PREMIUM PESCAN.IO - Analysis Report
| File Structure |
| Information |
| Field | Value | Note |
|---|---|---|
| Size | 1.04 MB | |
| SHA-256 | 2411E9AA6EEB0F8F87D6491EC780568C5C853C3702034A3EDC5B366C31BA0EB2 | |
| SHA-1 | D7D44004A812635A4A44AEC341E95C57125ABDD1 | |
| MD5 | 48F4D9A0E8DEFF66C92388A937281218 | |
| Imphash | ACA6F08EE5BEFA37BE16BAC4BC315573 | |
| MajorOSVersion / MinorOSVersion | 6 / 0 | minimum OS Windows Vista / Server 2008 |
| CheckSum | 00000000 | not set; normal for unsigned user-mode binaries |
| EntryPoint (RVA) | BFE5D | in .text; file offset = BFE5D - 1000 + 400 = BF25D |
| SizeOfHeaders | 400 | |
| SizeOfImage | 113000 | |
| ImageBase | 10000000 | |
| Architecture | x86 | |
| ExportTable | 1002B0 | in .rdata |
| ImportTable | 100308 | in .rdata |
| IAT | E7000 | start of .rdata |
| Characteristics | 2102 | EXECUTABLE_IMAGE (0002) + 32BIT_MACHINE (0100) + DLL (2000) |
| TimeDateStamp | 6940F57F | 16/12/2025 06:00:31 UTC |
| File Type | DLL | |
| Number Of Sections | 5 | .text, .rdata, .data, .rsrc, .reloc |
| Number Of Executable Sections | 1 | .text |
| ASLR | Enabled | .reloc present, so the DLL can be rebased |
| Subsystem | Windows GUI | |
All offsets and sizes in this report are hexadecimal unless stated otherwise.
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 400 | E5600 | 1000 | E5598 | 6.6219 | 4857895.77 |
| .rdata | 40000040 (Initialized Data, Readable) | E5A00 | 1A600 | E7000 | 1A462 | 5.9970 | 2120608.86 |
| .data | C0000040 (Initialized Data, Readable, Writeable) | 100000 | 2E00 | 102000 | 8F9C | 2.7511 | 1411932.78 |
| .rsrc | 40000040 (Initialized Data, Readable) | 102E00 | 200 | 10B000 | F8 | 2.5313 | 61549.00 |
| .reloc | 42000040 (Initialized Data, Discardable, Readable) | 103000 | 6800 | 10C000 | 66B0 | 6.6523 | 116991.85 |
The tool labels the 0x02000000 bit of .reloc "GP-Relative"; that bit is IMAGE_SCN_MEM_DISCARDABLE (IMAGE_SCN_GPREL is 0x00008000), and a discardable .reloc is the normal layout for a relocatable DLL. .data maps 8F9C bytes but only 2E00 of them come from the file, so roughly 25 KB of it is zero-filled at load time. An entropy of 6.6 in .text is the usual range for unpacked compiled code; nothing in the section layout points at a packer.
| Entry Point |
| Entry Point |
The entry point is in section 1 (.text): RVA BFE5D, which is file offset BF25D (the report's "EntryPoint (calculated)" is that file offset: RVA - .text VOffset 1000 + .text ROffset 400). Bytes at the entry point:
558BEC837D0C017505E8E7030000FF7510FF750CFF7508E8AEFEFFFF83C40C5DC20C00836104008BC183610800C741048C75
• PUSH EBP
• MOV EBP, ESP
• CMP DWORD PTR [EBP + 0xC], 1
• JNE 0x100E
• CALL 0x13F5
• PUSH DWORD PTR [EBP + 0x10]
• PUSH DWORD PTR [EBP + 0xC]
• PUSH DWORD PTR [EBP + 8]
• CALL 0xECA
• ADD ESP, 0xC
• POP EBP
• RET 0xC
• AND DWORD PTR [ECX + 4], 0
• MOV EAX, ECX
• AND DWORD PTR [ECX + 8], 0
Two things to keep in mind when reading the listing. First, it was disassembled with a base of 0x1000 rather than the real RVA (the JNE at listing offset 0x1007 with displacement 5 lands on 0x100E), so its branch targets are not RVAs; translated with ENTRY_RVA + (target - 0x1000) they are BFE6B for 0x100E, C0252 for 0x13F5 and BFD27 for 0xECA. Second, the code is the VC runtime's _DllMainCRTStartup thunk, not malware logic: it compares fdwReason ([EBP+0xC]) with DLL_PROCESS_ATTACH (1), calls the /GS cookie initialiser (__security_init_cookie) when they match, then passes (hinstDLL, fdwReason, lpvReserved) to the CRT's dllmain_dispatch and returns with RET 0xC. The three instructions after RET 0xC already belong to the next function. The interesting behaviour is reached through the DLL's exports, not through the entry point.
| Signatures |
Rich Signature Analyzer (raw, still XOR-encoded header, bytes in file order): 5093687614F2062514F2062514F206250099052405F2062500990324A5F206250099022403F206254687032456F206254687022404F206254687052403F206250099072419F2062514F20725AAF20625D8870F2410F20625D887062415F20625D887F92515F20625D887042415F206255269636814F20625
Footprint MD5 hash: 37847CA310CBB78EB00E2ABC55EE9EA0
• The Rich header apparently has not been modified: the DanS marker and the three zero padding DWORDs decode cleanly with the XOR key 2506F214 stored after "Rich".
• Decoding gives 12 comp-id entries with toolset build numbers 27412, 30034 and 30156 plus an Import0 entry (product ID 1) with count 190. Builds in this range belong to the Visual Studio 2017/2019 toolsets, which agrees with the 14.29 linker that DIE reports below and contradicts the "Visual C++ 6" compiler label.
Certificate - Digital Signature Not Found:
• The file is not signed.
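To check the Rich-header verdict above rather than take the tool's word for it, here is an added decoder (example code written for this page, not pescan.io's analyzer) that XOR-decodes the blob exactly as printed: it locates the "Rich" marker, takes the following DWORD as the key, verifies the DanS marker and the three zero padding DWORDs, and splits each comp-id into product ID, build number and object count. Only the blob and the DanS/Rich layout come from the report; treating product ID 1 as the Import0 entry is the conventional reading, and mapping the remaining product IDs to tool names needs a separate lookup table that this script deliberately does not include.

```python
import struct

# The "Rich Signature Analyzer" hex blob from the report, copied verbatim
# (bytes in file order; every 8 hex characters form one little-endian DWORD).
RICH_HEX = (
    "5093687614F2062514F2062514F206250099052405F2062500990324A5F20625"
    "0099022403F206254687032456F206254687022404F206254687052403F20625"
    "0099072419F2062514F20725AAF20625D8870F2410F20625D887062415F20625"
    "D887F92515F20625D887042415F206255269636814F20625"
)

DANS = 0x536E6144  # b"DanS" read as a little-endian DWORD
RICH = 0x68636952  # b"Rich" read as a little-endian DWORD


def decode_rich(blob):
    """XOR-decode a Rich header; return (key, [(prodid, build, count), ...]).

    Layout (all DWORDs little-endian): "DanS"^key, three pads equal to key
    (so they decode to zero), then (compid^key, count^key) pairs, then the
    literal "Rich" followed by the plain key.  compid = (prodid << 16) | build.
    """
    if len(blob) % 4:
        raise ValueError("Rich header length is not DWORD aligned")
    dwords = list(struct.unpack("<%dI" % (len(blob) // 4), blob))
    rich_at = dwords.index(RICH)          # "Rich" is stored in clear
    key = dwords[rich_at + 1]             # the DWORD after it is the XOR key
    clear = [d ^ key for d in dwords[:rich_at]]
    if clear[0] != DANS:
        raise ValueError("DanS marker missing: not a Rich header or wrong key")
    if any(clear[1:4]):
        raise ValueError("non-zero padding after DanS: header was edited")
    body = clear[4:]
    if len(body) % 2:
        raise ValueError("odd number of DWORDs in the comp-id area")
    return key, [(c >> 16, c & 0xFFFF, n) for c, n in zip(body[0::2], body[1::2])]


def rich_summary(hexblob=RICH_HEX):
    """Decode the report's blob and pull out the figures worth comparing
    against the compiler/linker detections elsewhere in the report."""
    key, entries = decode_rich(bytes.fromhex(hexblob))
    builds = sorted({build for _, build, _ in entries if build})
    # Product ID 1 with build 0 is conventionally the Import0 entry; its
    # count is the number of import-library objects linked in.
    import_objs = sum(n for p, _, n in entries if p == 1)
    return {"key": key, "entries": entries, "builds": builds, "import_objs": import_objs}


if __name__ == "__main__":
    s = rich_summary()
    print("XOR key: 0x%08X" % s["key"])
    for prodid, build, count in s["entries"]:
        print("prodid=0x%04X build=%5d count=%d" % (prodid, build, count))
    print("toolset builds seen:", s["builds"], "import objects:", s["import_objs"])
```

Running it prints the key 2506F214 and twelve entries whose build numbers (27412, 30034, 30156) place every contributing tool in the VS 2017/2019 era; the entry with product ID 1 and count 190 is the import-library object count. A header that has been edited or re-keyed fails on the DanS or padding check, which is the usual basis for a "not modified" verdict.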
| Packer/Compiler |
Compiler (signature match): Microsoft Visual C++ 6 DLL
Detect It Easy (DIE): • PE: linker: Microsoft Linker(14.29**)[-] • Entropy: 6.6879
The two results contradict each other. A 14.29 linker is the Visual Studio 2019 (16.10/16.11) toolset, the Rich header carries build numbers in the 27xxx-30xxx range, and the TimeDateStamp is December 2025, so the Visual C++ 6 match is a generic signature false positive, not evidence of a 1998 toolchain. No packer is detected, and the whole-file entropy of 6.69 is normal for unpacked native code.
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | CreateMutexW | Create a named or unnamed mutex object for controlling access to a shared resource. |
| KERNEL32.DLL | CopyFileA | Copies an existing file to a new file. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | CreateToolhelp32Snapshot | Creates a snapshot of the specified processes, heaps, threads, and modules. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
| KERNEL32.DLL | DeleteFileA | Deletes an existing file. |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| ADVAPI32.DLL | CryptDecrypt | Decrypts data previously encrypted with CryptEncrypt (CryptoAPI). |
| WININET.DLL | InternetConnectA | Opens an FTP or HTTP session to a given host. |
Not every row carries the same weight. IsDebuggerPresent is imported by the VC runtime in practically every MSVC build, so by itself it says nothing about anti-analysis; LoadLibraryA/W with GetProcAddress is how the module can resolve further APIs at run time (the nss3.dll string elsewhere in the report suggests it loads Mozilla's NSS library this way). The telling combination is CreateToolhelp32Snapshot (find target processes), CopyFileA/CreateFileA/WriteFile (collect), CryptDecrypt (recover stored secrets) and InternetConnectA (send).
| Export Table Functions (carved) |
Original name: STEALERDLL.dll • Exported functions: Main, Save
The DLL is therefore a module driven by a separate loader or host that calls these exports; the entry point shown above is only the CRT's DllMain wrapper, so the behaviour described in the following sections most likely lives behind Main and Save.
| Windows REG |
• Software\Microsoft\Windows\Shell\MuiCache and Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache (the per-user location on Vista and later): friendly names of programs the user has run
• SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store: Program Compatibility Assistant record of executed programs
• SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched: taskbar application-switch counters, another list of programs in use
• SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe and SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Thunderbird.exe: install directories of Firefox and Thunderbird, which is where nss3.dll (needed to decrypt logins.json) is found
• SOFTWARE\Martin Prikryl\WinSCP 2\Sessions and SOFTWARE\Martin Prikryl\WinSCP 2\Sessions\: WinSCP saved sessions (host, user name and the saved password, if any)
• Software\Microsoft\Office, Software\Microsoft\Windows Messaging Subsystem\Profiles and Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles: Outlook/MAPI account profiles (the two Profiles paths cover older and current Windows versions)
• system\Profiles: fragment of the path above
Three of these keys enumerate which programs the user runs, two locate browser and mail-client installs, and the rest are credential stores: a discovery pass followed by credential collection.
| File Access |
• Process and installation checks: monero-wallet-gui.exe, WinSCP.exe, Thunderbird.exe, firefox.exe (the two App Paths registry strings are listed here again because the same strings resolve them)
• Libraries: bcrypt.dll, WININET.dll, SHELL32.dll, ADVAPI32.dll, KERNEL32.dll, CRYPT32.dll, nss3.dll (Mozilla NSS, loaded from the Firefox/Thunderbird directory to decrypt logins.json)
• Self-reference: STEALERDLL.dll
• Data files and paths: .dat, @.dat, WinSCP.ini, ).zip, Temp (".dat", "@.dat" and ").zip" are the tails of longer format strings that the carver cut)
• Exec: netsh wlan show profiles
| File Access (UNICODE) |
• (null).exe: a printf placeholder, not a real file name
• mscoree.dll: referenced by the VC runtime's exit path, which checks whether the CLR is loaded before terminating; it does not mean the sample contains managed code
| SQL Queries |
These are not the stealer's own queries. They are the statement templates of SQLite's VACUUM and schema-maintenance code (vacuum_db, sqlite_master, sqlite_stat1, the %Q/%q printf-style placeholders), which shows that SQLite is statically linked into the DLL, as a stealer needs it to read browser and mail-client profile databases. Distinct templates carved:
• SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
• SELECT tbl,idx,stat FROM %Q.sqlite_stat1
• SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
• SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
• SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
• SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
• SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
• SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
• SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
• SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
• INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
• INSERT INTO %Q.%s VALUES('index',%Q,%Q,%d,%Q);
• INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
• CREATE TABLE %Q.%s(%s)
• CREATE TABLE %Q.sqlite_sequence(name,seq)
• CREATE TABLE sqlite_master( type text, name text, tbl_name text, rootpage integer, sql text)
• DELETE FROM %Q.%s WHERE %s=%Q
• DELETE FROM %Q.sqlite_sequence WHERE name=%Q
• DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
• DELETE FROM %Q.%s WHERE name=%Q AND type='index'
The remaining entries in the raw output (INSERT INTO vacuum_db.' || quote(name) ..., CREATE TABLE vacuum_db.' || substr(sql,14) ..., DELETE FROM vacuum_db.' || quote(name) ...) are keyword-anchored substrings of the SELECT statements above, and "CREATE TABLE" and "DROP TABLE to delete table %s" are fragments of a template and of an error message.
| Words of Interest |
outlook smtp Stealer Encrypt Decrypt PassWord exec powershell netsh attrib start hostname shutdown systeminfo ping replace
"Stealer" is the module's own name; outlook/smtp and Encrypt/Decrypt/PassWord fit the credential-collection targets in the registry and file sections. The command names (powershell, netsh, attrib, start, hostname, shutdown, systeminfo, ping, replace) together with the carved "netsh wlan show profiles" suggest a command-execution path built around CreateProcessA.
| Strings/Hex Code Matched by the File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (bind) |
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | File (CopyFile) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Encryption (Base64Decode) |
| Text | Ascii | Encryption API (CryptDecrypt) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Anti-Analysis VM (CreateToolhelp32Snapshot) |
| Text | Ascii | Reconnaissance (FindFirstFileA) |
| Text | Ascii | Reconnaissance (FindNextFileA) |
| Text | Ascii | Reconnaissance (FindNextFileW) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (ExitThread) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (UnmapViewOfFile) |
| Text | Ascii | Stealth (MapViewOfFile) |
| Text | Ascii | Stealth (CreateFileMappingA) |
| Text | Ascii | Stealth (CreateFileMappingW) |
| Text | Ascii | Execution (CreateProcessA) |
| Text | Ascii | Malicious rerouting of traffic to an attacker-controlled site (Redirect) |
| Text | Ascii | Abuse of power for personal gain or unethical purposes (Corruption) |
The last two rows are dictionary matches on the bare words "Redirect" and "Corruption" somewhere in the binary's strings and carry no behavioural meaning. The category names are the tool's labels, not findings: IsDebuggerPresent is imported by the VC runtime in practically every MSVC build, GetVersion and GetSystemInfo are routine CRT imports, and CreateFileMapping/MapViewOfFile are ordinary file-reading primitives rather than "stealth". The rows that matter for this sample are the socket pair (bind, connect), RegOpenKeyEx, the FindFirstFile/FindNextFile directory walk, CreateProcessA (the netsh command line in the string sections) and Base64Decode/CryptDecrypt.
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \24\2\1033 | 10B060 | 91 | 102E60 | 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779 | <?xml version='1.0' encoding='UTF-8' standalone='y |
The only resource is a manifest: type 24 is RT_MANIFEST, name 2 is ISOLATIONAWARE_MANIFEST_RESOURCE_ID (the ID the linker uses for DLL manifests) and language 1033 is en-US. Size 91 is hexadecimal (145 bytes), and the Text column is truncated by the tool. The F8-byte .rsrc section holds nothing else: no version information, icons or embedded payloads.
| Intelligent String |
• .exe • .cmd • .bat • .com: executable extensions
• mscoree.dll: the VC runtime's CLR check at exit (see File Access)
• _*.cab • makecab /F: collected files are packed into a .cab by makecab driven by a directive file (/F); the archive name pattern is _*.cab
• AES
• \logins.json • nss3.dll: Firefox/Thunderbird saved logins and the NSS library needed to decrypt them
• .purple\accounts.xml: Pidgin account file (the report also shows it run together with the FeatureUsage\AppSwitched registry path, a carving artefact)
• im|Psi|Psi\profiles\default\accounts.xml: Psi (XMPP) accounts; the pipe-separated layout looks like a target record of the form category|label|path
• WinSCP.ini • sshWinSCP.exe: WinSCP portable configuration ("ssh" and "WinSCP.exe" are two strings run together)
• FileZilla\sitemanager.xml: FileZilla saved sites, including stored credentials
• .xml
• wifi|WiFi||netsh wlan show profiles: Wi-Fi profile enumeration, the same record layout with a command in place of a path
• Monero\wallets\ • ).zip • monero-wallet-gui.exe: Monero wallet files and the wallet GUI process
• .bss • KERNEL32.dll • bcrypt.dll
Taken together with the registry and file-access sections, the targets are browser and mail credentials (Firefox, Thunderbird, Outlook profiles), file-transfer clients (WinSCP, FileZilla), chat clients (Pidgin, Psi), Wi-Fi profiles and Monero wallets, staged into a .cab, presumably for exfiltration over the WinInet session opened with InternetConnectA.
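The strings above show what the module does once it runs: it shells out to netsh wlan show profiles and packs its loot with makecab /F. Those two command lines are cheap to watch for on endpoints. What follows is an added example (not part of the report or of the malware) of a small hunting rule over process-creation events. The event records are constructed for the example and their field names follow Sysmon Event ID 1 conventions; the user-writable path list and the assumption that a DLL like this one is hosted by rundll32.exe or regsvr32.exe are the rule's own and should be tuned to the environment.

```python
import re

# Constructed process-creation events in Sysmon Event ID 1 style (made up for
# this example; only the two command lines come from the report's strings).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\u\AppData\Local\Temp\loader.exe",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh wlan show profiles"},
    {"ParentImage": r"C:\Users\u\AppData\Local\Temp\loader.exe",
     "Image": r"C:\Windows\System32\makecab.exe",
     "CommandLine": r"makecab /F C:\Users\u\AppData\Local\Temp\_x1y2.ddf"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c netsh wlan show profiles"},   # an admin at a prompt
    {"ParentImage": r"C:\Windows\servicing\TrustedInstaller.exe",
     "Image": r"C:\Windows\System32\makecab.exe",
     "CommandLine": r"makecab /F C:\Windows\Logs\CBS\cbs.ddf"},  # constructed benign case
]

# Command-line patterns lifted from the report's strings.  Matching the whole
# command line rather than the image name also catches "cmd /c ..." wrappers.
PATTERNS = {
    "wifi-profile-enum": re.compile(r"\bnetsh(\.exe)?\s+wlan\s+show\s+profiles?\b", re.I),
    "cab-staging": re.compile(r"\bmakecab(\.exe)?\s+.*?/F\b", re.I),
}

# Assumptions of this rule, not facts from the report: a parent living in a
# user-writable directory, or a DLL host such as rundll32/regsvr32, is the
# context in which a dropped stealer DLL would run.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|Downloads|ProgramData)\\", re.I)
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (tags, severity) for one event.

    severity 0: no technique seen; 1: technique seen from an ordinary parent
    (possible admin activity, worth a look); 2: technique seen from a parent
    that matches the stealer's expected context."""
    tags = [name for name, rx in PATTERNS.items() if rx.search(ev.get("CommandLine", ""))]
    if not tags:
        return [], 0
    parent = ev.get("ParentImage", "")
    suspicious = bool(USER_WRITABLE.search(parent)) or basename(parent) in DLL_HOSTS
    return tags, 2 if suspicious else 1


def hunt(events):
    """Run the rule over a batch; return (index, tags, severity) for every hit."""
    hits = []
    for i, ev in enumerate(events):
        tags, sev = score_event(ev)
        if sev:
            hits.append((i, tags, sev))
    return hits


if __name__ == "__main__":
    for i, tags, sev in hunt(SAMPLE_EVENTS):
        print("event %d: %s severity=%d" % (i, ",".join(tags), sev))
```

Both constructed loader-spawned events score 2, while the same commands from explorer.exe or a servicing process score 1, so the rule separates the stealer's context from an administrator typing netsh by hand without dropping the lower-confidence hits entirely. Matching on the full command line is what keeps the cmd /c variant from slipping past.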
| Flow Anomalies |
The column the tool labels "RVA" holds virtual addresses (ImageBase 10000000 + RVA). Slots at 100E7xxx are in .rdata, where the IAT (E7000) lives, so those are ordinary import thunks; the majority, at 10102Cxx-10102Fxx, are in the writable .data section, i.e. a pointer table that is filled at run time, which fits the imported LoadLibraryA/GetProcAddress pair. Rows whose target is not of this form are decoder artefacts; see the notes on the individual rows.
| Offset | Target (VA) | Section | Kind | Description |
|---|---|---|---|---|
| C4D | 10B060 | .text | JMP [static] | Indirect jump to absolute memory address (printed without the image base, unlike every other row, and equal to the manifest resource's RVA; treat as a decoder artefact and verify in a disassembler) |
| 15CC | 10102C3C | .text | CALL [static] | Indirect call to absolute memory address |
| 168E | 10102C68 | .text | CALL [static] | Indirect call to absolute memory address |
| 1699 | 10102C18 | .text | CALL [static] | Indirect call to absolute memory address |
| 1725 | 10102C1C | .text | CALL [static] | Indirect call to absolute memory address |
| 1742 | 10102C18 | .text | CALL [static] | Indirect call to absolute memory address |
| 174E | 10102C18 | .text | CALL [static] | Indirect call to absolute memory address |
| 175A | 10102C18 | .text | CALL [static] | Indirect call to absolute memory address |
| 1766 | 10102C18 | .text | CALL [static] | Indirect call to absolute memory address |
| 17F6 | 10102C44 | .text | CALL [static] | Indirect call to absolute memory address |
| 3771 | 10102C34 | .text | CALL [static] | Indirect call to absolute memory address |
| 3781 | 10102C3C | .text | CALL [static] | Indirect call to absolute memory address |
| 37D7 | 10102C44 | .text | CALL [static] | Indirect call to absolute memory address |
| 380F | 10102C34 | .text | CALL [static] | Indirect call to absolute memory address |
| 381F | 10102C3C | .text | CALL [static] | Indirect call to absolute memory address |
| 388E | 10102C44 | .text | CALL [static] | Indirect call to absolute memory address |
| 38B3 | 10102C34 | .text | CALL [static] | Indirect call to absolute memory address |
| 38C3 | 10102C3C | .text | CALL [static] | Indirect call to absolute memory address |
| 390F | 10102C44 | .text | CALL [static] | Indirect call to absolute memory address |
| 3A07 | 10102C34 | .text | JMP [static] | Indirect jump to absolute memory address |
| 3A1E | 10102C38 | .text | JMP [static] | Indirect jump to absolute memory address |
| 3A3E | 10102C3C | .text | JMP [static] | Indirect jump to absolute memory address |
| 3A5E | 10102C40 | .text | JMP [static] | Indirect jump to absolute memory address |
| 3A7E | 10102C44 | .text | JMP [static] | Indirect jump to absolute memory address |
| 3AE9 | 10102F90 | .text | CALL [static] | Indirect call to absolute memory address |
| 3BA4 | 100E7170 | .text | CALL [static] | Indirect call to absolute memory address |
| 3BC6 | 100E70DC | .text | CALL [static] | Indirect call to absolute memory address |
| 3BE6 | 100E718C | .text | CALL [static] | Indirect call to absolute memory address |
| 3C13 | 100E7198 | .text | CALL [static] | Indirect call to absolute memory address |
| 3C36 | 100E7174 | .text | CALL [static] | Indirect call to absolute memory address |
| 3C6A | 10102C3C | .text | CALL [static] | Indirect call to absolute memory address |
| 3C8D | 10102C44 | .text | CALL [static] | Indirect call to absolute memory address |
| 3CC3 | 10102C3C | .text | CALL [static] | Indirect call to absolute memory address |
| 3D13 | 10102C3C | .text | CALL [static] | Indirect call to absolute memory address |
| 3D50 | 10102C44 | .text | CALL [static] | Indirect call to absolute memory address |
| 3E11 | 10102C44 | .text | CALL [static] | Indirect call to absolute memory address |
| 3E34 | 10102C3C | .text | CALL [static] | Indirect call to absolute memory address |
| 3E92 | 10102C3C | .text | CALL [static] | Indirect call to absolute memory address |
| 3E9C | 10102C1C | .text | CALL [static] | Indirect call to absolute memory address |
| 3F06 | 10102C0C | .text | CALL [static] | Indirect call to absolute memory address |
| 3F16 | 10102C18 | .text | CALL [static] | Indirect call to absolute memory address |
| 3F62 | 10102C44 | .text | CALL [static] | Indirect call to absolute memory address |
| 3F72 | 10102C0C | .text | CALL [static] | Indirect call to absolute memory address |
| 4005 | 10102C3C | .text | CALL [static] | Indirect call to absolute memory address |
| 4072 | 10102C44 | .text | CALL [static] | Indirect call to absolute memory address |
| 4088 | 10102C44 | .text | CALL [static] | Indirect call to absolute memory address |
| 40B7 | 10102C3C | .text | CALL [static] | Indirect call to absolute memory address |
| 40C1 | 10102C18 | .text | CALL [static] | Indirect call to absolute memory address |
| 40F1 | 10102C44 | .text | CALL [static] | Indirect call to absolute memory address |
| 4135 | 10102C3C | .text | CALL [static] | Indirect call to absolute memory address |
| 417B | 10102C44 | .text | CALL [static] | Indirect call to absolute memory address |
| 4195 | 10102C18 | .text | CALL [static] | Indirect call to absolute memory address |
| 41AB | 10102C3C | .text | CALL [static] | Indirect call to absolute memory address |
| 420B | 10102C10 | .text | CALL [static] | Indirect call to absolute memory address |
| 421F | 10102C44 | .text | CALL [static] | Indirect call to absolute memory address |
| 422B | 10102C10 | .text | CALL [static] | Indirect call to absolute memory address |
| 4244 | 10102C18 | .text | JMP [static] | Indirect jump to absolute memory address |
| 4256 | 10102C18 | .text | CALL [static] | Indirect call to absolute memory address |
| 4292 | 10102C3C | .text | CALL [static] | Indirect call to absolute memory address |
| 429C | 10102C18 | .text | CALL [static] | Indirect call to absolute memory address |
| 42DE | 10102C10 | .text | CALL [static] | Indirect call to absolute memory address |
| 42F5 | 10102C44 | .text | JMP [static] | Indirect jump to absolute memory address |
| 42FC | 10102C10 | .text | CALL [static] | Indirect call to absolute memory address |
| 4339 | 10102C18 | .text | CALL [static] | Indirect call to absolute memory address |
| 43FF | 10102C18 | .text | CALL [static] | Indirect call to absolute memory address |
| 440C | 10102C1C | .text | CALL [static] | Indirect call to absolute memory address |
| 4441 | 10102C3C | .text | CALL [static] | Indirect call to absolute memory address |
| 4496 | 10102C14 | .text | CALL [static] | Indirect call to absolute memory address |
| 44B8 | 10102C14 | .text | CALL [static] | Indirect call to absolute memory address |
| 44C8 | 10102C18 | .text | CALL [static] | Indirect call to absolute memory address |
| 44FB | 10102C44 | .text | CALL [static] | Indirect call to absolute memory address |
| 450F | 10102C14 | .text | CALL [static] | Indirect call to absolute memory address |
| 5E7E | 2C248C8B | .text | JMP [static] | Indirect jump to absolute memory address (target is outside the image's 10000000-10113000 range, so this is a misaligned decode of data or of an instruction boundary, not a real branch) |
| 664B | 10102CE4 | .text | CALL [static] | Indirect call to absolute memory address |
| 66BE | 10102C34 | .text | CALL [static] | Indirect call to absolute memory address |
| 66CE | 10102C3C | .text | CALL [static] | Indirect call to absolute memory address |
| 67E8 | 10102C44 | .text | CALL [static] | Indirect call to absolute memory address |
| 6D7F | 10102C18 | .text | CALL [static] | Indirect call to absolute memory address |
| 8735 | 10102C18 | .text | CALL [static] | Indirect call to absolute memory address |
| 8B6E | 10102FCC | .text | CALL [static] | Indirect call to absolute memory address |
| 8BAE | 10102FCC | .text | CALL [static] | Indirect call to absolute memory address |
| 8C13 | 10102DB0 | .text | CALL [static] | Indirect call to absolute memory address |
| 8C41 | 10102F24 | .text | CALL [static] | Indirect call to absolute memory address |
| 8D65 | 10102D20 | .text | CALL [static] | Indirect call to absolute memory address |
| 8D78 | 10102F90 | .text | CALL [static] | Indirect call to absolute memory address |
| 8D81 | 10102D20 | .text | CALL [static] | Indirect call to absolute memory address |
| 8DA6 | 10102E34 | .text | CALL [static] | Indirect call to absolute memory address |
| 8E9D | 10102F6C | .text | CALL [static] | Indirect call to absolute memory address |
| 8EAB | 10102E34 | .text | CALL [static] | Indirect call to absolute memory address |
| 8EB6 | 10102E34 | .text | CALL [static] | Indirect call to absolute memory address |
| 8EF4 | 10102F90 | .text | CALL [static] | Indirect call to absolute memory address |
| 9070 | 10102FD8 | .text | CALL [static] | Indirect call to absolute memory address |
| 907A | 10102E34 | .text | CALL [static] | Indirect call to absolute memory address |
| 90C0 | 10102F90 | .text | CALL [static] | Indirect call to absolute memory address |
| 9137 | 10102E34 | .text | CALL [static] | Indirect call to absolute memory address |
| 9218 | 10102F84 | .text | CALL [static] | Indirect call to absolute memory address |
| 9223 | 10102E34 | .text | CALL [static] | Indirect call to absolute memory address |
| 9261 | 10102F78 | .text | CALL [static] | Indirect call to absolute memory address |
| 926B | 10102E34 | .text | CALL [static] | Indirect call to absolute memory address |
| 92DA | 10102D98 | .text | CALL [static] | Indirect call to absolute memory address |
| 4392-43AF | N/A | .text | Unusual BP Cave, count: 30 | run of 30 INT3 (0xCC) bytes |
| 9D3D6-9D3FF | N/A | .text | Unusual BP Cave, count: 42 | run of 42 INT3 (0xCC) bytes |
MSVC pads the gaps between functions with 0xCC, so runs of INT3 are alignment padding rather than caves; runs longer than the 16-byte function alignment, as here, are worth a glance in a disassembler but are not by themselves suspicious.
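Both the Entry Point section (RVA BFE5D versus the "calculated" BF25D, and branch targets printed against a 0x1000 base) and the table above come down to the same bookkeeping: mapping RVAs, file offsets and virtual addresses through the section table. The following added example (written for this page, not pescan.io's code) does that with the values from the Sections Info table. The list of indirect-branch targets is the set of distinct values in the table above, and the image base, size, IAT and entry-point figures are the ones printed in the File Structure section; the 0x1000 listing base is derived from the displacements in the entry-point bytes.

```python
from collections import Counter

IMAGE_BASE = 0x10000000
SIZE_OF_IMAGE = 0x113000
ENTRY_RVA = 0xBFE5D
IAT_RVA = 0xE7000
DISASM_BASE = 0x1000  # the entry-point listing was disassembled as if it began at 0x1000

# name: (raw offset, raw size, virtual RVA, virtual size), from "Sections Info"
SECTIONS = {
    ".text":  (0x000400, 0xE5600, 0x001000, 0xE5598),
    ".rdata": (0x0E5A00, 0x1A600, 0x0E7000, 0x1A462),
    ".data":  (0x100000, 0x02E00, 0x102000, 0x08F9C),
    ".rsrc":  (0x102E00, 0x00200, 0x10B000, 0x000F8),
    ".reloc": (0x103000, 0x06800, 0x10C000, 0x066B0),
}

# Distinct target values from the Flow Anomalies table (they are VAs, not RVAs).
ANOMALY_TARGETS = [
    0x10102C0C, 0x10102C10, 0x10102C14, 0x10102C18, 0x10102C1C, 0x10102C34,
    0x10102C38, 0x10102C3C, 0x10102C40, 0x10102C44, 0x10102C68, 0x10102CE4,
    0x10102D20, 0x10102D98, 0x10102DB0, 0x10102E34, 0x10102F24, 0x10102F6C,
    0x10102F78, 0x10102F84, 0x10102F90, 0x10102FCC, 0x10102FD8,
    0x100E70DC, 0x100E7170, 0x100E7174, 0x100E718C, 0x100E7198,
    0x2C248C8B,  # the row at offset 5E7E: not a plausible address at all
]


def section_for_rva(rva):
    """Name of the section whose virtual range contains rva, or None."""
    for name, (_, _, vaddr, vsize) in SECTIONS.items():
        if vaddr <= rva < vaddr + vsize:
            return name
    return None


def rva_to_offset(rva):
    """File offset backing an RVA.  Raises if the RVA is unmapped or lies in
    the zero-filled tail of a section whose raw data is shorter than its
    virtual size (e.g. the upper part of .data)."""
    name = section_for_rva(rva)
    if name is None:
        raise ValueError("RVA 0x%X is outside every section" % rva)
    raw_off, raw_size, vaddr, _ = SECTIONS[name]
    delta = rva - vaddr
    if delta >= raw_size:
        raise ValueError("RVA 0x%X is in the uninitialised part of %s" % (rva, name))
    return raw_off + delta


def rebase_listing_addr(addr, disasm_base=DISASM_BASE):
    """Turn a branch target printed in the report's entry-point listing into a
    real RVA: the listing's JNE at 0x1007 with displacement 5 reaches 0x100E,
    so the listing base is 0x1000 and real = ENTRY_RVA + (addr - 0x1000)."""
    return ENTRY_RVA + (addr - disasm_base)


def classify_target(va):
    """Where does the slot an indirect CALL/JMP reads its target from live?
    '.rdata' is where the IAT (RVA 0xE7000) sits, so those are ordinary import
    thunks; '.data' slots are writable and must be filled at run time (for
    example by GetProcAddress); 'outside-image' flags a mis-decoded row."""
    rva = va - IMAGE_BASE
    if not 0 <= rva < SIZE_OF_IMAGE:
        return "outside-image"
    return section_for_rva(rva) or "unmapped"


def summarize_targets(vas=ANOMALY_TARGETS):
    """Count indirect-branch slots per location class."""
    return Counter(classify_target(va) for va in vas)


if __name__ == "__main__":
    print("entry point: RVA 0x%X -> file offset 0x%X (%s)" % (
        ENTRY_RVA, rva_to_offset(ENTRY_RVA), section_for_rva(ENTRY_RVA)))
    for a in (0x100E, 0x13F5, 0xECA):
        print("listing 0x%04X -> real RVA 0x%X" % (a, rebase_listing_addr(a)))
    print(dict(summarize_targets()))
```

summarize_targets() comes back with 23 distinct slots in writable .data against 5 in the IAT region of .rdata and one value outside the image, which is the fingerprint of a runtime-resolved API table plus one decoder artefact. rva_to_offset(0x10B060) gives 102E60, the FileOffset the Resources section prints for the manifest, a quick check that the section table was transcribed correctly; asking for an RVA in the zero-filled tail of .data raises instead of returning a bogus offset.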
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 652276 | 59.9801% |
| Null Byte Code | 132266 | 12.1625% |
© 2025 All rights reserved.