PESCAN.IO - Analysis Report

PESCAN.IO - Analysis Report Valid Code

File Structure:
PE chart code: - The executable header is displayed in light blue. - The executable sections are pink. - Non-executable sections are black. - Code added to executables externally to a compiler appears in red. Chart code for other files: - Printable characters are blue. - Non-printable characters (Null Bytes) are black.

Information:

Icon:

Size: 142,00 KB
SHA-256 Hash: 32D46F1EC65B792FCDAA715C3FE663F27A64552B2CAABACDE0FFCA74892E4EFA
SHA-1 Hash: A36E7D1D62D9E1EAF8AEC5BC082D5B69BEFEED99
MD5 Hash: 529B694298FC8A3BE412DE2140BD2D55
Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744
MajorOSVersion: 4
CheckSum: 00000000
EntryPoint (rva): BA1E
SizeOfHeaders: 200
SizeOfImage: 28000
ImageBase: 400000
Architecture: x86
ImportTable: B9D0
Characteristics: 102
TimeDateStamp: 68CB5A30
Date: 18/09/2025 1:02:40
File Type: EXE
Number Of Sections: 3
ASLR: Enabled
Section Names: .text, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info:

Section Name	Flags	ROffset	RSize	VOffset	VSize
.text	60000020 (Executable)	200	9C00	2000	9A24
.rsrc	40000040	9E00	19800	C000	19748
.reloc	42000040	23600	200	26000	C

Description:

OriginalFilename: roblox krnl installer.exe
FileVersion: 1.0.0.0
ProductVersion: 1.0.0.0
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point:

The section number (1) - (.text) have the Entry Point
Information -> EntryPoint (calculated) - 9C1E
Code -> FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
• JMP DWORD PTR [0X402000]
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL

Signatures:

Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:

Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
• AnyCPU: True
• Version: v4.0
Detect It Easy (die)
• PE: library: .NET(v4.0.30319)[-]
• PE: compiler: VB.NET(-)[-]
• PE: linker: Microsoft Linker(11.0)[EXE32]
• Entropy: 4.16914

Suspicious Functions:

Library	Function	Description
KERNEL32.DLL	GetModuleHandle	Retrieves a handle to the specified module.

Windows REG (UNICODE):

SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Run

File Access:

roblox krnl installer.exe
mscoree.dll
SHCore.dll
NTdll.dll
user32.dll
avicap32.dll
kernel32.dll
Temp

File Access (UNICODE):

SbieDll.dll
/shutdown.exe
roblox krnl installer.exe
shutdown.exe
powershell.exe
schtasks.exe
Temp

SQL Queries:

Select * from AntivirusProductdisplayName,NoneG

Interest's Words:

Virus
PADDINGX
Encrypt
Decrypt
exec
createobject
attrib
start
cipher
hostname
shutdown
systeminfo
ping
expand
replace

Interest's Words (UNICODE):

Virus
wscript
exec
powershell
schtasks
start
shutdown
schtask
ping

Anti-VM/Sandbox/Debug Tricks (UNICODE):

SandBoxie Library - SbieDll.dll

URLs (UNICODE):

http://ip-api.com/line/?fields=hostingtrue

AV Services (UNICODE):

Antivirus name extract - (SecurityCenter2)

IP Addresses:

14.0.0.0

Strings/Hex Code Found With The File Rules:

• Rule Text (Ascii): WinAPI Sockets (connect)
• Rule Text (Ascii): WinAPI Sockets (send)
• Rule Text (Unicode): WinAPI Sockets (send)
• Rule Text (Ascii): File (GetTempPath)
• Rule Text (Ascii): Encryption (CipherMode)
• Rule Text (Ascii): Encryption (CreateDecryptor)
• Rule Text (Ascii): Encryption (FromBase64String)
• Rule Text (Ascii): Encryption (ICryptoTransform)
• Rule Text (Ascii): Encryption (MD5CryptoServiceProvider)
• Rule Text (Ascii): Encryption (Rijndael)
• Rule Text (Ascii): Encryption (RijndaelManaged)
• Rule Text (Ascii): Encryption (ToBase64String)
• Rule Text (Ascii): Execution (ShellExecute)
• Rule Text (Unicode): Keyboard Key ([ENTER])
• Rule Text (Unicode): Keyboard Key ([Tab])
• Rule Text (Unicode): Keyboard Key ([Shift])
• Rule Text (Unicode): Keyboard Key ([SPACE])
• Rule Text (Unicode): Keyboard Key ([WIN])
• Rule Text (Ascii): Software that records user activity (Logger)
• Rule Text (Ascii): Malicious rerouting of traffic to an attacker-controlled site (Redirect)
• Rule Text (Unicode): Technique used to circumvent security measures (Bypass)
• EP Rules: Microsoft Visual C / Basic .NET
• EP Rules: Microsoft Visual C++ 8
• EP Rules: Microsoft Visual C++ 8.0
• EP Rules: Microsoft Visual C v7.0 / Basic .NET
• EP Rules: Microsoft Visual Studio .NET
• EP Rules: .NET executable

Resources:

Path	DataRVA	Size	FileOffset	Code	Text
\ICON\1\0	C220	B5B	A020	89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A86600000B224944415478DAEDDD3D535B671A	.PNG........IHDR.............\r.f..."IDATx...=S[g.
\ICON\2\0	CD7C	10828	AB7C	2800000080000000000100000100200000000000000001000000000000000000000000000000000000000000000000000000	(............. ...................................
\ICON\3\0	1D5A4	4228	1B3A4	2800000040000000800000000100200000000000004000000000000000000000000000000000000000000000000000000000	(...@......... ......@............................
\ICON\4\0	217CC	25A8	1F5CC	2800000030000000600000000100200000000000002400000000000000000000000000000000000000000000000000000000	(...0........ ......$............................
\ICON\5\0	23D74	10A8	21B74	2800000020000000400000000100200000000000001000000000000000000000000000000000000000000000000000000000	(... ...@..... ...................................
\ICON\6\0	24E1C	468	22C1C	2800000010000000200000000100200000000000000400000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\GROUP_ICON\1\0	25284	5A	23084	00000100060000000000000000005B0B00000100808000000000000028080100020040400000000000002842000003003030000000000000A825000004002020000000000000A810000005001010000000000000680400000600	..............[.............(.....@@......(B....00.......%.... ....................h.....
\VERSION\1\0	252E0	27C	230E0	7C0234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000	\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\0	2555C	1EA	2335C	EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65	...<?xml version="1.0" encoding="UTF-8" standalone

Intelligent String:

• 1.0.0.0
• roblox krnl installer.exe
• \Log.tmp
• schtasks.exe
• [/create /f /RL HIGHEST /sc minute /mo 1 /tn "
• C/create /f /sc minute /mo 1 /tn "
• .lnk
• powershell.exe
• http://ip-api.com/line/?fields=hosting
• SbieDll.dll
• /shutdown.exe /f /s /t 0
• /shutdown.exe /f /r /t 0
• shutdown.exe -L
• .ps1
• .bat
• _CorExeMainmscoree.dll

Extra 4n4lysis:

Metric	Value	Percentage
Ascii Code	47270	32,5085%
Null Byte Code	65774	45,2341%

PESCAN.IO - Analysis Report Valid Code