PESCAN.IO - Analysis Report Basic

File Structure
PE chart (image not reproduced here). Legend for PE files: header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red denotes a malformed or corrupted header. Legend for other file types: printable characters (blue), non-printable characters (black).
Information

All address and size fields are hexadecimal.

• Size: 80.00 KB (81,920 bytes)
• SHA-256: B48C24AC602E4ADBBA8533BBBCE356320142202DCBA05F6D5153E6FBDE6E9C17
• SHA-1: 88852507749508B686800C6B5EC6B83C580B2213
• MD5: 5111FF0F448F1D2A866E0C29BA4C76EF
• Imphash: DC73A9BD8DE0FD640549C85AC4089B87
• MajorOSVersion: 5, MinorOSVersion: 0
• CheckSum: 0000ECDD
• EntryPoint (RVA): 102B
• SizeOfHeaders: 400
• SizeOfImage: 19000
• ImageBase: 400000
• Architecture: x86
• ImportTable: 2050
• IAT: 2000
• Characteristics: 102 (EXECUTABLE_IMAGE | 32BIT_MACHINE)
• TimeDateStamp: 50D4CDC2 (21/12/2012 20:59:46)
• File Type: EXE
• Number Of Sections: 5
• ASLR: Enabled
• Section Names: .text, .rdata, .data, .rsrc, .reloc
• Number Of Executable Sections: 1
• Subsystem: Windows GUI
Sections Info

All offsets and sizes are hexadecimal.

| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 400 | 200 | 1000 | 1F6 | | |
| .rdata | 0x40000040 Initialized Data Readable | 600 | 200 | 2000 | 1D8 | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | 800 | 200 | 3000 | 34 | | |
| .rsrc | 0x40000040 Initialized Data Readable | A00 | 13400 | 4000 | 13204 | | |
| .reloc | 0x42000040 Initialized Data GP-Relative Readable | 13E00 | 200 | 18000 | 52 | | |
Entry Point

The entry point lies in section 1 (.text): RVA 102B, file offset (calculated) 42B.

Bytes at the entry point:

```
E8070000006A00E805010000558BEC81C4F4FBFFFF5657536A00E804010000A330304000C745F8000000006A0A6800304000
```

Disassembly as reported by the tool:

```asm
CALL 0x100C
PUSH 0
CALL 0x1111
PUSH EBP
MOV EBP, ESP
ADD ESP, 0xFFFFFBF4
PUSH ESI
PUSH EDI
PUSH EBX
PUSH 0
CALL 0x1123
MOV DWORD PTR [0x403030], EAX
MOV DWORD PTR [EBP - 8], 0
PUSH 0xA
PUSH 0x403000
```

Caveat on the addresses: the relative CALL targets were resolved as if the first byte sat at 0x1000 (the .text VOffset) rather than at the real entry-point RVA 0x102B, so add 0x2B to each of them (CALL 0x100C is really CALL RVA 0x1037, CALL 0x1111 is 0x113C, CALL 0x1123 is 0x114E) and 0x400000 for virtual addresses. The absolute operands [0x403030] and 0x403000 are already virtual addresses and need no adjustment; both fall in .data (RVA 3000). ADD ESP, 0xFFFFFBF4 is ADD ESP, -0x40C, i.e. a 0x40C-byte local frame, consistent with an ordinary compiler-generated prologue rather than a packer stub.
Signatures

• CheckSum integrity problem: header value 60637 (0xECDD, matching the CheckSum field above); calculated value 121795 (0x1DBC3). A non-zero stored checksum that no longer matches means the image bytes changed after the field was written (or the value was never valid); the Windows loader ignores the checksum for ordinary user-mode executables, so the file still runs, but the mismatch is a useful hint that the file was patched or re-packaged after linking.
• Rich signature analyzer: code -> 69916DC22DF003912DF003912DF00391D1D011912CF0039142869F912EF003912DF002913CF0039142869D912CF00391428699912CF0039142869E912CF00391526963682DF00391; footprint MD5 -> 57C4CF2498F70CE022452597E1647082; the Rich header apparently has not been modified.
• Certificate / digital signature: not found; the file is not signed.
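The checksum mismatch reported above can be reproduced with the Windows image-checksum algorithm. The block below is an added example, not pescan.io's code: it implements the summation CheckSumMappedFile() performs (32-bit words with carry folding, the stored CheckSum dword excluded, folded to 16 bits, plus the file length) and runs it on a constructed 512-byte header stub, since the analysed file itself is not part of this page.

```python
"""PE image checksum: recompute, compare with the stored field, and fix.

Added example (not pescan.io's code). The sample image built by
build_sample_image() is a constructed minimal header, not the analysed file.
"""
import struct


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum, located via e_lfanew."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # PE signature (4) + IMAGE_FILE_HEADER (20) + CheckSum at optional-header offset 64
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data: bytes, field_offset: int) -> int:
    """Checksum of `data` with the dword at `field_offset` excluded from the sum."""
    if field_offset % 4:
        raise ValueError("CheckSum field must be dword-aligned for this summation")
    padded = data + b"\0" * (-len(data) % 4)      # trailing bytes are zero-padded
    total = 0
    for off in range(0, len(padded), 4):
        if off == field_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)   # fold the 32-bit carry
    total = (total & 0xFFFF) + (total >> 16)           # fold to 16 bits
    total += total >> 16
    total &= 0xFFFF
    return total + len(data)                           # original length, not padded


def verify_checksum(data: bytes):
    """Return (stored, calculated, ok), the comparison the report performs."""
    off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    calculated = pe_checksum(data, off)
    return stored, calculated, stored == calculated


def set_checksum(data: bytes) -> bytes:
    """Return a copy of the image with the correct checksum written into the field."""
    off = checksum_field_offset(data)
    buf = bytearray(data)
    struct.pack_into("<I", buf, off, pe_checksum(data, off))
    return bytes(buf)


def build_sample_image(stored_checksum: int) -> bytes:
    """Constructed 512-byte stub: MZ header, PE signature, COFF header and a PE32
    optional header with only a few fields set. Not a loadable executable."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)            # e_lfanew -> PE header at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x44, 0x014C, 1)      # Machine i386, NumberOfSections 1
    struct.pack_into("<HH", buf, 0x54, 0xE0, 0x0102)   # SizeOfOptionalHeader, Characteristics
    struct.pack_into("<H", buf, 0x58, 0x010B)          # PE32 magic
    struct.pack_into("<I", buf, 0x40 + 4 + 20 + 64, stored_checksum)
    return bytes(buf)


if __name__ == "__main__":
    img = build_sample_image(0)
    stored, calc, ok = verify_checksum(img)
    print(f"stored={stored} calculated={calc} ok={ok}")
    print("after set_checksum:", verify_checksum(set_checksum(img)))
```

Running verify_checksum() on the real file should return (60637, 121795, False) if the tool's computation is the standard one; a stored value of 0 means the linker never wrote a checksum (MSVC only does so with /RELEASE), which is a different situation from a stale non-zero value like this one.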
Packer/Compiler

Detect It Easy (DIE):

• PE: patcher: dUP diablo2oo2's Universal Patcher (2.0)
• PE: compiler: Microsoft Visual C/C++ (2010)
• PE: linker: Microsoft Linker (10.0)
• Entropy: 7.65596 (whole file)

The entropy figure is for the whole file and is dominated by .rsrc, which holds 0x13400 of the file's 0x14000 bytes; .text is only 0x200 bytes and disassembles cleanly at the entry point, so the high value reflects the embedded resource payload, not a packed code section.
Suspicious Functions
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | RtlMoveMemory | Moves a block of memory to another location. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
| KERNEL32.DLL | DeleteFileA | Deletes an existing file. |
File Access

• \dup2patcher.dll
• kernel32.dll
• @.dat
• Temp

Words of Interest

• PADDINGX
• exec
Strings/Hex Code Matching File Rules
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Entry Point | Hex Pattern | Borland Delphi 4.0 |
| Entry Point | Hex Pattern | MASM/TASM - sig1(h) |
| Entry Point | Hex Pattern | MASM/TASM - sig4 (h) |
| Entry Point | Hex Pattern | Metasploit Shellcode - Reverse TCP x86 |
| Entry Point | Hex Pattern | PE Diminisher v0.1 |
| Entry Point | Hex Pattern | TrueVision Targa Graphics format |

The six entry-point hex-pattern hits name mutually exclusive origins for the same bytes (a Delphi 4 compiler, MASM/TASM, a Metasploit reverse-TCP payload, PE Diminisher, a Targa image header), and none agrees with DIE's identification of Visual C/C++ 2010 with Linker 10.0 or with the ordinary compiler prologue seen at the entry point. Treat them as short, low-confidence byte patterns rather than as evidence of shellcode or a packer.
Resources
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\0 | 4198 | 468 | B98 | 280000001000000020000000010020000000000000000000130B0000130B0000000000000000000000000000000000000000 | (....... ..... ................................... |
| \ICON\2\0 | 4600 | 10A8 | 1000 | 280000002000000040000000010020000000000000000000130B0000130B0000000000000000000000000000000000000000 | (... ...@..... ................................... |
| \ICON\3\0 | 56A8 | 25A8 | 20A8 | 280000003000000060000000010020000000000000000000130B0000130B0000000000000000000000000000000000000000 | (...0........ ................................... |
| \RCDATA\DLL\0 | 7C50 | F200 | 4650 | A28FF4C420ADF60779BF57723FACF8F646292CA869C9983ECAF773300D6FBBC80D6BBD413EFD5E4B473C791BEB729EA3C372 | .... ...y.Wr?...F),.i..>..s0.o...k.A>.KG<y..r...r |
| \GROUP_ICON\500\0 | 16E50 | 30 | 13850 | 00000100030010100000010020006804000001002020000001002000A810000002003030000001002000A82500000300 | ............ .h..... .... .......00.... ..%.... |
| \24\1\0 | 16E80 | 382 | 13880 | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="UTF-8" standalone="y |

Resource type 24 is RT_MANIFEST, so the last entry is the application manifest. The 0xF200-byte RCDATA\DLL blob has no recognisable header in its preview and accounts for most of the file's size and entropy; together with the \dup2patcher.dll, Temp, GetTempPath, CreateFile and WriteFile references elsewhere in this report, it is the likely DLL that the patcher stub writes to disk and loads at run time.
Intelligent String

• kernel32.dll
Flow Anomalies

| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 536 | 402000 | .text | JMP [static] | Indirect jump to absolute memory address |
| 53C | 402004 | .text | JMP [static] | Indirect jump to absolute memory address |
| 542 | 402008 | .text | JMP [static] | Indirect jump to absolute memory address |
| 548 | 40200C | .text | JMP [static] | Indirect jump to absolute memory address |
| 54E | 402010 | .text | JMP [static] | Indirect jump to absolute memory address |
| 554 | 402014 | .text | JMP [static] | Indirect jump to absolute memory address |
| 55A | 402018 | .text | JMP [static] | Indirect jump to absolute memory address |
| 560 | 40201C | .text | JMP [static] | Indirect jump to absolute memory address |
| 566 | 402020 | .text | JMP [static] | Indirect jump to absolute memory address |
| 56C | 402024 | .text | JMP [static] | Indirect jump to absolute memory address |
| 572 | 402028 | .text | JMP [static] | Indirect jump to absolute memory address |
| 578 | 40202C | .text | JMP [static] | Indirect jump to absolute memory address |
| 57E | 402030 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5DE | 402034 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5E4 | 402038 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5EA | 40203C | .text | JMP [static] | Indirect jump to absolute memory address |
| 5F0 | 402040 | .text | JMP [static] | Indirect jump to absolute memory address |
| F4F | 39FF5869 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| 2A3B | FF1314 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 2BC3 | 1EFF1515 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 2C8B | 20FF2525 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| 2EBF | FF2525 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| 377F | 19FFE85D | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| 3CAB | 4DFF545D | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 3E53 | 22FF7E90 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| 3EDF | 30FF8098 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 3F9F | 36FF8198 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 412F | 2BFF7D91 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| D29B | 2BFF7D91 | .rsrc | CALL [static] | Indirect call to absolute memory address |
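The flow-anomaly rows, the entry-point offset and the resource FileOffset column all follow from the section table, and the "RVA" column above actually holds the absolute operand of each FF 25 / FF 15 instruction (0x402000 onwards for the .text rows, arbitrary values for the .rsrc rows). The block below is an added example, not pescan.io's code: the section table, ImageBase, SizeOfImage, IAT and ImportTable values are copied from this report, and the two instruction byte strings are constructed to match the first .text row (offset 536, operand 402000) and the first .rsrc row (offset F4F, operand 39FF5869). It reproduces the report's EntryPoint (calculated) and resource FileOffset values, and shows why the 17 .text hits are the compiler's import thunks (jmp dword ptr [IAT slot], IAT at RVA 2000 up to the import directory at 2050) while the .rsrc hits are opaque resource bytes decoded as code.

```python
"""Section-table address mapping and indirect-branch triage for this report.

Added example (not pescan.io's code). Section values, ImageBase, SizeOfImage,
IAT and ImportTable RVAs are taken from the report above; instruction bytes in
__main__ are constructed to match two of the Flow Anomalies rows.
"""
from dataclasses import dataclass

IMAGE_BASE = 0x400000
SIZE_OF_IMAGE = 0x19000
IAT_RVA, IMPORT_TABLE_RVA = 0x2000, 0x2050   # IAT slots precede the import directory


@dataclass(frozen=True)
class Section:
    name: str
    raw_offset: int
    raw_size: int
    virtual_offset: int
    virtual_size: int


SECTIONS = [
    Section(".text",  0x400,   0x200,   0x1000,  0x1F6),
    Section(".rdata", 0x600,   0x200,   0x2000,  0x1D8),
    Section(".data",  0x800,   0x200,   0x3000,  0x34),
    Section(".rsrc",  0xA00,   0x13400, 0x4000,  0x13204),
    Section(".reloc", 0x13E00, 0x200,   0x18000, 0x52),
]


def section_for_rva(rva: int):
    """Section whose in-memory extent covers `rva` (None if unmapped)."""
    for s in SECTIONS:
        if s.virtual_offset <= rva < s.virtual_offset + max(s.virtual_size, s.raw_size):
            return s
    return None


def section_for_offset(offset: int):
    """Section whose raw (file) extent covers `offset` (None if in headers/overlay)."""
    for s in SECTIONS:
        if s.raw_offset <= offset < s.raw_offset + s.raw_size:
            return s
    return None


def rva_to_offset(rva: int) -> int:
    s = section_for_rva(rva)
    if s is None:
        raise ValueError(f"RVA {rva:#x} is not backed by any section")
    return rva - s.virtual_offset + s.raw_offset


def offset_to_rva(offset: int) -> int:
    s = section_for_offset(offset)
    if s is None:
        raise ValueError(f"file offset {offset:#x} is not inside any section")
    return offset - s.raw_offset + s.virtual_offset


def classify_indirect_branch(file_offset: int, insn: bytes) -> dict:
    """Triage an FF 25 (jmp [abs32]) / FF 15 (call [abs32]) found at `file_offset`.

    Verdicts: 'import thunk' (code in .text jumping through an IAT slot),
    'not code' (operand outside the mapped image, i.e. data decoded as code),
    or 'review' (anything else).
    """
    if len(insn) < 6 or insn[0] != 0xFF or insn[1] not in (0x15, 0x25):
        raise ValueError("expected FF 15 (call [abs32]) or FF 25 (jmp [abs32])")
    kind = "call" if insn[1] == 0x15 else "jmp"
    target = int.from_bytes(insn[2:6], "little")
    section = section_for_offset(file_offset)
    sec_name = section.name if section else None
    if not (IMAGE_BASE <= target < IMAGE_BASE + SIZE_OF_IMAGE):
        verdict = "not code"
    elif sec_name == ".text" and IAT_RVA <= target - IMAGE_BASE < IMPORT_TABLE_RVA:
        verdict = "import thunk"
    else:
        verdict = "review"
    return {"kind": kind, "section": sec_name, "target_va": target, "verdict": verdict}


if __name__ == "__main__":
    print(f"entry point RVA 0x102B -> file offset {rva_to_offset(0x102B):#x}")   # 0x42b
    # Constructed bytes matching the first .text and first .rsrc anomaly rows.
    print(classify_indirect_branch(0x536, b"\xff\x25\x00\x20\x40\x00"))
    print(classify_indirect_branch(0xF4F, b"\xff\x25\x69\x58\xff\x39"))
```

The extent check in section_for_rva uses the larger of VirtualSize and SizeOfRawData, which is what matters here because .text's VirtualSize (1F6) is smaller than its raw size (200); a stricter loader-style check would round VirtualSize up to SectionAlignment instead.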
Extra Analysis

| Metric | Value | Percentage |
|---|---|---|
| ASCII code | 50105 | 61.1633% |
| Null byte code | 7031 | 8.5828% |