Byte Code | 61797 | 2,0275% |