PESCAN.IO - Analysis Report Basic
| File Structure |
[PE file-structure chart not reproduced] Chart legend: executable header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red indicates a malformed or corrupted header. Legend for non-PE files: printable characters (blue), non-printable characters (black).
| Information |
| Field | Value |
|---|---|
| Size | 5,14 MB |
| SHA-256 Hash | 62110A522ED6C98700A337C78785291187B089EB5A46C16579645489078E9583 |
| SHA-1 Hash | 6C75EDDE8AB11711D6964C15AB4927A77CDF7806 |
| MD5 Hash | 64F11822B315F907B4CFE75DDF28A309 |
| Imphash | DFCC2EEDCDCAA0D7653D47AAB36294F9 |
| MajorOSVersion | 4 |
| MinorOSVersion | 0 |
| CheckSum | 00529066 |
| EntryPoint (rva) | 9DD000 |
| SizeOfHeaders | 400 |
| SizeOfImage | 9F7000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ImportTable | 9C4000 |
| Characteristics | 123 |
| TimeDateStamp | BD7F65FC |
| Date | 29/09/2070 19:03:24 |
| File Type | EXE |
| Number Of Sections | 4 |
| ASLR | Disabled |
| Section Names (Optional Header) | *unnamed*, *unnamed*, .rsrc, *unnamed* |
| Number Of Executable Sections | 0 |
| Subsystem | Windows GUI |
| UAC Execution Level Manifest | asInvoker |
| Note | Incomplete Binary or Compressor Packer - 4,82 MB Missing |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| *unnamed* | 60000000 (Executable, Readable) | 400 | 0 | 1000 | 9C3000 | N/A | N/A |
| *unnamed* | C0000040 (Initialized Data, Readable, Writeable) | 400 | 200 | 9C4000 | 1000 | 3,7988 | 29898,00 |
| .rsrc | 40000040 (Initialized Data, Readable) | 600 | 17310 | 9C5000 | 17310 | 5,0314 | 4331863,17 |
| *unnamed* | E0000040 (Initialized Data, Executable, Readable, Writeable) | 17A00 | 19AB9 | 9DD000 | 1A000 | 7,9974 | 386,22 |
| Description |
| Field | Value |
|---|---|
| OriginalFilename | MekaLauncher.exe |
| CompanyName | MekaLauncher |
| ProductName | MekaLauncher |
| FileVersion | 1.0.0.0 |
| FileDescription | MekaLauncher |
| ProductVersion | 1.0.0 |
| Language | Unknown (ID=0x0) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |
| Entry Point |
Section 4 contains the entry point. EntryPoint (calculated): 17A00
Code: EB0523AECDA20850EB040D1C2F54E81A000000EB021526EB0469E3B8D733C0EB04198333D67161EB048FA9F131EB01E3B83F
• JMP 0X1007
• AND EBP, DWORD PTR [ESI + 0X5008A2CD]
• JMP 0X100E
• OR EAX, 0XE8542F1C
• SBB AL, BYTE PTR [EAX]
• ADD BYTE PTR [EAX], AL
• JMP 0X1017
• ADC EAX, 0X6904EB26
• JECXZ 0XFD4
• XLATB
• XOR EAX, EAX
• JMP 0X1025
• SBB DWORD PTR [EBX + 0X6171D633], EAX
• JMP 0X102D
EP changed to another address -> (Address Of EntryPoint > Base Of Data)
| Signatures |
| Certificate - Digital Signature Not Found: • The file is not signed |
| Duplicate Sections |
| Section name *unnamed* appears 3 times |
| Packer/Compiler |
| Detect It Easy (die) • Entropy: 7.99284 |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| File Access |
| comctl32.dll mscoree.dll shell32.dll advapi32.dll user32.dll kernel32.dll |
| File Access (UNICODE) |
| MekaLauncher.exe |
| Words of Interest |
| exec |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Malware that monitors and collects user data (Spy) |
| Entry Point | Hex Pattern | FSG v1.10 - dulek/xt - (Microsoft Visual C++ 7.0) |
| Entry Point | Hex Pattern | Obsidium V1.3.0.0 - Obsidium Software |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\0 | 9C5078 | 16B70 | 678 | 28000000960000002C0100000100200000000000905F0100130B0000130B00000000000000000000FFA55FFFFFAB4EFFFFAB | (.......,..... ......_...................._...N... |
| \GROUP_ICON\MEKACOOL\0 | 9DBC3C | 14 | 1723C | 0000010001009696000001002000706B01000100 | ............ .pk.... |
| \VERSION\1\0 | 9DBC90 | 2E8 | 17290 | E80234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\0 | 9DBFB8 | 1EA | 175B8 | EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65 | ...<?xml version="1.0" encoding="UTF-8" standalone |
| \RCDATA\16295\0 | 9DC1E4 | 12B | 177E4 | DC5F2D6BC1505AF9E4533754CCE98E59DF26BF306F22D0043C31D7AC55FC941D72912EF53137A976BF3741DA6765C54124A1 | ._-k.PZ..S7T...Y.&.0o"..<1..U...r...17.v.7A.ge.A$. |
| Intelligent String |
| • MekaLauncher.exe • 1.0.0.0 • kernel32.dll • user32.dll • advapi32.dll • comctl32.dll |
| Flow Anomalies |
| Offset | RVA | Section | Instruction | Description |
|---|---|---|---|---|
| 1DA35 | 2995E325 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 23325 | 2995E325 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 34C0D | 191AA480 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 48F97 | 191AA480 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 4E7B8 | 7CDAA49A | *padding* | CALL [static] | Indirect call to absolute memory address |
| 60657 | 7CDAA49A | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 660E3 | 7CDAA49A | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 667F4 | 7CDAA49A | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 6BDB5 | 7CDAA49A | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 7061C | 52216E1F | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 73BDE | 52216E1F | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 7828E | 52216E1F | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 82632 | 7537AA24 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 9069E | 794974B4 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| AA055 | 699F7C37 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| AC69E | 699F7C37 | *padding* | CALL [static] | Indirect call to absolute memory address |
| AF691 | 1813C44C | *padding* | JMP [static] | Indirect jump to absolute memory address |
| B3AC3 | 7626E0FB | *padding* | CALL [static] | Indirect call to absolute memory address |
| B3F53 | 7626E0FB | *padding* | CALL [static] | Indirect call to absolute memory address |
| B59A9 | 7626E0FB | *padding* | JMP [static] | Indirect jump to absolute memory address |
| B9669 | 7626E0FB | *padding* | JMP [static] | Indirect jump to absolute memory address |
| BB823 | 7626E0FB | *padding* | CALL [static] | Indirect call to absolute memory address |
| C6CE4 | 7626E0FB | *padding* | CALL [static] | Indirect call to absolute memory address |
| E6CDF | 7626E0FB | *padding* | CALL [static] | Indirect call to absolute memory address |
| EC87E | 1E0D444C | *padding* | JMP [static] | Indirect jump to absolute memory address |
| F06A6 | 1E0D444C | *padding* | CALL [static] | Indirect call to absolute memory address |
| 104334 | 5B9BE452 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 104A1C | 3A496F29 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 107B18 | 288B8D6A | *padding* | CALL [static] | Indirect call to absolute memory address |
| 116EB0 | 288B8D6A | *padding* | CALL [static] | Indirect call to absolute memory address |
| 1213D2 | 512E88FD | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 12E2E8 | 509C4D9E | *padding* | CALL [static] | Indirect call to absolute memory address |
| 13129B | 49FA520A | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 1333EB | 125D04F3 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 1344C4 | 7BB79A98 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 138999 | 6DD97284 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 1416B7 | 63084390 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 142EF8 | 63084390 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 14330F | 63084390 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 14D7FA | 579DCBCE | *padding* | CALL [static] | Indirect call to absolute memory address |
| 156F3C | 5826D578 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 159458 | 5826D578 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 168556 | 5826D578 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 16C849 | 5826D578 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 17CEE7 | 5826D578 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 18BBF3 | 5826D578 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 18D099 | 5826D578 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 18DD3A | 5826D578 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 18F776 | 5826D578 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 199D78 | B9DACBB | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 1AB84B | B9DACBB | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 1AC086 | B9DACBB | *padding* | CALL [static] | Indirect call to absolute memory address |
| 1B1773 | B9DACBB | *padding* | CALL [static] | Indirect call to absolute memory address |
| 1BE6BE | 7E207812 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 1C3DFF | 7E207812 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 1D212B | 21C6B5C2 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 1D6179 | 78322E1 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 1D924D | 4EAA4DB6 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 1E8BA3 | 4EAA4DB6 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 1F5850 | 15D69C8D | *padding* | CALL [static] | Indirect call to absolute memory address |
| 1FC170 | 5EBAAB81 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 1FEED8 | 334DBB1A | *padding* | CALL [static] | Indirect call to absolute memory address |
| 202428 | 30167DA7 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 210B0B | 30167DA7 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 21B501 | 30167DA7 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 22122E | 30167DA7 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 221983 | 30167DA7 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 22C8D1 | 30167DA7 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 23434D | 2108533B | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 23839E | 2108533B | *padding* | CALL [static] | Indirect call to absolute memory address |
| 242458 | 751605FA | *padding* | CALL [static] | Indirect call to absolute memory address |
| 249026 | 751605FA | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 25F1BF | 751605FA | *padding* | CALL [static] | Indirect call to absolute memory address |
| 2689AB | 751605FA | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 26B4EE | 751605FA | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 26B82C | 65FC9F98 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 2791CC | 5429F653 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 283CCC | 5429F653 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 28E95F | 5429F653 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 2985A2 | 5429F653 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 29AC35 | 3949BC23 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 2A04A7 | 34664289 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 2A4732 | 34664289 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 2A48C2 | 18750E98 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 2B7E01 | 5DC1BD23 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 2B8B89 | 5DC1BD23 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 2BF781 | 5DC1BD23 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 2CECBD | 5DC1BD23 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 2E00D1 | 4AE48CB0 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 2EC6E8 | 4AE48CB0 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 2F82F3 | 74E6FE7F | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 2F99EE | 74E6FE7F | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 300735 | 41DECC05 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 307067 | 41DECC05 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 30AAC9 | 41DECC05 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 318932 | 41DECC05 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 31F7AA | 6EEFBAF | *padding* | CALL [static] | Indirect call to absolute memory address |
| 32E6E5 | 6EEFBAF | *padding* | CALL [static] | Indirect call to absolute memory address |
| 33191C | 155F09C5 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 346698 | 1A78C958 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 314B9 | N/A | *Overlay* | 4FA699EF1725D3CC4CF23EAE84F2FDC9649AF9FE | O....%..L.>.....d... |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 3668306 | 68,052% |
| Null Byte Code | 30188 | 0,56% |
© 2026 All rights reserved.