PREMIUM PESCAN.IO - Analysis Report
| File Structure |
[File structure chart not reproduced. Legend for PE files: PE header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a header drawn in red indicates a malformed or corrupted header. Legend for other files: printable characters (blue), non-printable characters (black).]
| Information |
| Field | Value |
|---|---|
| Size | 261,00 KB |
| SHA-256 Hash | AAA7320E258C24A6DA855496639EB25766BB85AD6979FC8BF06EFA53EA00036A |
| SHA-1 Hash | 1839F262CEA6EEB8985F3358EEDF522379A143DD |
| MD5 Hash | 57F4E3A665E2D98D98E274AD9D24633C |
| Imphash | 57D6E7112C8E716CFE2EB0FF9F36763C |
| MajorOSVersion | 6 |
| MinorOSVersion | 0 |
| CheckSum | 00000000 |
| EntryPoint (rva) | 1170 |
| SizeOfHeaders | 400 |
| SizeOfImage | 46000 |
| ImageBase | 10000000 |
| Architecture | x86 |
| ImportTable | 2168 |
| IAT | 2000 |
| Characteristics | 2102 |
| TimeDateStamp | 69DE4F3C |
| Date | 14/04/2026 14:29:16 |
| File Type | DLL |
| Number Of Sections | 5 |
| ASLR | Enabled |
| Section Names | .text, .rdata, .data, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 400 | 400 | 1000 | 298 | | |
| .rdata | 0x40000040 Initialized Data Readable | 800 | 400 | 2000 | 2C0 | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | C00 | 40400 | 3000 | 40229 | | |
| .rsrc | 0x40000040 Initialized Data Readable | 41000 | 200 | 44000 | E0 | | |
| .reloc | 0x42000040 Initialized Data GP-Relative Readable | 41200 | 200 | 45000 | 38 | | |
| Entry Point |
Section 1 (.text) contains the Entry Point.
EntryPoint (calculated): 570
Code: 558BEC518B450C8945FC837DFC017402EB06E8C9FEFFFF90B8010000008BE55DC20C00CCCCCCCCCCCCCCCCCCCCCCCCCC558B
Assembler:
PUSH EBP
MOV EBP, ESP
PUSH ECX
MOV EAX, DWORD PTR [EBP + 0xC]
MOV DWORD PTR [EBP - 4], EAX
CMP DWORD PTR [EBP - 4], 1
JE 0x1012
JMP 0x1018
CALL 0xEE0
NOP
MOV EAX, 1
MOV ESP, EBP
POP EBP
RET 0xC
INT3 (x13)
PUSH EBP
| Signatures |
Rich Signature Analyzer:
Code -> 5F1806E51B7968B61B7968B61B7968B66FF869B7187968B61B7969B6167968B694F06CB71A7968B694F097B61A7968B694F06AB71A7968B6526963681B7968B6
Footprint md5 Hash -> 313735189903F6DC778E06B227B75358
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed
| Packer/Compiler |
Detect It Easy (die):
• PE: linker: Microsoft Linker(14.44**)[-]
• Entropy: 5.34839
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | CreateMutexW | Create a named or unnamed mutex object for controlling access to a shared resource. |
| KERNEL32.DLL | GetModuleFileNameA | Retrieve the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | CreateRemoteThread | Creates a thread in the address space of another process. |
| KERNEL32.DLL | WriteProcessMemory | Writes data to an area of memory in a specified process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| ADVAPI32.DLL | CryptEncrypt | Performs a cryptographic operation on data in a data block. |
| ADVAPI32.DLL | CryptDecrypt | Performs a cryptographic operation on data in a data block. |
| File Access |
| rundll32.exe winhttp.dll rpcrt4.dll wininet.dll ws2_32.dll user32.dll crypt32.dll advapi32.dll kernel32.dll ntdll.dll ole32.dll server.dll .dat @.dat |
| File Access (UNICODE) |
| mscoree.dll |
| Words of Interest |
| Encrypt Decrypt attrib start rundll32 rundll |
| URLs (UNICODE) |
| https://5.252.177.38:443/tn3dmIAc9i_AeMF5qYRW_w0K_RTXVgnoItHX5JMx_tjWAMiIPqisUPzgUJRSns-KK90zt2H5tsnoA1BhYgFtDhOyFdErzmarrpxc19ic/ |
| IP Addresses |
| 5.252.177.38 |
| PE Carving |
| Start Offset Header | End Offset | Size (Bytes) |
|---|---|---|
| 0 | C00 | C00 |
| C00 | 41400 | 40800 |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Unicode | Encryption (Microsoft Enhanced Cryptographic Provider v1.0) |
| Text | Unicode | Encryption (Microsoft Enhanced RSA and AES Cryptographic Provider) |
| Text | Ascii | Encryption API (CryptAcquireContext) |
| Text | Ascii | Encryption API (CryptDecrypt) |
| Text | Ascii | Encryption API (CryptReleaseContext) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Reconnaissance (FindNextFileA) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (GetThreadContext) |
| Text | Ascii | Stealth (SetThreadContext) |
| Text | Ascii | Stealth (ExitThread) |
| Text | Ascii | Stealth (ReleaseSemaphore) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Stealth (CreateRemoteThread) |
| Text | Ascii | Execution (CreateProcessA) |
| Text | Ascii | Execution (ResumeThread) |
| Text | Ascii | Execution (CreateSemaphoreA) |
| Text | Ascii | Execution (OpenEventA) |
| Text | Ascii | Execution (CreateEventA) |
| Text | Ascii | Execution (CreateEventW) |
| Text | Unicode | Privileges (SeDebugPrivilege) |
| Text | Unicode | Privileges (SeSecurityPrivilege) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \VERSION\VS_VERSION_INFO\1033 | 44080 | 5C | 41080 | 5C0034000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000000001000000000000000100000017000000000000000400000002000000000000000000000000000000 | \.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O......................................................... |
| Intelligent String |
| • winhttp.dll • wininet.dll • crypt32.dll • rpcrt4.dll • user32.dll • ntdll.dll • kernel32.dll • advapi32.dll • KERNEL32.dll • mscoree.dll • .bss • server.dll • WS2_32.dll • ws2_32.dll • rundll32.exe |
| Flow Anomalies |
| Offset | RVA | Section | Instruction | Description |
|---|---|---|---|---|
| 499 | 1000201C | .text | CALL [static] | Indirect call to absolute memory address |
| 4C3 | 1000201C | .text | CALL [static] | Indirect call to absolute memory address |
| 4EB | 10002020 | .text | CALL [static] | Indirect call to absolute memory address |
| 503 | 10002028 | .text | CALL [static] | Indirect call to absolute memory address |
| 520 | 1000202C | .text | CALL [static] | Indirect call to absolute memory address |
| 53A | 10002024 | .text | CALL [static] | Indirect call to absolute memory address |
| 544 | 10002018 | .text | CALL [static] | Indirect call to absolute memory address |
| 54E | 10002000 | .text | CALL [static] | Indirect call to absolute memory address |
| 558 | 10002000 | .text | CALL [static] | Indirect call to absolute memory address |
| 561 | 10002014 | .text | CALL [static] | Indirect call to absolute memory address |
| 5E4 | 10002030 | .text | CALL [static] | Indirect call to absolute memory address |
| 602 | 10002008 | .text | CALL [static] | Indirect call to absolute memory address |
| 624 | 10002010 | .text | CALL [static] | Indirect call to absolute memory address |
| 637 | 10002000 | .text | CALL [static] | Indirect call to absolute memory address |
| 64D | 1000200C | .text | CALL [static] | Indirect call to absolute memory address |
| 67F | 10002004 | .text | CALL [static] | Indirect call to absolute memory address |
| 68A | 10002000 | .text | CALL [static] | Indirect call to absolute memory address |
| 1398 | 1002504C | .data | CALL [static] | Indirect call to absolute memory address |
| 1C44 | 1002509C | .data | CALL [static] | Indirect call to absolute memory address |
| 1C4B | 10025048 | .data | CALL [static] | Indirect call to absolute memory address |
| 1C73 | 10025040 | .data | CALL [static] | Indirect call to absolute memory address |
| 1C88 | 10025044 | .data | CALL [static] | Indirect call to absolute memory address |
| 1CBE | 100250A0 | .data | CALL [static] | Indirect call to absolute memory address |
| 1D17 | 100250A4 | .data | CALL [static] | Indirect call to absolute memory address |
| 1D34 | 1002509C | .data | CALL [static] | Indirect call to absolute memory address |
| 1D48 | 100250A0 | .data | CALL [static] | Indirect call to absolute memory address |
| 27C0 | 100250A8 | .data | CALL [static] | Indirect call to absolute memory address |
| 27EB | 100250A0 | .data | CALL [static] | Indirect call to absolute memory address |
| 28F7 | 100250B0 | .data | CALL [static] | Indirect call to absolute memory address |
| 28FD | 100250A0 | .data | CALL [static] | Indirect call to absolute memory address |
| 2937 | 100250B8 | .data | CALL [static] | Indirect call to absolute memory address |
| 29AA | 100250B0 | .data | CALL [static] | Indirect call to absolute memory address |
| 2A0E | 100250A0 | .data | CALL [static] | Indirect call to absolute memory address |
| 2A4A | 100250B8 | .data | CALL [static] | Indirect call to absolute memory address |
| 2A62 | 100250A0 | .data | CALL [static] | Indirect call to absolute memory address |
| 2A7C | 100250B0 | .data | CALL [static] | Indirect call to absolute memory address |
| 2A88 | 100250A0 | .data | CALL [static] | Indirect call to absolute memory address |
| 2AB0 | 100250AC | .data | CALL [static] | Indirect call to absolute memory address |
| 2B0F | 100250A4 | .data | CALL [static] | Indirect call to absolute memory address |
| 2B34 | 1002509C | .data | CALL [static] | Indirect call to absolute memory address |
| 2BAF | 100250A0 | .data | CALL [static] | Indirect call to absolute memory address |
| 2C29 | 100250B8 | .data | CALL [static] | Indirect call to absolute memory address |
| 2C32 | 100250B4 | .data | CALL [static] | Indirect call to absolute memory address |
| 2C39 | 100250B0 | .data | CALL [static] | Indirect call to absolute memory address |
| 2C8A | 100250BC | .data | CALL [static] | Indirect call to absolute memory address |
| 2C94 | 100250A0 | .data | CALL [static] | Indirect call to absolute memory address |
| 2CB5 | 100250B0 | .data | CALL [static] | Indirect call to absolute memory address |
| 2CDE | 100250A0 | .data | CALL [static] | Indirect call to absolute memory address |
| 2D08 | 100250A0 | .data | CALL [static] | Indirect call to absolute memory address |
| 2D59 | 100250B0 | .data | CALL [static] | Indirect call to absolute memory address |
| 2E15 | 100250A0 | .data | CALL [static] | Indirect call to absolute memory address |
| 2E4D | 100250A0 | .data | CALL [static] | Indirect call to absolute memory address |
| 318A | 1002525C | .data | CALL [static] | Indirect call to absolute memory address |
| 3898 | 10025258 | .data | CALL [static] | Indirect call to absolute memory address |
| 390A | 1002525C | .data | CALL [static] | Indirect call to absolute memory address |
| 3916 | 1002525C | .data | CALL [static] | Indirect call to absolute memory address |
| 3B42 | 1002525C | .data | CALL [static] | Indirect call to absolute memory address |
| 3B68 | 10025258 | .data | CALL [static] | Indirect call to absolute memory address |
| 3B73 | 10025258 | .data | CALL [static] | Indirect call to absolute memory address |
| 3C01 | 1002525C | .data | CALL [static] | Indirect call to absolute memory address |
| 3C0D | 1002525C | .data | CALL [static] | Indirect call to absolute memory address |
| 3D3B | 10025258 | .data | CALL [static] | Indirect call to absolute memory address |
| 3D84 | 10025258 | .data | CALL [static] | Indirect call to absolute memory address |
| 3E3E | 10025258 | .data | CALL [static] | Indirect call to absolute memory address |
| 3F79 | 10025258 | .data | CALL [static] | Indirect call to absolute memory address |
| 3F86 | 10025258 | .data | CALL [static] | Indirect call to absolute memory address |
| 3FD7 | 1002525C | .data | CALL [static] | Indirect call to absolute memory address |
| 4109 | 100250B0 | .data | CALL [static] | Indirect call to absolute memory address |
| 410F | 100250A0 | .data | CALL [static] | Indirect call to absolute memory address |
| 43F0 | 10025258 | .data | CALL [static] | Indirect call to absolute memory address |
| 43FC | 10025258 | .data | CALL [static] | Indirect call to absolute memory address |
| 4496 | 10025258 | .data | CALL [static] | Indirect call to absolute memory address |
| 462E | 10025258 | .data | CALL [static] | Indirect call to absolute memory address |
| 49DA | 100250C0 | .data | CALL [static] | Indirect call to absolute memory address |
| 4CAE | 100250C4 | .data | CALL [static] | Indirect call to absolute memory address |
| 4CB5 | 100250A8 | .data | CALL [static] | Indirect call to absolute memory address |
| 543B | 1002519C | .data | CALL [static] | Indirect call to absolute memory address |
| 5462 | 1002519C | .data | CALL [static] | Indirect call to absolute memory address |
| 548C | 1002519C | .data | CALL [static] | Indirect call to absolute memory address |
| 54EC | 100250CC | .data | CALL [static] | Indirect call to absolute memory address |
| 5510 | 100250E8 | .data | CALL [static] | Indirect call to absolute memory address |
| 5527 | 100250D0 | .data | CALL [static] | Indirect call to absolute memory address |
| 5540 | 100250D4 | .data | CALL [static] | Indirect call to absolute memory address |
| 5557 | 100250D0 | .data | CALL [static] | Indirect call to absolute memory address |
| 557E | 100250E0 | .data | CALL [static] | Indirect call to absolute memory address |
| 559A | 100250D0 | .data | CALL [static] | Indirect call to absolute memory address |
| 58E8 | 100250B8 | .data | CALL [static] | Indirect call to absolute memory address |
| 5903 | 100250B8 | .data | CALL [static] | Indirect call to absolute memory address |
| 5915 | 100250EC | .data | CALL [static] | Indirect call to absolute memory address |
| 5923 | 100250F0 | .data | CALL [static] | Indirect call to absolute memory address |
| 5BB6 | 100250F4 | .data | CALL [static] | Indirect call to absolute memory address |
| 5BFD | 100250DC | .data | CALL [static] | Indirect call to absolute memory address |
| 5C07 | 100250E4 | .data | CALL [static] | Indirect call to absolute memory address |
| 5C11 | 100250D8 | .data | CALL [static] | Indirect call to absolute memory address |
| 668B | 10025258 | .data | CALL [static] | Indirect call to absolute memory address |
| 66B3 | 10025258 | .data | CALL [static] | Indirect call to absolute memory address |
| 66CE | 1002501C | .data | CALL [static] | Indirect call to absolute memory address |
| 66E9 | 10025030 | .data | CALL [static] | Indirect call to absolute memory address |
| 66FD | 10025030 | .data | CALL [static] | Indirect call to absolute memory address |
| 6716 | 10025020 | .data | CALL [static] | Indirect call to absolute memory address |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 117923 | 44,1223% |
| Null Byte Code | 101034 | 37,8031% |