PESCAN.IO - Analysis Report Valid Code
File Structure: (image)
Information:
• Icon: (image)
• Size: 1,25 MB
• SHA-256 Hash: 21581C6E5AE4F7700351C3A01E5669918B34CDC065853BCC7E526D32D874DF3D
• SHA-1 Hash: 05FF5F094F062953BEE7515562E25CE07E3D7F51
• MD5 Hash: 5E5FAE6382B8A3661CD2C43090ED8C2E
• Imphash: 0B768923437678CE375719E30B21693E
• MajorOSVersion: 5
• CheckSum: 00146E6C
• EntryPoint (rva): 204F7
• SizeOfHeaders: 400
• SizeOfImage: 145000
• ImageBase: 400000
• Architecture: x86
• ImportTable: C8E74
• Characteristics: 122
• TimeDateStamp: 685D26D1
• Date: 26/06/2025 10:54:09
• File Type: EXE
• Number Of Sections: 5
• ASLR: Enabled
• Section Names: .text, .rdata, .data, .rsrc, .reloc
• Number Of Executable Sections: 1
• Subsystem: Windows GUI
• UAC Execution Level Manifest: asInvoker
Sections Info:
Section Name | Flags | ROffset | RSize | VOffset | VSize |
---|---|---|---|---|---|
.text | 60000020 (Executable) | 400 | 9AC00 | 1000 | 9AA37 |
.rdata | 40000040 | 9B000 | 2FC00 | 9C000 | 2FB92 |
.data | C0000040 (Writeable) | CAC00 | 4800 | CC000 | 705C |
.rsrc | 40000040 | CF400 | 68C00 | D4000 | 68A50 |
.reloc | 42000040 | 138000 | 7600 | 13D000 | 75CC |
Entry Point:
Section 1 (.text) contains the entry point. EntryPoint (calculated): 1F8F7
Code: E86E050000E97AFEFFFF558BEC56FF75088BF1E858000000C70610FE49008BC65E5DC20400836104008BC183610800C74104
Disassembly:
• CALL 0X1573
• JMP 0XE84
• PUSH EBP
• MOV EBP, ESP
• PUSH ESI
• PUSH DWORD PTR [EBP + 8]
• MOV ESI, ECX
• CALL 0X1070
• MOV DWORD PTR [ESI], 0X49FE10
• MOV EAX, ESI
• POP ESI
• POP EBP
• RET 4
• AND DWORD PTR [ECX + 4], 0
• MOV EAX, ECX
• AND DWORD PTR [ECX + 8], 0
Signatures:
Rich Signature Analyzer:
• Code: 9AC783AEDEA6EDFDDEA6EDFDDEA6EDFD6A3A1CFDFDA6EDFD6A3A1EFD43A6EDFD6A3A1FFDFDA6EDFD40062AFDDFA6EDFD8CCEE8FCF3A6EDFD8CCEE9FCCCA6EDFD8CCEEEFCCBA6EDFDD7DE6EFDD7A6EDFDD7DE7EFDFBA6EDFDDEA6ECFDF7A4EDFD7BCFE3FC8EA6EDFD7BCFEEFCDFA6EDFD7BCF12FDDFA6EDFDDEA67AFDDFA6EDFD7BCFEFFCDFA6EDFD52696368DEA6EDFD
• Footprint md5 Hash: DBBC79F11DC9642146122EDEB8346BE4
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed
Packer/Compiler:
Compiler: AutoIt 3 - (You can use a decompiler for this...)
Detect It Easy (die):
• PE: library: AutoIt(3.XX)[-]
• PE: compiler: EP:Microsoft Visual C/C++(2017 v.15.5-6)[EXE32]
• PE: compiler: Microsoft Visual C/C++(2017 v.15.9)[-]
• PE: linker: Microsoft Linker(14.16, Visual Studio 2017 15.9*)[EXE32]
• Entropy: 7.19579
Suspicious Functions:
Library | Function | Description |
---|---|---|
KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
KERNEL32.DLL | CopyFileW | Copies an existing file to a new file. |
KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
KERNEL32.DLL | CreateToolhelp32Snapshot | Creates a snapshot of the specified processes, heaps, threads, and modules. |
KERNEL32.DLL | WriteProcessMemory | Writes data to an area of memory in a specified process. |
KERNEL32.DLL | ReadProcessMemory | Reads data from an area of memory in a specified process. |
KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
USER32.DLL | GetAsyncKeyState | Retrieves the status of a virtual key asynchronously. |
SHELL32.DLL | ShellExecuteW | Performs a run operation on a specific file. |
SHELL32.DLL | ShellExecuteExW | Performs a run operation on a specific file. |
Windows REG (UNICODE):
• Software\AutoIt v3\AutoIt
• SOFTWARE\Classes\
• SYSTEM\CurrentControlSet\Control\Nls\Language
File Access:
OLEAUT32.dll ole32.dll SHELL32.dll ADVAPI32.dll COMDLG32.dll GDI32.dll USER32.dll KERNEL32.dll UxTheme.dll USERENV.dll IPHLPAPI.DLL PSAPI.DLL WININET.dll MPR.dll COMCTL32.dll WINMM.dll VERSION.dll WSOCK32.dll Temp UserProfile
File Access (UNICODE):
api-ms-win-core-synch-l1-2-0.dll kernel32.dll mscoree.dll Temp ProgramFiles AppData UserProfile
Words of Interest:
PADDINGX exec attrib start shutdown systeminfo ping replace
Words of Interest (UNICODE):
exec attrib start pause comspec shutdown ping expand replace
Payloads:
Unusual BP Cave > 15 Bytes - (0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...)
IP Addresses:
255.255.255.255
Strings/Hex Code Found With The File Rules:
• Rule Text (Ascii): Registry (RegCreateKeyEx)
• Rule Text (Ascii): Registry (RegOpenKeyEx)
• Rule Text (Ascii): Registry (RegSetValueEx)
• Rule Text (Ascii): Registry (RegDeleteKeyEx)
• Rule Text (Ascii): File (GetTempPath)
• Rule Text (Ascii): File (CopyFile)
• Rule Text (Ascii): File (CreateFile)
• Rule Text (Ascii): File (WriteFile)
• Rule Text (Ascii): File (ReadFile)
• Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent)
• Rule Text (Ascii): Anti-Analysis VM (GetSystemInfo)
• Rule Text (Ascii): Anti-Analysis VM (GlobalMemoryStatusEx)
• Rule Text (Ascii): Anti-Analysis VM (GetVersion)
• Rule Text (Ascii): Anti-Analysis VM (CreateToolhelp32Snapshot)
• Rule Text (Ascii): Stealth (VirtualAlloc)
• Rule Text (Ascii): Stealth (ReadProcessMemory)
• Rule Text (Ascii): Execution (CreateProcessA)
• Rule Text (Ascii): Execution (CreateProcessW)
• Rule Text (Ascii): Execution (ShellExecute)
• Rule Text (Ascii): Execution (ResumeThread)
• Rule Text (Unicode): Privileges (SeAssignPrimaryTokenPrivilege)
• Rule Text (Unicode): Privileges (SeBackupPrivilege)
• Rule Text (Unicode): Privileges (SeDebugPrivilege)
• Rule Text (Unicode): Privileges (SeIncreaseQuotaPrivilege)
• Rule Text (Unicode): Privileges (SeRestorePrivilege)
• Rule Text (Unicode): Privileges (SeShutdownPrivilege)
• Rule Text (Unicode): Keyboard Key (ALTDOWN)
• Rule Text (Unicode): Keyboard Key (ALTUP)
• Rule Text (Unicode): Keyboard Key (SHIFTDOWN)
• Rule Text (Unicode): Keyboard Key (SHIFTUP)
• Rule Text (Unicode): Keyboard Key (CTRLDOWN)
• Rule Text (Unicode): Keyboard Key (CTRLUP)
• Rule Text (Unicode): Keyboard Key (LWINDOWN)
• Rule Text (Unicode): Keyboard Key (LWINUP)
• Rule Text (Unicode): Keyboard Key (RWINDOWN)
• Rule Text (Unicode): Keyboard Key (RWINUP)
• Rule Text (Unicode): Keyboard Key (LBUTTON)
• Rule Text (Unicode): Keyboard Key (MBUTTON)
• Rule Text (Unicode): Keyboard Key (RBUTTON)
• Rule Text (Unicode): Keyboard Key (NUMPAD0)
• Rule Text (Unicode): Keyboard Key (NUMPAD1)
• Rule Text (Unicode): Keyboard Key (NUMPAD2)
• Rule Text (Unicode): Keyboard Key (NUMPAD3)
• Rule Text (Unicode): Keyboard Key (NUMPAD4)
• Rule Text (Unicode): Keyboard Key (NUMPAD5)
• Rule Text (Unicode): Keyboard Key (NUMPAD6)
• Rule Text (Unicode): Keyboard Key (NUMPAD7)
• Rule Text (Unicode): Keyboard Key (NUMPAD8)
• Rule Text (Unicode): Keyboard Key (NUMPAD9)
• Rule Text (Unicode): Keyboard Key (CapsLock)
• Rule Text (Ascii): Malicious rerouting of traffic to an attacker-controlled site (Redirect)
• EP Rules: Microsoft Visual C++ 8
• EP Rules: Microsoft Visual C++ 8
• EP Rules: VC8 -> Microsoft Corporation
Resources:
Path | DataRVA | Size | FileOffset | Code | Text |
---|---|---|---|---|---|
\ICON\1\2057 | D44A0 | 128 | CF8A0 | 2800000010000000200000000100040000000000C000000000000000000000000000000000000000000000007A60EB00795F | (....... ...................................z..y_ |
\ICON\2\2057 | D45C8 | 2E8 | CF9C8 | 2800000020000000400000000100040000000000000000000000000000000000000000000000000000000000000000000080 | (... ...@......................................... |
\ICON\3\2057 | D48B0 | 128 | CFCB0 | 2800000010000000200000000100040000000000000000000000000000000000000000000000000000000000000000000080 | (....... ......................................... |
\ICON\4\2057 | D49D8 | EA8 | CFDD8 | 28000000300000006000000001000800000000000000000000000000000000000000000000000000000000009F7747000000 | (...0.......................................wG... |
\ICON\5\2057 | D5880 | 8A8 | D0C80 | 2800000020000000400000000100080000000000000000000000000000000000000000000000000000000000A06A3C00AB7E | (... ...@....................................j<..~ |
\ICON\6\2057 | D6128 | 568 | D1528 | 28000000100000002000000001000800000000000000000000000000000000000000000000000000000000009E6F3E009D72 | (....... ....................................o>..r |
\ICON\7\2057 | D6690 | 25A8 | D1A90 | 2800000030000000600000000100200000000000000000000000000000000000000000000000000000000000000000000000 | (...0........ ................................... |
\ICON\8\2057 | D8C38 | 10A8 | D4038 | 2800000020000000400000000100200000000000000000000000000000000000000000000000000000000000000000000000 | (... ...@..... ................................... |
\ICON\9\2057 | D9CE0 | 468 | D50E0 | 2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000 | (....... ..... ................................... |
\STRING\7\2057 | DA148 | 594 | D5548 | 0000000000000000000009002800500061007500730065006400290020000C004100750074006F0049007400200045007200 | ............(.P.a.u.s.e.d.). ...A.u.t.o.I.t. .E.r. |
\STRING\8\2057 | DA6DC | 68A | D5ADC | 300049006E0063006F007200720065006300740020006E0075006D0062006500720020006F00660020007000610072006100 | 0.I.n.c.o.r.r.e.c.t. .n.u.m.b.e.r. .o.f. .p.a.r.a. |
\STRING\9\2057 | DAD68 | 490 | D6168 | 30004500780070006500630074006500640020006100200022003D00220020006F00700065007200610074006F0072002000 | 0.E.x.p.e.c.t.e.d. .a. .".=.". .o.p.e.r.a.t.o.r. . |
\STRING\10\2057 | DB1F8 | 5FC | D65F8 | 1A0049006E00760061006C00690064002000660069006C0065002000660069006C0074006500720020006700690076006500 | ..I.n.v.a.l.i.d. .f.i.l.e. .f.i.l.t.e.r. .g.i.v.e. |
\STRING\11\2057 | DB7F4 | 65C | D6BF4 | 3E002200530065006C0065006300740022002000730074006100740065006D0065006E00740020006900730020006D006900 | >.".S.e.l.e.c.t.". .s.t.a.t.e.m.e.n.t. .i.s. .m.i. |
\STRING\12\2057 | DBE50 | 466 | D7250 | 4800430061006E0020007000610073007300200063006F006E007300740061006E0074007300200062007900200072006500 | H.C.a.n. .p.a.s.s. .c.o.n.s.t.a.n.t.s. .b.y. .r.e. |
\STRING\313\2057 | DC2B8 | 158 | D76B8 | 00000000000000000000000000000000150055006E00610062006C006500200074006F002000700061007200730065002000 | ..................U.n.a.b.l.e. .t.o. .p.a.r.s.e. . |
\RCDATA\SCRIPT\0 | DC410 | 600E7 | D7810 | A3484BBE986C4AA9994C530A86D6487D41553321454130364DA8FF7324A73CF67A12F167ACC193E76B43CA52A6AD0000E1BB | .HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R...... |
\GROUP_ICON\99\2057 | 13C4F8 | 76 | 1378F8 | 0000010008002020100001000400E8020000020010101000010004002801000003003030000001000800A80E000004002020 | ...... ....................(.....00............ |
\GROUP_ICON\169\2057 | 13C570 | 14 | 137970 | 0000010001001010100001000400280100000100 | ..............(..... |
\VERSION\1\2057 | 13C584 | DC | 137984 | DC0034000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
\24\1\2057 | 13C660 | 3EF | 137A60 | 3C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122 | <assembly xmlns="urn:schemas-microsoft-com:asm.v1" |
Intelligent String:
• RUNASWAIT
• RUNAS
• api-ms-win-core-synch-l1-2-0.dll
• kernel32.dll
• mscoree.dll
• COMSPEC
• runas
• 0.0.0.0
• .lnk
• 255.255.255.255
• .icl
• .exe
• .dll
• .tls
• .bss
• COMCTL32.dll
• KERNEL32.dll
• USER32.dll
• COMDLG32.dll
Extra 4n4lysis:
Metric | Value | Percentage |
---|---|---|
Ascii Code | 784169 | 59,9444% |
Null Byte Code | 165459 | 12,6482% |
© 2025 All rights reserved.