PESCAN.IO - Analysis Report Basic

File Structure

PE chart (image not included in this extract). Chart colour code: PE header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red indicates a malformed or corrupted header. Chart code for other (non-PE) files: printable characters (blue), non-printable characters (black).
Information

| Field | Value |
|---|---|
| Size | 62,50 KB |
| SHA-256 Hash | 3E12861EF91F80A65820C55F931D58E49B82F2EA805E0F0B6CD4BA9AB857E7B9 |
| SHA-1 Hash | 521BC39F57104F6943B0C421ED593E7C49677109 |
| MD5 Hash | 73844A5A0C7875646238C3C6FE541A1F |
| Imphash | DC73A9BD8DE0FD640549C85AC4089B87 |
| MajorOSVersion | 5 |
| MinorOSVersion | 0 |
| CheckSum | 0000ECDD |
| EntryPoint (RVA) | 102B |
| SizeOfHeaders | 400 |
| SizeOfImage | 14000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ImportTable | 2050 |
| IAT | 2000 |
| Characteristics | 102 |
| TimeDateStamp | 50D4CDC2 |
| Date | 21/12/2012 20:59:46 |
| File Type | EXE |
| Number Of Sections | 5 |
| ASLR | Enabled |
| Section Names | .text, .rdata, .data, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
Sections Info

| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 400 | 200 | 1000 | 1F6 | | |
| .rdata | 0x40000040 Initialized Data Readable | 600 | 200 | 2000 | 1D8 | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | 800 | 200 | 3000 | 34 | | |
| .rsrc | 0x40000040 Initialized Data Readable | A00 | EE00 | 4000 | EC38 | | |
| .reloc | 0x42000040 Initialized Data GP-Relative Readable | F800 | 200 | 13000 | 52 | | |
Entry Point

Section 1 (.text) contains the Entry Point. EntryPoint (calculated): 42B

Code (bytes at the entry point): E8070000006A00E805010000558BEC81C4F4FBFFFF5657536A00E804010000A330304000C745F8000000006A0A6800304000

Assembler:
• CALL 0X100C
• PUSH 0
• CALL 0X1111
• PUSH EBP
• MOV EBP, ESP
• ADD ESP, 0XFFFFFBF4
• PUSH ESI
• PUSH EDI
• PUSH EBX
• PUSH 0
• CALL 0X1123
• MOV DWORD PTR [0X403030], EAX
• MOV DWORD PTR [EBP - 8], 0
• PUSH 0XA
• PUSH 0X403000
Signatures

CheckSum Integrity Problem:
• Header: 60637
• Calculated: 125089

Rich Signature Analyzer:
• Code: 69916DC22DF003912DF003912DF00391D1D011912CF0039142869F912EF003912DF002913CF0039142869D912CF00391428699912CF0039142869E912CF00391526963682DF00391
• Footprint md5 Hash: 57C4CF2498F70CE022452597E1647082
• The Rich header apparently has not been modified

Certificate - Digital Signature Not Found:
• The file is not signed
Packer/Compiler

Detect It Easy (die):
• PE: patcher: dUP diablo2oo2's Universal Patcher(2.0)[-]
• PE: compiler: Microsoft Visual C/C++(2010)[-]
• PE: linker: Microsoft Linker(10.0)[-]
• Entropy: 7.88103

Suspicious Functions
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | RtlMoveMemory | Moves a block of memory to another location. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
| KERNEL32.DLL | DeleteFileA | Deletes an existing file. |
File Access
• \dup2patcher.dll
• kernel32.dll
• @.dat
• Temp

Words of Interest
• PADDINGX
• exec

Strings/Hex Code Found With The File Rules
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Entry Point | Hex Pattern | Borland Delphi 4.0 |
| Entry Point | Hex Pattern | MASM/TASM - sig1(h) |
| Entry Point | Hex Pattern | MASM/TASM - sig4 (h) |
| Entry Point | Hex Pattern | Metasploit Shellcode - Reverse TCP x86 |
| Entry Point | Hex Pattern | PE Diminisher v0.1 |
| Entry Point | Hex Pattern | TrueVision Targa Graphics format |
Resources
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\0 | 4138 | 568 | B38 | 2800000010000000200000000100080000000000000100000000000000000000000100000000000000000000000080000080 | (....... ......................................... |
| \RCDATA\DLL\0 | 46A0 | E200 | 10A0 | A28FF4C420AD76C7198F3F166DE75E637B0A7EAF65C38D35D8FC694347C80FEA80208F2612F7E76E328399AB53CEFC54CF78 | .... .v...?.m.c{.~.e..5..iCG.... .&...n2...S..T.x |
| \GROUP_ICON\500\0 | 128A0 | 14 | F2A0 | 0000010001001010000100000000680500000100 | ..............h..... |
| \24\1\0 | 128B4 | 382 | F2B4 | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="UTF-8" standalone="y |
Intelligent String
• kernel32.dll

Flow Anomalies

| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 536 | 402000 | .text | JMP [static] | Indirect jump to absolute memory address |
| 53C | 402004 | .text | JMP [static] | Indirect jump to absolute memory address |
| 542 | 402008 | .text | JMP [static] | Indirect jump to absolute memory address |
| 548 | 40200C | .text | JMP [static] | Indirect jump to absolute memory address |
| 54E | 402010 | .text | JMP [static] | Indirect jump to absolute memory address |
| 554 | 402014 | .text | JMP [static] | Indirect jump to absolute memory address |
| 55A | 402018 | .text | JMP [static] | Indirect jump to absolute memory address |
| 560 | 40201C | .text | JMP [static] | Indirect jump to absolute memory address |
| 566 | 402020 | .text | JMP [static] | Indirect jump to absolute memory address |
| 56C | 402024 | .text | JMP [static] | Indirect jump to absolute memory address |
| 572 | 402028 | .text | JMP [static] | Indirect jump to absolute memory address |
| 578 | 40202C | .text | JMP [static] | Indirect jump to absolute memory address |
| 57E | 402030 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5DE | 402034 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5E4 | 402038 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5EA | 40203C | .text | JMP [static] | Indirect jump to absolute memory address |
| 5F0 | 402040 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2403 | 402040 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BC87 | 402040 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
Extra Analysis
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 42781 | 66,8453% |
| Null Byte Code | 3002 | 4,6906% |