PESCAN.IO - Analysis Report Valid Code

Information:
Size: 576,00 KB
SHA-256 Hash: 612ED5BA60F450BD094DCF6A19DC3E41B94E056DEB2BD7857A3FB3B15A0E7BCE
SHA-1 Hash: 1315C289D05B9DCFF0667DF4B6E8A54D1A787755
MD5 Hash: 53C9E026036FDB83CBE12E298EAC19C9
Imphash: DAE02F32A21E03CE65412F6E56942DAA
MajorOSVersion: 4
CheckSum: 00000000
EntryPoint (rva): 9177E
SizeOfHeaders: 200
SizeOfImage: 96000
ImageBase: 400000
Architecture: x86
ImportTable: 91730
Characteristics: 210E
TimeDateStamp: 68B843F8
Date: 03/09/2025 13:34:48
File Type: DLL
Number Of Sections: 3
ASLR: Disabled
Section Names: .text, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows Console

Sections Info:
Section Name  Flags                  ROffset  RSize  VOffset  VSize
.text         60000020 (Executable)  200      8F800  2000     8F784
.rsrc         40000040               8FA00    400    92000    372
.reloc        42000040               8FE00    200    94000    C
Description:
OriginalFilename: ClassLibrary4.dll
FileVersion: 1.0.9377.29844
ProductVersion: 1.0.9377.29844
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point:
Section number 1 (.text) contains the Entry Point.
Information -> EntryPoint (calculated) - 8F97E
Code -> FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
JMP DWORD PTR [0X402000]
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL

Signatures:
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:
Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
AnyCPU: True
Version: v4.0
--------> Agile .NET Obfuscator
Detect It Easy (die)
PE: Protector: Eziriz .NET Reactor(6.x.x.x)[By Dr.FarFar]
PE: library: .NET(v4.0.30319)[-]
PE: linker: Microsoft Linker(48.0)[DLL32,console]
Entropy: 6.0411

Suspicious Functions:
Library       Function                                      Description
KERNEL32.DLL  LoadLibraryA (Possible Call API By Name)      Loads the specified module into the address space of the calling process.
KERNEL32.DLL  GetProcAddress (Possible Call API By Name)    Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL  VirtualAlloc                                  Reserves, commits, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL  WriteFile                                     Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL  LoadLibraryW                                  Loads the specified module into the address space of the calling process.
KERNEL32.DLL  CreateRemoteThread                            Creates a thread in the address space of another process.
KERNEL32.DLL  WriteProcessMemory                            Writes data to an area of memory in a specified process.
KERNEL32.DLL  ReadProcessMemory                             Reads data from an area of memory in a specified process.
KERNEL32.DLL  GetProcAddress                                Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
ADVAPI32.DLL  CryptDecrypt                                  Performs a cryptographic operation on data in a data block.
Windows REG (UNICODE):
Software\Brave-BrowserEpicPrivacy
Software\Browser
Software\Opera Stable
Software\Opera GX Stable
Software\Opera Neon
Software\Opera Crypto Developer
SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '' -Value ';' -Force -PropertyType Stringpowershell
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion
Software\Etherdyne\Etherwall\geth
SOFTWARE\DownloadManager\
Software\Valve\Steam
Software\Martin Prikryl\WinSCP 2\Sessions
SOFTWARE\Classes\Foxmail.url.mailto\Shell\open\command
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
system\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
system\Profiles\9375CFF0413111d3B88A00104B2A6676
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Run

File Access:
mscoree.dll
msvcrt.dll
bcrypt.dll
rstrtmgr.dll
ntdll.dll
ClassLibrary4.dll
oleaut32.dll
user32.dll
kernel32.dll
advapi32.dll
ole32.dll
Temp
RootDir

File Access (UNICODE):
ClassLibrary4.dll
kernel32.dll
ntdll.dll
32.dll
Telegram.exe
Games.txt
!AccountsList.txt
profiles.ini
Temp

SQL Queries:
Select * FROM win32_operatingsystem32bit64bit+\root\SecurityCenter2=

Words of Interest:
Encrypt
Decrypt
PassWord
<meta
exec
unescape
attrib
start
cipher
hostname
shutdown
systeminfo
ping
expand
replace

Words of Interest (UNICODE):
Virus
BitCoin
outlook
smtp
Encrypt
PassWord
exec
powershell
attrib
start
hostname
ping

URLs (UNICODE):
http://www.
https://icanhazip.com/
https://discordapp.com/api/v9/users/@me
https://discordapp.com/api/v9/users/@me/guilds
https://steamcommunity.com/profiles/
https://stackoverflow.com/q/2152978/23354sCannot deserialize sub-objects unless a model is provided+Wrong group was ended
https://stackoverflow.com/q/11564914/23354; type: oType is not expected, and no contract can be inferred:
https://stackoverflow.com/q/14436606/23354

AV Services (UNICODE):
Antivirus name extract - (SecurityCenter2)

IP Addresses:
127.0.0.1

Strings/Hex Code Found With The File Rules:
Rule Text (Ascii): WinAPI Sockets (bind)
Rule Text (Ascii): WinAPI Sockets (send)
Rule Text (Ascii): File (GetTempPath)
Rule Text (Ascii): File (CreateFile)
Rule Text (Ascii): File (WriteFile)
Rule Text (Ascii): Service (OpenSCManager)
Rule Text (Ascii): Encryption (AesCryptoServiceProvider)
Rule Text (Unicode): Encryption (AesCryptoServiceProvider)
Rule Text (Ascii): Encryption (CipherMode)
Rule Text (Ascii): Encryption (CreateDecryptor)
Rule Text (Ascii): Encryption (CryptoStream)
Rule Text (Ascii): Encryption (CryptoStreamMode)
Rule Text (Ascii): Encryption (DESCryptoServiceProvider)
Rule Text (Ascii): Encryption (FromBase64String)
Rule Text (Ascii): Encryption (ICryptoTransform)
Rule Text (Ascii): Encryption (MD5CryptoServiceProvider)
Rule Text (Ascii): Encryption (Rijndael)
Rule Text (Ascii): Encryption (RijndaelManaged)
Rule Text (Ascii): Encryption (SHA1CryptoServiceProvider)
Rule Text (Ascii): Encryption (ToBase64String)
Rule Text (Ascii): Encryption (TripleDESCryptoServiceProvider)
Rule Text (Ascii): Encryption API (CryptDecrypt)
Rule Text (Ascii): Anti-Analysis VM (GetVersion)
Rule Text (Ascii): Stealth (VirtualAlloc)
Rule Text (Ascii): Stealth (VirtualProtect)
Rule Text (Ascii): Stealth (ReadProcessMemory)
Rule Text (Ascii): Stealth (CreateRemoteThread)
Rule Text (Ascii): Execution (CreateProcessW)
Rule Text (Ascii): Execution (ShellExecute)
Rule Text (Ascii): Execution (ResumeThread)
Rule Text (Ascii): Execution (NtResumeThread)
Rule Text (Unicode): Antivirus Software (Norton)
Rule Text (Unicode): Information used to authenticate a user's identity (Credential)
Rule Text (Ascii): Technique used to make malicious code harder to analyze (Obfuscation)
Rule Text (Unicode): Malware designed to intercept and exfiltrate credit card details from compromised systems (Credit Card)
Rule Text (Unicode): Information used for user authentication (Credential)
Rule Text (Ascii): Malicious rerouting of traffic to an attacker-controlled site (Redirect)
Rule Text (Unicode): Technique used to capture communications between systems (Intercept)
Rule Text (Unicode): Technique used to circumvent security measures (Bypass)
EP Rules: Microsoft Visual C / Basic .NET
EP Rules: Microsoft Visual C++ 8
EP Rules: Microsoft Visual C++ 8.0
EP Rules: Microsoft Visual C v7.0 / Basic .NET
EP Rules: Microsoft Visual Studio .NET
EP Rules: .NET executable
EP Rules: TrueVision Targa Graphics format

Resources:
Path          DataRVA  Size  FileOffset  CodeText
\VERSION\1\0  92058    31A   8FA58       1A0334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
Intelligent Strings:
• ClassLibrary4.dll
• /yyyy-MM-dd_HH-mm-ss.fff
• .exe
• www.
• U:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '
• $Recycle.Bin
• .dll
• }SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe
• kernel32.dll
• ntdll.dll
• logins.json
• moz_logins
• logins
• profiles.ini
• Login Data
• *.png
• xverse.app
• .txt
• https://discordapp.com/api/v9/users/@me
• https://discordapp.com/api/v9/users/@me/guilds
• ).purple\accounts.xml
• dumps
• Telegram.exe
• ngrok.yml
• loginusers.vdf
• !AccountsList.txt
• Games.txt
• 7FileZilla\RecentServers.xml
• 3FileZilla\sitemanager.xml
• 5Invalid wire-type; this usually means you have over-written a file without truncating or setting the length; see https://stackoverflow.com/q/2152978/23354
• 3Conflicting item/add type
• Are you mixing protobuf-net and protobuf-csharp-port? See https://stackoverflow.com/q/11564914/23354; type:
• o; please see https://stackoverflow.com/q/14436606/23354
• 32.dll
• _CorDllMainmscoree.dll

Flow Anomalies:
Offset  RVA  Section  Description
5ADA    ??   .text    CALL DWORD PTR [ECX] | Indirect call via pointer at address in ECX
2EC21   ??   .text    CALL DWORD PTR [ECX] | Indirect call via pointer at address in ECX
Extra 4n4lysis:
Metric          Value   Percentage
Ascii Code      335346  56,8553%
Null Byte Code  141189  23,9375%