PESCAN.IO — Analysis Report

PREMIUM PESCAN.IO - Analysis Report

File Structure

Information

Icon:

Size: 281,50 KB
SHA-256 Hash: 09BAF5767920B2DA41ED92C86110B0E44E8E7F14509DA8DEE094377EE472606D
SHA-1 Hash: F87A7FA83FF548CA3A8444F1F16AAD9C2D474834
MD5 Hash: 64AC6C7689CFBE238E16609350376E87
Imphash: 020FC4382D146276B1FF74E3A0AE8E67
MajorOSVersion: 6
CheckSum: 00000000
EntryPoint (rva): 31764
SizeOfHeaders: 400
SizeOfImage: 4B000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: 42074
Characteristics: 22
TimeDateStamp: 67FC3BDE
Date: 13/04/2025 22:34:06
File Type: EXE
Number Of Sections: 6
ASLR: Disabled
Section Names (Optional Header): .text, .rdata, .data, .pdata, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows Console

Sections Info

Section Name	Flags	ROffset	RSize	VOffset	VSize
.text	60000020 (Executable)	400	32800	1000	326CF
.rdata	40000040	32C00	F200	34000	F12C
.data	C0000040 (Writeable)	41E00	200	44000	310
.pdata	40000040	42000	2600	45000	24FC
.rsrc	40000040	44600	1A00	48000	18B0
.reloc	42000040	46000	600	4A000	4CC

Description

ProductName: Freelancer_Contract_Viewer
FileVersion: 0.1.0

Entry Point

The section number (1) have the Entry Point
Information -> EntryPoint (calculated) - 30B64
Code -> 4883EC28E8DF0200004883C428E972FEFFFFCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC66660F1F8400000000004883EC104C89
• SUB RSP, 0X28
• CALL 0X12E8
• ADD RSP, 0X28
• JMP 0XE84
• INT3
• INT3
• INT3
• INT3
• INT3
• INT3
• INT3
• INT3
• INT3
• INT3
• INT3
• INT3
• INT3
• INT3
• INT3
• INT3
• NOP WORD PTR [RAX + RAX]
• SUB RSP, 0X10

Signatures

Rich Signature Analyzer:
Code -> B875380CFC14565FFC14565FFC14565FF56CC55FF014565FED92575EFE14565FED92555EFF14565FED92525EF514565FED92535EEB14565F3B61575EEC14565FB76C575EFF14565FFC14575F4314565FFC14565FEB14565F0693A95FFD14565F0693545EFD14565F52696368FC14565F
Footprint md5 Hash -> B70B8D6FD5AC36448A92D2ACDC5775F3
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler

Detect It Easy (die)
• PE+(64): compiler: Microsoft Visual C/C++(-)[-]
• PE+(64): compiler: Rust(x86_64-pc-windows-msvc)[-]
• PE+(64): linker: Microsoft Linker(14.43**)[EXE64,console]
• Entropy: 6.29364

Suspicious Functions

Library	Function	Description
KERNEL32.DLL	CreateMutexA	Create a named or unnamed mutex object for controlling access to a shared resource.
KERNEL32.DLL	GetModuleHandleA	Retrieves a handle to the specified module.
KERNEL32.DLL	WriteFile	Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL	LoadLibraryA	Loads the specified module into the address space of the calling process.
KERNEL32.DLL	GetProcAddress	Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL	IsDebuggerPresent	Determines if the calling process is being debugged by a user-mode debugger.
KERNEL32.DLL	SleepEx	Pauses the execution of the current thread, optionally allowing the thread to be awakened by a kernel object or upon expiration of a timeout.
Ws2_32.DLL	socket	Create a communication endpoint for networking applications.
Ws2_32.DLL	connect	Establish a connection to a specified socket.

Windows REG

Software\Microsoft\Windows\CurrentVersion\RunSystemHelper
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exeDebugger
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Run

File Access

\cmd.exe
.exe
?@\_cmd.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe
SystemHelper.exe
api-ms-win-crt-heap-l1-1-0.dll
api-ms-win-crt-locale-l1-1-0.dll
api-ms-win-crt-stdio-l1-1-0.dll
api-ms-win-crt-math-l1-1-0.dll
api-ms-win-crt-runtime-l1-1-0.dll
VCRUNTIME140.dll
ntdll.dll
ole32.dll
shell32.dll
ws2_32.dll
user32.dll
kernel32.dll
advapi32.dll
bcryptprimitives.dll
api-ms-win-core-synch-l1-2-0.dll
dbghelp.dll
Temp

Interest's Words

wscript
exec
powershell
attrib
start

Anti-VM/Sandbox/Debug Tricks

OllyDbg Libary - dbghelp.dll

Payloads

Unusual BP Cave > 15 Bytes - (0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...)
Possible Metasploit Payload - MSFPayload Generate (Detection with heuristic methods)

IP Addresses

96.9.125.200

Strings/Hex Code Found With The File Rules

Rule Type	Encoding	Matched (Word)
Text	Ascii	WinAPI Sockets (WSACleanup)
Text	Ascii	WinAPI Sockets (connect)
Text	Ascii	WinAPI Sockets (recv)
Text	Ascii	WinAPI Sockets (send)
Text	Ascii	Registry (RegCreateKeyEx)
Text	Ascii	Registry (RegOpenKeyEx)
Text	Ascii	Registry (RegSetValueEx)
Text	Ascii	File (CreateFile)
Text	Ascii	File (WriteFile)
Text	Ascii	File (ReadFile)
Text	Ascii	Anti-Analysis VM (IsDebuggerPresent)
Text	Ascii	Execution (CreateProcessW)
Text	Ascii	Technique used to circumvent security measures (Bypass)
Entry Point	Hex Pattern	Microsoft Visual C++ 8.0 (DLL)
Entry Point	Hex Pattern	Microsoft Visual C++ 8.0
Entry Point	Hex Pattern	PE-Exe Executable Image

Resources

Path	DataRVA	Size	FileOffset	Code	Text
\ICON\1\1033	48310	1588	44910	89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A866000000016F724E5401CFA2779A00001542	.PNG........IHDR.............\r.f....orNT...w....B
\GROUP_ICON\1\1033	49898	14	45E98	0000010001000000000001002000881500000100000000000000000000000000000000000000000000000000000000000000	............ .....................................
\VERSION\1\1033	480F0	21C	446F0	1C0234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000100	..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............

Intelligent String

• NTDLL.DLL
• \\.\pipe\__rust_anonymous_pipe1__.
• Freelancer_Contract_Viewer.pdb
• .tls
• .bss
• SHELL32.dll
• api-ms-win-core-synch-l1-2-0.dll
• bcryptprimitives.dll
• advapi32.dll
• kernel32.dll
• user32.dll
• ws2_32.dll
• api-ms-win-crt-runtime-l1-1-0.dll
• api-ms-win-crt-math-l1-1-0.dll
• api-ms-win-crt-stdio-l1-1-0.dll
• api-ms-win-crt-locale-l1-1-0.dll
• api-ms-win-crt-heap-l1-1-0.dll

Extra Analysis

Metric	Value	Percentage
Ascii Code	167384	58,0678%
Null Byte Code	57090	19,8053%

PREMIUM PESCAN.IO - Analysis Report