PESCAN.IO - Analysis Report

PESCAN.IO - Analysis Report Valid Code

File Structure:
PE chart code: - The executable header is displayed in light blue. - The executable sections are pink. - Non-executable sections are black. - Code added to executables externally to a compiler appears in red. Chart code for other files: - Printable characters are blue. - Non-printable characters (Null Bytes) are black.

Information:

Icon:

Size: 890,50 KB
SHA-256 Hash: 8F3E95019DFD1CAA9F174DF58F9B8C097E66CB655551C18FE94067F371D9B045
SHA-1 Hash: 66FAAE41226E0D364E6CEAA1FBF5EABB1D5274B3
MD5 Hash: 77F5FEC4AB36CBC857AF81B4051A205B
Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744
MajorOSVersion: 4
CheckSum: 00000000
EntryPoint (rva): DEC5E
SizeOfHeaders: 200
SizeOfImage: E4000
ImageBase: 400000
Architecture: x86
ImportTable: DEC0C
Characteristics: 102
TimeDateStamp: A11F4E58
Date: 29/08/2055 20:17:28
File Type: EXE
Number Of Sections: 3
ASLR: Disabled
Section Names: .text, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info:

Section Name	Flags	ROffset	RSize	VOffset	VSize
.text	60000020 (Executable)	200	DCE00	2000	DCC7C
.rsrc	40000040	DD000	1800	E0000	16F8
.reloc	42000040	DE800	200	E2000	C

Description:

InternalName: cLdl.exe
OriginalFilename: cLdl.exe
LegalCopyright: Copyright 2022
ProductName: WindowsFormsOCR
FileVersion: 1.3.3

Entry Point:

The section number (1) - (.text) have the Entry Point
Information -> EntryPoint (calculated) - DCE5E
Code -> FF25002040001F0000002F0000003F0000004F0000005F000000000000000000000000000000000000000000000000000000
• JMP DWORD PTR [0X402000]
• POP DS
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EDI], CH
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EDI], BH
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EDI], CL
• ADD BYTE PTR [EAX], AL
• POP EDI
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL

Signatures:

Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:

Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
• AnyCPU: False
• Version: v4.0
Detect It Easy (die)
• PE: library: .NET(v4.0.30319)[-]
• PE: compiler: VB.NET(-)[-]
• PE: linker: Microsoft Linker(48.0)[EXE32]
• Entropy: 7.75238

Windows REG (UNICODE):

SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Run

File Access:

cLdl.exe
mscoree.dll
user32.dll
kernel32.dll
WindowsFormsOCR.Scr

File Access (UNICODE):

cLdl.exe

Interest's Words:

PassWord
exec
attrib
start
replace

Interest's Words (UNICODE):

PassWord
start

URLs (UNICODE):

https://fanyi-api.baidu.com/api/trans/vip/translatec
https://fanyi-api.baidu.com/api/trans/sdk/picture/rest/2.0/ocr/v1/
https://aip.baidubce.com
https://cloud.baidu.com/doc/OCR/s/fk3h7xu7h
https://cloud.tencent.com/document/product/866/35945
https://cloud.tencent.com/document/product/551/35017
https://fanyi-api.baidu.com/product/113S~v'YMQ9tabPage1
https://github.com/NPCDW/WindowsFormsOCR

IP Addresses:

16.0.0.0
16.0.0.0

Strings/Hex Code Found With The File Rules:

• Rule Text (Ascii): WinAPI Sockets (send)
• Rule Text (Ascii): Encryption (MD5CryptoServiceProvider)
• Rule Text (Ascii): Encryption (ToBase64String)
• Rule Text (Ascii): Keyboard Key (Scroll)
• Rule Text (Unicode): Keyboard Key (Ctrl+F2)
• Rule Text (Ascii): Malicious rerouting of traffic to an attacker-controlled site (Redirect)
• EP Rules: Microsoft Visual C++ 8
• EP Rules: Microsoft Visual C++ 8.0

Resources:

Path	DataRVA	Size	FileOffset	Code	Text
\ICON\1\0	E0100	10A8	DD100	2800000020000000400000000100200000000000001000000000000000000000000000000000000000000000000000000000	(... ...@..... ...................................
\GROUP_ICON\32512\0	E11B8	14	DE1B8	0000010001002020000001002000A81000000100DC110E001C03000000000000000000001C0334000000560053005F005600	...... .... .........................4...V.S._.V.
\VERSION\1\0	E11DC	31C	DE1DC	1C0334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000300	..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\0	E1508	1EA	DE508	EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65	...<?xml version="1.0" encoding="UTF-8" standalone

Intelligent String:

• cLdl.exe
• .jpg
• https://fanyi-api.baidu.com/api/trans/vip/translate
• https://fanyi-api.baidu.com/api/trans/sdk/picture
• https://aip.baidubce.com
• )\Resources\Cross.cur
• +chenyongli0520@qq.com
• https://cloud.baidu.com/doc/OCR/s/fk3h7xu7h
• https://cloud.tencent.com/document/product/866/35945
• https://cloud.tencent.com/document/product/551/35017
• https://fanyi-api.baidu.com/product/113
• https://github.com/NPCDW/WindowsFormsOCR
• N 0520.com
• _CorExeMainmscoree.dll
• 1.3.3.0

Extra 4n4lysis:

Metric	Value	Percentage
Ascii Code	579040	63,5001%
Null Byte Code	55965	6,1374%

PESCAN.IO - Analysis Report Valid Code