PREMIUM PESCAN.IO - Analysis Report

File Structure

Information

Size: 1,25 MB
SHA-256 Hash: 21581C6E5AE4F7700351C3A01E5669918B34CDC065853BCC7E526D32D874DF3D
SHA-1 Hash: 05FF5F094F062953BEE7515562E25CE07E3D7F51
MD5 Hash: 5E5FAE6382B8A3661CD2C43090ED8C2E
Imphash: 0B768923437678CE375719E30B21693E
MajorOSVersion: 5
CheckSum: 00146E6C
EntryPoint (rva): 204F7
SizeOfHeaders: 400
SizeOfImage: 145000
ImageBase: 400000
Architecture: x86
ImportTable: C8E74
Characteristics: 122
TimeDateStamp: 685D26D1
Date: 26/06/2025 10:54:09
File Type: EXE
Number Of Sections: 5
ASLR: Enabled
Section Names: .text, .rdata, .data, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker
Sections Info
| Section Name | Flags | ROffset | RSize | VOffset | VSize |
|---|---|---|---|---|---|
| .text | 60000020 (Executable) | 400 | 9AC00 | 1000 | 9AA37 |
| .rdata | 40000040 | 9B000 | 2FC00 | 9C000 | 2FB92 |
| .data | C0000040 (Writeable) | CAC00 | 4800 | CC000 | 705C |
| .rsrc | 40000040 | CF400 | 68C00 | D4000 | 68A50 |
| .reloc | 42000040 | 138000 | 7600 | 13D000 | 75CC |
Entry Point

Section number (1) - (.text) has the Entry Point. EntryPoint (calculated) - 1F8F7
Code -> E86E050000E97AFEFFFF558BEC56FF75088BF1E858000000C70610FE49008BC65E5DC20400836104008BC183610800C74104
Disassembly at the entry point:
• CALL 0X1573
• JMP 0XE84
• PUSH EBP
• MOV EBP, ESP
• PUSH ESI
• PUSH DWORD PTR [EBP + 8]
• MOV ESI, ECX
• CALL 0X1070
• MOV DWORD PTR [ESI], 0X49FE10
• MOV EAX, ESI
• POP ESI
• POP EBP
• RET 4
• AND DWORD PTR [ECX + 4], 0
• MOV EAX, ECX
• AND DWORD PTR [ECX + 8], 0
Signatures

Rich Signature Analyzer: Code -> 9AC783AEDEA6EDFDDEA6EDFDDEA6EDFD6A3A1CFDFDA6EDFD6A3A1EFD43A6EDFD6A3A1FFDFDA6EDFD40062AFDDFA6EDFD8CCEE8FCF3A6EDFD8CCEE9FCCCA6EDFD8CCEEEFCCBA6EDFDD7DE6EFDD7A6EDFDD7DE7EFDFBA6EDFDDEA6ECFDF7A4EDFD7BCFE3FC8EA6EDFD7BCFEEFCDFA6EDFD7BCF12FDDFA6EDFDDEA67AFDDFA6EDFD7BCFEFFCDFA6EDFD52696368DEA6EDFD
Footprint md5 Hash -> DBBC79F11DC9642146122EDEB8346BE4
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed
Packer/Compiler

Compiler: Autoit 3 - (You can use a decompiler for this...)
Detect It Easy (die):
• PE: library: AutoIt(3.XX)[-]
• PE: compiler: EP:Microsoft Visual C/C++(2017 v.15.5-6)[EXE32]
• PE: compiler: Microsoft Visual C/C++(2017 v.15.9)[-]
• PE: linker: Microsoft Linker(14.16, Visual Studio 2017 15.9*)[EXE32]
• Entropy: 7.19579
Suspicious Functions
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | CopyFileW | Copies an existing file to a new file. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | CreateToolhelp32Snapshot | Creates a snapshot of the specified processes, heaps, threads, and modules. |
| KERNEL32.DLL | WriteProcessMemory | Writes data to an area of memory in a specified process. |
| KERNEL32.DLL | ReadProcessMemory | Reads data from an area of memory in a specified process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| USER32.DLL | GetAsyncKeyState | Retrieves the status of a virtual key asynchronously. |
| SHELL32.DLL | ShellExecuteW | Performs a run operation on a specific file. |
| SHELL32.DLL | ShellExecuteExW | Performs a run operation on a specific file. |
Windows REG (UNICODE)

• Software\AutoIt v3\AutoIt
• SOFTWARE\Classes\
• SYSTEM\CurrentControlSet\Control\Nls\Language
File Access

• OLEAUT32.dll • ole32.dll • SHELL32.dll • ADVAPI32.dll • COMDLG32.dll • GDI32.dll • USER32.dll • KERNEL32.dll • UxTheme.dll • USERENV.dll • IPHLPAPI.DLL • PSAPI.DLL • WININET.dll • MPR.dll • COMCTL32.dll • WINMM.dll • VERSION.dll • WSOCK32.dll • Temp • UserProfile
File Access (UNICODE)

• api-ms-win-core-synch-l1-2-0.dll • kernel32.dll • mscoree.dll • Temp • ProgramFiles • AppData • UserProfile
Words of Interest

• PADDINGX • exec • attrib • start • shutdown • systeminfo • ping • replace
Words of Interest (UNICODE)

• exec • attrib • start • pause • comspec • shutdown • ping • expand • replace
Payloads

Unusual BP Cave > 15 Bytes - (0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...)
IP Addresses

255.255.255.255
Strings/Hex Code Found With The File Rules
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Registry (RegCreateKeyEx) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | Registry (RegSetValueEx) |
| Text | Ascii | Registry (RegDeleteKeyEx) |
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | File (CopyFile) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Anti-Analysis VM (GlobalMemoryStatusEx) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Anti-Analysis VM (CreateToolhelp32Snapshot) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (ReadProcessMemory) |
| Text | Ascii | Execution (CreateProcessA) |
| Text | Ascii | Execution (CreateProcessW) |
| Text | Ascii | Execution (ShellExecute) |
| Text | Ascii | Execution (ResumeThread) |
| Text | Unicode | Privileges (SeAssignPrimaryTokenPrivilege) |
| Text | Unicode | Privileges (SeBackupPrivilege) |
| Text | Unicode | Privileges (SeDebugPrivilege) |
| Text | Unicode | Privileges (SeIncreaseQuotaPrivilege) |
| Text | Unicode | Privileges (SeRestorePrivilege) |
| Text | Unicode | Privileges (SeShutdownPrivilege) |
| Text | Unicode | Keyboard Key (ALTDOWN) |
| Text | Unicode | Keyboard Key (ALTUP) |
| Text | Unicode | Keyboard Key (SHIFTDOWN) |
| Text | Unicode | Keyboard Key (SHIFTUP) |
| Text | Unicode | Keyboard Key (CTRLDOWN) |
| Text | Unicode | Keyboard Key (CTRLUP) |
| Text | Unicode | Keyboard Key (LWINDOWN) |
| Text | Unicode | Keyboard Key (LWINUP) |
| Text | Unicode | Keyboard Key (RWINDOWN) |
| Text | Unicode | Keyboard Key (RWINUP) |
| Text | Unicode | Keyboard Key (LBUTTON) |
| Text | Unicode | Keyboard Key (MBUTTON) |
| Text | Unicode | Keyboard Key (RBUTTON) |
| Text | Unicode | Keyboard Key (NUMPAD0) |
| Text | Unicode | Keyboard Key (NUMPAD1) |
| Text | Unicode | Keyboard Key (NUMPAD2) |
| Text | Unicode | Keyboard Key (NUMPAD3) |
| Text | Unicode | Keyboard Key (NUMPAD4) |
| Text | Unicode | Keyboard Key (NUMPAD5) |
| Text | Unicode | Keyboard Key (NUMPAD6) |
| Text | Unicode | Keyboard Key (NUMPAD7) |
| Text | Unicode | Keyboard Key (NUMPAD8) |
| Text | Unicode | Keyboard Key (NUMPAD9) |
| Text | Unicode | Keyboard Key (CapsLock) |
| Text | Ascii | Malicious rerouting of traffic to an attacker-controlled site (Redirect) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | VC8 -> Microsoft Corporation |
Resources
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\2057 | D44A0 | 128 | CF8A0 | 2800000010000000200000000100040000000000C000000000000000000000000000000000000000000000007A60EB00795F | (....... ...................................z..y_ |
| \ICON\2\2057 | D45C8 | 2E8 | CF9C8 | 2800000020000000400000000100040000000000000000000000000000000000000000000000000000000000000000000080 | (... ...@......................................... |
| \ICON\3\2057 | D48B0 | 128 | CFCB0 | 2800000010000000200000000100040000000000000000000000000000000000000000000000000000000000000000000080 | (....... ......................................... |
| \ICON\4\2057 | D49D8 | EA8 | CFDD8 | 28000000300000006000000001000800000000000000000000000000000000000000000000000000000000009F7747000000 | (...0.......................................wG... |
| \ICON\5\2057 | D5880 | 8A8 | D0C80 | 2800000020000000400000000100080000000000000000000000000000000000000000000000000000000000A06A3C00AB7E | (... ...@....................................j<..~ |
| \ICON\6\2057 | D6128 | 568 | D1528 | 28000000100000002000000001000800000000000000000000000000000000000000000000000000000000009E6F3E009D72 | (....... ....................................o>..r |
| \ICON\7\2057 | D6690 | 25A8 | D1A90 | 2800000030000000600000000100200000000000000000000000000000000000000000000000000000000000000000000000 | (...0........ ................................... |
| \ICON\8\2057 | D8C38 | 10A8 | D4038 | 2800000020000000400000000100200000000000000000000000000000000000000000000000000000000000000000000000 | (... ...@..... ................................... |
| \ICON\9\2057 | D9CE0 | 468 | D50E0 | 2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000 | (....... ..... ................................... |
| \STRING\7\2057 | DA148 | 594 | D5548 | 0000000000000000000009002800500061007500730065006400290020000C004100750074006F0049007400200045007200 | ............(.P.a.u.s.e.d.). ...A.u.t.o.I.t. .E.r. |
| \STRING\8\2057 | DA6DC | 68A | D5ADC | 300049006E0063006F007200720065006300740020006E0075006D0062006500720020006F00660020007000610072006100 | 0.I.n.c.o.r.r.e.c.t. .n.u.m.b.e.r. .o.f. .p.a.r.a. |
| \STRING\9\2057 | DAD68 | 490 | D6168 | 30004500780070006500630074006500640020006100200022003D00220020006F00700065007200610074006F0072002000 | 0.E.x.p.e.c.t.e.d. .a. .".=.". .o.p.e.r.a.t.o.r. . |
| \STRING\10\2057 | DB1F8 | 5FC | D65F8 | 1A0049006E00760061006C00690064002000660069006C0065002000660069006C0074006500720020006700690076006500 | ..I.n.v.a.l.i.d. .f.i.l.e. .f.i.l.t.e.r. .g.i.v.e. |
| \STRING\11\2057 | DB7F4 | 65C | D6BF4 | 3E002200530065006C0065006300740022002000730074006100740065006D0065006E00740020006900730020006D006900 | >.".S.e.l.e.c.t.". .s.t.a.t.e.m.e.n.t. .i.s. .m.i. |
| \STRING\12\2057 | DBE50 | 466 | D7250 | 4800430061006E0020007000610073007300200063006F006E007300740061006E0074007300200062007900200072006500 | H.C.a.n. .p.a.s.s. .c.o.n.s.t.a.n.t.s. .b.y. .r.e. |
| \STRING\313\2057 | DC2B8 | 158 | D76B8 | 00000000000000000000000000000000150055006E00610062006C006500200074006F002000700061007200730065002000 | ..................U.n.a.b.l.e. .t.o. .p.a.r.s.e. . |
| \RCDATA\SCRIPT\0 | DC410 | 600E7 | D7810 | A3484BBE986C4AA9994C530A86D6487D41553321454130364DA8FF7324A73CF67A12F167ACC193E76B43CA52A6AD0000E1BB | .HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R...... |
| \GROUP_ICON\99\2057 | 13C4F8 | 76 | 1378F8 | 0000010008002020100001000400E8020000020010101000010004002801000003003030000001000800A80E000004002020 | ...... ....................(.....00............ |
| \GROUP_ICON\169\2057 | 13C570 | 14 | 137970 | 0000010001001010100001000400280100000100 | ..............(..... |
| \VERSION\1\2057 | 13C584 | DC | 137984 | DC0034000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\2057 | 13C660 | 3EF | 137A60 | 3C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122 | <assembly xmlns="urn:schemas-microsoft-com:asm.v1" |
Intelligent String

• RUNASWAIT • RUNAS • api-ms-win-core-synch-l1-2-0.dll • kernel32.dll • mscoree.dll • COMSPEC • runas • 0.0.0.0 • .lnk • 255.255.255.255 • .icl • .exe • .dll • .tls • .bss • COMCTL32.dll • KERNEL32.dll • USER32.dll • COMDLG32.dll
Extra Analysis
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 784169 | 59,9444% |
| Null Byte Code | 165459 | 12,6482% |