PESCAN.IO - Analysis Report: Valid Code

File Structure:

Information:
- Icon:
- Size: 281,50 KB
- SHA-256 Hash: 09BAF5767920B2DA41ED92C86110B0E44E8E7F14509DA8DEE094377EE472606D
- SHA-1 Hash: F87A7FA83FF548CA3A8444F1F16AAD9C2D474834
- MD5 Hash: 64AC6C7689CFBE238E16609350376E87
- Imphash: 020FC4382D146276B1FF74E3A0AE8E67
- MajorOSVersion: 6
- CheckSum: 00000000
- EntryPoint (RVA): 31764
- SizeOfHeaders: 400
- SizeOfImage: 4B000
- ImageBase: 0000000140000000
- Architecture: x64
- ImportTable: 42074
- Characteristics: 22
- TimeDateStamp: 67FC3BDE
- Date: 13/04/2025 22:34:06
- File Type: EXE
- Number Of Sections: 6
- ASLR: Disabled
- Section Names (Optional Header): .text, .rdata, .data, .pdata, .rsrc, .reloc
- Number Of Executable Sections: 1
- Subsystem: Windows Console
Sections Info:
Section Name | Flags | ROffset | RSize | VOffset | VSize |
---|---|---|---|---|---|
.text | 60000020 (Executable) | 400 | 32800 | 1000 | 326CF |
.rdata | 40000040 | 32C00 | F200 | 34000 | F12C |
.data | C0000040 (Writeable) | 41E00 | 200 | 44000 | 310 |
.pdata | 40000040 | 42000 | 2600 | 45000 | 24FC |
.rsrc | 40000040 | 44600 | 1A00 | 48000 | 18B0 |
.reloc | 42000040 | 46000 | 600 | 4A000 | 4CC |
Description:

- ProductName: Freelancer_Contract_Viewer
- FileVersion: 0.1.0

Entry Point:
Section number 1 contains the entry point. EntryPoint (calculated): 30B64

Code: 4883EC28E8DF0200004883C428E972FEFFFFCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC66660F1F8400000000004883EC104C89

Disassembly:

- SUB RSP, 0x28
- CALL 0x12E8
- ADD RSP, 0x28
- JMP 0xE84
- INT3 (16 consecutive instructions)
- NOP WORD PTR [RAX + RAX]
- SUB RSP, 0x10
Signatures:

Rich Signature Analyzer:

- Code: B875380CFC14565FFC14565FFC14565FF56CC55FF014565FED92575EFE14565FED92555EFF14565FED92525EF514565FED92535EEB14565F3B61575EEC14565FB76C575EFF14565FFC14575F4314565FFC14565FEB14565F0693A95FFD14565F0693545EFD14565F52696368FC14565F
- Footprint MD5 Hash: B70B8D6FD5AC36448A92D2ACDC5775F3
- The Rich header apparently has not been modified

Certificate - Digital Signature Not Found:

- The file is not signed
Packer/Compiler:

Detect It Easy (DiE):

- PE+(64): compiler: Microsoft Visual C/C++(-)[-]
- PE+(64): compiler: Rust(x86_64-pc-windows-msvc)[-]
- PE+(64): linker: Microsoft Linker(14.43**)[EXE64,console]
- Entropy: 6.29364
Suspicious Functions:
Library | Function | Description |
---|---|---|
KERNEL32.DLL | CreateMutexA | Create a named or unnamed mutex object for controlling access to a shared resource. |
KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
KERNEL32.DLL | SleepEx | Pauses the execution of the current thread, optionally allowing the thread to be awakened by a kernel object or upon expiration of a timeout. |
Ws2_32.DLL | socket | Create a communication endpoint for networking applications. |
Ws2_32.DLL | connect | Establish a connection to a specified socket. |
Windows REG:

- Software\Microsoft\Windows\CurrentVersion\RunSystemHelper
- SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exeDebugger
- Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Run
File Access:

- \cmd.exe
- .exe
- ?@\_cmd.exe
- SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe
- SystemHelper.exe
- api-ms-win-crt-heap-l1-1-0.dll
- api-ms-win-crt-locale-l1-1-0.dll
- api-ms-win-crt-stdio-l1-1-0.dll
- api-ms-win-crt-math-l1-1-0.dll
- api-ms-win-crt-runtime-l1-1-0.dll
- VCRUNTIME140.dll
- ntdll.dll
- ole32.dll
- shell32.dll
- ws2_32.dll
- user32.dll
- kernel32.dll
- advapi32.dll
- bcryptprimitives.dll
- api-ms-win-core-synch-l1-2-0.dll
- dbghelp.dll
- Temp
Words of Interest:

- wscript
- exec
- powershell
- attrib
- start
Anti-VM/Sandbox/Debug Tricks:

- OllyDbg Library - dbghelp.dll
Payloads:

- Unusual BP cave > 15 bytes (0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...)
- Possible Metasploit payload - MSFPayload generate (detection with heuristic methods)
IP Addresses:

- 96.9.125.200
Strings/Hex Code Found With The File Rules:

- Rule Text (ASCII): WinAPI Sockets (WSACleanup)
- Rule Text (ASCII): WinAPI Sockets (connect)
- Rule Text (ASCII): WinAPI Sockets (recv)
- Rule Text (ASCII): WinAPI Sockets (send)
- Rule Text (ASCII): Registry (RegCreateKeyEx)
- Rule Text (ASCII): Registry (RegOpenKeyEx)
- Rule Text (ASCII): Registry (RegSetValueEx)
- Rule Text (ASCII): File (CreateFile)
- Rule Text (ASCII): File (WriteFile)
- Rule Text (ASCII): File (ReadFile)
- Rule Text (ASCII): Anti-Analysis VM (IsDebuggerPresent)
- Rule Text (ASCII): Execution (CreateProcessW)
- Rule Text (ASCII): Technique used to circumvent security measures (Bypass)
- EP Rules: Microsoft Visual C++ 8.0 (DLL)
- EP Rules: Microsoft Visual C++ 8.0
- EP Rules: PE-Exe Executable Image
Resources:
Path | DataRVA | Size | FileOffset | Code | Text |
---|---|---|---|---|---|
\ICON\1\1033 | 48310 | 1588 | 44910 | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A866000000016F724E5401CFA2779A00001542 | .PNG........IHDR.............\r.f....orNT...w....B |
\GROUP_ICON\1\1033 | 49898 | 14 | 45E98 | 0000010001000000000001002000881500000100000000000000000000000000000000000000000000000000000000000000 | ............ ..................................... |
\VERSION\1\1033 | 480F0 | 21C | 446F0 | 1C0234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000100 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
Intelligent Strings:

- NTDLL.DLL
- \\.\pipe\__rust_anonymous_pipe1__.
- Freelancer_Contract_Viewer.pdb
- .tls
- .bss
- SHELL32.dll
- api-ms-win-core-synch-l1-2-0.dll
- bcryptprimitives.dll
- advapi32.dll
- kernel32.dll
- user32.dll
- ws2_32.dll
- api-ms-win-crt-runtime-l1-1-0.dll
- api-ms-win-crt-math-l1-1-0.dll
- api-ms-win-crt-stdio-l1-1-0.dll
- api-ms-win-crt-locale-l1-1-0.dll
- api-ms-win-crt-heap-l1-1-0.dll
Extra 4n4lysis:
Metric | Value | Percentage |
---|---|---|
Ascii Code | 167384 | 58,0678% |
Null Byte Code | 57090 | 19,8053% |