PESCAN.IO - Analysis Report

PESCAN.IO - Analysis Report Valid Code

File Structure:
PE chart code: - The executable header is displayed in light blue. - The executable sections are pink. - Non-executable sections are black. - Code added to executables externally to a compiler appears in red. Chart code for other files: - Printable characters are blue. - Non-printable characters (Null Bytes) are black.

Information:

Icon:

Size: 188,00 KB
SHA-256 Hash: 7F7E5751277A0169EC2EB4492B0489CA850808F64B52E708F716F46AC160E54B
SHA-1 Hash: 82AD537A7ACB18702A02B6DD2C6D12EAAC0B3656
MD5 Hash: 634AA845F5B0B519B6D8A8670B994906
Imphash: 7922E1BE820DF60496A2BBA714AEFA66
MajorOSVersion: 4
CheckSum: 0003612E
EntryPoint (rva): 1248
SizeOfHeaders: 1000
SizeOfImage: 32000
ImageBase: 400000
Architecture: x86
ImportTable: 24264
Characteristics: 10F
TimeDateStamp: 50AB3102
Date: 20/11/2012 7:28:02
File Type: EXE
Number Of Sections: 3
ASLR: Disabled
Section Names: .text, .data, .rsrc
Number Of Executable Sections: 1
Subsystem: Windows GUI

Sections Info:

Section Name	Flags	ROffset	RSize	VOffset	VSize
.text	60000020 (Executable)	1000	24000	1000	23414
.data	C0000040 (Writeable)	0	0	25000	20E8
.rsrc	40000040	25000	A000	28000	9444

Description:

OriginalFilename: Levavami.exe
ProductName: potted
FileVersion: 9.06
ProductVersion: 9.06
Language: English (United States) (ID=0x409)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point:

The section number (1) - (.text) have the Entry Point
Information -> EntryPoint (calculated) - 1248
Code -> 68F4124000E8EEFFFFFF000000000000300000006000000040000000BAEF1952FB73914795AC2EF33050E4B2000000000000
• PUSH 0X4012F4
• CALL 0XFF8
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• XOR BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• PUSHAD
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• MOV EDX, 0XFB5219EF
• JAE 0XFB4
• INC EDI
• XCHG EAX, EBP
• LODSB AL, BYTE PTR [ESI]
• XOR BYTE PTR CS:[EAX - 0X1C], DL
• MOV DL, 0
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL

Signatures:

CheckSum Integrity Problem:
• Header: 221486
• Calculated: 218205
Rich Signature Analyzer:
Code -> C9E107DB8D8069888D8069888D806988BBA664888C806988526963688D806988
Footprint md5 Hash -> CC712C0DECADA20495A465F69E24FC61
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:

Compiler: Visual Basic 6 - (PCode)
Detect It Easy (die)
• PE: compiler: Microsoft Visual Basic(6.0)[P-Code]
• PE: linker: Microsoft Linker(6.0*)[EXE32]
• Entropy: 5.36147

Suspicious Functions:

Library	Function	Description
MSVBVM60.DLL	DllFunctionCall	It enables calling routines from external DLLs in VB code, integrating external code into Visual Basic projects.
KERNEL32.DLL	RtlMoveMemory	Moves a block of memory to another location.

File Access:

MSVBVM60.DLL
\Windows\system32\msvbvm60.dll
VBA6.DLL
winmm.dll

File Access (UNICODE):

Levavami.exe
\Tree.ini

Interest's Words:

JFIF
PADDINGX
start

Interest's Words (UNICODE):

JPEG Encoder Class
start

Emails:

korejwa@tiac.net

Strings/Hex Code Found With The File Rules:

• Rule Text (Ascii): Keyboard Key (Scroll)
• EP Rules: Microsoft Visual Basic v5.0 - v6.0
• EP Rules: Microsoft Visual Basic v5.0

Resources:

Path	DataRVA	Size	FileOffset	Code	Text
\ICON\1\1033	28228	1CA8	25228	2800000030000000600000000100180000000000000000000000000000000000000000000000000000000000000000000000	(...0............................................
\ICON\2\1033	29ED0	1CA8	26ED0	2800000030000000600000000100180000000000000000000000000000000000000000000000000000000000000000000000	(...0............................................
\ICON\3\1033	2BB78	1CA8	28B78	2800000030000000600000000100180000000000000000000000000000000000000000000000000000000000000000000000	(...0............................................
\ICON\4\1033	2D820	1CA8	2A820	2800000030000000600000000100180000000000000000000000000000000000000000000000000000000000000000000000	(...0............................................
\ICON\30001\0	2F4C8	1CA8	2C4C8	2800000030000000600000000100180000000000000000000000000000000000000000000000000000000000000000000000	(...0............................................
\STRING\7\1033	31170	A4	2E170	000000000000000000002500460069006E0067006F0072007400690020004400650072006900760061006C0020004C006500	..........%.F.i.n.g.o.r.t.i. .D.e.r.i.v.a.l. .L.e.
\GROUP_ICON\A4\1033	31214	14	2E214	0000010001003030000001001800A81C00000400	......00............
\GROUP_ICON\1\0	31228	14	2E228	0000010001003030000001001800A81C00003175	......00..........1u
\VERSION\1\1033	3123C	208	2E23C	080234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000600	..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............

Intelligent String:

• MSVBVM60.DLL
• winmm.dll
• VBA6.DLL
• c:\windows\system32\msvbvm60.dll
• .exe
• C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
• C:\Program Files\Microsoft Visual Studio\VB98\mscomctl.oca
• C:\Windows\system32\MSCOMCT2.oca
• \fruit.wav
• msvbvm60.dll
• .jpg
• Visual Basic sourcecode available at planetsourcecode.com
• \cancel.wav
• \start.wav
• \Tree.ini
• Levavami.exe

Flow Anomalies:

Offset	RVA	Section	Description
E0FA	??	.text	CALL DWORD PTR [EAX] \| Indirect call via pointer at address in EAX
EC54	??	.text	CALL DWORD PTR [EAX] \| Indirect call via pointer at address in EAX
ECE7	??	.text	JMP DWORD PTR [EBX] \| Indirect jump via pointer at address in EBX
13215	??	.text	JMP DWORD PTR [ECX] \| Indirect jump via pointer at address in ECX
14466	??	.text	CALL DWORD PTR [EDI] \| Indirect call via pointer at address in EDI
144F9	??	.text	JMP DWORD PTR [ECX] \| Indirect jump via pointer at address in ECX
1707C	??	.text	CALL DWORD PTR [EBX] \| Indirect call via pointer at address in EBX
187BC	??	.text	JMP DWORD PTR [EAX] \| Indirect jump via pointer at address in EAX

Extra 4n4lysis:

Metric	Value	Percentage
Ascii Code	79401	41,2447%
Null Byte Code	71548	37,1655%

PESCAN.IO - Analysis Report Valid Code