PESCAN.IO - Analysis Report Basic

File Structure
[Analysis image not included in this export. PE chart legend: PE header (light blue), executable sections (pink), non-executable sections (black), externally injected code (red); a file structure drawn in red indicates a malformed or corrupted header. Chart legend for other file types: printable characters (blue), non-printable characters (black).]
Information
Size: 960,52 KB
SHA-256 Hash: C640E3187A862B3986EFEA88D542A846AC41490BA5B8DE6257B5919A02CB61F8
SHA-1 Hash: BB307DFBAAD8C40D64B39D125C0AA32FD70E78DF
MD5 Hash: 5BCE88F6EE84C9E1A52C2AE31D42BC6A
Imphash: 9E4FCCE306AA2353CBC65C586CC0DDBD
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (rva): 157890
SizeOfHeaders: 200
SizeOfImage: 15A000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: 1594EC
Characteristics: 226
TimeDateStamp: 6918AFEC
Date: 15/11/2025 16:53:00
File Type: EXE
Number Of Sections: 3
ASLR: Disabled
Section Names (Optional Header): .dosx, .fish, .rsrc
Number Of Executable Sections: 2
Subsystem: Windows Console
UAC Execution Level Manifest: asInvoker
[Incomplete Binary or Compressor Packer - 423,48 KB Missing]

Sections Info
(Columns: Section Name, Flags, ROffset, RSize, VOffset, VSize, Entropy, Chi2)

.dosx
  Flags: 0xE0000080 (Uninitialized Data, Executable, Readable, Writeable)
  ROffset: 200  RSize: 0  VOffset: 1000  VSize: ED000
  Entropy: N/A  Chi2: N/A

.fish
  Flags: 0xE0000040 (Initialized Data, Executable, Readable, Writeable)
  ROffset: 200  RSize: 6A600  VOffset: EE000  VSize: 6B000
  Entropy: 7.9991  Chi2: 569.75

.rsrc
  Flags: 0xC3C14DD8 (Type No Padding, Initialized Data, Uninitialized Data, Extended Relocations, GP-Relative, Readable, Writeable)
  ROffset: 6A800  RSize: A00  VOffset: 159000  VSize: 1000
  Entropy: 5.0008  Chi2: 48208.2
Entry Point
The Entry Point is located in section number 2.
Information -> EntryPoint (calculated): 69A90
Code -> 53575655488D358A67F9FF488DBEDB2FF1FF488D877CC11400FF30C7002BC40CC65057B8BA5C1500504889E14889FA4889F7
Assembler
  PUSH RBX
  PUSH RDI
  PUSH RSI
  PUSH RBP
  LEA RSI, [RIP - 0X69876]
  LEA RDI, [RSI - 0XED025]
  LEA RAX, [RDI + 0X14C17C]
  PUSH QWORD PTR [RAX]
  MOV DWORD PTR [RAX], 0XC60CC42B
  PUSH RAX
  PUSH RDI
  MOV EAX, 0X155CBA
  PUSH RAX
  MOV RCX, RSP
  MOV RDX, RDI
  MOV RDI, RSI
Signatures
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Detect It Easy (die)
Entropy: 7.16918

Suspicious Functions
Library Function Description
KERNEL32.DLL GetModuleHandleA Retrieves a handle to the specified module.
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL LoadLibraryA Loads the specified module into the address space of the calling process.
KERNEL32.DLL CreateToolhelp32Snapshot Creates a snapshot of the specified processes, heaps, threads, and modules.
KERNEL32.DLL ReadProcessMemory Reads data from an area of memory in a specified process.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL SleepEx Pauses the execution of the current thread, optionally allowing the thread to be awakened by a kernel object or upon expiration of a timeout.
Ws2_32.DLL socket Create a communication endpoint for networking applications.
Ws2_32.DLL connect Establish a connection to a specified socket.
File Access
ws2_32.dll
userenv.dll
oleaut32.dll
ole32.dll
ntdll.dll
KERNEL32.DLL
bcryptprimitives.dll
api-ms-win-crt-string-l1-1-0.dll
api-ms-win-crt-stdio-l1-1-0.dll
api-ms-win-crt-runtime-l1-1-0.dll
api-ms-win-crt-private-l1-1-0.dll
api-ms-win-crt-math-l1-1-0.dll
api-ms-win-crt-locale-l1-1-0.dll
api-ms-win-crt-heap-l1-1-0.dll
api-ms-win-crt-environment-l1-1-0.dll
api-ms-win-core-synch-l1-2-0.dll
.dat
Temp
AppData
UserProfile

Words of Interest
exec
attrib
start
shutdown
systeminfo
ping
replace

Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii WinAPI Sockets (WSACleanup)
Text Ascii WinAPI Sockets (bind)
Text Ascii WinAPI Sockets (listen)
Text Ascii WinAPI Sockets (accept)
Text Ascii WinAPI Sockets (connect)
Text Ascii WinAPI Sockets (recv)
Text Ascii WinAPI Sockets (send)
Text Ascii File (GetTempPath)
Text Ascii File (CopyFile)
Text Ascii File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii File (ReadFile)
Text Ascii Anti-Analysis VM (GetSystemInfo)
Text Ascii Anti-Analysis VM (CreateToolhelp32Snapshot)
Text Ascii Reconnaissance (FindNextFileW)
Text Ascii Reconnaissance (FindClose)
Text Ascii Stealth (CloseHandle)
Text Ascii Stealth (UnmapViewOfFile)
Text Ascii Stealth (MapViewOfFile)
Text Ascii Stealth (CreateFileMappingA)
Text Ascii Stealth (VirtualProtect)
Text Ascii Stealth (ReadProcessMemory)
Text Ascii Execution (CreateProcessW)
Text Ascii Execution (CreateEventW)
Text Ascii Malicious code executed after exploiting a vulnerability (Payload)
Text Ascii Malware that installs additional malicious payloads (Dropper)
Resources
Path: \24\1\0  DataRVA: 15905C  Size: 48F  FileOffset: 6A85C
Code: 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279
Text: <?xml version="1.0" encoding="UTF-8" standalone="y
Intelligent String
• .bss
• .tls

Flow Anomalies
Offset RVA Section Description
13C4 N/A .fish JMP QWORD PTR [RIP+0x70E816F2]
30D8 N/A .fish CALL QWORD PTR [RIP+0x241E7C8D]
15D60 N/A .fish JMP QWORD PTR [RIP+0x1CEB709E]
31594 N/A .fish JMP QWORD PTR [RIP+0x23DE86F0]
31B49 N/A .fish CALL QWORD PTR [RIP+0xB723919A]
409B0 N/A .fish JMP QWORD PTR [RIP+0x78EC5673]
45070 N/A .fish JMP QWORD PTR [RIP+0xB1DDC604]
4667F N/A .fish CALL QWORD PTR [RIP+0x7875F890]
466F2 N/A .fish CALL QWORD PTR [RIP+0x496C56FF]
47EB0 N/A .fish JMP QWORD PTR [RIP+0x812D02A0]
53980 N/A .fish JMP QWORD PTR [RIP+0x2DEF79B6]
6A5A1 N/A .fish CALL QWORD PTR [RIP+0x1339]
6A5BF N/A .fish CALL QWORD PTR [RIP+0x132B]
6A5D3 N/A .fish JMP QWORD PTR [RIP+0x130F]
6A6F8 15849C .fish TLS Callback | Pointer to 14015849C - 0x6A69C .fish
200-6A7FF EE000 .fish Executable section anomaly, first bytes: 9CCF00376DC98D79
6B200 N/A *Overlay* 0000000004000000000000000100200003010000 | .............. .....
Extra Analysis
Metric Value Percentage
Ascii Code 750082 76,261%
Null Byte Code 78240 7,9547%