PREMIUM PESCAN.IO - Analysis Report

File Structure
PE chart legend (image not included in this export):
• Header PE (light blue)
• Executable sections (pink)
• Non-executable sections (black)
• External injected code (red)
• File Structure in red = malformed or corrupted header
Chart legend for other files:
• Printable characters (blue)
• Non-printable characters (black)
Information

• Size: 1,38 MB
• SHA-256 Hash: 14340D8660D776F5B06BAA94F1EBF81F97A24588F52384C003B6441F62E8F056
• SHA-1 Hash: 626F0E085450A2D69FB886438A13E65B63F20555
• MD5 Hash: 7C5C48514D852439654985D96A7B0E63
• Imphash: 2CA968D5FB5546758E1111A22FB27AE2
• MajorOSVersion: 4
• MinorOSVersion: 0
• CheckSum: 0016C13A
• EntryPoint (rva): 13B0
• SizeOfHeaders: 400
• SizeOfImage: 166000
• ImageBase: 70380000
• Architecture: x86
• ExportTable: FF000
• ImportTable: 100000
• IAT: 100118
• Characteristics: 230E
• TimeDateStamp: 69D38E1F
• Date: 06/04/2026 10:42:39
• File Type: DLL
• Number Of Sections: 9
• ASLR: Enabled
• Section Names: .text, .data, .rdata, .bss, .edata, .idata, .CRT, .tls, .reloc
• Number Of Executable Sections: 1
• Subsystem: Windows GUI
Sections Info

All offsets and sizes are hexadecimal. The Entropy and Chi2 columns were empty in the report.

| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60500060 (Code, Initialized Data, Executable, Readable) | 400 | 7400 | 1000 | 72B4 | | |
| .data | 0xC0600040 (Initialized Data, Readable, Writeable) | 7800 | F3C00 | 9000 | F3AEC | | |
| .rdata | 0x40600040 (Initialized Data, Readable) | FB400 | 1000 | FD000 | F78 | | |
| .bss | 0xC0600080 (Uninitialized Data, Readable, Writeable) | 0 | 0 | FE000 | A30 | | |
| .edata | 0x40300040 (Initialized Data, Readable) | FC400 | 200 | FF000 | 45 | | |
| .idata | 0xC0300040 (Initialized Data, Readable, Writeable) | FC600 | 600 | 100000 | 5D4 | | |
| .CRT | 0xC0300040 (Initialized Data, Readable, Writeable) | FCC00 | 200 | 101000 | 2C | | |
| .tls | 0xC0300040 (Initialized Data, Readable, Writeable) | FCE00 | 200 | 102000 | 8 | | |
| .reloc | 0x42300040 (Initialized Data, GP-Relative, Readable) | FD000 | 62200 | 103000 | 621B4 | | |
Entry Point

Section 1 (.text) contains the Entry Point. EntryPoint (calculated, raw file offset): 7B0, i.e. RVA 13B0 minus the .text VOffset 1000 plus its ROffset 400.

Code bytes at the entry point:
83EC0CC70530E04770000000008B4C24188B5424148B442410E852FEFFFF83C40CC20C008DB426000000008D7426009083EC

Assembler:
• SUB ESP, 0XC
• MOV DWORD PTR [0X7047E030], 0
• MOV ECX, DWORD PTR [ESP + 0X18]
• MOV EDX, DWORD PTR [ESP + 0X14]
• MOV EAX, DWORD PTR [ESP + 0X10]
• CALL 0XE70
• ADD ESP, 0XC
• RET 0XC
• LEA ESI, [ESI]
• LEA ESI, [ESI]
• NOP
Signatures

CheckSum Integrity Problem:
• Header: 1491258
• Calculated: 1478818
Certificate - Digital Signature:
• The file is signed but has been modified
Packer/Compiler

Detect It Easy (die):
• PE: compiler: MinGW(GCC: (GNU) 10.3.0)[-]
• PE: linker: GNU linker ld (GNU Binutils)(2.36)[-]
• PE: Sign tool: Windows Authenticode(2.0)[PKCS 7]
• Entropy: 5.52846
Suspicious Functions

| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
ET Functions (carving)

• Original Name -> payload.dll NtUmin

File Access

• msvcrt.dll
• KERNEL32.dll
• payload.dll
• .dat

File Access (UNICODE)

• msvcrt.dll

Words of Interest

• pause
• systeminfo
• ping

URLs (from the embedded Authenticode certificate chain)

• http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl
• http://www.microsoft.com/pki/certs/MicCodSigPCA_2010-07-06.crt
• http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
• http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
• http://www.microsoft.com/PKI/docs/CPS/default.htm
• http://www.microsoft.com/windows0
• http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl
• http://www.microsoft.com/pkiops/certs/Microsoft%20Time-Stamp%20PCA%202010(1).crt
• http://www.microsoft.com/pkiops/Docs/Repository.htm
Strings/Hex Code Found With The File Rules

| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Execution (OpenEventA) |
| Text | Ascii | Execution (CreateEventA) |
| Text | Ascii | Antivirus Software (rising) |
| Entry Point | Hex Pattern | Win.Trojan.Peed-422 |
| Entry Point | Hex Pattern | Win.Trojan.Peed-423 |
| Entry Point | Hex Pattern | Win.Trojan.Peed-426 |
Intelligent String

• @@.bss
• .CRT
• .tls
• msvcrt.dll
• KERNEL32.dll
Flow Anomalies

| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 457 | 70480164 | .text | CALL [static] | Indirect call to absolute memory address |
| 83F | 7047CAD8 | .text | CALL [static] | Indirect call to absolute memory address |
| 882 | 70480170 | .text | CALL [static] | Indirect call to absolute memory address |
| 8AA | 7048011C | .text | CALL [static] | Indirect call to absolute memory address |
| 8CA | 70480124 | .text | CALL [static] | Indirect call to absolute memory address |
| 8DA | 70480168 | .text | CALL [static] | Indirect call to absolute memory address |
| 913 | 70480170 | .text | CALL [static] | Indirect call to absolute memory address |
| 978 | 7048011C | .text | CALL [static] | Indirect call to absolute memory address |
| 994 | 70480124 | .text | CALL [static] | Indirect call to absolute memory address |
| 9A4 | 70480168 | .text | CALL [static] | Indirect call to absolute memory address |
| 9E6 | 7048015C | .text | CALL [static] | Indirect call to absolute memory address |
| A1F | 70480120 | .text | CALL [static] | Indirect call to absolute memory address |
| A2F | 70480164 | .text | CALL [static] | Indirect call to absolute memory address |
| A3F | 70480148 | .text | CALL [static] | Indirect call to absolute memory address |
| A97 | 7048012C | .text | CALL [static] | Indirect call to absolute memory address |
| AD9 | 70480128 | .text | CALL [static] | Indirect call to absolute memory address |
| B10 | 70480180 | .text | CALL [static] | Indirect call to absolute memory address |
| B40 | 70480160 | .text | CALL [static] | Indirect call to absolute memory address |
| BCF | 70480118 | .text | CALL [static] | Indirect call to absolute memory address |
| BE7 | 70480164 | .text | CALL [static] | Indirect call to absolute memory address |
| C16 | 70480164 | .text | CALL [static] | Indirect call to absolute memory address |
| C67 | 7048013C | .text | CALL [static] | Indirect call to absolute memory address |
| F2B | 70480178 | .text | CALL [static] | Indirect call to absolute memory address |
| F93 | 70480174 | .text | CALL [static] | Indirect call to absolute memory address |
| FA0 | 70480138 | .text | CALL [static] | Indirect call to absolute memory address |
| 126E | 70480134 | .text | CALL [static] | Indirect call to absolute memory address |
| 12BC | 70480154 | .text | CALL [static] | Indirect call to absolute memory address |
| 1312 | 70480134 | .text | CALL [static] | Indirect call to absolute memory address |
| 1330 | 70480154 | .text | CALL [static] | Indirect call to absolute memory address |
| 1377 | 70480134 | .text | CALL [static] | Indirect call to absolute memory address |
| 13B7 | 70480154 | .text | CALL [static] | Indirect call to absolute memory address |
| 148C | 70480130 | .text | CALL [static] | Indirect call to absolute memory address |
| 14B7 | 7048014C | .text | CALL [static] | Indirect call to absolute memory address |
| 5D18 | 70480134 | .text | CALL [static] | Indirect call to absolute memory address |
| 5E28 | 70480154 | .text | CALL [static] | Indirect call to absolute memory address |
| 5EE7 | 70480154 | .text | CALL [static] | Indirect call to absolute memory address |
| 606D | 70480154 | .text | CALL [static] | Indirect call to absolute memory address |
| 6331 | 70480154 | .text | CALL [static] | Indirect call to absolute memory address |
| 63C9 | 70480154 | .text | CALL [static] | Indirect call to absolute memory address |
| 6A80 | 704801EC | .text | JMP [static] | Indirect jump to absolute memory address |
| 6A88 | 704801E8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6A90 | 704801E4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6A98 | 704801E0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6AA0 | 704801DC | .text | JMP [static] | Indirect jump to absolute memory address |
| 6AA8 | 704801CC | .text | JMP [static] | Indirect jump to absolute memory address |
| 6AB0 | 704801C8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6AB8 | 704801C4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6AC0 | 704801C0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6AC8 | 704801BC | .text | JMP [static] | Indirect jump to absolute memory address |
| 6AD0 | 704801B8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6AD8 | 704801B4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6AE0 | 704801B0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6AE8 | 704801AC | .text | JMP [static] | Indirect jump to absolute memory address |
| 6AF0 | 704801A4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6AF8 | 70480194 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6B00 | 70480190 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6B08 | 7048018C | .text | JMP [static] | Indirect jump to absolute memory address |
| 6B62 | 70480150 | .text | CALL [static] | Indirect call to absolute memory address |
| 6BA5 | 70480158 | .text | CALL [static] | Indirect call to absolute memory address |
| 6C5B | 70480158 | .text | CALL [static] | Indirect call to absolute memory address |
| 7083 | 7048017C | .text | CALL [static] | Indirect call to absolute memory address |
| 725E | 70480134 | .text | CALL [static] | Indirect call to absolute memory address |
| 72CE | 70480154 | .text | CALL [static] | Indirect call to absolute memory address |
| 737C | 70480140 | .text | CALL [static] | Indirect call to absolute memory address |
| 73F0 | 7047CAE8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 7400 | 704801D8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 7408 | 704801D4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 7410 | 704801D0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 7418 | 704801A8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 7420 | 704801A0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 7428 | 7048019C | .text | JMP [static] | Indirect jump to absolute memory address |
| FCC18 | 1990 | .CRT | TLS Callback | Pointer to 70381990 - 0xD90 .text |
| FCC1C | 1940 | .CRT | TLS Callback | Pointer to 70381940 - 0xD40 .text |
| 15F200 | N/A | *Overlay* | 28260000000202003082261606092A864886F70D | (&......0.&...*.H...) |
Extra Analysis

| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 1043849 | 72,0902% |
| Null Byte Code | 213236 | 14,7265% |
| NOP Cave Found | 0x9090909090 (Block Count: 33) | Total: 0,0057% |