PESCAN.IO - Analysis Report

File Structure: [analysis image not reproduced]
Information:
Size: 2,76 MB
SHA-256 Hash: CF6948F4940F54826BD5D61B0A3396554AD751B206FEF8995D005DB027EB8848
SHA-1 Hash: 5A9E3B9A36A2A7711ED90E2AC9556ECCFE95184C
MD5 Hash: 55A03F84017F76834A06AE361CB81669
Imphash: EAA6039D7EB6E6C5DF830272879946DA
MajorOSVersion: 6
CheckSum: 002C90CF
EntryPoint (rva): 173FA0
SizeOfHeaders: 400
SizeOfImage: 2CA000
ImageBase: 0000000140000000
Architecture: x64
ExportTable: 294CB0
ImportTable: 295108
Characteristics: 22
TimeDateStamp: 67179787
Date: 22/10/2024 12:16:07
File Type: EXE
Number Of Sections: 9
ASLR: Disabled
Section Names (Optional Header): .text, .rdata, .data, .pdata, .didat, .tls, .gehcont, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows Console
UAC Execution Level Manifest: asInvoker

Sections Info:
Section Name  Flags                  ROffset  RSize   VOffset  VSize
.text         60000020 (Executable)  400      1F1A00  1000     1F193C
.rdata        40000040               1F1E00   A3E00   1F3000   A3D72
.data         C0000040 (Writeable)   295C00   A400    297000   FDB4
.pdata        40000040               2A0000   18400   2A7000   182C4
.didat        C0000040 (Writeable)   2B8400   200     2C0000   20
.tls          C0000040 (Writeable)   2B8600   200     2C1000   9
.gehcont      40000040               2B8800   200     2C2000   24
.rsrc         40000040               2B8A00   4000    2C3000   3FB4
.reloc        42000040               2BCA00   2C00    2C7000   2AF8
Description:
InternalName: wa_3rd_party_host_64.exe
OriginalFilename: libwapshost.dll
CompanyName: OPSWAT, Inc.
LegalCopyright: Copyright 2020
ProductName: libwapshost
FileVersion: 2024.10.22.1210

Binder/Joiner/Crypter:
2 Executable files found

Entry Point:
Section number 1 (.text) contains the Entry Point
Information -> EntryPoint (calculated) - 1733A0
Code -> 4883EC28E8370500004883C428E96AFEFFFFCCCC4883EC284D8B4138488BCA498BD1E80D000000B8010000004883C428C3CC
SUB RSP, 0X28
CALL 0X1540
ADD RSP, 0X28
JMP 0XE7C
INT3
INT3
SUB RSP, 0X28
MOV R8, QWORD PTR [R9 + 0X38]
MOV RCX, RDX
MOV RDX, R9
CALL 0X1034
MOV EAX, 1
ADD RSP, 0X28
RET
INT3

Signatures:
Rich Signature Analyzer:
Code -> 12E2003C56836E6F56836E6F56836E6F42E86D6E5A836E6F42E86B6EE8836E6FC823A96F55836E6FFBDD6D6E5F836E6FFBDD6A6E7E836E6FFBDD6B6EDE836E6F42E8686E54836E6F42E86A6E4E836E6F42E86F6E47836E6F56836F6F72826E6F91F66A6E45836E6FE1DD666E05836E6FE1DD6E6E57836E6FE1DD916F57836E6F5683F96F57836E6FE1DD6C6E57836E6F5269636856836E6F
Footprint md5 Hash -> 362287E3982CF13EA3877490F8B68056
• The Rich header apparently has not been modified
Certificate - Digital Signature:
• The file is signed and the signature is correct

Packer/Compiler:
Compiler: Microsoft Visual Studio
Detect It Easy (die)
PE+(64): compiler: Microsoft Visual C/C++(2015 v.14.0)[-]
PE+(64): linker: Microsoft Linker(14.0, Visual Studio 2015 14.0*)[EXE64,console,signed]
Entropy: 6.39915

Suspicious Functions:
Library       Function                  Description
KERNEL32.DLL  GetProcAddress            Possible Call API By Name. Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL  CreateMutexA              Creates a named or unnamed mutex object for controlling access to a shared resource.
KERNEL32.DLL  CreateMutexW              Creates a named or unnamed mutex object for controlling access to a shared resource.
KERNEL32.DLL  VirtualAlloc              Reserves, commits, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL  GetModuleHandleA          Retrieves a handle to the specified module.
KERNEL32.DLL  CopyFileW                 Copies an existing file to a new file.
KERNEL32.DLL  WriteFile                 Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL  LoadLibraryA              Loads the specified module into the address space of the calling process.
KERNEL32.DLL  LoadLibraryW              Loads the specified module into the address space of the calling process.
KERNEL32.DLL  CreateToolhelp32Snapshot  Creates a snapshot of the specified processes, heaps, threads, and modules.
KERNEL32.DLL  GetProcAddress            Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL  CreateFileA               Creates or opens a file or I/O device.
KERNEL32.DLL  DeleteFileA               Deletes an existing file.
KERNEL32.DLL  IsDebuggerPresent         Determines whether the calling process is being debugged by a user-mode debugger.
Windows REG (UNICODE):
Software\Classes\CLSID\{86E8C5B0-75B6-4ff2-B04F-6789CC7AE386}\Path
SOFTWARE\Avira\AntiVir Desktop
SOFTWARE\Avira\AntiVir Workstation
SOFTWARE\Avira\AntiVir Server
SOFTWARE\ComputerAssociates\Anti-Virus Plus
SOFTWARE\Eset\ESET Security\CurrentVersion\Info
SOFTWARE\GFI Software\VIPRE Antivirus
Software\VIPRE Antivirus
SOFTWARE\GFI Software\VIPRE Business Agent
Software\VIPRE Business Agent
SOFTWARE\GFI Software\VIPRE Internet Security
Software\VIPRE Internet Security
SOFTWARE\GFI Software\GFI Business Agent
Software\GFI Business Agent
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired\
SOFTWARE\Quick Heal\
SOFTWARE\Norton\SecurityStatusSDK\
SOFTWARE\VIPRE Antivirus Plus
SOFTWARE\VIPRE Internet Security
SOFTWARE\VIPRE Business Agent
SOFTWARE\VIPRE Antivirus
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SCANNER.EXE
SYSTEM\CurrentControlSet\Services\wuauserv
SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
Rebuilt string - SOFTWARE\Policies\Microsoft\Windows\System

File Access:
wa_3rd_party_host_64.exe
mscoree.dll
libwapshost.dll
WININET.dll
SHLWAPI.dll
VERSION.dll
OLEAUT32.dll
ole32.dll
ADVAPI32.dll
USER32.dll
KERNEL32.dll
wevtapi.dll
.txt
Temp

File Access (UNICODE):
mscoree.dll
\Windows\System32\kernel32.dll
libwapshost.dll
combase.dll
advapi32.dll
Error loading MSCOREE.dll
wksstats.dll
MalwareAPI.dll
vete.dll
a2framework.dll
bdcore.dll
a2engine.dll
SBTE.dll
GetHealthStatus] not found wscapi.dll
%WINDIR%\System32\wscapi.dll
UpdatesDeployment.dll
Kernel32.dll
%WINDIR%\CCM\UpdatesDeployment.dll
%WINDIR%\System32\CCM\UpdatesDeployment.dll
libwaremoval.dll
kernel32.dll
opswatai.dll
0\powershell.exe
\Windows\system32\Taskkill.exe
wa_3rd_party_host_64.exe
\Windows\system32\VMWindow.exe
VMWindow.exe
\Windows\system32\timeout.exe
vmwindow.exe
cmd.exe
\System32\cmd.exe
powershell.exe
SBAMCommandLineScanner.exe
*.txt
%PROGRAMDATA%\CA\Consumer\CCube\ccupdatelog.txt
a2settings.ini
Exec - cmd.exe /s /c ""
Exec - powershell.exe
Exec - powershell.exe
Exec - powershell.exe
Temp
WinDir
AppData

SQL Queries:
Select 1 FROM "%w".sqlite_master WHERE name NOT LIKE 'sqliteX_%%' ESCAPE 'X' AND sql NOT LIKE 'create virtual%%' AND sqlite_rename_test(%Q, sql, type, name, %d, %Q, %d)=NULL
Select 1 FROM temp.sqlite_master WHERE name NOT LIKE 'sqliteX_%%' ESCAPE 'X' AND sql NOT LIKE 'create virtual%%' AND sqlite_rename_test(%Q, sql, type, name, 1, %Q, %d)=NULL
Select raise(ABORT,%Q) FROM "%w"."%w"
Select CASE WHEN quick_check GLOB 'CHECK*' THEN raise(ABORT,'CHECK constraint failed') WHEN quick_check GLOB 'non-* value in*' THEN raise(ABORT,'type mismatch on DEFAULT') ELSE raise(ABORT,'NOT NULL constraint failed') END FROM pragma_quick_check(%Q,%Q) WHERE quick_check GLOB 'CHECK*' OR quick_check GLOB 'NULL*' OR quick_check GLOB 'non-* value in*'
Select tbl,idx,stat FROM %Q.sqlite_stat1
Select sql FROM "%w".sqlite_schema WHERE type='index'
Insert into %Q.sqlite_master VALUES('index',%Q,%Q,%d,%Q);
Insert into generated column "%s"
Insert into %Q.sqlite_master VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
Insert into vacuum_db.'||quote(name)||' SELECT*FROM"%w".'||quote(name)FROM vacuum_db.sqlite_schema WHERE type='table'AND coalesce(rootpage,1)>0
Insert into vacuum_db.sqlite_schema SELECT*FROM "%w".sqlite_schema WHERE type IN('view','trigger') OR(type='table'AND rootpage=0)
Drop table to delete table %s
Select UpdateId from CCM_TargetedUpdateEx1 where UpdateState = 0
Select UpdateId from CCM_TargetedUpdateEx1 where UpdateState = 1
Select * from CCM_UpdateStatus
Select * from CCM_SoftwareUpdate
Select * from CCM_SoftwareUpdate
Select * FROM virus_protection ORDER BY sr_no ASC
Select ExecutablePath,ProcessId,CommandLine from Win32_Process
Select CommandLine from Win32_Process where CommandLine like "%suspendC:\Windows\system32\timeout.exe"VMWindow.exe" -file "

Words of Interest:
Virus
PADDINGX
Encrypt
Encryption
<title
exec
createobject
powershell
attrib
start
systeminfo
bginfo
ping
expand
replace

Words of Interest (UNICODE):
Virus
Spam
taskkill
Encrypt
Encryption
<title
exec
powershell
taskkill
start
pause
regedit
systeminfo
ping

Anti-VM/Sandbox/Debug Tricks (UNICODE):
LabTools - regedit

URLs:
http://www.w3.org/2000/09/xmldsig
http://www.w3.org/2001/10/xml-exc-c14nWithComments
http://www.w3.org/2001/04/xmldsig-morersa-sha512
http://www.w3.org/2000/09/xmldsigenveloped-signature
http://www.w3.org/2000/09/xmldsigsha1
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0
http://ocsp.sectigo.com
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt
http://www.gendigital.com
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0
http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
http://ocsp.usertrust.com
https://sectigo.com/CPS0

Payloads:
Unusual BP Cave > 15 Bytes - (0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...)
Possible Metasploit Payload - MSFPayload Generate (Detection with heuristic methods)

IP Addresses:
127.0.0.1

PE Carving:
Start Offset  Header End Offset  Size (Bytes)
0             2B8AE8             2B8AE8
2B8AE8        2C1F70             9488
Strings/Hex Code Matching File Rules:
Rule Text (Ascii): Unicode escape - \u00 - (Common Unicode escape sequences)
Rule Text (Ascii): WinAPI Sockets (bind)
Rule Text (Unicode): WinAPI Sockets (listen)
Rule Text (Ascii): WinAPI Sockets (connect)
Rule Text (Unicode): WinAPI Sockets (connect)
Rule Text (Ascii): WinAPI Sockets (send)
Rule Text (Unicode): WinAPI Sockets (send)
Rule Text (Ascii): Registry (RegOpenKeyEx)
Rule Text (Ascii): File (GetTempPath)
Rule Text (Ascii): File (CopyFile)
Rule Text (Ascii): File (CreateFile)
Rule Text (Ascii): File (WriteFile)
Rule Text (Ascii): File (ReadFile)
Rule Text (Ascii): Service (OpenSCManager)
Rule Text (Ascii): Encryption (FromBase64String)
Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent)
Rule Text (Ascii): Anti-Analysis VM (GetSystemInfo)
Rule Text (Ascii): Anti-Analysis VM (GetVersion)
Rule Text (Ascii): Anti-Analysis VM (CreateToolhelp32Snapshot)
Rule Text (Ascii): Stealth (VirtualAlloc)
Rule Text (Ascii): Stealth (VirtualProtect)
Rule Text (Ascii): Stealth (CreateRemoteThread)
Rule Text (Ascii): Execution (CreateProcessW)
Rule Text (Unicode): Execution (ShellExecute)
Rule Text (Unicode): Antivirus Software (defender)
Rule Text (Ascii): Antivirus Software (Symantec)
Rule Text (Unicode): Antivirus Software (Symantec)
Rule Text (Unicode): Antivirus Software (Norton)
Rule Text (Unicode): Privileges (SeBackupPrivilege)
Rule Text (Ascii): Stealer malware focused on obtaining CVV codes to conduct unauthorized transactions (CVV)
Rule Text (Ascii): Software that records user activity (Logger)
Rule Text (Ascii): Malicious rerouting of traffic to an attacker-controlled site (Redirect)
Rule Text (Unicode): Technique used to circumvent security measures (Bypass)
EP Rules: Microsoft Visual C++ 8.0 (DLL)

Resources:
Path              DataRVA  Size  FileOffset  Code/Text Preview (PE/Payload)
\RCDATA\102\1033  2C30E8   3A00  2B8AE8      4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000 | MZ......................@......................... | (Executable found)
\VERSION\1\1033   2C6AE8   34C   2BC4E8      4C0334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000A00 | L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\1033        2C6E34   17D   2BC834      3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779 | <?xml version='1.0' encoding='UTF-8' standalone='y
Intelligent String:
• wa_3rd_party_host_64.exe
• 1.0.0.0
• libwapshost.dll
• .txt
• v4Debug.dat
• mscoree.dll
• .tls
• wevtapi.dll
• combase.dll
• advapi32.dll
• >KERNEL32.DLL
• \u0009
• \u00
• \u0000
• v4DebugInfo_wa_3rd_party_host_64.log
• \System32\WindowsPowerShell\v1.0\powershell.exe
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
• AVG2014\log\history.xml
• AVG2013\log\history.xml
• Avg\log\AV16\history.xml
• AVG2015\log\history.xml
• wksstats.dll
• <?xml version="1.0" encoding="UTF-8" standalone="no" ?><enabledScanType value="0"><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig">
• <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14nWithComments"
• <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-morersa-sha512"
• <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsigenveloped-signature"
• <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsigsha1"
• %PROGRAMDATA%\CA\Consumer\CCube\ccupdatelog.txt
• vete.dll
• a2framework.dll
• C:\Program Files\Emsisoft Anti-Malware\a2settings.ini
• bdcore.dll
• a2engine.dll
• a2settings.ini
• warnlog.dat
• :.RTP
• virlog.dat
• spamlog.dat
• *.txt
• SBTE.dll
• SBAMCommandLineScanner.exe
• 127.0.0.1
• opswat_gfi_languard_missing_patches.xml
• MpCmdRun.log
• %WINDIR%\System32\wscapi.dll
• technet.microsoft.com
• www.catalog.update.microsoft.com
• UpdatesDeployment.dll
• Kernel32.dll
• %WINDIR%\CCM\UpdatesDeployment.dll
• %WINDIR%\System32\CCM\UpdatesDeployment.dll
• powershell.exe
• wsusscn2.cab
• C:\Windows
• \System32\cmd.exe
• libwaremoval.dll
• .reg
• cmd.exe /S /C ""
• kernel32.dll
• vmwindow.exe
• C:\Windows\system32\timeout.exe
• "VMWindow.exe" -file "
• C:\Windows\system32\VMWindow.exe
• "C:\Windows\system32\Taskkill.exe" /PID
• C:\Windows\system32\Taskkill.exe
• opswatai.dll
• SCANAPI.DLL
• SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SCANNER.EXE
• wa_3rd_party_host_64.pdb
• .bss
• ADVAPI32.dll
• +v4DebugInfo_ps_32.log
• +v4DebugInfo_ps_64.log
• C:\Windows\System32\kernel32.dll
• C:\buildagent\work\e92649e6840d750\additions\libwapshost\obj\x64\Release_static\libwapshost.pdbhQ
• _CorDllMainmscoree.dll

Extra 4n4lysis:
Metric          Value    Percentage
Ascii Code      1677690  58,0188%
Null Byte Code  534558   18,4864%
© 2025 All rights reserved.