PREMIUM PESCAN.IO - Analysis Report

File Structure
PE Chart Code
PE header (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header
Chart Code For Other Files
Printable characters (blue)
Non-printable characters (black)
Information

| Field | Value |
|---|---|
| Size | 1,65 MB |
| SHA-256 Hash | 2659F660691D65628D2FCC3BFC334686CD053F162CDB73BF7A0DA0AC6449DB92 |
| SHA-1 Hash | F597D519A59A5FD809E8A1E097FDD6E0077F72DE |
| MD5 Hash | 7099C67FE850D902106C03D07BFB773B |
| Imphash | DAE02F32A21E03CE65412F6E56942DAA |
| MajorOSVersion | 4 |
| MinorOSVersion | 0 |
| CheckSum | 001B2EAD |
| EntryPoint (rva) | 1A710A |
| SizeOfHeaders | 200 |
| SizeOfImage | 1AC000 |
| ImageBase | 10000000 |
| Architecture | x86 |
| ImportTable | 1A70B7 |
| IAT | 2000 |
| Characteristics | 2022 |
| TimeDateStamp | B4D43D98 |
| Date | 19/02/2066 12:31:20 |
| File Type | DLL |
| Number Of Sections | 3 |
| ASLR | Enabled |
| Section Names | .text, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows Console |
Sections Info

| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 200 | 1A5200 | 2000 | 1A5118 | | |
| .rsrc | 0x40000040 Initialized Data Readable | 1A5400 | 400 | 1A8000 | 37C | | |
| .reloc | 0x42000040 Initialized Data GP-Relative Readable | 1A5800 | 200 | 1AA000 | C | | |
Description

| Field | Value |
|---|---|
| OriginalFilename | libwebp.dll |
| CompanyName | Google, Inc. |
| LegalCopyright | Copyright (C) 2023 |
| ProductName | WebP Image Codec |
| FileVersion | 1.3.2 |
| FileDescription | libwebp DLL |
| ProductVersion | 1.3.2 |
| Comments | DLL support by Alessandro Iacopetti & Gilles Vollant |
| Language | Unknown (ID=0x0) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |

Binder/Joiner/Crypter

7 Executable files found
Entry Point

Section 1 (.text) contains the Entry Point.

EntryPoint (calculated): 1A530A

Code: FF25002000100D000A00FFFE0000000000000000000000000000000000000000000000000000000000000000000000000000

Assembler: JMP DWORD PTR [0X10002000] | OR EAX, 0XFF000A00 | INC BYTE PTR [EAX] | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL | ADD BYTE PTR [EAX], AL
Signatures

Certificate - Digital Signature Not Found
• The file is not signed
Packer/Compiler

Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
• AnyCPU: True
• Version: v2.0

Compiler: Microsoft Visual C++

Detect It Easy (die)
• PE: library: .NET(v2.0.50727)[-]
• PE: linker: Microsoft Linker(48.0)[-]
• Entropy: 6.64005

Suspicious Functions
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleFileNameA | Retrieves the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetModuleHandle | Retrieves a handle to the specified module. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
ET Functions (carving)

Original Name -> libzstd.dll

ZSTD_CCtx_setParameter, ZSTD_CStreamInSize, ZSTD_CStreamOutSize, ZSTD_DCtx_setParameter, ZSTD_DStreamInSize, ZSTD_DStreamOutSize, ZSTD_compressStream2, ZSTD_createCCtx, ZSTD_createDStream, ZSTD_decompressStream, ZSTD_freeCStream, ZSTD_freeDStream, ZSTD_getErrorName, ZSTD_initDStream, ZSTD_isError, ZSTD_sizeof_CCtx, ZSTD_sizeof_DCtx
Windows REG (UNICODE)

• SOFTWARE\Microsoft\Cryptography
• SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
• SYSTEM\CurrentControlSet\Services\
File Access

• mscoree.dll
• KERNEL32.dll
• libzstd.dll
• zlibvc.dll
• libwebp.dll
• ScreenConnect.Windows.dll
• winmm.dll
• ScreenConnect.Properties.libz.x86.dll
• ScreenConnect.Properties.libwebp.x86.dll
• ScreenConnect.Properties.libzstd.x86.dll
• ScreenConnect.Properties.libz.x64.dll
• ScreenConnect.Properties.libwebp.x64.dll
• ScreenConnect.Properties.libzstd.x64.dll
• user32.dll
• .dat
• @.dat
• Temp

File Access (UNICODE)

libwebp.dll mscoree.dll CorExitProcessmscoree.dll zlib.dll ZLib.DLL Windows.dll 0\powershell.exe cmd.exe GetLastActivePopupGetActiveWindowMessageBoxWUSER32.DLL KERNEL32.DLL USER32.DLL *.dll Exec - powershell.exe /c Temp AppData
SQL Queries

• SELECT ProcessId, ParentProcessId FROM Win32_Process
• SELECT * FROM Win32_GroupUser WHERE GroupComponent="Win32_Group.Domain='',Name=''"PartComponent
Words of Interest

lockbit Encrypt Decrypt PassWord exec attrib start pause wmic shutdown systeminfo ping expand getmac replace

Words of Interest (UNICODE)

exec powershell start pause

PE Carving
| Start Offset Header | End Offset | Size (Bytes) |
|---|---|---|
| 0 | 2AD68 | 2AD68 |
| 2AD68 | 92370 | 67608 |
| 92370 | E7578 | 55208 |
| E7578 | FC380 | 14E08 |
| FC380 | 10E788 | 12408 |
| 10E788 | 160190 | 51A08 |
| 160190 | 1A5A00 | 45870 |
Strings/Hex Code Found With The File Rules
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Unicode | WinAPI Sockets (connect) |
| Text | Ascii | WinAPI Sockets (send) |
| Text | Ascii | Registry (RegCreateKeyEx) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | Registry (RegSetValueEx) |
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | Service (OpenSCManager) |
| Text | Ascii | Service (CreateService) |
| Text | Unicode | Encryption (AesCryptoServiceProvider) |
| Text | Ascii | Encryption (CreateDecryptor) |
| Text | Ascii | Encryption (FromBase64String) |
| Text | Ascii | Encryption (ICryptoTransform) |
| Text | Ascii | Encryption (Rijndael) |
| Text | Ascii | Encryption (RijndaelManaged) |
| Text | Ascii | Encryption (ToBase64String) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Anti-Analysis VM (GlobalMemoryStatusEx) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Reconnaissance (FindNextFileW) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Execution (CreateProcessA) |
| Text | Ascii | Execution (ShellExecute) |
| Text | Ascii | Privileges (SE_PRIVILEGE_ENABLED) |
| Text | Ascii | Privileges (SE_PRIVILEGE_REMOVED) |
| Text | Ascii | Keyboard Key (ALTDOWN) |
| Text | Ascii | Keyboard Key (LBUTTON) |
| Text | Ascii | Keyboard Key (RBUTTON) |
| Text | Ascii | Keyboard Key (Scroll) |
| Text | Ascii | Information used for user authentication (Credential) |
| Text | Ascii | Malicious rerouting of traffic to an attacker-controlled site (Redirect) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 |
| Entry Point | Hex Pattern | TrueVision Targa Graphics format |
Resources
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \VERSION\1\0 | 1A8058 | 320 | 1A5458 | 200334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000400 | .4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
Intelligent String

• ScreenConnect.Windows.dll
• KERNEL32.dll
• .bss
• mscoree.dll
• ZLib.DLL
• zlib.dll
• libwebp.dll
• .avi
• runas
• cmd.exe
• KWindowsPowershell\v1.0\powershell.exe
• *.dll
• USER32.DLL
• KERNEL32.DLL
• _CorDllMainmscoree.dll

Flow Anomalies

| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 2C13E | 64CE4 | .text | CALL [static] | Indirect call to absolute memory address |
| 2C4E8 | 6493A | .text | CALL [static] | Indirect call to absolute memory address |
| 2C63B | 6483F | .text | CALL [static] | Indirect call to absolute memory address |
| 2C651 | 64819 | .text | CALL [static] | Indirect call to absolute memory address |
| 2C664 | 6481E | .text | CALL [static] | Indirect call to absolute memory address |
| 2C67E | 647F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 2C6E2 | 64778 | .text | CALL [static] | Indirect call to absolute memory address |
| 2C709 | 64741 | .text | CALL [static] | Indirect call to absolute memory address |
| 2C72F | 6470B | .text | CALL [static] | Indirect call to absolute memory address |
| 2C755 | 646D5 | .text | CALL [static] | Indirect call to absolute memory address |
| 2C77C | 646E6 | .text | CALL [static] | Indirect call to absolute memory address |
| 2C7A8 | 646AA | .text | CALL [static] | Indirect call to absolute memory address |
| 2C7CD | 64675 | .text | CALL [static] | Indirect call to absolute memory address |
| 2C7F1 | 64641 | .text | CALL [static] | Indirect call to absolute memory address |
| 2D32D | 63C75 | .text | CALL [static] | Indirect call to absolute memory address |
| 2D33B | 63C5F | .text | CALL [static] | Indirect call to absolute memory address |
| 2D349 | 63C41 | .text | CALL [static] | Indirect call to absolute memory address |
| 2D3E9 | 63BB9 | .text | CALL [static] | Indirect call to absolute memory address |
| 2D3F4 | 63BA6 | .text | CALL [static] | Indirect call to absolute memory address |
| 2D3FF | 63B8B | .text | CALL [static] | Indirect call to absolute memory address |
| 2D48A | 63B08 | .text | CALL [static] | Indirect call to absolute memory address |
| 2D492 | 63AF0 | .text | CALL [static] | Indirect call to absolute memory address |
| 2D4B0 | 63AE2 | .text | CALL [static] | Indirect call to absolute memory address |
| 2D4B8 | 63ACA | .text | CALL [static] | Indirect call to absolute memory address |
| 2E0F4 | 62F0E | .text | CALL [static] | Indirect call to absolute memory address |
| 2E11D | 62EF5 | .text | CALL [static] | Indirect call to absolute memory address |
| 2E267 | 62DA3 | .text | CALL [static] | Indirect call to absolute memory address |
| 30805 | 60775 | .text | CALL [static] | Indirect call to absolute memory address |
| 32ABC | 5E2C6 | .text | CALL [static] | Indirect call to absolute memory address |
| 32B75 | 5E20D | .text | CALL [static] | Indirect call to absolute memory address |
| 32CF2 | 5E0C0 | .text | CALL [static] | Indirect call to absolute memory address |
| 3390E | 5D6A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 33925 | 5D685 | .text | CALL [static] | Indirect call to absolute memory address |
| 339A0 | 5D612 | .text | CALL [static] | Indirect call to absolute memory address |
| 339AD | 5D5FD | .text | CALL [static] | Indirect call to absolute memory address |
| 33A72 | 5D540 | .text | CALL [static] | Indirect call to absolute memory address |
| 33A7F | 5D52B | .text | CALL [static] | Indirect call to absolute memory address |
| 33B43 | 5D46F | .text | CALL [static] | Indirect call to absolute memory address |
| 33B50 | 5D45A | .text | CALL [static] | Indirect call to absolute memory address |
| 34044 | 5CF6E | .text | CALL [static] | Indirect call to absolute memory address |
| 340E2 | 5CED0 | .text | CALL [static] | Indirect call to absolute memory address |
| 341A4 | 5CE0E | .text | CALL [static] | Indirect call to absolute memory address |
| 349A8 | 5C60A | .text | CALL [static] | Indirect call to absolute memory address |
| 34A31 | 5C581 | .text | CALL [static] | Indirect call to absolute memory address |
| 34AD3 | 5C4DF | .text | CALL [static] | Indirect call to absolute memory address |
| 34BA7 | 5C40B | .text | CALL [static] | Indirect call to absolute memory address |
| 34C20 | 5C392 | .text | CALL [static] | Indirect call to absolute memory address |
| 34CC3 | 5C2EF | .text | CALL [static] | Indirect call to absolute memory address |
| 36FCF | 59FFB | .text | CALL [static] | Indirect call to absolute memory address |
| 36FFF | 59FC3 | .text | CALL [static] | Indirect call to absolute memory address |
| 371C5 | 59E2D | .text | CALL [static] | Indirect call to absolute memory address |
| 37546 | 596CC | .text | CALL [static] | Indirect call to absolute memory address |
| 37567 | 596AB | .text | CALL [static] | Indirect call to absolute memory address |
| 37575 | 59695 | .text | CALL [static] | Indirect call to absolute memory address |
| 37596 | 59674 | .text | CALL [static] | Indirect call to absolute memory address |
| 37736 | 598BC | .text | CALL [static] | Indirect call to absolute memory address |
| 3832A | 588F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 3849B | 58777 | .text | CALL [static] | Indirect call to absolute memory address |
| 384A9 | 58761 | .text | CALL [static] | Indirect call to absolute memory address |
| 38572 | 58A80 | .text | CALL [static] | Indirect call to absolute memory address |
| 38D8C | 57E8E | .text | CALL [static] | Indirect call to absolute memory address |
| 39313 | 57CBF | .text | CALL [static] | Indirect call to absolute memory address |
| 3A8AB | 56537 | .text | CALL [static] | Indirect call to absolute memory address |
| 3A8D3 | 564E7 | .text | CALL [static] | Indirect call to absolute memory address |
| 3AC7D | 5617D | .text | CALL [static] | Indirect call to absolute memory address |
| 3ACB1 | 56119 | .text | CALL [static] | Indirect call to absolute memory address |
| 3ACD0 | 560F2 | .text | CALL [static] | Indirect call to absolute memory address |
| 3AEF3 | 55EB7 | .text | CALL [static] | Indirect call to absolute memory address |
| 3B0EA | 55CF0 | .text | CALL [static] | Indirect call to absolute memory address |
| 3B2DA | 55AC8 | .text | CALL [static] | Indirect call to absolute memory address |
| 3B416 | 559F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 3B437 | 559CB | .text | CALL [static] | Indirect call to absolute memory address |
| 3B44D | 5593D | .text | CALL [static] | Indirect call to absolute memory address |
| 3B599 | 557F9 | .text | CALL [static] | Indirect call to absolute memory address |
| 3B5CB | 559AF | .text | CALL [static] | Indirect call to absolute memory address |
| 3B60D | 5580D | .text | CALL [static] | Indirect call to absolute memory address |
| 3B6B2 | 55760 | .text | CALL [static] | Indirect call to absolute memory address |
| 3B716 | 55684 | .text | CALL [static] | Indirect call to absolute memory address |
| 3B72C | 556EE | .text | CALL [static] | Indirect call to absolute memory address |
| 3B7E6 | 55624 | .text | CALL [static] | Indirect call to absolute memory address |
| 3B84F | 55543 | .text | CALL [static] | Indirect call to absolute memory address |
| 3B88D | 5558D | .text | CALL [static] | Indirect call to absolute memory address |
| 3B9B8 | 5542A | .text | CALL [static] | Indirect call to absolute memory address |
| 3BB45 | 552B5 | .text | CALL [static] | Indirect call to absolute memory address |
| 3BB64 | 55266 | .text | CALL [static] | Indirect call to absolute memory address |
| 3BCF8 | 550E2 | .text | CALL [static] | Indirect call to absolute memory address |
| 3C6A5 | 5474D | .text | CALL [static] | Indirect call to absolute memory address |
| 3C6D2 | 54718 | .text | CALL [static] | Indirect call to absolute memory address |
| 3C7C6 | 54634 | .text | CALL [static] | Indirect call to absolute memory address |
| 3C8BE | 5452C | .text | JMP [static] | Indirect jump to absolute memory address |
| 3C8EE | 54504 | .text | JMP [static] | Indirect jump to absolute memory address |
| 3F6D2 | 4DAB0 | .text | CALL [static] | Indirect call to absolute memory address |
| 43ABE | 4D4CC | .text | CALL [static] | Indirect call to absolute memory address |
| 43AD3 | 4D4B7 | .text | CALL [static] | Indirect call to absolute memory address |
| 43AEB | 4D49F | .text | CALL [static] | Indirect call to absolute memory address |
| 43B03 | 4D487 | .text | CALL [static] | Indirect call to absolute memory address |
| 4415E | 4CE44 | .text | CALL [static] | Indirect call to absolute memory address |
| 44180 | 4CE22 | .text | JMP [static] | Indirect jump to absolute memory address |
| 45ECD | 472B5 | .text | CALL [static] | Indirect call to absolute memory address |
| 4AA88 | 4638A | .text | CALL [static] | Indirect call to absolute memory address |
Extra Analysis
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 1035648 | 59,9689% |
| Null Byte Code | 296613 | 17,1753% |