PESCAN.IO - Analysis Report

PESCAN.IO - Analysis Report Basic

File Structure

PE Chart Code

Header PE (light blue)

Executable sections (pink)

Non-executable sections (black)

External injected code (red)

File Structure in red = malformed or corrupted header

Chart Code For Other Files

Printable characters (blue)

Non-printable characters (black)

Information

Size: 12,00 KB
SHA-256 Hash: AC9373F7AE2D3A8631AA725401E32F5BF9A264B78816E2FFC1B424380DEB5E4D
SHA-1 Hash: 4493F05CE276C328501926C5931E654FBF1F9816
MD5 Hash: 58388633EAF163CD95C1183AFB8FADF5
Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (rva): 464A
SizeOfHeaders: 200
SizeOfImage: A000
ImageBase: 400000
Architecture: x86
ImportTable: 45F5
IAT: 2000
Characteristics: 22
TimeDateStamp: AF4FD865
Date: 16/03/2063 4:39:01
File Type: EXE
Number Of Sections: 3
ASLR: Disabled
Section Names: .text, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows Console

Sections Info

Section Name	Flags	ROffset	RSize	VOffset	VSize	Entropy	Chi2
.text	0x60000020 Code Executable Readable	200	2800	2000	2650	5.3799	257453.1
.rsrc	0x40000040 Initialized Data Readable	2A00	400	6000	378	2.785	112930
.reloc	0x42000040 Initialized Data GP-Relative Readable	2E00	200	8000	C	0.0815	128522

Description

OriginalFilename: UserInfo.exe
LegalCopyright: Copyright 2022
ProductName: UserInfo
FileVersion: 1.0.0.0
FileDescription: UserInfo
ProductVersion: 1.0.0.0
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point

The section number (1) - (.text) have the Entry Point
Information -> EntryPoint (calculated) - 284A
Code -> FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Assembler

|JMP DWORD PTR [0X402000]

|ADD BYTE PTR [EAX], AL

Signatures

Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler

Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
• AnyCPU: True
• Version: v4.0
Detect It Easy (die)
• PE: library: .NET(v4.0.30319)[-]
• PE: linker: Microsoft Linker(48.0)[-]
• Entropy: 4.9737

File Access

UserInfo.exe
mscoree.dll

File Access (UNICODE)

UserInfo.exe
UserInfo.exe

Interest's Words

PassWord
<main
exec
attrib
start

Interest's Words (UNICODE)

PassWord

Strings/Hex Code Found With The File Rules

Rule Type	Encoding	Matched (Word)
Text	Ascii	Encryption (FromBase64String)
Entry Point	Hex Pattern	Microsoft Visual C / Basic .NET
Entry Point	Hex Pattern	Microsoft Visual C++ 8
Entry Point	Hex Pattern	Microsoft Visual C++ 8.0
Entry Point	Hex Pattern	Microsoft Visual C v7.0 / Basic .NET
Entry Point	Hex Pattern	Microsoft Visual Studio .NET
Entry Point	Hex Pattern	.NET executable

Resources

Path	DataRVA	Size	FileOffset	Code	Text
\VERSION\1\0	6058	31C	2A58	1C0334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000	..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............

Intelligent String

• 1.0.0.0
• UserInfo.exe
• %LDAP://support.htb
• _CorExeMainmscoree.dll

Flow Anomalies

Offset	RVA	Section	Description
284A	402000	.text	JMP [static] \| Indirect jump to absolute memory address

Extra Analysis

Metric	Value	Percentage
Ascii Code	6415	52,2054%
Null Byte Code	4659	37,915%

PESCAN.IO - Analysis Report Basic