PREMIUM PESCAN.IO - Analysis Report

File Structure

Information
- Size: 890,50 KB
- SHA-256 Hash: 8F3E95019DFD1CAA9F174DF58F9B8C097E66CB655551C18FE94067F371D9B045
- SHA-1 Hash: 66FAAE41226E0D364E6CEAA1FBF5EABB1D5274B3
- MD5 Hash: 77F5FEC4AB36CBC857AF81B4051A205B
- Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744
- MajorOSVersion: 4
- CheckSum: 00000000
- EntryPoint (RVA): DEC5E
- SizeOfHeaders: 200
- SizeOfImage: E4000
- ImageBase: 400000
- Architecture: x86
- ImportTable: DEC0C
- Characteristics: 102
- TimeDateStamp: A11F4E58 (Date: 29/08/2055 20:17:28)
- File Type: EXE
- Number Of Sections: 3
- ASLR: Disabled
- Section Names: .text, .rsrc, .reloc
- Number Of Executable Sections: 1
- Subsystem: Windows GUI
- UAC Execution Level Manifest: asInvoker
Sections Info

| Section Name | Flags | ROffset | RSize | VOffset | VSize |
|---|---|---|---|---|---|
| .text | 60000020 (Executable) | 200 | DCE00 | 2000 | DCC7C |
| .rsrc | 40000040 | DD000 | 1800 | E0000 | 16F8 |
| .reloc | 42000040 | DE800 | 200 | E2000 | C |
Description

- InternalName: cLdl.exe
- OriginalFilename: cLdl.exe
- LegalCopyright: Copyright 2022
- ProductName: WindowsFormsOCR
- FileVersion: 1.3.3
Entry Point

Section 1 (.text) contains the entry point. EntryPoint (calculated file offset): DCE5E.

Bytes at the entry point: FF25002040001F0000002F0000003F0000004F0000005F000000000000000000000000000000000000000000000000000000

Disassembly:

- JMP DWORD PTR [0x402000]

This jump is the only real instruction at the entry point: it is the native entry stub of a .NET executable, jumping through the import address table to _CorExeMain in mscoree.dll (both names appear in the strings below), which then loads the CLR and runs the managed code. The bytes after the jump are data, not code, and the tool's continued decoding of them (POP DS, ADD BYTE PTR [EAX], AL, ...) is meaningless.
Signatures

Certificate - Digital Signature Not Found: the file is not signed.
Packer/Compiler

Compiler: Microsoft Visual .NET (you can use a decompiler for this...)

- AnyCPU: False
- Version: v4.0

Detect It Easy (die):

- PE: library: .NET(v4.0.30319)[-]
- PE: compiler: VB.NET(-)[-]
- PE: linker: Microsoft Linker(48.0)[EXE32]
- Entropy: 7.75238
Windows REG (UNICODE)

- SOFTWARE\Microsoft\Windows\CurrentVersion\Run (rebuilt string: SOFTWARE\Microsoft\Windows\CurrentVersion\Run)

This is the standard Windows autostart key; a program that references it may register itself to run at logon, so the value is worth checking for persistence when the sample is examined.
File Access

- cLdl.exe
- mscoree.dll
- user32.dll
- kernel32.dll
- WindowsFormsOCR.Scr

File Access (UNICODE)

- cLdl.exe

Words of Interest

- PassWord
- exec
- attrib
- start
- replace

Words of Interest (UNICODE)

- PassWord
- start
URLs (UNICODE)

- https://fanyi-api.baidu.com/api/trans/vip/translatec
- https://fanyi-api.baidu.com/api/trans/sdk/picture/rest/2.0/ocr/v1/
- https://aip.baidubce.com
- https://cloud.baidu.com/doc/OCR/s/fk3h7xu7h
- https://cloud.tencent.com/document/product/866/35945
- https://cloud.tencent.com/document/product/551/35017
- https://fanyi-api.baidu.com/product/113S~v'YMQ9tabPage1
- https://github.com/NPCDW/WindowsFormsOCR

IP Addresses

- 16.0.0.0 (found twice)
Strings/Hex Codes Matched by the File Rules

| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (send) |
| Text | Ascii | Encryption (MD5CryptoServiceProvider) |
| Text | Ascii | Encryption (ToBase64String) |
| Text | Ascii | Keyboard Key (Scroll) |
| Text | Unicode | Keyboard Key (Ctrl+F2) |
| Text | Ascii | Malicious rerouting of traffic to an attacker-controlled site (Redirect) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 |
Resources

| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\0 | E0100 | 10A8 | DD100 | 2800000020000000400000000100200000000000001000000000000000000000000000000000000000000000000000000000 | (... ...@..... ................................... |
| \GROUP_ICON\32512\0 | E11B8 | 14 | DE1B8 | 0000010001002020000001002000A81000000100DC110E001C03000000000000000000001C0334000000560053005F005600 | ...... .... .........................4...V.S._.V. |
| \VERSION\1\0 | E11DC | 31C | DE1DC | 1C0334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000300 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\0 | E1508 | 1EA | DE508 | EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65 | ...<?xml version="1.0" encoding="UTF-8" standalone |
Intelligent Strings

- cLdl.exe
- .jpg
- https://fanyi-api.baidu.com/api/trans/vip/translate
- https://fanyi-api.baidu.com/api/trans/sdk/picture
- https://aip.baidubce.com
- )\Resources\Cross.cur
- +chenyongli0520@qq.com
- https://cloud.baidu.com/doc/OCR/s/fk3h7xu7h
- https://cloud.tencent.com/document/product/866/35945
- https://cloud.tencent.com/document/product/551/35017
- https://fanyi-api.baidu.com/product/113
- https://github.com/NPCDW/WindowsFormsOCR
- N 0520.com
- _CorExeMainmscoree.dll
- 1.3.3.0
Extra Analysis

| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 579040 | 63,5001% |
| Null Byte Code | 55965 | 6,1374% |
© 2025 All rights reserved.