PREMIUM PESCAN.IO - Analysis Report

File Structure
[Analysis image not reproduced. Legend of the PE chart: PE header (light blue); executable sections (pink); non-executable sections (black); external injected code (red); file structure drawn in red means a malformed or corrupted header. For non-PE files the chart shows printable characters (blue) and non-printable characters (black).]
Information
Size: 1.05 MB (1,102,336 bytes, which is the .reloc raw offset plus raw size, so there is no overlay appended after the last section)
SHA-256 Hash: E6D6E4467919D58C63962AF6D28F307F41E21690FD62931135662F4661FB6FD5
SHA-1 Hash: 718D64A3D3BA31838EA5F25F191E96A8DF202C6C
MD5 Hash: 6F7E59EAA31A56B06F98F9E804E7B6AD
Imphash: A252CD53EBC44617E8418747345D10C1
MajorOSVersion: 6
MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (rva): C30EB
SizeOfHeaders: 400
SizeOfImage: 118000
ImageBase: 10000000
Architecture: x86
ExportTable: 103380
ImportTable: 1033D8
IAT: EA000
Characteristics: 2102 (IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_DLL)
TimeDateStamp: 69D8F92A
Date: 2026-04-10 13:20:42 UTC (decoded from TimeDateStamp; the stamp is linker-written and trivially editable, so it dates the build only if nothing tampered with it)
File Type: DLL
Number Of Sections: 5
ASLR: Enabled
Section Names: .text, .rdata, .data, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI

Sections Info
Section  Flags       Characteristics                          ROffset  RSize   VOffset  VSize   Entropy  Chi2
.text    0x60000020  Code, Executable, Readable               400      E8200   1000     E8018   6.5901   5074618.98
.rdata   0x40000040  Initialized Data, Readable               E8600    1A600   EA000    1A532   5.9826   2132498.69
.data    0xC0000040  Initialized Data, Readable, Writeable    102C00   2E00    105000   900C    2.7647   1411364.83
.rsrc    0x40000040  Initialized Data, Readable               105A00   200     10F000   F8      2.5313   61549
.reloc   0x42000040  Initialized Data, Discardable, Readable  105C00   7600    110000   75A0    6.7092   121884.44
Offsets and sizes are hex. The raw offsets are contiguous (each ROffset equals the previous ROffset plus RSize), the only executable section is .text, and no section has a raw size of 0 or an entropy above 7, so there is no sign of a packer stub or a section that is filled at run time. The 0x02000000 bit in the .reloc flags is IMAGE_SCN_MEM_DISCARDABLE; the tool labels it GP-Relative, but IMAGE_SCN_GPREL is 0x00008000 and is not set. The VSize of .data (900C) exceeds its RSize (2E00); the difference is zero-filled by the loader.
Entry Point
Section 1 (.text) contains the entry point.
Information -> EntryPoint (file offset, calculated) - C24EB (RVA C30EB minus the .text VOffset 1000, plus the .text ROffset 400)
The listing below is the VS2015+ vcruntime _DllMainCRTStartup: the second argument, fdwReason ([EBP + 0xC]), is compared with DLL_PROCESS_ATTACH (1); on attach the CRT's security-cookie initialiser is called first; then hinstDLL, fdwReason and lpvReserved are forwarded to the internal DllMain dispatcher, and the function returns with RET 0xC (stdcall, three 4-byte arguments). The instructions after the RET belong to the next function in the dump.
Code -> 558BEC837D0C017505E819020000FF7510FF750CFF7508E8AEFEFFFF83C40C5DC20C00836104008BC183610800C74104544E
Assembler
|PUSH EBP
|MOV EBP, ESP
|CMP DWORD PTR [EBP + 0XC], 1
|JNE 0X100E
|CALL 0X1227
|PUSH DWORD PTR [EBP + 0X10]
|PUSH DWORD PTR [EBP + 0XC]
|PUSH DWORD PTR [EBP + 8]
|CALL 0XECA
|ADD ESP, 0XC
|POP EBP
|RET 0XC
|AND DWORD PTR [ECX + 4], 0
|MOV EAX, ECX
|AND DWORD PTR [ECX + 8], 0
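Added example (not PESCAN.IO output): re-deriving the entry-point file offset, the section characteristics and the placement of the data directories from nothing but the section table printed above. All numbers are the report's own values; the IMAGE_SCN_* bit names come from winnt.h, and nothing else about the file is assumed.

```python
# Added example (not PESCAN.IO output): sanity-check the report's PE geometry from its own
# section table. Values below are copied from the report; nothing else is assumed about the file.

IMAGE_BASE = 0x10000000

# (name, characteristics, raw_offset, raw_size, rva, virtual_size), from the Sections Info table
SECTIONS = [
    (".text",  0x60000020, 0x000400, 0xE8200, 0x001000, 0xE8018),
    (".rdata", 0x40000040, 0x0E8600, 0x1A600, 0x0EA000, 0x1A532),
    (".data",  0xC0000040, 0x102C00, 0x02E00, 0x105000, 0x0900C),
    (".rsrc",  0x40000040, 0x105A00, 0x00200, 0x10F000, 0x000F8),
    (".reloc", 0x42000040, 0x105C00, 0x07600, 0x110000, 0x075A0),
]

# Data directory RVAs from the Information block
DIRECTORIES = {"ExportTable": 0x103380, "ImportTable": 0x1033D8, "IAT": 0xEA000}

# IMAGE_SCN_* characteristic bits (winnt.h); only the ones that matter for triage
SCN_FLAGS = {
    0x00000020: "CNT_CODE",
    0x00000040: "CNT_INITIALIZED_DATA",
    0x00000080: "CNT_UNINITIALIZED_DATA",
    0x00008000: "GPREL",
    0x02000000: "MEM_DISCARDABLE",
    0x04000000: "MEM_NOT_CACHED",
    0x08000000: "MEM_NOT_PAGED",
    0x10000000: "MEM_SHARED",
    0x20000000: "MEM_EXECUTE",
    0x40000000: "MEM_READ",
    0x80000000: "MEM_WRITE",
}


def decode_flags(characteristics):
    """Set of IMAGE_SCN_* names present in a section's Characteristics field."""
    return {name for bit, name in SCN_FLAGS.items() if characteristics & bit}


def section_of(rva):
    """Name of the section whose virtual range contains rva, or None (e.g. the header area)."""
    for name, _flags, _roff, _rsize, vaddr, vsize in SECTIONS:
        if vaddr <= rva < vaddr + vsize:
            return name
    return None


def rva_to_offset(rva):
    """Map an RVA to a file offset through its section. Returns None when the RVA is mapped but
    not file-backed (the .data tail past its raw size is zero-filled by the loader)."""
    for _name, _flags, roff, rsize, vaddr, vsize in SECTIONS:
        if vaddr <= rva < vaddr + vsize:
            delta = rva - vaddr
            return roff + delta if delta < rsize else None
    return None


def directory_placement():
    """Which section each data directory lives in (all three should be in .rdata for an MSVC build)."""
    return {label: section_of(rva) for label, rva in DIRECTORIES.items()}


def entry_point_report(ep_rva, code_hex):
    """Cross-check the entry point: file offset, section, and the x86 frame prologue
    (55 8B EC = push ebp; mov ebp, esp) at the start of the dumped bytes."""
    prologue_ok = bytes.fromhex(code_hex).startswith(b"\x55\x8b\xec")
    return {"rva": ep_rva, "offset": rva_to_offset(ep_rva),
            "section": section_of(ep_rva), "prologue": prologue_ok}


if __name__ == "__main__":
    print(entry_point_report(0xC30EB, "558BEC837D0C017505E819020000"))
    for name, flags, *_ in SECTIONS:
        print(name, sorted(decode_flags(flags)))
    print(directory_placement())
```

The offset function returns None for the part of .data that exists only in memory; a tool that silently maps such an RVA to a file offset reads unrelated bytes from the next section, which is a common source of wrong "carved" strings.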
Signatures
Rich Signature Analyzer:
Code -> 084ECA4D4C2FA41E4C2FA41E4C2FA41E5844A71F5D2FA41E5844A11FFD2FA41E5844A01F5B2FA41E1E5AA11F0E2FA41E1E5AA01F5C2FA41E1E5AA71F5B2FA41E5844A51F412FA41E4C2FA51EF22FA41E805AA01F4D2FA41E805AA11F4F2FA41E805AA41F4D2FA41E805A5B1E4D2FA41E805AA61F4D2FA41E526963684C2FA41E
Footprint md5 Hash -> AFC264A592D66394624EB3E1C6CDAC1A
• The Rich header checksum is consistent; the tool sees no sign of tampering
Certificate - Digital Signature Not Found:
• The file is not signed
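Added example (not PESCAN.IO output): decoding the Rich header dump printed above. The hex is the report's own "Rich Signature Analyzer" bytes; the code recovers the XOR key, checks the DanS marker and padding, and returns (product id, build, count) triples. Product-id names are deliberately not guessed; the build numbers alone are enough to judge the toolchain claim in the next section.

```python
# Added example (not PESCAN.IO output): parse the Rich header bytes from the report.
import struct

# Exactly the hex printed under "Rich Signature Analyzer" in the report (DanS ... Rich, key)
RICH_HEX = ("084ECA4D4C2FA41E4C2FA41E4C2FA41E5844A71F5D2FA41E5844A11FFD2FA41E"
            "5844A01F5B2FA41E1E5AA11F0E2FA41E1E5AA01F5C2FA41E1E5AA71F5B2FA41E"
            "5844A51F412FA41E4C2FA51EF22FA41E805AA01F4D2FA41E805AA11F4F2FA41E"
            "805AA41F4D2FA41E805A5B1E4D2FA41E805AA61F4D2FA41E526963684C2FA41E")

DANS = 0x536E6144  # b"DanS" as a little-endian dword


def decode_rich(blob):
    """Decode a Rich header blob that runs from the XORed 'DanS' marker through the XOR key.
    Returns (key, entries); each entry is (prodid, build, count)."""
    rich_pos = blob.rfind(b"Rich")
    if rich_pos < 0 or rich_pos + 8 > len(blob):
        raise ValueError("no 'Rich' marker followed by a key")
    key = struct.unpack_from("<I", blob, rich_pos + 4)[0]
    words = [struct.unpack_from("<I", blob, i)[0] for i in range(0, rich_pos, 4)]
    if words[0] ^ key != DANS:
        raise ValueError("DanS check failed: %08x" % (words[0] ^ key))
    # three padding dwords follow DanS; they are stored as the bare key, i.e. decode to zero
    if any(w ^ key for w in words[1:4]):
        raise ValueError("padding after DanS is not zero")
    entries = []
    for comp_id, count in zip(words[4::2], words[5::2]):
        v = comp_id ^ key
        entries.append((v >> 16, v & 0xFFFF, count ^ key))
    return key, entries


def toolchain_summary(entries):
    """Distinct non-zero build numbers, plus the import count carried by prodid 1 (build 0)."""
    builds = sorted({build for _pid, build, _n in entries if build})
    imports = sum(n for pid, _build, n in entries if pid == 1)
    return {"builds": builds, "import_count": imports}


if __name__ == "__main__":
    key, entries = decode_rich(bytes.fromhex(RICH_HEX))
    print("key=%08x entries=%d" % (key, len(entries)))
    for pid, build, n in entries:
        print("prodid=%04x build=%5d count=%d" % (pid, build, n))
    print(toolchain_summary(entries))
```

The decoded builds (27412, 30034, 30156) all belong to the 14.x toolset family (Visual Studio 2015 and later); a Visual C++ 6 build would carry builds in the 8xxx range. The checksum itself cannot be verified from the page, since it also covers the DOS header and stub bytes, which the report does not print.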

Packer/Compiler
Compiler (signature match): Microsoft Visual C++ 6 DLL. This label is a false positive: the Rich header decodes to toolchain build numbers 27412, 30034 and 30156 (the 14.x toolset family, Visual Studio 2015 and later), the entry-point stub is the VS2015+ vcruntime _DllMainCRTStartup, and DIE's linker version 14.29 is Visual Studio 2019 16.10/16.11. No packer is detected.
Detect It Easy (die)
PE: linker: Microsoft Linker(14.29**)[-]
Entropy: 6.66924 (whole file; below the 7.0 rule-of-thumb for packed or encrypted content, consistent with an unpacked MSVC build)

Suspicious Functions
Library        Function                  Description
KERNEL32.DLL   CreateMutexW              Creates a named or unnamed mutex; a named mutex is the usual single-instance check.
KERNEL32.DLL   CopyFileA                 Copies an existing file to a new file.
KERNEL32.DLL   WriteFile                 Writes data to a file or I/O device.
KERNEL32.DLL   LoadLibraryA              Loads the specified module into the address space of the calling process.
KERNEL32.DLL   LoadLibraryW              Wide-character variant of LoadLibraryA.
KERNEL32.DLL   CreateToolhelp32Snapshot  Takes a snapshot of processes, heaps, threads and modules (process enumeration).
KERNEL32.DLL   GetProcAddress            Resolves an exported function from a loaded DLL; with LoadLibrary it resolves APIs at run time, keeping their names out of the import table and the imphash.
KERNEL32.DLL   CreateFileA               Creates or opens a file or I/O device.
KERNEL32.DLL   DeleteFileA               Deletes an existing file.
KERNEL32.DLL   IsDebuggerPresent         Reports whether a user-mode debugger is attached. The statically linked MSVC runtime imports it too, so on its own it is weak evidence of anti-debugging.
ADVAPI32.DLL   CryptDecrypt              Decrypts data previously encrypted with CryptEncrypt (CryptoAPI).
WININET.DLL    InternetConnectA          Opens an FTP or HTTP session to a given host.
Export Table (carved from the export directory)
Original Name -> STEALERDLL.dll
Exports: Main, Save
A DLL with named exports needs a host or loader (not part of this sample) to load it and call them; whether DllMain does anything beyond CRT initialisation is not visible from the static output.

Windows Registry paths (strings)
Strings only; the paths fall into two groups: application discovery (MuiCache, Compatibility Assistant\Store, FeatureUsage\AppSwitched, App Paths for firefox.exe and Thunderbird.exe) and stores that hold saved credentials (WinSCP 2\Sessions, Outlook profiles under Windows Messaging Subsystem\Profiles, Microsoft\Office).
Software\Microsoft\Windows\Shell\MuiCache
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Thunderbird.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched
SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
SOFTWARE\Martin Prikryl\WinSCP 2\Sessions\
Software\Microsoft\Office
Software\Microsoft\Windows Messaging Subsystem\Profiles
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
system\Profiles

File Access (ASCII strings)
Strings only; ".dat", "@.dat" and ").zip" are fragments of longer strings that the carver split.
monero-wallet-gui.exe
WinSCP.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Thunderbird.exe
Thunderbird.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
firefox.exe
bcrypt.dll
WININET.dll
SHELL32.dll
ADVAPI32.dll
KERNEL32.dll
CRYPT32.dll
STEALERDLL.dll
nss3.dll
.dat
@.dat
WinSCP.ini
).zip
Temp
Exec - netsh wlan show profiles

File Access (UTF-16 strings)
(null).exe
mscoree.dll
Note: "(null)" is the MSVC CRT's placeholder for a NULL %s argument, and mscoree.dll is referenced by the UCRT's exit path (it looks for an already-loaded mscoree.dll to call CorExitProcess); neither string is evidence of .NET code or of a specific target.

SQL Queries
These are the internal schema-loading and VACUUM statements of the SQLite library (sqlite3.c), with its printf-style %Q/%s/%q placeholders. They show that SQLite is statically linked into the DLL, not that the sample composes these queries itself; Firefox and Thunderbird profile databases (key4.db, cookies.sqlite and similar) are SQLite files, which is the usual reason a stealer embeds the engine. The lines beginning "INSERT INTO vacuum_db.' ||", "CREATE TABLE vacuum_db.' ||" and "DELETE FROM vacuum_db.' ||" are the tails of the SELECT statements above them, picked up a second time by the string carver.
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
INSERT INTO %Q.%s VALUES('index',%Q,%Q,%d,%Q);
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
CREATE TABLE sqlite_master( type text, name text, tbl_name text, rootpage integer, sql text)
CREATE TABLE %Q.%s(%s)
CREATE TABLE
CREATE TABLE %Q.sqlite_sequence(name,seq)
CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
DROP TABLE to delete table %s
DELETE FROM %Q.%s WHERE %s=%Q
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Words of Interest (keyword hits; "Stealer" is the export-table name STEALERDLL.dll, and "netsh" belongs to the "netsh wlan show profiles" command string)
outlook
smtp
Stealer
Encrypt
Decrypt
PassWord
exec
powershell
netsh
attrib
start
hostname
shutdown
systeminfo
ping
replace

Strings/Hex Code Found With The File Rules
Rule   Encoding   Category (matched word)
Text   ASCII      WinAPI Sockets (bind)
Text   ASCII      WinAPI Sockets (connect)
Text   ASCII      Registry (RegOpenKeyEx)
Text   ASCII      File (GetTempPath)
Text   ASCII      File (CopyFile)
Text   ASCII      File (CreateFile)
Text   ASCII      File (WriteFile)
Text   ASCII      File (ReadFile)
Text   ASCII      Encryption (Base64Decode)
Text   ASCII      Encryption API (CryptDecrypt)
Text   ASCII      Anti-Analysis VM (IsDebuggerPresent)
Text   ASCII      Anti-Analysis VM (GetSystemInfo)
Text   ASCII      Anti-Analysis VM (GetVersion)
Text   ASCII      Anti-Analysis VM (CreateToolhelp32Snapshot)
Text   ASCII      Reconnaissance (FindFirstFileA)
Text   ASCII      Reconnaissance (FindNextFileA)
Text   ASCII      Reconnaissance (FindNextFileW)
Text   ASCII      Reconnaissance (FindClose)
Text   ASCII      Stealth (ExitThread)
Text   ASCII      Stealth (CloseHandle)
Text   ASCII      Stealth (UnmapViewOfFile)
Text   ASCII      Stealth (MapViewOfFile)
Text   ASCII      Stealth (CreateFileMappingA)
Text   ASCII      Stealth (CreateFileMappingW)
Text   ASCII      Execution (CreateProcessA)
Text   ASCII      Keyword (Redirect) - tool label: "Malicious rerouting of traffic to an attacker-controlled site"
Text   ASCII      Keyword (Corruption) - tool label: "Abuse of power for personal gain or unethical purposes"
These rows are substring matches, not observed behaviour, and the category labels are the tool's. CloseHandle, ExitThread and the file-mapping APIs are ordinary file-handling imports; GetVersion, GetSystemInfo and IsDebuggerPresent appear in most MSVC builds; "Redirect" and "Corruption" are plain English words that also occur in runtime error text. The hits worth weighing are the directory enumeration (FindFirstFileA/FindNextFileA/W), Base64Decode together with CryptDecrypt, CreateProcessA (which fits the "netsh wlan show profiles" string) and the socket/WinINet APIs, read alongside the strings sections.
Resources
Path: \24\2\1033 (type 24 = RT_MANIFEST; ID 2 is the manifest resource ID used for DLLs; language 1033 = en-US)
DataRVA: 10F060   Size: 91 (hex)   FileOffset: 105A60
Code: 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779
Text: <?xml version='1.0' encoding='UTF-8' standalone='y  (the tool shows only the first 50 bytes)
This is the only resource: an embedded application manifest, which is what the MSVC toolchain adds by default.
Intelligent Strings
Carved strings; several entries are adjacent string-table items run together (for example "sshWinSCP.exe", "wifi|WiFi||netsh wlan show profiles" and "BCryptDecryptbcrypt.dll"). Read with the registry and file-access sections, they are consistent with a credential stealer that targets Firefox and Thunderbird logins (logins.json, decrypted through nss3.dll), Pidgin and Psi account files (accounts.xml), WinSCP and FileZilla saved sessions (WinSCP.ini, the WinSCP 2\Sessions registry key, sitemanager.xml), saved Wi-Fi profiles (netsh wlan show profiles) and Monero wallets, and that packages its results with makecab (_*.cab, "makecab /F") and possibly as a .zip. Which of these paths are actually read at run time cannot be established from static strings alone.
• _*.cab
• makecab /F AES
• \logins.json
• nss3.dll
• Thunderbird.exe
• .purple\accounts.xml
• SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched\.purple\accounts.xml
• im|Psi|Psi\profiles\default\accounts.xml
• WinSCP.ini
• sshWinSCP.exe
• FileZilla\sitemanager.xml
• .xml
• wifi|WiFi||netsh wlan show profiles
• Monero\wallets\).zip
• monero-wallet-gui.exe
• .exe
• .cmd
• .bat
• .com
• mscoree.dll
• .bss
• KERNEL32.dll
• ADVAPI32.dll
• BCryptDecryptbcrypt.dll
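Added example (not PESCAN.IO output): a string-level triage check that groups the indicators carved from this sample into behaviour categories and scans a buffer in both ASCII and UTF-16LE, since some of the report's hits came from the "(UNICODE)" pass. The indicator strings are taken from the registry, file-access and Intelligent Strings sections of this report; the two sample buffers and the "three categories" threshold are constructed for the demonstration and are not derived from the sample.

```python
# Added example (not PESCAN.IO output): category-based indicator scan over raw bytes.
# Indicator strings come from this report; buffers and the threshold are constructed here.

INDICATORS = {
    "credential_store": ["logins.json", "nss3.dll", "sitemanager.xml", ".purple\\accounts.xml",
                         "WinSCP.ini", "Martin Prikryl\\WinSCP 2\\Sessions",
                         "Windows Messaging Subsystem\\Profiles"],
    "wallet":           ["Monero\\wallets", "monero-wallet-gui.exe"],
    "recon_command":    ["netsh wlan show profiles", "systeminfo", "hostname"],
    "staging":          ["makecab /F", ".cab", ".zip"],
}


def encodings(s):
    """Both byte forms a Windows binary may carry: narrow (ASCII) and wide (UTF-16LE)."""
    return (s.encode("ascii"), s.encode("utf-16-le"))


def scan(buf):
    """Return {category: [matched indicator strings]} for every indicator found in either
    encoding. bytes.lower() only touches ASCII letters, so it is safe on UTF-16LE data too."""
    hits = {}
    lower = buf.lower()
    for category, needles in INDICATORS.items():
        found = [n for n in needles if any(enc.lower() in lower for enc in encodings(n))]
        if found:
            hits[category] = found
    return hits


def verdict(hits, min_categories=3):
    """Flag only when hits span several categories and include a credential store. A credential
    path on its own is what a backup tool or password manager also contains; combined with a
    recon command, a wallet path and an archiving step it is not. The threshold is an assumption."""
    return len(hits) >= min_categories and "credential_store" in hits


# Constructed buffers (not from the sample): one mixing narrow and wide strings, one benign.
SAMPLE_HIT = (b"\x00" * 16 + b"logins.json\x00nss3.dll\x00"
              + "netsh wlan show profiles".encode("utf-16-le") + b"\x00\x00"
              + b"makecab /F AES\x00Monero\\wallets\\\x00")
SAMPLE_BENIGN = b"Mozilla Firefox profile backup: logins.json copied to backup.zip\x00"

if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT), ("benign", SAMPLE_BENIGN)):
        h = scan(buf)
        print(label, verdict(h), h)
```

The wide-string pass matters in practice: "netsh wlan show profiles" in the constructed buffer is stored as UTF-16LE and would be missed by an ASCII-only grep, just as the report needed a separate UNICODE pass to see "(null).exe" and "mscoree.dll".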

Flow Anomalies
Offset (file)  Pointer slot (VA)  Section  Description
Every "CALL [static]" row is a call through an absolute pointer slot at 0x10105xxx, i.e. RVA 0x105xxx, which lies in .data (VOffset 105000, VSize 900C) rather than in .rdata, where the header places the IAT (EA000). Slots in a writable data section are filled after load: either by the delay-load helper (MSVC places the delay-import thunk table in .data) or by code that resolves APIs with LoadLibrary/GetProcAddress, both of which keep those APIs out of the import table and the imphash. The report does not print the delay-import directory, so the two cannot be told apart here. A handful of slots (10105028, 10105030, 10105054, 1010505C, 10105254) account for most of the calls.
1692 10105030 .text CALL [static] | Indirect call to absolute memory address
31B1 10105054 .text CALL [static] | Indirect call to absolute memory address
31BB 10105030 .text CALL [static] | Indirect call to absolute memory address
31FD 10105028 .text CALL [static] | Indirect call to absolute memory address
3210 1010505C .text CALL [static] | Indirect call to absolute memory address
3219 10105028 .text CALL [static] | Indirect call to absolute memory address
3315 10105054 .text CALL [static] | Indirect call to absolute memory address
3355 1010505C .text CALL [static] | Indirect call to absolute memory address
343B 10105054 .text CALL [static] | Indirect call to absolute memory address
3445 10105030 .text CALL [static] | Indirect call to absolute memory address
3487 10105028 .text CALL [static] | Indirect call to absolute memory address
349A 1010505C .text CALL [static] | Indirect call to absolute memory address
34A9 10105028 .text CALL [static] | Indirect call to absolute memory address
47D2 10105054 .text CALL [static] | Indirect call to absolute memory address
47DC 10105030 .text CALL [static] | Indirect call to absolute memory address
481E 10105028 .text CALL [static] | Indirect call to absolute memory address
4831 1010505C .text CALL [static] | Indirect call to absolute memory address
483A 10105028 .text CALL [static] | Indirect call to absolute memory address
4B17 10105140 .text CALL [static] | Indirect call to absolute memory address
4B29 101053B0 .text CALL [static] | Indirect call to absolute memory address
4B32 10105140 .text CALL [static] | Indirect call to absolute memory address
4B57 10105254 .text CALL [static] | Indirect call to absolute memory address
4C4D 1010538C .text CALL [static] | Indirect call to absolute memory address
4C57 10105254 .text CALL [static] | Indirect call to absolute memory address
4DF0 101053F8 .text CALL [static] | Indirect call to absolute memory address
4DFA 10105254 .text CALL [static] | Indirect call to absolute memory address
4E40 101053B0 .text CALL [static] | Indirect call to absolute memory address
4EB7 10105254 .text CALL [static] | Indirect call to absolute memory address
4F8F 101053A4 .text CALL [static] | Indirect call to absolute memory address
4F9A 10105254 .text CALL [static] | Indirect call to absolute memory address
4FE1 10105398 .text CALL [static] | Indirect call to absolute memory address
4FEB 10105254 .text CALL [static] | Indirect call to absolute memory address
505A 101051B8 .text CALL [static] | Indirect call to absolute memory address
5069 10105254 .text CALL [static] | Indirect call to absolute memory address
50AF 10105230 .text CALL [static] | Indirect call to absolute memory address
50CB 10105254 .text CALL [static] | Indirect call to absolute memory address
51B5 1010535C .text CALL [static] | Indirect call to absolute memory address
51C4 10105254 .text CALL [static] | Indirect call to absolute memory address
51D7 101053B0 .text CALL [static] | Indirect call to absolute memory address
51E1 10105254 .text CALL [static] | Indirect call to absolute memory address
526B 101053D4 .text CALL [static] | Indirect call to absolute memory address
5280 10105254 .text CALL [static] | Indirect call to absolute memory address
52C1 1010535C .text CALL [static] | Indirect call to absolute memory address
532D 1010535C .text CALL [static] | Indirect call to absolute memory address
5342 10105254 .text CALL [static] | Indirect call to absolute memory address
53E5 1010535C .text CALL [static] | Indirect call to absolute memory address
541E 101053D4 .text CALL [static] | Indirect call to absolute memory address
5487 101053D4 .text CALL [static] | Indirect call to absolute memory address
54AD 10105254 .text CALL [static] | Indirect call to absolute memory address
54F8 101053D4 .text CALL [static] | Indirect call to absolute memory address
5546 101053D4 .text CALL [static] | Indirect call to absolute memory address
58A9 10105224 .text CALL [static] | Indirect call to absolute memory address
58B3 10105254 .text CALL [static] | Indirect call to absolute memory address
58F1 101053B0 .text CALL [static] | Indirect call to absolute memory address
5951 10105158 .text CALL [static] | Indirect call to absolute memory address
595E 10105254 .text CALL [static] | Indirect call to absolute memory address
59A0 101053B0 .text CALL [static] | Indirect call to absolute memory address
5A29 10105054 .text CALL [static] | Indirect call to absolute memory address
5A33 10105030 .text CALL [static] | Indirect call to absolute memory address
5A75 10105028 .text CALL [static] | Indirect call to absolute memory address
5A88 1010505C .text CALL [static] | Indirect call to absolute memory address
5A91 10105028 .text CALL [static] | Indirect call to absolute memory address
5AED 10105054 .text CALL [static] | Indirect call to absolute memory address
5AF7 10105030 .text CALL [static] | Indirect call to absolute memory address
5B39 10105028 .text CALL [static] | Indirect call to absolute memory address
5B4C 1010505C .text CALL [static] | Indirect call to absolute memory address
5B6C 10105028 .text CALL [static] | Indirect call to absolute memory address
5BF5 10105054 .text CALL [static] | Indirect call to absolute memory address
5BFF 10105030 .text CALL [static] | Indirect call to absolute memory address
5C41 10105028 .text CALL [static] | Indirect call to absolute memory address
5C54 1010505C .text CALL [static] | Indirect call to absolute memory address
5C5D 10105028 .text CALL [static] | Indirect call to absolute memory address
5D26 10105054 .text CALL [static] | Indirect call to absolute memory address
5D30 10105030 .text CALL [static] | Indirect call to absolute memory address
5D72 10105028 .text CALL [static] | Indirect call to absolute memory address
5D85 1010505C .text CALL [static] | Indirect call to absolute memory address
5D8E 10105028 .text CALL [static] | Indirect call to absolute memory address
5DD6 10105218 .text CALL [static] | Indirect call to absolute memory address
5DE6 10105194 .text CALL [static] | Indirect call to absolute memory address
5DF4 10105254 .text CALL [static] | Indirect call to absolute memory address
5E36 101053B0 .text CALL [static] | Indirect call to absolute memory address
5E3D 10105218 .text CALL [static] | Indirect call to absolute memory address
5E48 10105254 .text CALL [static] | Indirect call to absolute memory address
5EED 10105054 .text CALL [static] | Indirect call to absolute memory address
5F25 1010505C .text CALL [static] | Indirect call to absolute memory address
5F39 1010504C .text CALL [static] | Indirect call to absolute memory address
5F47 10105054 .text CALL [static] | Indirect call to absolute memory address
5F70 1010504C .text CALL [static] | Indirect call to absolute memory address
5F7E 1010505C .text CALL [static] | Indirect call to absolute memory address
5FD3 10105054 .text CALL [static] | Indirect call to absolute memory address
604A 101053D4 .text CALL [static] | Indirect call to absolute memory address
6058 10105254 .text CALL [static] | Indirect call to absolute memory address
60F2 1010535C .text CALL [static] | Indirect call to absolute memory address
6100 10105254 .text CALL [static] | Indirect call to absolute memory address
6166 1010535C .text CALL [static] | Indirect call to absolute memory address
6178 10105254 .text CALL [static] | Indirect call to absolute memory address
6190 1010505C .text CALL [static] | Indirect call to absolute memory address
61BB 1010504C .text CALL [static] | Indirect call to absolute memory address
61C9 10105054 .text CALL [static] | Indirect call to absolute memory address
61DD 1010504C .text CALL [static] | Indirect call to absolute memory address
225F2-2260F N/A .text Unusual BP Cave, count: 30
B1101-B111F N/A .text Unusual BP Cave, count: 31
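Added example (not PESCAN.IO output): parsing a sample of the Flow Anomalies rows above, counting calls per pointer slot and placing each slot in a section using the Sections Info table. The row text and section ranges are copied from this report; only a subset of rows is embedded, and the "non-IAT" classification relies on the IAT RVA in the header because the report prints neither the IAT size nor the delay-import directory.

```python
# Added example (not PESCAN.IO output): group "CALL [static]" targets by pointer slot and
# locate each slot in a section. Rows and section ranges are copied from the report.
import re
from collections import Counter

IMAGE_BASE = 0x10000000
# (name, rva, virtual_size) from the Sections Info table
SECTIONS = [(".text", 0x1000, 0xE8018), (".rdata", 0xEA000, 0x1A532),
            (".data", 0x105000, 0x900C), (".rsrc", 0x10F000, 0xF8), (".reloc", 0x110000, 0x75A0)]
IAT_RVA = 0xEA000  # from the report header; its size is not printed, so .rdata membership stands in

# A subset of the report's rows, verbatim (the last one is a non-CALL anomaly and must be skipped)
ROWS = """\
1692 10105030 .text CALL [static] | Indirect call to absolute memory address
31B1 10105054 .text CALL [static] | Indirect call to absolute memory address
31BB 10105030 .text CALL [static] | Indirect call to absolute memory address
31FD 10105028 .text CALL [static] | Indirect call to absolute memory address
4B17 10105140 .text CALL [static] | Indirect call to absolute memory address
4B29 101053B0 .text CALL [static] | Indirect call to absolute memory address
4B57 10105254 .text CALL [static] | Indirect call to absolute memory address
4C57 10105254 .text CALL [static] | Indirect call to absolute memory address
225F2-2260F N/A .text Unusual BP Cave, count: 30
"""

ROW_RE = re.compile(r"^([0-9A-F]+) ([0-9A-F]{8}) (\.\w+) CALL \[static\]")


def section_of(rva):
    for name, vaddr, vsize in SECTIONS:
        if vaddr <= rva < vaddr + vsize:
            return name
    return None


def parse_calls(text):
    """Yield (file_offset, slot_va) for each CALL [static] row; other anomaly rows are ignored."""
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            yield int(m.group(1), 16), int(m.group(2), 16)


def slot_summary(text):
    """{slot_va: (call_count, section_name)} for every distinct pointer slot."""
    counts = Counter(slot for _off, slot in parse_calls(text))
    return {slot: (n, section_of(slot - IMAGE_BASE)) for slot, n in counts.items()}


def non_iat_slots(text):
    """Slots outside the section that holds the IAT. These are written after load, by the
    delay-load helper or by manual LoadLibrary/GetProcAddress resolution; the report alone
    cannot say which, so the function only separates them from ordinary IAT calls."""
    iat_section = section_of(IAT_RVA)
    return sorted(slot for slot, (_n, sec) in slot_summary(text).items() if sec != iat_section)


if __name__ == "__main__":
    for slot, (n, sec) in sorted(slot_summary(ROWS).items()):
        print("%08x  calls=%d  section=%s" % (slot, n, sec))
    print("slots outside the IAT section:", [hex(s) for s in non_iat_slots(ROWS)])
```

Run against the full row list from the report the same code gives the per-slot histogram quoted in the note above; the hot slots are the first thing to resolve in a debugger, since each one stands for one API the static import table does not name.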
Extra Analysis
Metric       Value    Percentage
ASCII bytes  656437   59.5496%
Null bytes   133751   12.1334%
Percentages are of the 1,102,336-byte file; 656437 / 0.595496 reproduces that size, so the byte counts and the section-table size agree.
© 2026 All rights reserved.