PESCAN.IO - Analysis Report Basic

File Structure
Analysis image legend (PE chart):
• Header PE (light blue)
• Executable sections (pink)
• Non-executable sections (black)
• External injected code (red)
• File Structure in red = malformed or corrupted header
Chart legend for other file types:
• Printable characters (blue)
• Non-printable characters (black)
Information
Size: 289.50 KB (296,448 bytes)
SHA-256 Hash: 81BB792A9DA341A780B7A4D52E968AE79360185AB4683AFF01B94D5642DAC40F
SHA-1 Hash: 40FEEDCA56B1F21C6909D70DA9826A10118AF4C3
MD5 Hash: 4DCCF7F1FBBED80D8452C23E1785DB67
Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (rva): 4E00A
SizeOfHeaders: 400
SizeOfImage: 52000
ImageBase: 400000
Architecture: x86
ImportTable: 26220
IAT: 4E000
Characteristics: 22
TimeDateStamp: D2FFA8CC
Date: 05/03/2082 21:04:12
File Type: EXE
Number Of Sections: 5
ASLR: Disabled
Section Names (Section Table): E~$;RN{c, .text, .rsrc, *unnamed*, .reloc
Number Of Executable Sections: 3 (E~$;RN{c, .text, *unnamed*; the first carries the EXECUTE flag in its characteristics, see Sections Info)
Subsystem: Windows GUI
UAC Execution Level Manifest: requireAdministrator

Sections Info (offsets and sizes in hex)
Name       Flags       Characteristics                                    ROffset  RSize  VOffset  VSize  Entropy  Chi2
E~$;RN{c   0xE0000040  Initialized Data, Executable, Readable, Writeable  400      21400  2000     21270  7.9987   250.87
.text      0x60000020  Code, Executable, Readable                         21800    C200   24000    C1B0   5.4245   814898.66
.rsrc      0x40000040  Initialized Data, Readable                         2DA00    1A800  32000    1A63B  7.9697   6553.34
*unnamed*  0x60000020  Code, Executable, Readable                         48200    200    4E000    10     0.1426   127004
.reloc     0x42000040  Initialized Data, Discardable, Readable            48400    200    50000    C      0.098    128016
Note on .reloc: 0x42000040 is IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ. The 0x02000000 bit is MEM_DISCARDABLE, not GP-relative (IMAGE_SCN_GPREL is 0x00008000); the tool's label was wrong.
The E~$;RN{c section is the one to look at: writable and executable at once, typed as data rather than code, with entropy 7.9987 (essentially random bytes) and a non-printable name, which is what an encrypted Confuser payload looks like in a section table.
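Decoding the Characteristics column and running the checks above over the section table, as an added example that is not PESCAN.IO's code. The five rows are copied from Sections Info, the flag values are the documented IMAGE_SCN_* constants from winnt.h, and the triage thresholds (entropy 7.5, section-name pattern) are illustrative choices for this example, not the tool's rules.

```python
"""Decode IMAGE_SECTION_HEADER.Characteristics and triage the section table above.

Added example, not PESCAN.IO code. The five rows are copied from Sections Info;
the flag values are the documented IMAGE_SCN_* constants from winnt.h; the
triage rules are illustrative thresholds, not the tool's.
"""
import re
from collections import namedtuple

IMAGE_SCN_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x00008000: "IMAGE_SCN_GPREL",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x04000000: "IMAGE_SCN_MEM_NOT_CACHED",
    0x08000000: "IMAGE_SCN_MEM_NOT_PAGED",
    0x10000000: "IMAGE_SCN_MEM_SHARED",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
CNT_CODE, MEM_EXECUTE, MEM_WRITE = 0x20, 0x20000000, 0x80000000

Section = namedtuple("Section", "name flags raw_off raw_size virt_off virt_size entropy")

# Rows copied from the report's Sections Info table.
SECTIONS = [
    Section("E~$;RN{c",  0xE0000040, 0x00400, 0x21400, 0x02000, 0x21270, 7.9987),
    Section(".text",     0x60000020, 0x21800, 0x0C200, 0x24000, 0x0C1B0, 5.4245),
    Section(".rsrc",     0x40000040, 0x2DA00, 0x1A800, 0x32000, 0x1A63B, 7.9697),
    Section("*unnamed*", 0x60000020, 0x48200, 0x00200, 0x4E000, 0x00010, 0.1426),
    Section(".reloc",    0x42000040, 0x48400, 0x00200, 0x50000, 0x0000C, 0.0980),
]


def decode_flags(flags):
    """Names of the set IMAGE_SCN_* bits, lowest bit first. Bits outside the table
    (e.g. the IMAGE_SCN_ALIGN_* field, meaningful only in object files) are reported raw."""
    names = [name for bit, name in sorted(IMAGE_SCN_FLAGS.items()) if flags & bit]
    unknown = flags & ~sum(IMAGE_SCN_FLAGS) & 0xFFFFFFFF
    if unknown:
        names.append("unknown:%#010x" % unknown)
    return names


def executable_sections(sections):
    """Names of all sections carrying IMAGE_SCN_MEM_EXECUTE (the report counted only two)."""
    return [s.name for s in sections if s.flags & MEM_EXECUTE]


def triage(sections):
    """Per-section findings a reviewer wants flagged; sections with none are omitted."""
    findings = {}
    for s in sections:
        notes = []
        if s.flags & MEM_EXECUTE and s.flags & MEM_WRITE:
            notes.append("RWX: writable and executable")
        if s.flags & MEM_EXECUTE and s.entropy >= 7.5:   # illustrative threshold
            notes.append("executable with near-maximal entropy (packed or encrypted)")
        if s.flags & MEM_EXECUTE and not s.flags & CNT_CODE:
            notes.append("executable but typed as data, not code")
        if s.name == "*unnamed*":
            notes.append("unnamed section")
        elif not re.fullmatch(r"\.[A-Za-z0-9_$]{1,7}", s.name):  # illustrative name pattern
            notes.append("non-standard section name")
        if notes:
            findings[s.name] = notes
    return findings


if __name__ == "__main__":
    for s in SECTIONS:
        print("%-10s %#010x  %s" % (s.name, s.flags, ", ".join(decode_flags(s.flags))))
    print("executable:", executable_sections(SECTIONS))
    for name, notes in triage(SECTIONS).items():
        print(name, "->", "; ".join(notes))
```

Run against the report's values, decode_flags(0x42000040) yields INITIALIZED_DATA, MEM_DISCARDABLE and MEM_READ (no GPREL), executable_sections returns three names, and triage flags only E~$;RN{c (four findings) and the unnamed section.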
Description
OriginalFilename: CLIENT.exe
LegalCopyright: Copyright 2026
ProductName: CLIENT
FileVersion: 1.0.0.0
FileDescription: CLIENT
ProductVersion: 1.0.0.0
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point
Section number 4 (*unnamed*) contains the Entry Point; it is not in .text.
Information -> EntryPoint (calculated file offset) - 4820A (RVA 4E00A - VOffset 4E000 + ROffset 48200)
Code -> FF2500E044000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
EP changed to another address -> (Address Of EntryPoint > Base Of Data)
The first six bytes, FF 25 00 E0 44 00, are JMP DWORD PTR [0x44E000]: ImageBase 0x400000 + IAT RVA 0x4E000, the image's single import slot, which resolves mscoree!_CorExeMain (the string "_CorExeMainmscoree.dll" appears under Intelligent String). That is the standard native entry stub of a 32-bit .NET executable, so a relocated entry point is expected for this file type and is not by itself a sign of tampering. The bytes after the stub are zero padding, which the disassembler renders as ADD BYTE PTR [EAX], AL.
Assembler
|JMP DWORD PTR [0X44E000]
|ADD BYTE PTR [EAX], AL (repeated 22 times: the 00 00 padding after the stub)
Signatures
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
AnyCPU: False
Version: v4.0
Compiler: Microsoft Visual Studio
Detect It Easy (die)
PE: protector: Confuser(1.X)[-]
PE: library: .NET(v4.0.30319)[-]
PE: linker: Microsoft Linker(48.0)[-]
Entropy: 7.81475

File Access
CLIENT.exe
kernel32.dll
mscoree.dll
CLIENT.PT3D.dat

File Access (UNICODE)
CLIENT.exe

Words of Interest
exec
attrib
start
replace
route

URLs
http://schemas.microsoft.com/SMI/2005/WindowsSettings
http://schemas.microsoft.com/SMI/2016/WindowsSettings
https://docs.microsoft.com/windows/win32/fileio/maximum-file-path-limitation

IP Addresses
11.0.0.0

Strings/Hex Code Found With The File Rules
Type         Encoding     Rule                      Matched (Word)
Text         Ascii        WinAPI Sockets            connect
Text         Ascii        WinAPI Sockets            send
Text         Ascii        Encryption                FromBase64String
Text         Ascii        Encryption                ToBase64String
Text         Ascii        Stealth                   VirtualProtect
Entry Point  Hex Pattern  Microsoft Visual C++ 8    -
Entry Point  Hex Pattern  Microsoft Visual C++ 8.0  -
Note: the two entry-point pattern hits match the FF 25 jmp stub followed by zero bytes shown under Entry Point, which every 32-bit .NET executable shares; they do not indicate a native Visual C++ build. The Detect It Easy result (.NET v4.0.30319, Confuser) is the one to trust for this file.
Resources
Path                  DataRVA  Size   FileOffset
\ICON\1\0             32130    19496  2DB30
  Code: 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A866000000016F724E5401CFA2779A00008000
  Text: .PNG........IHDR.............\r.f....orNT...w.....
  (PNG-format icon; IHDR gives 256x256, 8 bits per channel, colour type 6 = RGBA)
\GROUP_ICON\32512\0   4B5C8    14     46FC8
  Code: 0000010001000000000001002000969401000100
  Text: ............ .......
  (GRPICONDIR: type 1, one entry, width/height 0 = 256, 32 bpp, image size 0x19496 = the ICON\1 resource, ID 1)
\VERSION\1\0          4B5DC    30C    46FDC
  Code: 0C0334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000
  Text: ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
  (VS_VERSIONINFO; decoded under Description above)
\24\1\0 (RT_MANIFEST)  4B8E8   D53    472E8
  Code: EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D227574662D38223F3E0D0A3C617373656D62
  Text: ...<?xml version="1.0" encoding="utf-8"?>..<assemb
  (UTF-8 BOM followed by the application manifest: source of requireAdministrator, dpiAware and longPathAware above)
Intelligent String
• 1.0.0.0
• CLIENT.exe
• DepenceActivator.pdb
• _CorExeMainmscoree.dll
• Makes the application long-path aware. See https://docs.microsoft.com/windows/win32/fileio/maximum-file-path-limitation -->
• <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
• <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware>

Flow Anomalies
Offset  Target (absolute address)  Section  Description
A8A 27F8BCB6 E~$;RN{c CALL [static] | Indirect call to absolute memory address
507A 277F2295 E~$;RN{c CALL [static] | Indirect call to absolute memory address
50D3 277F2295 E~$;RN{c JMP [static] | Indirect jump to absolute memory address
AD16 277F2295 E~$;RN{c JMP [static] | Indirect jump to absolute memory address
E735 277F2295 E~$;RN{c CALL [static] | Indirect call to absolute memory address
204C6 277F2295 E~$;RN{c JMP [static] | Indirect jump to absolute memory address
2146D 46CB6362 E~$;RN{c JMP [static] | Indirect jump to absolute memory address
34ED8 5F8EDB6E .rsrc CALL [static] | Indirect call to absolute memory address
43BBE 5F8EDB6E .rsrc CALL [static] | Indirect call to absolute memory address
449D4 54CF4BC2 .rsrc JMP [static] | Indirect jump to absolute memory address
45CAE 54CF4BC2 .rsrc JMP [static] | Indirect jump to absolute memory address
4820A 44E000 *unnamed* JMP [static] | Indirect jump to absolute memory address
400-217FF 2000 E~$;RN{c Executable section anomaly, first bytes: 048C65D4D6264103
48200-483FF 4E000 *unnamed* Executable section anomaly, first bytes: 5062020000000000
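The calculation under Entry Point and the target addresses listed under Flow Anomalies, worked through in code. This is an added example, not PESCAN.IO's code: ImageBase, SizeOfImage, IAT, ImportTable, the entry-point RVA and the section table are the report's values; the only file content is a constructed 0x200-byte image of the *unnamed* section built from the reported "first bytes" and "Code" values (bytes 8 and 9 of that section are assumed to be zero). rva_to_offset reproduces the 4820A figure, decode_jmp_indirect recovers the 0x44E000 operand and follows it into the IAT slot, and plausible_targets applies the one check worth running over the anomaly table before reading anything into it: whether an indirect operand even lies inside the mapped image (0x400000 to 0x451FFF). Only the *unnamed* entry passes; the other operands come from scanning non-code bytes (the 7.9987-entropy E~$;RN{c payload, and offsets inside the PNG that occupies 2DB30 onward in .rsrc).

```python
"""Entry-point and indirect-target checks for the CLIENT.exe report above.

Added example, not PESCAN.IO code. Header fields and the section table are
copied from the report; the only file bytes are a constructed image of the
*unnamed* section built from the report's 'first bytes' and 'Code' values.
"""
import struct

IMAGE_BASE = 0x400000
SIZE_OF_IMAGE = 0x52000
IMPORT_TABLE_RVA = 0x26220
IAT_RVA = 0x4E000
ENTRY_POINT_RVA = 0x4E00A

# (name, raw offset, raw size, virtual address, virtual size) from Sections Info.
SECTIONS = [
    ("E~$;RN{c",  0x00400, 0x21400, 0x02000, 0x21270),
    (".text",     0x21800, 0x0C200, 0x24000, 0x0C1B0),
    (".rsrc",     0x2DA00, 0x1A800, 0x32000, 0x1A63B),
    ("*unnamed*", 0x48200, 0x00200, 0x4E000, 0x00010),
    (".reloc",    0x48400, 0x00200, 0x50000, 0x0000C),
]

# Constructed raw image of the *unnamed* section (0x200 bytes at file offset
# 0x48200): the reported first 8 bytes (IAT slot 0x00026250 + null terminator)
# and the reported entry-point bytes at +0xA. Bytes +8..+9 are assumed zero.
UNNAMED_RAW = bytearray(0x200)
UNNAMED_RAW[0:8] = bytes.fromhex("5062020000000000")
UNNAMED_RAW[0xA:0x10] = bytes.fromhex("FF2500E04400")
FILE_CHUNKS = {0x48200: bytes(UNNAMED_RAW)}   # file offset -> bytes we have

# Target addresses listed under Flow Anomalies (deduplicated).
FLOW_TARGETS = {0x27F8BCB6, 0x277F2295, 0x46CB6362, 0x5F8EDB6E, 0x54CF4BC2, 0x44E000}


def _find_section(rva):
    for name, roff, rsize, va, vsize in SECTIONS:
        if va <= rva < va + max(vsize, rsize):
            return name, roff, rsize, va
    return None


def section_of_rva(rva):
    hit = _find_section(rva)
    return hit[0] if hit else None


def rva_to_offset(rva):
    """Section-table translation of an RVA to a file offset. Returns None when the
    RVA is unmapped or lies in virtual-only space with no backing file bytes."""
    hit = _find_section(rva)
    if hit is None:
        return None
    _name, roff, rsize, va = hit
    delta = rva - va
    return roff + delta if delta < rsize else None


def read_at(offset, n, chunks=FILE_CHUNKS):
    """Read n bytes at a file offset from the chunks we have (swap in a real file read here)."""
    for base, data in chunks.items():
        if base <= offset and offset + n <= base + len(data):
            return data[offset - base:offset - base + n]
    raise ValueError("no bytes available at file offset %#x" % offset)


def decode_jmp_indirect(code):
    """Decode FF 25 disp32 (JMP DWORD PTR [abs32]); return the absolute slot address or None."""
    if len(code) < 6 or code[:2] != b"\xff\x25":
        return None
    return struct.unpack_from("<I", code, 2)[0]


def in_image(va):
    return IMAGE_BASE <= va < IMAGE_BASE + SIZE_OF_IMAGE


def plausible_targets(targets):
    """Indirect call/jmp operands that can possibly be real: those inside the mapped image."""
    return {t for t in targets if in_image(t)}


def analyze_entry_point():
    ep_off = rva_to_offset(ENTRY_POINT_RVA)
    target_va = decode_jmp_indirect(read_at(ep_off, 6))
    result = {
        "ep_file_offset": ep_off,
        "ep_section": section_of_rva(ENTRY_POINT_RVA),
        "jmp_target_va": target_va,
    }
    if target_va is None or not in_image(target_va):
        return result
    target_rva = target_va - IMAGE_BASE
    slot = struct.unpack("<I", read_at(rva_to_offset(target_rva), 4))[0]
    result.update({
        "jmp_target_is_iat": target_rva == IAT_RVA,
        "iat_slot_value": slot,   # unbound slot on disk: RVA of the hint/name entry
        "iat_slot_in_import_region": slot >= IMPORT_TABLE_RVA and section_of_rva(slot) == ".text",
    })
    return result


if __name__ == "__main__":
    r = analyze_entry_point()
    print({k: (hex(v) if isinstance(v, int) and not isinstance(v, bool) else v) for k, v in r.items()})
    print("plausible flow targets:", [hex(t) for t in sorted(plausible_targets(FLOW_TARGETS))])
```

To run this against the sample itself, replace read_at with a seek-and-read on the file; the section table and header constants would then come from the parsed headers rather than from the report.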
Extra Analysis
Metric Value Percentage
Ascii Code 198723 67.0347%
Null Byte Code 7886 2.6602%
© 2026 All rights reserved.