PESCAN.IO - Analysis Report

PESCAN.IO - Analysis Report Valid Code

File Structure:
PE chart code: - The executable header is displayed in light blue. - The executable sections are pink. - Non-executable sections are black. - Code added to executables externally to a compiler appears in red. Chart code for other files: - Printable characters are blue. - Non-printable characters (Null Bytes) are black.

Information:

Icon:

Size: 1,25 MB
SHA-256 Hash: 21581C6E5AE4F7700351C3A01E5669918B34CDC065853BCC7E526D32D874DF3D
SHA-1 Hash: 05FF5F094F062953BEE7515562E25CE07E3D7F51
MD5 Hash: 5E5FAE6382B8A3661CD2C43090ED8C2E
Imphash: 0B768923437678CE375719E30B21693E
MajorOSVersion: 5
CheckSum: 00146E6C
EntryPoint (rva): 204F7
SizeOfHeaders: 400
SizeOfImage: 145000
ImageBase: 400000
Architecture: x86
ImportTable: C8E74
Characteristics: 122
TimeDateStamp: 685D26D1
Date: 26/06/2025 10:54:09
File Type: EXE
Number Of Sections: 5
ASLR: Enabled
Section Names: .text, .rdata, .data, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info:

Section Name	Flags	ROffset	RSize	VOffset	VSize
.text	60000020 (Executable)	400	9AC00	1000	9AA37
.rdata	40000040	9B000	2FC00	9C000	2FB92
.data	C0000040 (Writeable)	CAC00	4800	CC000	705C
.rsrc	40000040	CF400	68C00	D4000	68A50
.reloc	42000040	138000	7600	13D000	75CC

Entry Point:

The section number (1) - (.text) have the Entry Point
Information -> EntryPoint (calculated) - 1F8F7
Code -> E86E050000E97AFEFFFF558BEC56FF75088BF1E858000000C70610FE49008BC65E5DC20400836104008BC183610800C74104
• CALL 0X1573
• JMP 0XE84
• PUSH EBP
• MOV EBP, ESP
• PUSH ESI
• PUSH DWORD PTR [EBP + 8]
• MOV ESI, ECX
• CALL 0X1070
• MOV DWORD PTR [ESI], 0X49FE10
• MOV EAX, ESI
• POP ESI
• POP EBP
• RET 4
• AND DWORD PTR [ECX + 4], 0
• MOV EAX, ECX
• AND DWORD PTR [ECX + 8], 0

Signatures:

Rich Signature Analyzer:
Code -> 9AC783AEDEA6EDFDDEA6EDFDDEA6EDFD6A3A1CFDFDA6EDFD6A3A1EFD43A6EDFD6A3A1FFDFDA6EDFD40062AFDDFA6EDFD8CCEE8FCF3A6EDFD8CCEE9FCCCA6EDFD8CCEEEFCCBA6EDFDD7DE6EFDD7A6EDFDD7DE7EFDFBA6EDFDDEA6ECFDF7A4EDFD7BCFE3FC8EA6EDFD7BCFEEFCDFA6EDFD7BCF12FDDFA6EDFDDEA67AFDDFA6EDFD7BCFEFFCDFA6EDFD52696368DEA6EDFD
Footprint md5 Hash -> DBBC79F11DC9642146122EDEB8346BE4
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:

Compiler: Autoit 3 - (You can use a decompiler for this...)
Detect It Easy (die)
• PE: library: AutoIt(3.XX)[-]
• PE: compiler: EP:Microsoft Visual C/C++(2017 v.15.5-6)[EXE32]
• PE: compiler: Microsoft Visual C/C++(2017 v.15.9)[-]
• PE: linker: Microsoft Linker(14.16, Visual Studio 2017 15.9*)[EXE32]
• Entropy: 7.19579

Suspicious Functions:

Library	Function	Description
KERNEL32.DLL	VirtualAlloc	Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL	CopyFileW	Copies an existing file to a new file.
KERNEL32.DLL	WriteFile	Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL	LoadLibraryA	Loads the specified module into the address space of the calling process.
KERNEL32.DLL	LoadLibraryW	Loads the specified module into the address space of the calling process.
KERNEL32.DLL	CreateToolhelp32Snapshot	Creates a snapshot of the specified processes, heaps, threads, and modules.
KERNEL32.DLL	WriteProcessMemory	Writes data to an area of memory in a specified process.
KERNEL32.DLL	ReadProcessMemory	Reads data from an area of memory in a specified process.
KERNEL32.DLL	GetProcAddress	Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL	IsDebuggerPresent	Determines if the calling process is being debugged by a user-mode debugger.
USER32.DLL	GetAsyncKeyState	Retrieves the status of a virtual key asynchronously.
SHELL32.DLL	ShellExecuteW	Performs a run operation on a specific file.
SHELL32.DLL	ShellExecuteExW	Performs a run operation on a specific file.

Windows REG (UNICODE):

Software\AutoIt v3\AutoIt
SOFTWARE\Classes\
SYSTEM\CurrentControlSet\Control\Nls\Language

File Access:

OLEAUT32.dll
ole32.dll
SHELL32.dll
ADVAPI32.dll
COMDLG32.dll
GDI32.dll
USER32.dll
KERNEL32.dll
UxTheme.dll
USERENV.dll
IPHLPAPI.DLL
PSAPI.DLL
WININET.dll
MPR.dll
COMCTL32.dll
WINMM.dll
VERSION.dll
WSOCK32.dll
Temp
UserProfile

File Access (UNICODE):

api-ms-win-core-synch-l1-2-0.dll
kernel32.dll
mscoree.dll
Temp
ProgramFiles
AppData
UserProfile

Interest's Words:

PADDINGX
exec
attrib
start
shutdown
systeminfo
ping
replace

Interest's Words (UNICODE):

exec
attrib
start
pause
comspec
shutdown
ping
expand
replace

Payloads:

Unusual BP Cave > 15 Bytes - (0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...)

IP Addresses:

255.255.255.255

Strings/Hex Code Found With The File Rules:

• Rule Text (Ascii): Registry (RegCreateKeyEx)
• Rule Text (Ascii): Registry (RegOpenKeyEx)
• Rule Text (Ascii): Registry (RegSetValueEx)
• Rule Text (Ascii): Registry (RegDeleteKeyEx)
• Rule Text (Ascii): File (GetTempPath)
• Rule Text (Ascii): File (CopyFile)
• Rule Text (Ascii): File (CreateFile)
• Rule Text (Ascii): File (WriteFile)
• Rule Text (Ascii): File (ReadFile)
• Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent)
• Rule Text (Ascii): Anti-Analysis VM (GetSystemInfo)
• Rule Text (Ascii): Anti-Analysis VM (GlobalMemoryStatusEx)
• Rule Text (Ascii): Anti-Analysis VM (GetVersion)
• Rule Text (Ascii): Anti-Analysis VM (CreateToolhelp32Snapshot)
• Rule Text (Ascii): Stealth (VirtualAlloc)
• Rule Text (Ascii): Stealth (ReadProcessMemory)
• Rule Text (Ascii): Execution (CreateProcessA)
• Rule Text (Ascii): Execution (CreateProcessW)
• Rule Text (Ascii): Execution (ShellExecute)
• Rule Text (Ascii): Execution (ResumeThread)
• Rule Text (Unicode): Privileges (SeAssignPrimaryTokenPrivilege)
• Rule Text (Unicode): Privileges (SeBackupPrivilege)
• Rule Text (Unicode): Privileges (SeDebugPrivilege)
• Rule Text (Unicode): Privileges (SeIncreaseQuotaPrivilege)
• Rule Text (Unicode): Privileges (SeRestorePrivilege)
• Rule Text (Unicode): Privileges (SeShutdownPrivilege)
• Rule Text (Unicode): Keyboard Key (ALTDOWN)
• Rule Text (Unicode): Keyboard Key (ALTUP)
• Rule Text (Unicode): Keyboard Key (SHIFTDOWN)
• Rule Text (Unicode): Keyboard Key (SHIFTUP)
• Rule Text (Unicode): Keyboard Key (CTRLDOWN)
• Rule Text (Unicode): Keyboard Key (CTRLUP)
• Rule Text (Unicode): Keyboard Key (LWINDOWN)
• Rule Text (Unicode): Keyboard Key (LWINUP)
• Rule Text (Unicode): Keyboard Key (RWINDOWN)
• Rule Text (Unicode): Keyboard Key (RWINUP)
• Rule Text (Unicode): Keyboard Key (LBUTTON)
• Rule Text (Unicode): Keyboard Key (MBUTTON)
• Rule Text (Unicode): Keyboard Key (RBUTTON)
• Rule Text (Unicode): Keyboard Key (NUMPAD0)
• Rule Text (Unicode): Keyboard Key (NUMPAD1)
• Rule Text (Unicode): Keyboard Key (NUMPAD2)
• Rule Text (Unicode): Keyboard Key (NUMPAD3)
• Rule Text (Unicode): Keyboard Key (NUMPAD4)
• Rule Text (Unicode): Keyboard Key (NUMPAD5)
• Rule Text (Unicode): Keyboard Key (NUMPAD6)
• Rule Text (Unicode): Keyboard Key (NUMPAD7)
• Rule Text (Unicode): Keyboard Key (NUMPAD8)
• Rule Text (Unicode): Keyboard Key (NUMPAD9)
• Rule Text (Unicode): Keyboard Key (CapsLock)
• Rule Text (Ascii): Malicious rerouting of traffic to an attacker-controlled site (Redirect)
• EP Rules: Microsoft Visual C++ 8
• EP Rules: Microsoft Visual C++ 8
• EP Rules: VC8 -> Microsoft Corporation

Resources:

Path	DataRVA	Size	FileOffset	Code	Text
\ICON\1\2057	D44A0	128	CF8A0	2800000010000000200000000100040000000000C000000000000000000000000000000000000000000000007A60EB00795F	(....... ...................................z..y_
\ICON\2\2057	D45C8	2E8	CF9C8	2800000020000000400000000100040000000000000000000000000000000000000000000000000000000000000000000080	(... ...@.........................................
\ICON\3\2057	D48B0	128	CFCB0	2800000010000000200000000100040000000000000000000000000000000000000000000000000000000000000000000080	(....... .........................................
\ICON\4\2057	D49D8	EA8	CFDD8	28000000300000006000000001000800000000000000000000000000000000000000000000000000000000009F7747000000	(...0.......................................wG...
\ICON\5\2057	D5880	8A8	D0C80	2800000020000000400000000100080000000000000000000000000000000000000000000000000000000000A06A3C00AB7E	(... ...@....................................j<..~
\ICON\6\2057	D6128	568	D1528	28000000100000002000000001000800000000000000000000000000000000000000000000000000000000009E6F3E009D72	(....... ....................................o>..r
\ICON\7\2057	D6690	25A8	D1A90	2800000030000000600000000100200000000000000000000000000000000000000000000000000000000000000000000000	(...0........ ...................................
\ICON\8\2057	D8C38	10A8	D4038	2800000020000000400000000100200000000000000000000000000000000000000000000000000000000000000000000000	(... ...@..... ...................................
\ICON\9\2057	D9CE0	468	D50E0	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\7\2057	DA148	594	D5548	0000000000000000000009002800500061007500730065006400290020000C004100750074006F0049007400200045007200	............(.P.a.u.s.e.d.). ...A.u.t.o.I.t. .E.r.
\STRING\8\2057	DA6DC	68A	D5ADC	300049006E0063006F007200720065006300740020006E0075006D0062006500720020006F00660020007000610072006100	0.I.n.c.o.r.r.e.c.t. .n.u.m.b.e.r. .o.f. .p.a.r.a.
\STRING\9\2057	DAD68	490	D6168	30004500780070006500630074006500640020006100200022003D00220020006F00700065007200610074006F0072002000	0.E.x.p.e.c.t.e.d. .a. .".=.". .o.p.e.r.a.t.o.r. .
\STRING\10\2057	DB1F8	5FC	D65F8	1A0049006E00760061006C00690064002000660069006C0065002000660069006C0074006500720020006700690076006500	..I.n.v.a.l.i.d. .f.i.l.e. .f.i.l.t.e.r. .g.i.v.e.
\STRING\11\2057	DB7F4	65C	D6BF4	3E002200530065006C0065006300740022002000730074006100740065006D0065006E00740020006900730020006D006900	>.".S.e.l.e.c.t.". .s.t.a.t.e.m.e.n.t. .i.s. .m.i.
\STRING\12\2057	DBE50	466	D7250	4800430061006E0020007000610073007300200063006F006E007300740061006E0074007300200062007900200072006500	H.C.a.n. .p.a.s.s. .c.o.n.s.t.a.n.t.s. .b.y. .r.e.
\STRING\313\2057	DC2B8	158	D76B8	00000000000000000000000000000000150055006E00610062006C006500200074006F002000700061007200730065002000	..................U.n.a.b.l.e. .t.o. .p.a.r.s.e. .
\RCDATA\SCRIPT\0	DC410	600E7	D7810	A3484BBE986C4AA9994C530A86D6487D41553321454130364DA8FF7324A73CF67A12F167ACC193E76B43CA52A6AD0000E1BB	.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R......
\GROUP_ICON\99\2057	13C4F8	76	1378F8	0000010008002020100001000400E8020000020010101000010004002801000003003030000001000800A80E000004002020	...... ....................(.....00............
\GROUP_ICON\169\2057	13C570	14	137970	0000010001001010100001000400280100000100	..............(.....
\VERSION\1\2057	13C584	DC	137984	DC0034000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000	..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\2057	13C660	3EF	137A60	3C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122	<assembly xmlns="urn:schemas-microsoft-com:asm.v1"

Intelligent String:

• RUNASWAIT
• RUNAS
• api-ms-win-core-synch-l1-2-0.dll
• kernel32.dll
• mscoree.dll
• COMSPEC
• runas
• 0.0.0.0
• .lnk
• 255.255.255.255
• .icl
• .exe
• .dll
• .tls
• .bss
• COMCTL32.dll
• KERNEL32.dll
• USER32.dll
• COMDLG32.dll

Extra 4n4lysis:

Metric	Value	Percentage
Ascii Code	784169	59,9444%
Null Byte Code	165459	12,6482%

PESCAN.IO - Analysis Report Valid Code