PESCAN.IO - Analysis Report Valid Code

File Structure: (image in the original report, not reproduced)

Information:
Icon: (image in the original report, not reproduced)
Size: 1,25 MB
SHA-256 Hash: 21581C6E5AE4F7700351C3A01E5669918B34CDC065853BCC7E526D32D874DF3D
SHA-1 Hash: 05FF5F094F062953BEE7515562E25CE07E3D7F51
MD5 Hash: 5E5FAE6382B8A3661CD2C43090ED8C2E
Imphash: 0B768923437678CE375719E30B21693E
MajorOSVersion: 5
CheckSum: 00146E6C
EntryPoint (rva): 204F7
SizeOfHeaders: 400
SizeOfImage: 145000
ImageBase: 400000
Architecture: x86
ImportTable: C8E74
Characteristics: 122
TimeDateStamp: 685D26D1
Date: 26/06/2025 10:54:09
File Type: EXE
Number Of Sections: 5
ASLR: Enabled
Section Names: .text, .rdata, .data, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info:
Section Name Flags ROffset RSize VOffset VSize
.text 60000020 (Executable) 400 9AC00 1000 9AA37
.rdata 40000040 9B000 2FC00 9C000 2FB92
.data C0000040 (Writeable) CAC00 4800 CC000 705C
.rsrc 40000040 CF400 68C00 D4000 68A50
.reloc 42000040 138000 7600 13D000 75CC
Entry Point:
Section 1 (.text) contains the Entry Point
Information -> EntryPoint file offset (calculated from RVA 204F7 through .text: 204F7 - 1000 + 400) - 1F8F7
Code -> E86E050000E97AFEFFFF558BEC56FF75088BF1E858000000C70610FE49008BC65E5DC20400836104008BC183610800C74104
Disassembly (branch targets are printed as if the dump were loaded at 0x1000; add 0x1F4F7 to obtain image RVAs, e.g. CALL 0X1573 -> RVA 0x20A6A). The CALL followed by an unconditional JMP is the usual MSVC CRT entry stub (security-cookie initialisation, then a jump into the CRT startup), consistent with the Detect It Easy compiler result below:
CALL 0X1573
JMP 0XE84
PUSH EBP
MOV EBP, ESP
PUSH ESI
PUSH DWORD PTR [EBP + 8]
MOV ESI, ECX
CALL 0X1070
MOV DWORD PTR [ESI], 0X49FE10
MOV EAX, ESI
POP ESI
POP EBP
RET 4
AND DWORD PTR [ECX + 4], 0
MOV EAX, ECX
AND DWORD PTR [ECX + 8], 0

Signatures:
Rich Signature Analyzer:
Code -> 9AC783AEDEA6EDFDDEA6EDFDDEA6EDFD6A3A1CFDFDA6EDFD6A3A1EFD43A6EDFD6A3A1FFDFDA6EDFD40062AFDDFA6EDFD8CCEE8FCF3A6EDFD8CCEE9FCCCA6EDFD8CCEEEFCCBA6EDFDD7DE6EFDD7A6EDFDD7DE7EFDFBA6EDFDDEA6ECFDF7A4EDFD7BCFE3FC8EA6EDFD7BCFEEFCDFA6EDFD7BCF12FDDFA6EDFDDEA67AFDDFA6EDFD7BCFEFFCDFA6EDFD52696368DEA6EDFD
Footprint md5 Hash -> DBBC79F11DC9642146122EDEB8346BE4
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:
Compiler: AutoIt 3 - the compiled script is embedded as the RCDATA\SCRIPT resource (see Resources below); an AutoIt 3 decompiler/extractor recovers the script source, which is where this sample's actual behaviour lives.
Detect It Easy (die)
PE: library: AutoIt(3.XX)[-]
PE: compiler: EP:Microsoft Visual C/C++(2017 v.15.5-6)[EXE32]
PE: compiler: Microsoft Visual C/C++(2017 v.15.9)[-]
PE: linker: Microsoft Linker(14.16, Visual Studio 2017 15.9*)[EXE32]
Entropy: 7.19579

Suspicious Functions:
(These imports belong to the AutoIt3 interpreter stub that every compiled AutoIt script carries; they describe what the runtime can do, not what this particular script does. Judge intent from the script body in the RCDATA\SCRIPT resource.)
Library Function Description
KERNEL32.DLL VirtualAlloc Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL CopyFileW Copies an existing file to a new file.
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL LoadLibraryA Loads the specified module into the address space of the calling process.
KERNEL32.DLL LoadLibraryW Loads the specified module into the address space of the calling process.
KERNEL32.DLL CreateToolhelp32Snapshot Creates a snapshot of the specified processes, heaps, threads, and modules.
KERNEL32.DLL WriteProcessMemory Writes data to an area of memory in a specified process.
KERNEL32.DLL ReadProcessMemory Reads data from an area of memory in a specified process.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL IsDebuggerPresent Determines if the calling process is being debugged by a user-mode debugger.
USER32.DLL GetAsyncKeyState Retrieves the status of a virtual key asynchronously.
SHELL32.DLL ShellExecuteW Performs a run operation on a specific file.
SHELL32.DLL ShellExecuteExW Performs a run operation on a specific file.
Windows REG (UNICODE):
Software\AutoIt v3\AutoIt
SOFTWARE\Classes\
SYSTEM\CurrentControlSet\Control\Nls\Language

File Access:
OLEAUT32.dll
ole32.dll
SHELL32.dll
ADVAPI32.dll
COMDLG32.dll
GDI32.dll
USER32.dll
KERNEL32.dll
UxTheme.dll
USERENV.dll
IPHLPAPI.DLL
PSAPI.DLL
WININET.dll
MPR.dll
COMCTL32.dll
WINMM.dll
VERSION.dll
WSOCK32.dll
Temp
UserProfile

File Access (UNICODE):
api-ms-win-core-synch-l1-2-0.dll
kernel32.dll
mscoree.dll
Temp
ProgramFiles
AppData
UserProfile

Words of Interest:
PADDINGX
exec
attrib
start
shutdown
systeminfo
ping
replace

Words of Interest (UNICODE):
exec
attrib
start
pause
comspec
shutdown
ping
expand
replace

Payloads:
Unusual BP Cave > 15 Bytes - (0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...) - runs of 0xCC (INT3) are the normal inter-function padding the Microsoft linker emits in .text, so this is expected for an MSVC build and is not by itself a code cave or a patch site.

IP Addresses:
255.255.255.255 (the limited-broadcast address; it appears alongside 0.0.0.0 in the interpreter's strings below and is not a contact indicator on its own)

Strings/Hex Code Matched By The File Rules:
Rule Text (Ascii): Registry (RegCreateKeyEx)
Rule Text (Ascii): Registry (RegOpenKeyEx)
Rule Text (Ascii): Registry (RegSetValueEx)
Rule Text (Ascii): Registry (RegDeleteKeyEx)
Rule Text (Ascii): File (GetTempPath)
Rule Text (Ascii): File (CopyFile)
Rule Text (Ascii): File (CreateFile)
Rule Text (Ascii): File (WriteFile)
Rule Text (Ascii): File (ReadFile)
Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent)
Rule Text (Ascii): Anti-Analysis VM (GetSystemInfo)
Rule Text (Ascii): Anti-Analysis VM (GlobalMemoryStatusEx)
Rule Text (Ascii): Anti-Analysis VM (GetVersion)
Rule Text (Ascii): Anti-Analysis VM (CreateToolhelp32Snapshot)
Rule Text (Ascii): Stealth (VirtualAlloc)
Rule Text (Ascii): Stealth (ReadProcessMemory)
Rule Text (Ascii): Execution (CreateProcessA)
Rule Text (Ascii): Execution (CreateProcessW)
Rule Text (Ascii): Execution (ShellExecute)
Rule Text (Ascii): Execution (ResumeThread)
Rule Text (Unicode): Privileges (SeAssignPrimaryTokenPrivilege)
Rule Text (Unicode): Privileges (SeBackupPrivilege)
Rule Text (Unicode): Privileges (SeDebugPrivilege)
Rule Text (Unicode): Privileges (SeIncreaseQuotaPrivilege)
Rule Text (Unicode): Privileges (SeRestorePrivilege)
Rule Text (Unicode): Privileges (SeShutdownPrivilege)
Rule Text (Unicode): Keyboard Key (ALTDOWN)
Rule Text (Unicode): Keyboard Key (ALTUP)
Rule Text (Unicode): Keyboard Key (SHIFTDOWN)
Rule Text (Unicode): Keyboard Key (SHIFTUP)
Rule Text (Unicode): Keyboard Key (CTRLDOWN)
Rule Text (Unicode): Keyboard Key (CTRLUP)
Rule Text (Unicode): Keyboard Key (LWINDOWN)
Rule Text (Unicode): Keyboard Key (LWINUP)
Rule Text (Unicode): Keyboard Key (RWINDOWN)
Rule Text (Unicode): Keyboard Key (RWINUP)
Rule Text (Unicode): Keyboard Key (LBUTTON)
Rule Text (Unicode): Keyboard Key (MBUTTON)
Rule Text (Unicode): Keyboard Key (RBUTTON)
Rule Text (Unicode): Keyboard Key (NUMPAD0)
Rule Text (Unicode): Keyboard Key (NUMPAD1)
Rule Text (Unicode): Keyboard Key (NUMPAD2)
Rule Text (Unicode): Keyboard Key (NUMPAD3)
Rule Text (Unicode): Keyboard Key (NUMPAD4)
Rule Text (Unicode): Keyboard Key (NUMPAD5)
Rule Text (Unicode): Keyboard Key (NUMPAD6)
Rule Text (Unicode): Keyboard Key (NUMPAD7)
Rule Text (Unicode): Keyboard Key (NUMPAD8)
Rule Text (Unicode): Keyboard Key (NUMPAD9)
Rule Text (Unicode): Keyboard Key (CapsLock)
(Note: the keyboard names above are AutoIt Send() key names such as {ALTDOWN}, {NUMPAD0} and {CAPSLOCK}, and the privilege names and the RUNAS/RUNASWAIT strings likewise belong to the AutoIt3 interpreter. They are runtime baseline, not evidence that this script logs keys or elevates, until the script body has been extracted.)
Rule Text (Ascii): Redirect (rule label: "Malicious rerouting of traffic to an attacker-controlled site"; this is a bare string match and does not by itself show any traffic redirection)
EP Rules: Microsoft Visual C++ 8
EP Rules: VC8 -> Microsoft Corporation
(The entry-point signature is generic across MSVC versions; the Detect It Easy linker result above, version 14.16 / Visual Studio 2017 15.9, is the more precise attribution.)

Resources:
(The RCDATA\SCRIPT\0 entry, 0x600E7 bytes at file offset D7810, is the compiled AutoIt script: its first 16 bytes are the AutoIt3 script resource signature and are followed by the "AU3!EA06" format marker. This is the blob an AutoIt decompiler works on.)
Path DataRVA Size FileOffset CodeText
\ICON\1\2057 D44A0 128 CF8A0 2800000010000000200000000100040000000000C000000000000000000000000000000000000000000000007A60EB00795F(....... ...................................z..y_
\ICON\2\2057 D45C8 2E8 CF9C8 2800000020000000400000000100040000000000000000000000000000000000000000000000000000000000000000000080(... ...@.........................................
\ICON\3\2057 D48B0 128 CFCB0 2800000010000000200000000100040000000000000000000000000000000000000000000000000000000000000000000080(....... .........................................
\ICON\4\2057 D49D8 EA8 CFDD8 28000000300000006000000001000800000000000000000000000000000000000000000000000000000000009F7747000000(...0.......................................wG...
\ICON\5\2057 D5880 8A8 D0C80 2800000020000000400000000100080000000000000000000000000000000000000000000000000000000000A06A3C00AB7E(... ...@....................................j<..~
\ICON\6\2057 D6128 568 D1528 28000000100000002000000001000800000000000000000000000000000000000000000000000000000000009E6F3E009D72(....... ....................................o>..r
\ICON\7\2057 D6690 25A8 D1A90 2800000030000000600000000100200000000000000000000000000000000000000000000000000000000000000000000000(...0........ ...................................
\ICON\8\2057 D8C38 10A8 D4038 2800000020000000400000000100200000000000000000000000000000000000000000000000000000000000000000000000(... ...@..... ...................................
\ICON\9\2057 D9CE0 468 D50E0 2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000(....... ..... ...................................
\STRING\7\2057 DA148 594 D5548 0000000000000000000009002800500061007500730065006400290020000C004100750074006F0049007400200045007200............(.P.a.u.s.e.d.). ...A.u.t.o.I.t. .E.r.
\STRING\8\2057 DA6DC 68A D5ADC 300049006E0063006F007200720065006300740020006E0075006D0062006500720020006F006600200070006100720061000.I.n.c.o.r.r.e.c.t. .n.u.m.b.e.r. .o.f. .p.a.r.a.
\STRING\9\2057 DAD68 490 D6168 30004500780070006500630074006500640020006100200022003D00220020006F00700065007200610074006F00720020000.E.x.p.e.c.t.e.d. .a. .".=.". .o.p.e.r.a.t.o.r. .
\STRING\10\2057 DB1F8 5FC D65F8 1A0049006E00760061006C00690064002000660069006C0065002000660069006C0074006500720020006700690076006500..I.n.v.a.l.i.d. .f.i.l.e. .f.i.l.t.e.r. .g.i.v.e.
\STRING\11\2057 DB7F4 65C D6BF4 3E002200530065006C0065006300740022002000730074006100740065006D0065006E00740020006900730020006D006900>.".S.e.l.e.c.t.". .s.t.a.t.e.m.e.n.t. .i.s. .m.i.
\STRING\12\2057 DBE50 466 D7250 4800430061006E0020007000610073007300200063006F006E007300740061006E0074007300200062007900200072006500H.C.a.n. .p.a.s.s. .c.o.n.s.t.a.n.t.s. .b.y. .r.e.
\STRING\313\2057 DC2B8 158 D76B8 00000000000000000000000000000000150055006E00610062006C006500200074006F002000700061007200730065002000..................U.n.a.b.l.e. .t.o. .p.a.r.s.e. .
\RCDATA\SCRIPT\0 DC410 600E7 D7810 A3484BBE986C4AA9994C530A86D6487D41553321454130364DA8FF7324A73CF67A12F167ACC193E76B43CA52A6AD0000E1BB.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R......
\GROUP_ICON\99\2057 13C4F8 76 1378F8 0000010008002020100001000400E8020000020010101000010004002801000003003030000001000800A80E000004002020...... ....................(.....00............
\GROUP_ICON\169\2057 13C570 14 137970 0000010001001010100001000400280100000100..............(.....
\VERSION\1\2057 13C584 DC 137984 DC0034000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\2057 13C660 3EF 137A60 3C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122<assembly xmlns="urn:schemas-microsoft-com:asm.v1"
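Added example (not part of the PESCAN.IO report, and not AutoIt's or any decompiler's code): a standard-library Python script that reads the PE section table, maps RVAs to file offsets the same way the report's "EntryPoint (calculated)" and "FileOffset" columns are derived, and locates the compiled script by its 16-byte resource signature followed by the AU3!EA06 marker. The SECTIONS table is copied from this report's Sections Info; build_sample_pe() is a constructed header-only PE so the parser can be checked offline. The script carves to the end of the containing section rather than to the exact resource length (that would need a resource-directory walk), and the carved blob is still AutoIt-encoded: it is the input to an AutoIt extractor, not readable source.

```python
"""Locate and carve the compiled AutoIt3 script from an AutoIt-built PE.

Added example for this report (not PESCAN.IO's code).  SECTIONS is copied
from the report's "Sections Info" table so the RVA/offset maths can be
checked against the numbers the report prints; parse_sections() reads the
same table from a real file.  Only the Python standard library is used.
"""
import struct
import sys

# (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
SECTIONS = [
    (".text",  0x1000,   0x9AA37, 0x400,    0x9AC00),
    (".rdata", 0x9C000,  0x2FB92, 0x9B000,  0x2FC00),
    (".data",  0xCC000,  0x705C,  0xCAC00,  0x4800),
    (".rsrc",  0xD4000,  0x68A50, 0xCF400,  0x68C00),
    (".reloc", 0x13D000, 0x75CC,  0x138000, 0x7600),
]

# First 16 bytes of the RCDATA\SCRIPT blob in the report: the AutoIt3 script
# resource signature, always followed by the "AU3!EA06" format marker.
AUTOIT_RES_SIG = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")
AU3_MARKER = b"AU3!EA06"


def rva_to_offset(rva, sections):
    """Map an image RVA to a file offset; None if the RVA has no bytes on disk."""
    for _name, vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            delta = rva - vaddr
            # .data has VirtualSize > SizeOfRawData: its tail is zero-filled
            # at load time and does not exist in the file.
            return raw_ptr + delta if delta < raw_size else None
    return None


def offset_to_rva(offset, sections):
    """Inverse mapping, used to report where a carved blob sits in the image."""
    for _name, vaddr, _vsize, raw_ptr, raw_size in sections:
        if raw_ptr <= offset < raw_ptr + raw_size:
            return vaddr + (offset - raw_ptr)
    return None


def parse_sections(data):
    """Read the PE section table with struct only (no pefile dependency)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt          # IMAGE_SECTION_HEADER array
    sections = []
    for i in range(num_sections):
        entry = table + i * 40
        name = data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, entry + 8)
        sections.append((name, vaddr, vsize, raw_ptr, raw_size))
    return sections


def find_autoit_scripts(data):
    """File offsets of every signature+marker pair; a signature alone is ignored."""
    hits, pos = [], data.find(AUTOIT_RES_SIG)
    while pos != -1:
        if data[pos + 16:pos + 24] == AU3_MARKER:
            hits.append(pos)
        pos = data.find(AUTOIT_RES_SIG, pos + 1)
    return hits


def build_sample_pe(sections):
    """Constructed sample: a header-only PE32 carrying `sections` (no code),
    so parse_sections() can be exercised without the analysed binary."""
    e_lfanew = 0x40
    pe = bytearray(b"MZ".ljust(0x3C, b"\0")) + struct.pack("<I", e_lfanew)
    # COFF header: i386, N sections, no symbols, empty optional header, EXE flags
    pe += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    for name, vaddr, vsize, raw_ptr, raw_size in sections:
        pe += name.encode().ljust(8, b"\0")
        pe += struct.pack("<IIII", vsize, vaddr, raw_size, raw_ptr)
        pe += struct.pack("<IIHHI", 0, 0, 0, 0, 0x60000020)   # relocs/lines/flags
    return bytes(pe)


def main(path):
    data = open(path, "rb").read()
    sections = parse_sections(data)
    for off in find_autoit_scripts(data):
        rva = offset_to_rva(off, sections)
        # The exact blob length lives in the resource directory; carving to
        # the end of the containing section (.rsrc here) is a safe over-read.
        end = next(p + s for _n, _v, _vs, p, s in sections if p <= off < p + s)
        out = f"{path}.au3_{off:X}.bin"
        with open(out, "wb") as fh:
            fh.write(data[off:end])
        print(f"AutoIt script blob at offset 0x{off:X} (RVA {rva:#x}) -> {out}")


if __name__ == "__main__":
    main(sys.argv[1])
```

Run as `python find_au3.py sample.exe`. For the file in this report the signature sits at file offset D7810 (RVA DC410), which is the same mapping the Resources table shows for RCDATA\SCRIPT\0; the carved .bin is what you hand to an AutoIt extractor.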
Intelligent String:
• RUNASWAIT
• RUNAS
• api-ms-win-core-synch-l1-2-0.dll
• kernel32.dll
• mscoree.dll
• COMSPEC
• runas
• 0.0.0.0
• .lnk
• 255.255.255.255
• .icl
• .exe
• .dll
• .tls
• .bss
• COMCTL32.dll
• KERNEL32.dll
• USER32.dll
• COMDLG32.dll

Extra 4n4lysis:
Metric Value Percentage
Ascii Code 784169 59,9444%
Null Byte Code 165459 12,6482%
© 2025 All rights reserved.