PESCAN.IO - Analysis Report

Information:
Size: 43,50 KB
SHA-256 Hash: 1DFE14E63635E47D87E96A475A04379853C1FD8F7A519F142FA6C1703900F696
SHA-1 Hash: E11918605DEC504EE67CC64C4F09092D09E37F04
MD5 Hash: 517993B1BADE0FC481154B6E260DBC54
Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744
MajorOSVersion: 4
CheckSum: 00000000
EntryPoint (rva): B85E
SizeOfHeaders: 400
SizeOfImage: 12000
ImageBase: 400000
Architecture: x86
ImportTable: B810
Characteristics: 102
TimeDateStamp: 55660E43
Date: 27/05/2015 18:34:43
File Type: EXE
Number Of Sections: 4
ASLR: Enabled
Section Names: .text, .sdata, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker
[Incomplete Binary or Compressor Packer - 28,50 KB Missing]

Sections Info:
Section Name Flags ROffset RSize VOffset VSize
.text 60000020 (Executable) 400 9A00 2000 9864
.sdata C0000040 (Writeable) 9E00 200 C000 AD
.rsrc 40000040 A000 C00 E000 A80
.reloc 42000040 AC00 200 10000 C
Description:
InternalName: Autoclick TyToos v2.exe
OriginalFilename: Autoclick TyToos v2.exe
LegalCopyright: Copyright 2015
ProductName: Autoclick Esperra
FileVersion: 1.0.0.0

Entry Point:
Section number 1 (.text) contains the Entry Point
Information -> EntryPoint (calculated) - 9C5E
Code -> FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
JMP DWORD PTR [0X402000]

Signatures:
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:
Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
AnyCPU: True
Version: v2.0
Compiler: Microsoft Visual Studio
Detect It Easy (die)
PE: library: .NET(v2.0.50727)[-]
PE: compiler: VB.NET(-)[-]
PE: linker: Microsoft Linker(8.0)[EXE32]
Entropy: 6.89722

Suspicious Functions:
Library Function Description
USER32.DLL GetAsyncKeyState Retrieves the status of a virtual key asynchronously.
File Access:
Autoclick TyToos v2.exe
mscoree.dll
Temp

File Access (UNICODE):
Autoclick TyToos v2.exe

Interest's Words:
exec
attrib
start
shutdown

Strings/Hex Code Found With The File Rules:
Rule Text (Ascii): WinAPI Sockets (send)
EP Rules: Microsoft Visual C / Basic .NET
EP Rules: Microsoft Visual C++ 8
EP Rules: Microsoft Visual C++ 8.0
EP Rules: Microsoft Visual C v7.0 / Basic .NET
EP Rules: Microsoft Visual Studio .NET
EP Rules: .NET executable

Resources:
Path DataRVA Size FileOffset CodeText
\ICON\2\0 E458 2E8 A458 2800000020000000400000000100040000000000800200000000000000000000000000000000000000000000000080000080(... ...@.........................................
\ICON\3\0 E740 128 A740 2800000010000000200000000100040000000000C00000000000000000000000000000000000000000000000000080000080(....... .........................................
\GROUP_ICON\32512\0 E868 22 A868 0000010002002020100001000400E802000002001010100001000400280100000300000000000000EFBBBF3C3F786D6C2076...... ....................(..............<?xml v
\VERSION\1\0 E160 2F8 A160 F80234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\0 E890 1EA A890 EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65...<?xml version="1.0" encoding="UTF-8" standalone
Intelligent String:
• 1.0.0.0
• Autoclick TyToos v2.exe
• _CorExeMainmscoree.dll
• n\Desktop\Autoclicks Creados\Autoclick TyToos v2\Autoclick TyToos v2\obj\Debug\Autoclick TyToos v2.pdb

Extra 4n4lysis:
Metric Value Percentage
Ascii Code 26776 60,1114%
Null Byte Code 8428 18,9206%