PESCAN.IO - Analysis Report Basic

File Structure
PE chart colour code: PE header (light blue); executable sections (pink); non-executable sections (black); externally injected code (red); a file structure drawn in red means a malformed or corrupted header.
Chart code for other file types: printable characters (blue); non-printable characters (black).
Information
• Size: 83.00 KB (84,992 bytes = 0x14C00, which is exactly the end of .rsrc: ROffset 12400 + RSize 2800)
• SHA-256: EC35774A85572387AEF98CFD029FF79632B37A62A485E0367D961881372D550D
• SHA-1: 77857E29D800F7D7118A20F42F0E6C26172838D4
• MD5: 4F3A79345AB21DCF7F799735BDA4CEF3
• Imphash: 6C58D5790EE7BAB93B5571AE4B2D2C46
• MajorOSVersion: 4, MinorOSVersion: 0
• CheckSum: 000150D9
• EntryPoint (RVA): 14A0
• SizeOfHeaders: 400
• SizeOfImage: 1B000
• ImageBase: 400000
• Architecture: x86
• ImportTable: 15000, IAT: 15224
• Characteristics: 30F (RELOCS_STRIPPED | EXECUTABLE_IMAGE | LINE_NUMS_STRIPPED | LOCAL_SYMS_STRIPPED | 32BIT_MACHINE | DEBUG_STRIPPED)
• TimeDateStamp: 61562B46 (30/09/2021 21:25:26 UTC)
• File Type: EXE
• Number Of Sections: 9 (.text, .data, .rdata, .eh_fram, .bss, .idata, .CRT, .tls, .rsrc)
• Number Of Executable Sections: 1
• ASLR: Disabled (the relocation table is stripped, so the loader cannot rebase the image away from 400000)
• Subsystem: Windows Console
• UAC Execution Level Manifest: asInvoker
Sections Info
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60500060 Code, Initialized Data, Executable, Readable | 400 | AC00 | 1000 | AA14 | | |
| .data | 0xC0300040 Initialized Data, Readable, Writeable | B000 | 200 | C000 | 5C | | |
| .rdata | 0x40600040 Initialized Data, Readable | B200 | 4600 | D000 | 44E0 | | |
| .eh_fram | 0x40300040 Initialized Data, Readable | F800 | 1C00 | 12000 | 1A90 | | |
| .bss | 0xC0600080 Uninitialized Data, Readable, Writeable | 0 | 0 | 14000 | F08 | | |
| .idata | 0xC0300040 Initialized Data, Readable, Writeable | 11400 | C00 | 15000 | BE0 | | |
| .CRT | 0xC0300040 Initialized Data, Readable, Writeable | 12000 | 200 | 16000 | 34 | | |
| .tls | 0xC0300040 Initialized Data, Readable, Writeable | 12200 | 200 | 17000 | 8 | | |
| .rsrc | 0xC0300040 Initialized Data, Readable, Writeable | 12400 | 2800 | 18000 | 2668 | | |
All offsets and sizes are hexadecimal; the Entropy and Chi2 columns were left empty by the report. Only .text is executable. The 0x00n00000 bits of the Flags value are the IMAGE_SCN_ALIGN_* hints (for example 0x00500000 = ALIGN_16BYTES), which matter for object files, not for a linked image. A writable .idata and .rsrc is common in GNU ld output and is not by itself a sign of tampering.
Description
FileVersion: 0.0.0.0; ProductVersion: 0.0.0.0; Language: Unknown (ID=0x0); CodePage: Unicode (UTF-16 LE) (0x4B0)
Entry Point
The entry point (RVA 14A0) lies in section 1 (.text). Calculated file offset: 8A0 (14A0 - VOffset 1000 + ROffset 400).
Code (first 50 bytes): 83EC0CC705F844410000000000E81E44000083C40CE996FCFFFF8DB60000000083EC1C8B442420890424E859A1000085C00F
Disassembly:
• SUB ESP, 0xC
• MOV DWORD PTR [0x4144F8], 0 (0x4144F8 is in .bss, VA 414000-414F08)
• CALL 0x5430
• ADD ESP, 0xC
• JMP 0xCB0
• LEA ESI, [ESI]
• SUB ESP, 0x1C
• MOV EAX, DWORD PTR [ESP + 0x20]
• MOV DWORD PTR [ESP], EAX
• CALL 0xB188
• TEST EAX, EAX
Caveat: the disassembler placed the first entry-point byte at 0x1000 instead of at RVA 0x14A0, so every branch target shown is 0x4A0 lower than its true RVA. Decoding the rel32 displacements gives CALL 0x5430 = RVA 0x58D0 (VA 0x4058D0), JMP 0xCB0 = RVA 0x1150 (VA 0x401150) and CALL 0xB188 = RVA 0xB628 (VA 0x40B628); all three fall inside .text (RVA 1000-BA14), so none of the entry-point control flow leaves the code section.
Signatures
Certificate - Digital Signature Not Found: • The file is not signed
Packer/Compiler
Detect It Easy (die): • PE: linker: GNU linker ld (GNU Binutils) (2.32) [-] • Entropy: 6.42562
Suspicious Functions
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleFileNameA | Retrieves the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
The LoadLibraryA/GetProcAddress pair is what a packer's stub uses to resolve imports at run time, but it is also what any self-extracting loader needs. Read together with the strings further down (parl.exe, perl532.dll, par-%s, cache-%s, PAR::Packer::VERSION 1.052), these imports are consistent with a PAR::Packer (pp) bootstrap that extracts and loads the Perl runtime DLL at start-up, rather than with a bespoke packer.
File Access
.exe perl.exe parl.exe perl532.dll KERNEL32.dll ADVAPI32.dll msvcrt.dll libgcc_s_dw2-1.dll .dat Temp WinDir
File Access (UNICODE)
msvcrt.dll
Words of Interest
exec attrib start ping
Strings/Hex Code Found With The File Rules
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Stealth (VirtualProtect) |
| Entry Point | Hex Pattern | XE Executable Image (using DOSExtender) |
Resources
Resource type 24 (the \24\1\1033 entry) is RT_MANIFEST; its XML body is the asInvoker manifest reported under Information.
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\1033 | 181D0 | 568 | 125D0 | 2800000010000000200000000100080000000000000100000000000000000000000100000001000006060600040404000202 | (....... ......................................... |
| \ICON\2\1033 | 18738 | 8A8 | 12B38 | 2800000020000000400000000100080000000000000400000000000000000000000100000001000000000000010101000202 | (... ...@......................................... |
| \ICON\3\1033 | 18FE0 | 568 | 133E0 | 2800000010000000200000000100080000000000000100000000000000000000000100000001000006060600040404000202 | (....... ......................................... |
| \ICON\4\1033 | 19548 | 8A8 | 13948 | 2800000020000000400000000100080000000000000400000000000000000000000100000001000000000000010101000202 | (... ...@......................................... |
| \GROUP_ICON\WINEXE\1033 | 19DF0 | 3E | 141F0 | 00000100040010100000010008006805000001002020000001000800A8080000020010100000010008006805000003002020000001000800A80800000400 | ..............h..... ....................h..... ............ |
| \VERSION\1\1033 | 19E30 | 258 | 14230 | 580234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | X.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\1033 | 1A088 | 5DA | 14488 | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="UTF-8" standalone="y |
Intelligent String
• 0.0.0.0
• msvcrt.dll
• @0@.bss
• .CRT
• .tls
• C:\TEMPTMPDIRTEMPDIRTEMPTMPUSERNAME%02xWinDir%s\temppar-%s%s%s%sPATHparl.exe.par%s%scache-%s%s%s%stemp-%u%s%s%stemp-%u-%u%sperl.exe0PAR::Packer::VERSION1.052
• $0 [ -B|-b ] [-Ooutfile] src.par
• qw( C:\\TEMP /tmp . )
• WideCharToMultiBytePL_do_undump
• libgcc_s_dw2-1.dll
• ADVAPI32.dll
• KERNEL32.dll
• perl532.dll
Flow Anomalies
For the CALL/JMP [static] rows the RVA column holds the absolute target address (VA). Every target in the range 415224-4153B8 lies inside the import address table (IAT RVA 15224, inside .idata at VA 415000-415BE0), so these entries are ordinary calls through IAT slots, and the run of JMP [static] rows at an 8-byte stride (A970-AA78, AB90-ABA8) is the import thunk table that GNU ld emits. The one JMP at AB80 goes through a pointer held in .data (VA 40C050) and is the only indirect branch whose target is not an import slot. The two TLS callbacks registered from .CRT resolve into .text (405A60 = file offset 4E60, 405A10 = file offset 4E10).
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 623 | 415354 | .text | CALL [static] | Indirect call to absolute memory address |
| 833 | 415330 | .text | CALL [static] | Indirect call to absolute memory address |
| 8F0 | 415324 | .text | CALL [static] | Indirect call to absolute memory address |
| 906 | 415348 | .text | CALL [static] | Indirect call to absolute memory address |
| 9B4 | 41530C | .text | CALL [static] | Indirect call to absolute memory address |
| B11 | 415284 | .text | CALL [static] | Indirect call to absolute memory address |
| BA2 | 41526C | .text | CALL [static] | Indirect call to absolute memory address |
| C45 | 415270 | .text | CALL [static] | Indirect call to absolute memory address |
| C5A | 415268 | .text | CALL [static] | Indirect call to absolute memory address |
| C67 | 415288 | .text | CALL [static] | Indirect call to absolute memory address |
| CA9 | 415324 | .text | CALL [static] | Indirect call to absolute memory address |
| CB7 | 415298 | .text | CALL [static] | Indirect call to absolute memory address |
| CD5 | 41530C | .text | CALL [static] | Indirect call to absolute memory address |
| CE1 | 415298 | .text | CALL [static] | Indirect call to absolute memory address |
| E31 | 415398 | .text | CALL [static] | Indirect call to absolute memory address |
| E7F | 415320 | .text | CALL [static] | Indirect call to absolute memory address |
| 1514 | 4152FC | .text | CALL [static] | Indirect call to absolute memory address |
| 1793 | 415264 | .text | CALL [static] | Indirect call to absolute memory address |
| 1DDE | 415388 | .text | CALL [static] | Indirect call to absolute memory address |
| 1E71 | 415380 | .text | CALL [static] | Indirect call to absolute memory address |
| 1EA9 | 415390 | .text | CALL [static] | Indirect call to absolute memory address |
| 1ED3 | 415380 | .text | CALL [static] | Indirect call to absolute memory address |
| 4BF0 | 4153B0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 4BF8 | 4153AC | .text | JMP [static] | Indirect jump to absolute memory address |
| 4CB0 | 415244 | .text | JMP [static] | Indirect jump to absolute memory address |
| 4D09 | 415334 | .text | CALL [static] | Indirect call to absolute memory address |
| 4D1A | 415314 | .text | CALL [static] | Indirect call to absolute memory address |
| 4D22 | 415318 | .text | CALL [static] | Indirect call to absolute memory address |
| 4D2A | 415338 | .text | CALL [static] | Indirect call to absolute memory address |
| 4D39 | 415350 | .text | CALL [static] | Indirect call to absolute memory address |
| 4DCF | 415354 | .text | CALL [static] | Indirect call to absolute memory address |
| 4DDF | 415364 | .text | CALL [static] | Indirect call to absolute memory address |
| 4DE8 | 415310 | .text | CALL [static] | Indirect call to absolute memory address |
| 4DF9 | 41535C | .text | CALL [static] | Indirect call to absolute memory address |
| 509D | 41536C | .text | CALL [static] | Indirect call to absolute memory address |
| 50F7 | 415368 | .text | CALL [static] | Indirect call to absolute memory address |
| 5104 | 41531C | .text | CALL [static] | Indirect call to absolute memory address |
| 558E | 415308 | .text | CALL [static] | Indirect call to absolute memory address |
| 55DC | 415344 | .text | CALL [static] | Indirect call to absolute memory address |
| 563E | 415308 | .text | CALL [static] | Indirect call to absolute memory address |
| 565C | 415344 | .text | CALL [static] | Indirect call to absolute memory address |
| 56A7 | 415308 | .text | CALL [static] | Indirect call to absolute memory address |
| 56D8 | 415344 | .text | CALL [static] | Indirect call to absolute memory address |
| 579C | 415304 | .text | CALL [static] | Indirect call to absolute memory address |
| 57D7 | 41533C | .text | CALL [static] | Indirect call to absolute memory address |
| 5B60 | 415228 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5B68 | 415224 | .text | JMP [static] | Indirect jump to absolute memory address |
| 9818 | 415308 | .text | CALL [static] | Indirect call to absolute memory address |
| 990E | 415344 | .text | CALL [static] | Indirect call to absolute memory address |
| 99F7 | 415344 | .text | CALL [static] | Indirect call to absolute memory address |
| 9D42 | 415344 | .text | CALL [static] | Indirect call to absolute memory address |
| 9DC8 | 415344 | .text | CALL [static] | Indirect call to absolute memory address |
| A3F4 | 415340 | .text | CALL [static] | Indirect call to absolute memory address |
| A437 | 41534C | .text | CALL [static] | Indirect call to absolute memory address |
| A4DB | 41534C | .text | CALL [static] | Indirect call to absolute memory address |
| A7A3 | 415370 | .text | CALL [static] | Indirect call to absolute memory address |
| A970 | 4152F4 | .text | JMP [static] | Indirect jump to absolute memory address |
| A978 | 4152F0 | .text | JMP [static] | Indirect jump to absolute memory address |
| A980 | 4152EC | .text | JMP [static] | Indirect jump to absolute memory address |
| A988 | 4152E8 | .text | JMP [static] | Indirect jump to absolute memory address |
| A990 | 4152E4 | .text | JMP [static] | Indirect jump to absolute memory address |
| A998 | 4152E0 | .text | JMP [static] | Indirect jump to absolute memory address |
| A9A0 | 4152DC | .text | JMP [static] | Indirect jump to absolute memory address |
| A9A8 | 4152D8 | .text | JMP [static] | Indirect jump to absolute memory address |
| A9B0 | 4152D4 | .text | JMP [static] | Indirect jump to absolute memory address |
| A9B8 | 4152D0 | .text | JMP [static] | Indirect jump to absolute memory address |
| A9C0 | 4152CC | .text | JMP [static] | Indirect jump to absolute memory address |
| A9C8 | 4152C4 | .text | JMP [static] | Indirect jump to absolute memory address |
| A9D0 | 4152C0 | .text | JMP [static] | Indirect jump to absolute memory address |
| A9D8 | 4152BC | .text | JMP [static] | Indirect jump to absolute memory address |
| A9E0 | 4152B8 | .text | JMP [static] | Indirect jump to absolute memory address |
| A9E8 | 4152B4 | .text | JMP [static] | Indirect jump to absolute memory address |
| A9F0 | 4152B0 | .text | JMP [static] | Indirect jump to absolute memory address |
| A9F8 | 4152AC | .text | JMP [static] | Indirect jump to absolute memory address |
| AA00 | 4152A8 | .text | JMP [static] | Indirect jump to absolute memory address |
| AA08 | 4152A4 | .text | JMP [static] | Indirect jump to absolute memory address |
| AA10 | 41529C | .text | JMP [static] | Indirect jump to absolute memory address |
| AA18 | 415294 | .text | JMP [static] | Indirect jump to absolute memory address |
| AA20 | 41528C | .text | JMP [static] | Indirect jump to absolute memory address |
| AA28 | 415280 | .text | JMP [static] | Indirect jump to absolute memory address |
| AA30 | 415274 | .text | JMP [static] | Indirect jump to absolute memory address |
| AA38 | 415264 | .text | JMP [static] | Indirect jump to absolute memory address |
| AA40 | 41525C | .text | JMP [static] | Indirect jump to absolute memory address |
| AA48 | 415258 | .text | JMP [static] | Indirect jump to absolute memory address |
| AA50 | 415254 | .text | JMP [static] | Indirect jump to absolute memory address |
| AA58 | 415250 | .text | JMP [static] | Indirect jump to absolute memory address |
| AA60 | 41524C | .text | JMP [static] | Indirect jump to absolute memory address |
| AA68 | 415248 | .text | JMP [static] | Indirect jump to absolute memory address |
| AA70 | 41523C | .text | JMP [static] | Indirect jump to absolute memory address |
| AA78 | 415238 | .text | JMP [static] | Indirect jump to absolute memory address |
| AB0C | 415328 | .text | CALL [static] | Indirect call to absolute memory address |
| AB80 | 40C050 | .text | JMP [static] | Indirect jump to absolute memory address |
| AB90 | 4152C8 | .text | JMP [static] | Indirect jump to absolute memory address |
| AB98 | 4152A0 | .text | JMP [static] | Indirect jump to absolute memory address |
| ABA0 | 415230 | .text | JMP [static] | Indirect jump to absolute memory address |
| ABA8 | 41522C | .text | JMP [static] | Indirect jump to absolute memory address |
| ABD5 | 4153A4 | .text | CALL [static] | Indirect call to absolute memory address |
| ABEB | 4153B4 | .text | CALL [static] | Indirect call to absolute memory address |
| AC01 | 4153B8 | .text | CALL [static] | Indirect call to absolute memory address |
| AC46 | 41539C | .text | CALL [static] | Indirect call to absolute memory address |
| 12020 | 5A60 | .CRT | TLS Callback | Pointer to 405A60 - 0x4E60 .text |
| 12024 | 5A10 | .CRT | TLS Callback | Pointer to 405A10 - 0x4E10 .text |
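The arithmetic behind the Entry Point and Flow Anomalies sections, as an added example (editor's code, not PESCAN.IO's): the section table, ImageBase, entry-point RVA, IAT RVA and Characteristics are copied from this report, and the entry-point bytes are the 50 bytes printed above. The two trailing instructions (call [0x415354] and jmp [0x40C050]) are constructed to exercise the indirect-branch check; they are not bytes from the sample. The sweep decodes E8/E9 rel32 branches to show the true RVAs the disassembly listing hides, and resolves FF 15 / FF 25 absolute targets to a section and to the IAT range.

```python
"""Address arithmetic for a PE section table: RVA -> file offset, section lookup,
and classification of direct and indirect branch targets (added example)."""
from dataclasses import dataclass

IMAGE_BASE = 0x400000          # ImageBase from the report
ENTRY_RVA = 0x14A0             # EntryPoint (RVA)
IAT_RVA = 0x15224              # IAT directory RVA
CHARACTERISTICS = 0x30F        # IMAGE_FILE_HEADER.Characteristics
SECTION_ALIGN = 0x1000         # every VOffset in the table is 0x1000-aligned
IMAGE_FILE_RELOCS_STRIPPED = 0x0001


@dataclass(frozen=True)
class Section:
    name: str
    raw_off: int   # ROffset
    raw_size: int  # RSize
    va: int        # VOffset (RVA)
    vsize: int     # VSize

    @property
    def va_end(self) -> int:
        # the loader reserves VSize rounded up to SectionAlignment
        return self.va + ((self.vsize + SECTION_ALIGN - 1) & ~(SECTION_ALIGN - 1))


SECTIONS = [  # Sections Info table from the report, verbatim
    Section(".text",    0x400,   0xAC00, 0x1000,  0xAA14),
    Section(".data",    0xB000,  0x200,  0xC000,  0x5C),
    Section(".rdata",   0xB200,  0x4600, 0xD000,  0x44E0),
    Section(".eh_fram", 0xF800,  0x1C00, 0x12000, 0x1A90),
    Section(".bss",     0x0,     0x0,    0x14000, 0xF08),
    Section(".idata",   0x11400, 0xC00,  0x15000, 0xBE0),
    Section(".CRT",     0x12000, 0x200,  0x16000, 0x34),
    Section(".tls",     0x12200, 0x200,  0x17000, 0x8),
    Section(".rsrc",    0x12400, 0x2800, 0x18000, 0x2668),
]


def section_for_rva(rva: int):
    """Section whose mapped range contains rva, or None."""
    for s in SECTIONS:
        if s.va <= rva < s.va_end:
            return s
    return None


def rva_to_offset(rva: int):
    """File offset backing an RVA; None when the RVA is not file-backed (e.g. .bss)."""
    s = section_for_rva(rva)
    if s is None or s.raw_size == 0:
        return None
    delta = rva - s.va
    return s.raw_off + delta if delta < s.raw_size else None


def relocs_stripped() -> bool:
    """Without a relocation table the image cannot be rebased: 'ASLR: Disabled'."""
    return bool(CHARACTERISTICS & IMAGE_FILE_RELOCS_STRIPPED)


def scan_branches(code: bytes, code_rva: int):
    """Linear sweep for E8/E9 (call/jmp rel32) and FF 15 / FF 25 (call/jmp [abs32]).

    A linear sweep can misfire on data or on the tail of a longer instruction;
    the report's own tool disassembles properly. This only shows the arithmetic.
    """
    idata = next(s for s in SECTIONS if s.name == ".idata")
    hits, i = [], 0
    while i < len(code):
        b = code[i]
        if b in (0xE8, 0xE9) and i + 5 <= len(code):
            rel = int.from_bytes(code[i + 1:i + 5], "little", signed=True)
            target_rva = (code_rva + i + 5 + rel) & 0xFFFFFFFF   # relative to next insn
            kind, size = ("call" if b == 0xE8 else "jmp"), 5
        elif b == 0xFF and i + 6 <= len(code) and code[i + 1] in (0x15, 0x25):
            target_va = int.from_bytes(code[i + 2:i + 6], "little")
            target_rva = target_va - IMAGE_BASE                  # absolute slot address
            kind, size = ("call [abs]" if code[i + 1] == 0x15 else "jmp [abs]"), 6
        else:
            i += 1
            continue
        sec = section_for_rva(target_rva)
        hits.append({
            "rva": code_rva + i,
            "kind": kind,
            "target_rva": target_rva,
            "target_section": sec.name if sec else None,
            # a branch through a slot inside the IAT is an ordinary imported-function
            # call, not evidence of injected code
            "in_iat": IAT_RVA <= target_rva < idata.va + idata.vsize,
        })
        i += size
    return hits


ENTRY_BYTES = bytes.fromhex(   # the 50 entry-point bytes printed in the report
    "83EC0CC705F844410000000000E81E44000083C40CE996FCFFFF8DB60000000083EC1C"
    "8B442420890424E859A1000085C00F")
# constructed tail (NOT from the sample): call [0x415354] then jmp [0x40C050],
# two target addresses taken from the Flow Anomalies table
SAMPLE_CODE = ENTRY_BYTES + bytes.fromhex("FF1554534100") + bytes.fromhex("FF2550C04000")

if __name__ == "__main__":
    print(f"entry RVA {ENTRY_RVA:#x} -> file offset {rva_to_offset(ENTRY_RVA):#x}")
    print(f"relocations stripped (no ASLR): {relocs_stripped()}")
    for h in scan_branches(SAMPLE_CODE, ENTRY_RVA):
        print(f"{h['rva']:#07x} {h['kind']:<11} -> {h['target_rva']:#07x} "
              f"{h['target_section']} in_iat={h['in_iat']}")
```

Running it prints the three entry-point branches at their real RVAs (0x58D0, 0x1150, 0xB628, all in .text) and classifies the constructed indirect branches as an IAT call (.idata) and a jump through a .data pointer, which is the distinction the Flow Anomalies table leaves to the reader.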
Extra Analysis
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 54664 | 64.3166% |
| Null Byte Code | 15221 | 17.9087% |
| NOP Cave Found (0x9090909090) | Block Count: 37 | Total: 0.1088% |
© 2026 All rights reserved.