PREMIUM PESCAN.IO - Analysis Report
| File Structure |
PE Chart Code
Header PE (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header
Chart Code For Other Files
Printable characters (blue)
Non-printable characters (black)
| Information |
| Field | Value |
|---|---|
| Size | 85,52 KB |
| SHA-256 Hash | 607F36AC0CEF9C4DCC39B28237DB3CCBC254827DE7EA3A35B09DDEFA267F0E4C |
| SHA-1 Hash | B689B848321247D6B395D6710DD25C8344E2B38A |
| MD5 Hash | 4806737A08B0932C9E854AE94B313C6F |
| Imphash | 0F39F711F3D80D159C72235CAAB9AB6C |
| MajorOSVersion | 4 |
| MinorOSVersion | 0 |
| CheckSum | 0001F531 |
| EntryPoint (rva) | 11F0 |
| SizeOfHeaders | 600 |
| SizeOfImage | 1C000 |
| ImageBase | 64EC0000 |
| Architecture | x86 |
| ExportTable | 8000 |
| ImportTable | 9000 |
| IAT | 90D0 |
| Characteristics | 2106 |
| TimeDateStamp | 69DC7F94 |
| Date | 13/04/2026 5:31:00 |
| File Type | DLL |
| Number Of Sections | 17 |
| ASLR | Enabled |
| Section Names | .text, .data, .rdata, /4, .bss, .edata, .idata, .tls, .reloc, /14, /29, /41, /55, /67, /78, /94, /110 |
| Number Of Executable Sections | 1 |
| Subsystem | Windows Console |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 600 | 2400 | 1000 | 2210 | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | 2A00 | 200 | 4000 | E4 | | |
| .rdata | 0x40000040 Initialized Data Readable | 2C00 | 400 | 5000 | 388 | | |
| /4 | 0x40000040 Initialized Data Readable | 3000 | C00 | 6000 | AE4 | | |
| .bss | 0xC0000080 Uninitialized Data Readable Writeable | 0 | 0 | 7000 | A4 | | |
| .edata | 0x40000040 Initialized Data Readable | 3C00 | 200 | 8000 | 86 | | |
| .idata | 0x40000040 Initialized Data Readable | 3E00 | 600 | 9000 | 404 | | |
| .tls | 0xC0000040 Initialized Data Readable Writeable | 4400 | 200 | A000 | 8 | | |
| .reloc | 0x42000040 Initialized Data GP-Relative Readable | 4600 | 400 | B000 | 258 | | |
| /14 | 0x42000040 Initialized Data GP-Relative Readable | 4A00 | 200 | C000 | 1B8 | | |
| /29 | 0x42000040 Initialized Data GP-Relative Readable | 4C00 | 6A00 | D000 | 6955 | | |
| /41 | 0x42000040 Initialized Data GP-Relative Readable | B600 | 1600 | 14000 | 15A7 | | |
| /55 | 0x42000040 Initialized Data GP-Relative Readable | CC00 | 1800 | 16000 | 16CC | | |
| /67 | 0x42000040 Initialized Data GP-Relative Readable | E400 | 200 | 18000 | FE | | |
| /78 | 0x42000040 Initialized Data GP-Relative Readable | E600 | A00 | 19000 | 980 | | |
| /94 | 0x42000040 Initialized Data GP-Relative Readable | F000 | C00 | 1A000 | A68 | | |
| /110 | 0x42000040 Initialized Data GP-Relative Readable | FC00 | 200 | 1B000 | 1B0 | | |
| Entry Point |
Section number (1) (.text) contains the Entry Point. EntryPoint (calculated): 7F0. Code bytes at the entry point: 8D4C240483E4F0FF71FC5589E55756535183EC288B59048B39C7056070EC64000000008B7108891DC840EC6485DB7558A10C

Assembler:

```asm
LEA ECX, [ESP + 4]
AND ESP, 0XFFFFFFF0
PUSH DWORD PTR [ECX - 4]
PUSH EBP
MOV EBP, ESP
PUSH EDI
PUSH ESI
PUSH EBX
PUSH ECX
SUB ESP, 0X28
MOV EBX, DWORD PTR [ECX + 4]
MOV EDI, DWORD PTR [ECX]
MOV DWORD PTR [0X64EC7060], 0
MOV ESI, DWORD PTR [ECX + 8]
MOV DWORD PTR [0X64EC40C8], EBX
TEST EBX, EBX
JNE 0X1088
```
| Signatures |
| Certificate - Digital Signature Not Found: • The file is not signed |
| Packer/Compiler |
| Detect It Easy (die) • Entropy: 5.52846 |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
| ET Functions (carving) |
| Original Name -> l3.dll DllCanUnloadNow DllGetActivationFactory StartApplication |
| File Access |
| • msvcrt.dll • KERNEL32.dll • l3.dll • libgcc_s_dw2-1.dll • .dat • \Users\Public\readme.DAT |
| Words of Interest |
| • Encrypt • Decrypt • exec • start • pause |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (VirtualProtect) |
| Intelligent String |
| • .bss • @.bss • @.tls • C:\Users\Public\readme.DAT • KERNEL32.dll • msvcrt.dll • .tls |
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 94E | 64EC90F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 964 | 64EC9104 | .text | CALL [static] | Indirect call to absolute memory address |
| A04 | 64EC90E4 | .text | CALL [static] | Indirect call to absolute memory address |
| ABC | 64EC90F4 | .text | CALL [static] | Indirect call to absolute memory address |
| C9A | 64EC90E8 | .text | CALL [static] | Indirect call to absolute memory address |
| D0A | 64EC90E8 | .text | CALL [static] | Indirect call to absolute memory address |
| D5A | 64EC90E8 | .text | CALL [static] | Indirect call to absolute memory address |
| DB2 | 64EC90E8 | .text | CALL [static] | Indirect call to absolute memory address |
| E3A | 64EC7030 | .text | CALL [static] | Indirect call to absolute memory address |
| FBE | 64EC90D4 | .text | CALL [static] | Indirect call to absolute memory address |
| FDD | 64EC90EC | .text | CALL [static] | Indirect call to absolute memory address |
| 1070 | 64EC9108 | .text | CALL [static] | Indirect call to absolute memory address |
| 1084 | 64EC90D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 10BD | 64EC90D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1149 | 64EC90D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1263 | 64EC9104 | .text | CALL [static] | Indirect call to absolute memory address |
| 129B | 64EC90F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1379 | 64EC90E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 14C2 | 64EC90E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1645 | 64EC911C | .text | CALL [static] | Indirect call to absolute memory address |
| 1651 | 64EC7030 | .text | CALL [static] | Indirect call to absolute memory address |
| 1818 | 64EC90E0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B0B | 64EC9118 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B73 | 64EC9114 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B80 | 64EC90F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1F0E | 64EC90DC | .text | CALL [static] | Indirect call to absolute memory address |
| 1F5C | 64EC9100 | .text | CALL [static] | Indirect call to absolute memory address |
| 1FB2 | 64EC90DC | .text | CALL [static] | Indirect call to absolute memory address |
| 1FD0 | 64EC9100 | .text | CALL [static] | Indirect call to absolute memory address |
| 2017 | 64EC90DC | .text | CALL [static] | Indirect call to absolute memory address |
| 2067 | 64EC9100 | .text | CALL [static] | Indirect call to absolute memory address |
| 213C | 64EC90D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 2177 | 64EC90FC | .text | CALL [static] | Indirect call to absolute memory address |
| 2780 | 64EC9124 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2788 | 64EC9128 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2790 | 64EC912C | .text | JMP [static] | Indirect jump to absolute memory address |
| 2798 | 64EC9130 | .text | JMP [static] | Indirect jump to absolute memory address |
| 27A0 | 64EC9134 | .text | JMP [static] | Indirect jump to absolute memory address |
| 27A8 | 64EC9138 | .text | JMP [static] | Indirect jump to absolute memory address |
| 27B0 | 64EC913C | .text | JMP [static] | Indirect jump to absolute memory address |
| 27B8 | 64EC9140 | .text | JMP [static] | Indirect jump to absolute memory address |
| 27C0 | 64EC9144 | .text | JMP [static] | Indirect jump to absolute memory address |
| 27C8 | 64EC9148 | .text | JMP [static] | Indirect jump to absolute memory address |
| 27D0 | 64EC914C | .text | JMP [static] | Indirect jump to absolute memory address |
| 27D8 | 64EC9150 | .text | JMP [static] | Indirect jump to absolute memory address |
| 27E0 | 64EC9154 | .text | JMP [static] | Indirect jump to absolute memory address |
| 27E8 | 64EC9158 | .text | JMP [static] | Indirect jump to absolute memory address |
| 27F0 | 64EC915C | .text | JMP [static] | Indirect jump to absolute memory address |
| 3A0F | 0 | /4 | CALL [static] | Indirect call to absolute memory address |
| 3A3F | 0 | /4 | JMP [static] | Indirect jump to absolute memory address |
| 1858-187F | N/A | .text | | Unusual NOPS space, count: 40 |
| 2F74 | 2390 | .rdata | TLS Callback | Pointer to 64EC2390 - 0x1990 .text |
| 2F78 | 2350 | .rdata | TLS Callback | Pointer to 64EC2350 - 0x1950 .text |
| FE00 | N/A | *Overlay* | 2E66696C6500000022000000FEFF000067016372 | .file...".......g.cr |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 45349 | 51,7872% |
| Null Byte Code | 28127 | 32,1202% |
| NOP Cave Found | 0x9090909090 (Block Count: 27) | Total: 0,0771% |
© 2026 All rights reserved.