PESCAN.IO - Analysis Report Basic

| File Structure |
PE Chart Code (legend for the file-structure chart; the chart image itself is not part of this page):
• PE header (light blue)
• Executable sections (pink)
• Non-executable sections (black)
• External injected code (red)
• File Structure shown in red = malformed or corrupted header

Chart Code For Other Files:
• Printable characters (blue)
• Non-printable characters (black)
| Information |
| Field | Value |
|---|---|
| Size | 126,00 KB |
| SHA-256 Hash | BA312E50F9C282C8D60F83AFF086917D60E35A30C8DF290C2AA3F6640D48363E |
| SHA-1 Hash | 6FAE5372D2A1E1028D1CD696CC23AAEE0DEDD39E |
| MD5 Hash | 4E4971DCC1D55A85DE7A108D89C122B0 |
| Imphash | F326F88CA83C9AACAA44ACFB8884F1D4 |
| MajorOSVersion | 4 |
| MinorOSVersion | 0 |
| CheckSum | 00000000 |
| EntryPoint (RVA) | 1000 |
| SizeOfHeaders | 400 |
| SizeOfImage | 24000 |
| ImageBase | 0000000140000000 |
| Architecture | x64 |
| ImportTable | 1F198 |
| IAT | 1F6C8 |
| Characteristics | 2F |
| TimeDateStamp | 5D400538 |
| Date | 30/07/2019 8:52:08 |
| File Type | DLL |
| Number Of Sections | 6 |
| ASLR | Disabled |
| Section Names (Optional Header) | .code, .text, .rdata, .pdata, .data, .rsrc |
| Number Of Executable Sections | 2 |
| Subsystem | Windows Console |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .code | 0x60000020 Code Executable Readable | 400 | 5C00 | 1000 | 5B79 | | |
| .text | 0x60000020 Code Executable Readable | 6000 | 10E00 | 7000 | 10D25 | | |
| .rdata | 0x40000040 Initialized Data Readable | 16E00 | 4C00 | 18000 | 4B9D | | |
| .pdata | 0x40000040 Initialized Data Readable | 1BA00 | 1200 | 1D000 | 1140 | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | 1CC00 | 1600 | 1F000 | 23B8 | | |
| .rsrc | 0x40000040 Initialized Data Readable | 1E200 | 1600 | 22000 | 1498 | | |

(The report left the Entropy and Chi2 columns empty for every section; the only entropy figure given is the whole-file value under Packer/Compiler.)
| Entry Point |
The entry point lies in section 1 (.code): its EntryPoint RVA of 1000 equals the section's VOffset, so the calculated file offset is 400.

EntryPoint (calculated): 400

Code: 4883EC2849C7C0600100004831D248B9CC04024001000000E8E35F00004831C9E8E15F0000488905A8F401004D31C048C7C2

Assembler:
• SUB RSP, 0X28
• MOV R8, 0X160
• XOR RDX, RDX
• MOVABS RCX, 0X1400204CC
• CALL 0X7000
• XOR RCX, RCX
• CALL 0X7006
• MOV QWORD PTR [RIP + 0X1F4A8], RAX
• XOR R8, R8

The two CALLs target RVA 7000 and 7006, the start of .text (file offsets 6000 and 6006), which are the first JMP QWORD PTR [RIP+...] import thunks listed under Flow Anomalies; the entry stub therefore begins by calling into imported functions rather than into code of its own.
| Signatures |
| Certificate - Digital Signature Not Found: • The file is not signed |
| Packer/Compiler |
Compiler: Pure Basic 4.x

Detect It Easy (die):
• PE+(64): compiler: PureBasic(4.X*)[-]
• PE+(64): linker: Polink(2.50*)[-]
• Entropy: 6.54622
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| SHELL32.DLL | ShellExecuteExW | Performs a run operation on a specific file. |
| File Access |
• COMCTL32.DLL
• GDI32.DLL
• USER32.DLL
• SHLWAPI.DLL
• OLE32.DLL
• WINMM.DLL
• SHELL32.DLL
• KERNEL32.dll
• msvcrt.dll
• @.dat
• Temp
| File Access (UNICODE) |
• 0123456789abcdefKernel32.dll
• Shell32.DLL
• Kernel32.DLL
• SHELL32.DLL

| Words of Interest |
• PADDINGX
• exec
• attrib
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Execution (CreateProcessW) |
| Text | Ascii | Execution (ShellExecute) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 (DLL) |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \RCDATA\DA016EDA19AEA68A6EAB2AAF2EABDDAB\0 | 2221C | E | 1E41C | 789C636018052319000002000001 | x.c......... |
| \RCDATA\E0DC75C96780508246DD9574DAF59BAF\0 | 2222C | FC0 | 1E42C | 24E31631DD7AA65CC91C45AF55D76E4AB263D7E8730291B27A1D16FC8931E06B59D78E13FF30E6FBFEFA3080E4561D6F391C | $..1.z.\..E.U.nJ.c..s...z....1.kY....0....0..V.o9. |
| \RCDATA\EAE7BF02E9\0 | 231EC | 1 | 1F3EC | 01 | . |
| \RCDATA\F01D71F4DCC11CDDC95CB6C5BCE43B99B62B77EA\0 | 231F0 | 8 | 1F3F0 | 31E30677D137AD3A | 1..w.7.: |
| \24\1\0 | 231F8 | 2A0 | 1F3F8 | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="UTF-8" standalone="y |
| Intelligent String |
• SHELL32.DLL
• 0123456789abcdefKernel32.dll
• msvcrt.dll
• USER32.DLL
• GDI32.DLL
• COMCTL32.DLL
| Flow Anomalies |
| Offset | RVA | Section | Description |
|---|---|---|---|
| 6000 | N/A | .text | JMP QWORD PTR [RIP+0x186C2] |
| 6006 | N/A | .text | JMP QWORD PTR [RIP+0x18744] |
| 600C | N/A | .text | JMP QWORD PTR [RIP+0x18746] |
| 6012 | N/A | .text | JMP QWORD PTR [RIP+0x18748] |
| 6018 | N/A | .text | JMP QWORD PTR [RIP+0x1874A] |
| 601E | N/A | .text | JMP QWORD PTR [RIP+0x1874C] |
| 6024 | N/A | .text | JMP QWORD PTR [RIP+0x1874E] |
| 602A | N/A | .text | JMP QWORD PTR [RIP+0x18750] |
| 6030 | N/A | .text | JMP QWORD PTR [RIP+0x18752] |
| 6036 | N/A | .text | JMP QWORD PTR [RIP+0x18754] |
| 603C | N/A | .text | JMP QWORD PTR [RIP+0x18756] |
| 6042 | N/A | .text | JMP QWORD PTR [RIP+0x18758] |
| 6048 | N/A | .text | JMP QWORD PTR [RIP+0x1875A] |
| 604E | N/A | .text | JMP QWORD PTR [RIP+0x1875C] |
| 6054 | N/A | .text | JMP QWORD PTR [RIP+0x1875E] |
| 605A | N/A | .text | JMP QWORD PTR [RIP+0x18760] |
| 6060 | N/A | .text | JMP QWORD PTR [RIP+0x18762] |
| 6066 | N/A | .text | JMP QWORD PTR [RIP+0x18764] |
| 606C | N/A | .text | JMP QWORD PTR [RIP+0x18766] |
| 6072 | N/A | .text | JMP QWORD PTR [RIP+0x18768] |
| 6078 | N/A | .text | JMP QWORD PTR [RIP+0x1876A] |
| 607E | N/A | .text | JMP QWORD PTR [RIP+0x1894C] |
| 6084 | N/A | .text | JMP QWORD PTR [RIP+0x1894E] |
| 608A | N/A | .text | JMP QWORD PTR [RIP+0x18950] |
| 6090 | N/A | .text | JMP QWORD PTR [RIP+0x18952] |
| 6096 | N/A | .text | JMP QWORD PTR [RIP+0x18954] |
| 609C | N/A | .text | JMP QWORD PTR [RIP+0x1862E] |
| 60A2 | N/A | .text | JMP QWORD PTR [RIP+0x18630] |
| 60A8 | N/A | .text | JMP QWORD PTR [RIP+0x18632] |
| 60AE | N/A | .text | JMP QWORD PTR [RIP+0x18634] |
| 60B4 | N/A | .text | JMP QWORD PTR [RIP+0x18636] |
| 60BA | N/A | .text | JMP QWORD PTR [RIP+0x18638] |
| 60C0 | N/A | .text | JMP QWORD PTR [RIP+0x1863A] |
| 60C6 | N/A | .text | JMP QWORD PTR [RIP+0x1863C] |
| 60CC | N/A | .text | JMP QWORD PTR [RIP+0x1863E] |
| 60D2 | N/A | .text | JMP QWORD PTR [RIP+0x18640] |
| 60D8 | N/A | .text | JMP QWORD PTR [RIP+0x18642] |
| 60DE | N/A | .text | JMP QWORD PTR [RIP+0x18644] |
| 60E4 | N/A | .text | JMP QWORD PTR [RIP+0x18646] |
| 60EA | N/A | .text | JMP QWORD PTR [RIP+0x18648] |
| 60F0 | N/A | .text | JMP QWORD PTR [RIP+0x1864A] |
| 60F6 | N/A | .text | JMP QWORD PTR [RIP+0x18834] |
| 60FC | N/A | .text | JMP QWORD PTR [RIP+0x18856] |
| 6102 | N/A | .text | JMP QWORD PTR [RIP+0x18858] |
| 6115 | N/A | .text | CALL QWORD PTR [RIP+0x186D5] |
| 6124 | N/A | .text | CALL QWORD PTR [RIP+0x186CE] |
| 6152 | N/A | .text | JMP QWORD PTR [RIP+0x186A8] |
| 6160 | N/A | .text | JMP QWORD PTR [RIP+0x186A2] |
| 617F | N/A | .text | CALL QWORD PTR [RIP+0x1868B] |
| 61AF | N/A | .text | CALL QWORD PTR [RIP+0x1863B] |
| 61D4 | N/A | .text | CALL QWORD PTR [RIP+0x18636] |
| 61E9 | N/A | .text | CALL QWORD PTR [RIP+0x18611] |
| 621B | N/A | .text | CALL QWORD PTR [RIP+0x185F7] |
| 6228 | N/A | .text | CALL QWORD PTR [RIP+0x185C2] |
| 624B | N/A | .text | CALL QWORD PTR [RIP+0x185A7] |
| 6273 | N/A | .text | JMP QWORD PTR [RIP+0x18587] |
| 62AB | N/A | .text | CALL QWORD PTR [RIP+0x1856F] |
| 62C4 | N/A | .text | CALL QWORD PTR [RIP+0x18526] |
| 62DC | N/A | .text | CALL QWORD PTR [RIP+0x1852E] |
| 62E9 | N/A | .text | CALL QWORD PTR [RIP+0x18509] |
| 633C | N/A | .text | CALL QWORD PTR [RIP+0x184BE] |
| 6372 | N/A | .text | CALL QWORD PTR [RIP+0x18630] |
| 638A | N/A | .text | JMP QWORD PTR [RIP+0x18498] |
| 63D1 | N/A | .text | CALL QWORD PTR [RIP+0x18459] |
| 640B | N/A | .text | CALL QWORD PTR [RIP+0x1841F] |
| 6B23 | N/A | .text | CALL QWORD PTR [RIP+0x17D0F] |
| 6C05 | N/A | .text | CALL QWORD PTR [RIP+0x17C35] |
| 6E14 | N/A | .text | CALL QWORD PTR [RIP+0x17BE6] |
| 760A | N/A | .text | CALL QWORD PTR [RIP+0x173F8] |
| 763F | N/A | .text | CALL QWORD PTR [RIP+0x173C3] |
| 766D | N/A | .text | CALL QWORD PTR [RIP+0x17395] |
| 7678 | N/A | .text | CALL QWORD PTR [RIP+0x1738A] |
| 770C | N/A | .text | CALL QWORD PTR [RIP+0x172F6] |
| 7717 | N/A | .text | CALL QWORD PTR [RIP+0x172EB] |
| A551 | N/A | .text | CALL QWORD PTR [RIP+0x145C9] |
| A559 | N/A | .text | CALL QWORD PTR [RIP+0x14459] |
| A59F | N/A | .text | CALL QWORD PTR [RIP+0x1446B] |
| A5F0 | N/A | .text | CALL QWORD PTR [RIP+0x14242] |
| A631 | N/A | .text | CALL QWORD PTR [RIP+0x14209] |
| A664 | N/A | .text | CALL QWORD PTR [RIP+0x143AE] |
| A68D | N/A | .text | CALL QWORD PTR [RIP+0x1438D] |
| A69D | N/A | .text | CALL QWORD PTR [RIP+0x14385] |
| A6B5 | N/A | .text | CALL QWORD PTR [RIP+0x1417D] |
| A6CB | N/A | .text | CALL QWORD PTR [RIP+0x1435F] |
| A6E6 | N/A | .text | CALL QWORD PTR [RIP+0x1434C] |
| A6F6 | N/A | .text | CALL QWORD PTR [RIP+0x14344] |
| A70C | N/A | .text | CALL QWORD PTR [RIP+0x14336] |
| A7A6 | N/A | .text | CALL QWORD PTR [RIP+0x14364] |
| A7E2 | N/A | .text | CALL QWORD PTR [RIP+0x14268] |
| A7F3 | N/A | .text | CALL QWORD PTR [RIP+0x1425F] |
| A81D | N/A | .text | CALL QWORD PTR [RIP+0x1423D] |
| A849 | N/A | .text | CALL QWORD PTR [RIP+0x14219] |
| A85C | N/A | .text | CALL QWORD PTR [RIP+0x141D6] |
| A87B | N/A | .text | CALL QWORD PTR [RIP+0x141EF] |
| A88B | N/A | .text | CALL QWORD PTR [RIP+0x141DF] |
| A8E0 | N/A | .text | CALL QWORD PTR [RIP+0x14192] |
| A8FE | N/A | .text | CALL QWORD PTR [RIP+0x1417C] |
| A94E | N/A | .text | CALL QWORD PTR [RIP+0x14124] |
| A96C | N/A | .text | CALL QWORD PTR [RIP+0x14116] |
| A9C9 | N/A | .text | CALL QWORD PTR [RIP+0x140A9] |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 82377 | 63,8463% |
| Null Byte Code | 19434 | 15,0623% |