PESCAN.IO - Analysis Report Valid Code

File Structure: (section layout image not reproduced)
Information:
Icon: 256x256 RGBA PNG (image not reproduced; the IHDR of the ICON resource below gives width 0x100, height 0x100, bit depth 8, colour type 6)
Size: 281.50 KB (288,256 bytes; the last section, .reloc, ends at raw offset 46000 + 600 = 46600)
SHA-256 Hash: 09BAF5767920B2DA41ED92C86110B0E44E8E7F14509DA8DEE094377EE472606D
SHA-1 Hash: F87A7FA83FF548CA3A8444F1F16AAD9C2D474834
MD5 Hash: 64AC6C7689CFBE238E16609350376E87
Imphash: 020FC4382D146276B1FF74E3A0AE8E67
MajorOSVersion: 6
CheckSum: 00000000
EntryPoint (rva): 31764
SizeOfHeaders: 400
SizeOfImage: 4B000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: 42074
Characteristics: 22 (EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE)
TimeDateStamp: 67FC3BDE
Date: 13/04/2025 22:34:06
File Type: EXE
Number Of Sections: 6
ASLR: Disabled (as reported by the tool; the DllCharacteristics word is not printed in this report, so the DYNAMIC_BASE bit cannot be re-checked from it, even though a .reloc section is present)
Section Names (Section Table): .text, .rdata, .data, .pdata, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows Console

Sections Info:
Section Name  Flags     Decoded flags                           ROffset  RSize   VOffset  VSize
.text         60000020  Code, Execute, Read                     400      32800   1000     326CF
.rdata        40000040  Initialized data, Read                  32C00    F200    34000    F12C
.data         C0000040  Initialized data, Read, Write           41E00    200     44000    310
.pdata        40000040  Initialized data, Read                  42000    2600    45000    24FC
.rsrc         40000040  Initialized data, Read                  44600    1A00    48000    18B0
.reloc        42000040  Initialized data, Discardable, Read     46000    600     4A000    4CC
(all offsets and sizes in hexadecimal; only .text is executable and only .data is writable)
Description:
ProductName: Freelancer_Contract_Viewer
FileVersion: 0.1.0

Entry Point:
The entry point lies in section 1 (.text): RVA 31764 maps to file offset 30B64 (31764 - 1000 + 400).
Information -> EntryPoint (calculated file offset) - 30B64
The disassembly below is rebased so that the entry point sits at 0x1000; the CALL target 0x12E8 is therefore RVA 31A4C (EP + 9 + 2DF) and the JMP target 0xE84 is RVA 315E8 (EP + 12 - 18E). The four-instruction stub (sub rsp,28h; call; add rsp,28h; jmp) has the shape of the standard MSVC CRT mainCRTStartup thunk, which initialises the security cookie and then tail-jumps into the common main routine; this is what the generic "Microsoft Visual C++" EP rules further down match on.
Code -> 4883EC28E8DF0200004883C428E972FEFFFFCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC66660F1F8400000000004883EC104C89
SUB RSP, 0X28
CALL 0X12E8
ADD RSP, 0X28
JMP 0XE84
INT3 (repeated 16 times)
NOP WORD PTR [RAX + RAX]
SUB RSP, 0X10
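The entry-point numbers above can be re-derived from the section table alone. The following script is an added example, not pescan.io's own code: it embeds the section table and the 50 entry-point bytes exactly as printed in this report, maps the entry-point RVA to its file offset, decodes the IMAGE_SCN_* characteristics, checks SizeOfImage and the file size against the table, and follows the CALL/JMP displacements of the startup thunk to their real RVAs (the report's disassembler rebases the thunk to 0x1000). It also measures the INT3 run after the thunk, which turns out to be 16-byte function alignment padding.

```python
# Added example (not pescan.io code): re-derive the entry-point numbers in this
# report from the section table and the 50 EP bytes printed above.
import struct

# Section table exactly as printed in the report: name, characteristics,
# raw offset, raw size, virtual address (RVA), virtual size. All hex.
SECTIONS = [
    (".text",  0x60000020, 0x00400, 0x32800, 0x01000, 0x326CF),
    (".rdata", 0x40000040, 0x32C00, 0x0F200, 0x34000, 0x0F12C),
    (".data",  0xC0000040, 0x41E00, 0x00200, 0x44000, 0x00310),
    (".pdata", 0x40000040, 0x42000, 0x02600, 0x45000, 0x024FC),
    (".rsrc",  0x40000040, 0x44600, 0x01A00, 0x48000, 0x018B0),
    (".reloc", 0x42000040, 0x46000, 0x00600, 0x4A000, 0x004CC),
]
ENTRY_RVA = 0x31764          # AddressOfEntryPoint from the report
SECTION_ALIGNMENT = 0x1000   # SizeOfImage is 4B000, so sections are page aligned
EP_BYTES = bytes.fromhex(    # the "Code ->" dump under "Entry Point"
    "4883EC28E8DF0200004883C428E972FEFFFF" + "CC" * 16
    + "66660F1F8400000000004883EC104C89")

# IMAGE_SCN_* bits from winnt.h that occur in this section table
SCN_FLAGS = {0x00000020: "CODE", 0x00000040: "INITIALIZED_DATA",
             0x02000000: "DISCARDABLE", 0x20000000: "EXECUTE",
             0x40000000: "READ", 0x80000000: "WRITE"}


def decode_flags(characteristics):
    """Names of the set IMAGE_SCN_* bits, lowest bit first."""
    return [n for bit, n in sorted(SCN_FLAGS.items()) if characteristics & bit]


def section_for_rva(rva):
    for sec in SECTIONS:
        _, _, _, _, voff, vsize = sec
        if voff <= rva < voff + vsize:
            return sec
    return None


def rva_to_offset(rva):
    """Map an RVA to a file offset; the RVA must be backed by raw data."""
    sec = section_for_rva(rva)
    if sec is None:
        raise ValueError("RVA %#x is not inside any section" % rva)
    name, _, roff, rsize, voff, _ = sec
    delta = rva - voff
    if delta >= rsize:
        raise ValueError("RVA %#x is in the virtual-only tail of %s" % (rva, name))
    return roff + delta


def size_of_image():
    """SizeOfImage = end of the last section rounded up to SectionAlignment."""
    end = max(voff + vsize for _, _, _, _, voff, vsize in SECTIONS)
    return (end + SECTION_ALIGNMENT - 1) & ~(SECTION_ALIGNMENT - 1)


def file_size():
    """Size on disk if nothing (overlay) trails the last section."""
    return max(roff + rsize for _, _, roff, rsize, _, _ in SECTIONS)


def decode_ep_thunk(code, ep_rva):
    """Walk the EP thunk (sub rsp / call rel32 / add rsp / jmp rel32), then the
    INT3 run and the 10-byte NOP that pad to the next 16-byte function start."""
    if code[0:4] != b"\x48\x83\xEC\x28" or code[4] != 0xE8:
        raise ValueError("unexpected EP prologue")
    call_target = ep_rva + 9 + struct.unpack_from("<i", code, 5)[0]
    if code[9:13] != b"\x48\x83\xC4\x28" or code[13] != 0xE9:
        raise ValueError("unexpected EP epilogue")
    jmp_target = ep_rva + 18 + struct.unpack_from("<i", code, 14)[0]
    i = 18
    while i < len(code) and code[i] == 0xCC:
        i += 1
    int3_run = i - 18
    nop = b"\x66\x66\x0F\x1F\x84\x00\x00\x00\x00\x00"   # data16 nop word [rax+rax]
    next_func = ep_rva + i + len(nop) if code[i:i + len(nop)] == nop else None
    return {"call_target": call_target, "jmp_target": jmp_target,
            "int3_run": int3_run, "next_function": next_func}


if __name__ == "__main__":
    print("EP file offset: %#x" % rva_to_offset(ENTRY_RVA))
    for name, ch, *_ in SECTIONS:
        print("%-7s %08X %s" % (name, ch, "|".join(decode_flags(ch))))
    print(decode_ep_thunk(EP_BYTES, ENTRY_RVA))
```

The CALL resolves to RVA 31A4C and the JMP to RVA 315E8; subtracting the entry RVA and adding 0x1000 gives the 0x12E8 and 0xE84 shown in the report's rebased listing. The 16 INT3 bytes plus the 10-byte NOP end exactly at RVA 31790, a 16-byte boundary where the next function (sub rsp,10h) begins.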

Signatures:
Rich Signature Analyzer:
Code -> B875380CFC14565FFC14565FFC14565FF56CC55FF014565FED92575EFE14565FED92555EFF14565FED92525EF514565FED92535EEB14565F3B61575EEC14565FB76C575EFF14565FFC14575F4314565FFC14565FEB14565F0693A95FFD14565F0693545EFD14565F52696368FC14565F
Footprint md5 Hash -> B70B8D6FD5AC36448A92D2ACDC5775F3
• The Rich header apparently has not been modified
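The Rich signature dumped above can be decoded by hand: the last dword is the XOR key, the first dword XORed with the key must read "DanS", three zero padding dwords follow, and the remainder is a list of (product id, build number, object count) pairs. The decoder below is an added example, not pescan.io's code; it takes the hex string exactly as printed in the report. The key also serves as the header checksum over the DOS stub and the entries, which is presumably what the "not modified" verdict rests on, but that check needs the DOS header bytes, which this report does not include, so it is not attempted here.

```python
# Added example (not pescan.io code): decode the Rich signature printed in the
# report into its XOR key and (prodid, build, count) entries.
import struct

# Raw bytes of the Rich block, in file order, copied from the report.
RICH_HEX = (
    "B875380CFC14565FFC14565FFC14565FF56CC55FF014565FED92575EFE14565FED92555E"
    "FF14565FED92525EF514565FED92535EEB14565F3B61575EEC14565FB76C575EFF14565F"
    "FC14575F4314565FFC14565FEB14565F0693A95FFD14565F0693545EFD14565F52696368"
    "FC14565F"
)

DANS = 0x536E6144   # "DanS" as a little-endian dword
RICH = 0x68636952   # "Rich" as a little-endian dword


def decode_rich(blob):
    """Return (xor_key, entries) for a raw Rich block ending in 'Rich' + key."""
    if len(blob) % 4 or len(blob) < 24:
        raise ValueError("Rich block must be whole dwords: DanS, 3 pad, pairs, Rich, key")
    words = struct.unpack("<%dI" % (len(blob) // 4), blob)
    if words[-2] != RICH:
        raise ValueError("Rich marker missing")
    key = words[-1]                       # XOR key; doubles as the checksum
    if words[0] ^ key != DANS:
        raise ValueError("DanS marker does not decode with this key")
    if any(w ^ key for w in words[1:4]):
        raise ValueError("padding dwords should decode to zero")
    body = words[4:-2]
    if len(body) % 2:
        raise ValueError("entries must be (compid, count) pairs")
    entries = []
    for comp, count in zip(body[0::2], body[1::2]):
        comp ^= key                       # high 16 bits: product id, low 16: build
        entries.append({"prodid": comp >> 16, "build": comp & 0xFFFF,
                        "count": count ^ key})
    return key, entries


def newest_build(entries):
    """Highest toolset build that touched the link; hints at the linker version."""
    return max(e["build"] for e in entries)


def total_objects(entries):
    return sum(e["count"] for e in entries)


if __name__ == "__main__":
    key, entries = decode_rich(bytes.fromhex(RICH_HEX))
    print("key %08X, %d entries, %d objects" % (key, len(entries), total_objects(entries)))
    for e in entries:
        print("prodid %3d  build %5d  count %3d" % (e["prodid"], e["build"], e["count"]))
```

The key decodes as 5F5614FC and there are 11 entries. The newest build number, 34810, sits in the 14.43 toolset range, which agrees with the DIE result "Microsoft Linker(14.43)" above; the oldest, 30729, is a much older compiler build and is the kind of entry a legacy static library pulls in.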
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:
Detect It Easy (die)
PE+(64): compiler: Microsoft Visual C/C++(-)[-]
PE+(64): compiler: Rust(x86_64-pc-windows-msvc)[-]
PE+(64): linker: Microsoft Linker(14.43**)[EXE64,console]
Entropy: 6.29364

Suspicious Functions:
Library       Function           Description
KERNEL32.DLL  CreateMutexA       Creates a named or unnamed mutex object for controlling access to a shared resource.
KERNEL32.DLL  GetModuleHandleA   Retrieves a handle to the specified module.
KERNEL32.DLL  WriteFile          Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL  LoadLibraryA       Loads the specified module into the address space of the calling process.
KERNEL32.DLL  GetProcAddress     Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL  IsDebuggerPresent  Determines whether the calling process is being debugged by a user-mode debugger.
KERNEL32.DLL  SleepEx            Pauses the execution of the current thread, optionally allowing the thread to be awakened by a kernel object or upon expiration of a timeout.
Ws2_32.DLL    socket             Creates a communication endpoint for networking applications.
Ws2_32.DLL    connect            Establishes a connection to a specified socket.
Windows REG:
Software\Microsoft\Windows\CurrentVersion\RunSystemHelper
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exeDebugger
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Rust string literals are not NUL-terminated, so adjacent literals run together in a string dump. The two strings above are best read as the Run key followed by the value name "SystemHelper", and the IFEO key for magnify.exe followed by the value name "Debugger" (the Registry rules further down match RegCreateKeyEx, RegOpenKeyEx and RegSetValueEx). Together with the "SystemHelper.exe" and "Temp" strings under File Access, this is consistent with Run-key persistence plus an IFEO Debugger hijack of the Magnifier accessibility binary, which Windows can launch from the logon screen.
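The two registry locations above are exactly the kind of write a Sysmon Event ID 13 (RegistryEvent, value set) record captures. The triage routine below is an added example, not pescan.io's or the sample's code: it flags a Debugger value set under Image File Execution Options (with higher severity when the hijacked binary is one of the accessibility executables that the logon screen can launch) and Run/RunOnce values that point at or come from user-writable paths. The event records are constructed for illustration; the SID, user name and paths in them are invented and are not taken from any real host.

```python
# Added example (not pescan.io code): triage Sysmon Event ID 13 records for the
# two persistence locations named in this report.
import re

# Accessibility binaries whose IFEO Debugger value is a known hijack target:
# they can be launched from the logon screen, so the "debugger" runs as SYSTEM.
ACCESSIBILITY = {"magnify.exe", "sethc.exe", "utilman.exe", "osk.exe",
                 "narrator.exe", "displayswitch.exe", "atbroker.exe"}

IFEO_RE = re.compile(r"\\Image File Execution Options\\([^\\]+)\\Debugger$", re.I)
RUN_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
USER_WRITABLE = re.compile(r"(\\Users\\[^\\]+\\|\\Temp\\|\\ProgramData\\)", re.I)

# Constructed Sysmon EventID 13 records (field names follow Sysmon's schema).
EVENTS = [
    {"EventID": 13,
     "Image": r"C:\Users\victim\Downloads\Freelancer_Contract_Viewer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\SystemHelper",
     "Details": r"C:\Users\victim\AppData\Local\Temp\SystemHelper.exe"},
    {"EventID": 13,
     "Image": r"C:\Users\victim\Downloads\Freelancer_Contract_Viewer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                     r"\Image File Execution Options\magnify.exe\Debugger",
     "Details": r"C:\Users\victim\AppData\Local\Temp\SystemHelper.exe"},
    {"EventID": 13,                          # ordinary installer autorun: low
     "Image": r"C:\Program Files\Vendor\Setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\Updater.exe"},
    {"EventID": 13,                          # unrelated service start type
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start",
     "Details": "DWORD (0x00000003)"},
    {"EventID": 12,                          # key create, not a value set
     "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKCU\Software\Classes\Local Settings"},
]


def classify(ev):
    """Return (severity, reason) for one EventID 13 record, or None."""
    if ev.get("EventID") != 13:
        return None
    target = ev["TargetObject"]
    details = ev.get("Details", "")
    image = ev.get("Image", "")
    m = IFEO_RE.search(target)
    if m:
        victim = m.group(1).lower()
        if victim in ACCESSIBILITY:
            return ("high", "IFEO Debugger set on accessibility binary %s -> %s"
                    % (victim, details))
        return ("medium", "IFEO Debugger set on %s -> %s" % (victim, details))
    m = RUN_RE.search(target)
    if m:
        risky = USER_WRITABLE.search(details) or USER_WRITABLE.search(image)
        return ("high" if risky else "low",
                "%s value %s -> %s written by %s" % (m.group(1), m.group(2), details, image))
    return None


def triage(events):
    """Flatten classified hits into dicts, preserving event order."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            hits.append({"severity": verdict[0], "reason": verdict[1],
                         "target": ev["TargetObject"]})
    return hits


if __name__ == "__main__":
    for hit in triage(EVENTS):
        print("[%s] %s" % (hit["severity"].upper(), hit["reason"]))
```

Against the constructed records this yields two high-severity hits (the Run value and the magnify.exe Debugger value, both written by the sample and both pointing into the user's Temp directory) and one low-severity autorun from a vendor installer; the service and key-create records produce nothing.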

File Access:
\cmd.exe
.exe
?@\_cmd.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe
SystemHelper.exe
api-ms-win-crt-heap-l1-1-0.dll
api-ms-win-crt-locale-l1-1-0.dll
api-ms-win-crt-stdio-l1-1-0.dll
api-ms-win-crt-math-l1-1-0.dll
api-ms-win-crt-runtime-l1-1-0.dll
VCRUNTIME140.dll
ntdll.dll
ole32.dll
shell32.dll
ws2_32.dll
user32.dll
kernel32.dll
advapi32.dll
bcryptprimitives.dll
api-ms-win-core-synch-l1-2-0.dll
dbghelp.dll
Temp

Words of Interest:
wscript
exec
powershell
attrib
start

Anti-VM/Sandbox/Debug Tricks:
OllyDbg Library - dbghelp.dll (dbghelp.dll is the Windows debug-help library; Rust's std loads it to symbolize backtraces, so its presence in a Rust binary is a weak anti-debug indicator on its own. IsDebuggerPresent, listed under Suspicious Functions, is likewise imported by the MSVC CRT startup code in ordinary binaries.)

Payloads:
Unusual BP Cave > 15 Bytes - (0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...)
Possible Metasploit Payload - MSFPayload Generate (Detection with heuristic methods)
Both findings are heuristics. The 0xCC run at the entry point is 16 INT3 bytes followed by a 10-byte NOP: 0x31764 (EP) + 0x12 (thunk) + 0x10 + 0xA = 0x31790, a 16-byte-aligned function start, which is ordinary MSVC linker inter-function padding rather than a code cave. Nothing else in this report (no shellcode-like blob, no reflective-loading strings) supports the Metasploit heuristic; treat it as unconfirmed.

IP Addresses:
96.9.125.200

Strings/Hex Code Found With The File Rules:
Rule Text (Ascii): WinAPI Sockets (WSACleanup)
Rule Text (Ascii): WinAPI Sockets (connect)
Rule Text (Ascii): WinAPI Sockets (recv)
Rule Text (Ascii): WinAPI Sockets (send)
Rule Text (Ascii): Registry (RegCreateKeyEx)
Rule Text (Ascii): Registry (RegOpenKeyEx)
Rule Text (Ascii): Registry (RegSetValueEx)
Rule Text (Ascii): File (CreateFile)
Rule Text (Ascii): File (WriteFile)
Rule Text (Ascii): File (ReadFile)
Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent)
Rule Text (Ascii): Execution (CreateProcessW)
Rule Text (Ascii): Technique used to circumvent security measures (Bypass)
EP Rules: Microsoft Visual C++ 8.0 (DLL)
EP Rules: Microsoft Visual C++ 8.0
EP Rules: PE-Exe Executable Image
(the two "Visual C++ 8.0" hits are generic startup-thunk signatures; the file is an EXE, not a DLL, and the actual toolset is 14.43 according to DIE and the Rich header)

Resources:
Path               DataRVA  Size  FileOffset  CodeText
\ICON\1\1033       48310    1588  44910       89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A866000000016F724E5401CFA2779A00001542  .PNG........IHDR.............\r.f....orNT...w....B
\GROUP_ICON\1\1033 49898    14    45E98       0000010001000000000001002000881500000100000000000000000000000000000000000000000000000000000000000000  ............ .....................................
\VERSION\1\1033    480F0    21C   446F0       1C0234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000100  ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
(file offsets follow from .rsrc: RVA - 48000 + 44600. The GROUP_ICON directory describes one image, 0x0 = 256x256, 32 bpp, 0x1588 bytes, which is the ICON resource above)
Intelligent String:
• NTDLL.DLL
• \\.\pipe\__rust_anonymous_pipe1__. (Rust std's anonymous-pipe name prefix, used when std::process::Command spawns a child with piped stdio; consistent with the cmd.exe, wscript and powershell strings above)
• Freelancer_Contract_Viewer.pdb
• .tls
• .bss
• SHELL32.dll
• api-ms-win-core-synch-l1-2-0.dll
• bcryptprimitives.dll
• advapi32.dll
• kernel32.dll
• user32.dll
• ws2_32.dll
• api-ms-win-crt-runtime-l1-1-0.dll
• api-ms-win-crt-math-l1-1-0.dll
• api-ms-win-crt-stdio-l1-1-0.dll
• api-ms-win-crt-locale-l1-1-0.dll
• api-ms-win-crt-heap-l1-1-0.dll

Extra Analysis:
Metric          Value   Percentage
Ascii Code      167384  58.0678%
Null Byte Code  57090   19.8053%
(percentages are of the 288,256-byte file)