PESCAN.IO - Analysis Report: Valid Code

Information:
- Size: 1,58 MB
- SHA-256 Hash: E53C379D95E95706C5A2C4D6CD609857368A3BF14F28D7E67F6E3F8DFCE6D486
- SHA-1 Hash: 55447378C48561C35BAD1317B58A34EE50C5072F
- MD5 Hash: 7A9A33206F80078BA80F7A839CD92451
- Imphash: 69573714E11441683EA863C40A1C0D54
- MajorOSVersion: 6
- CheckSum: 00198E4C
- EntryPoint (rva): B91D4
- SizeOfHeaders: 400
- SizeOfImage: 199000
- ImageBase: 0000000140000000
- Architecture: x64
- ImportTable: 1223D0
- Characteristics: 22
- TimeDateStamp: 64E9ADC0
- Date: 26/08/2023 7:46:08
- File Type: EXE
- Number Of Sections: 10
- ASLR: Disabled
- Section Names (Optional Header): .text, .rdata, .data, .pdata, .00cfg, .gxfg, .tls, _RDATA, .rsrc, .reloc
- Number Of Executable Sections: 1
- Subsystem: Windows GUI

Sections Info:

Section Name | Flags | ROffset | RSize | VOffset | VSize |
---|---|---|---|---|---|
.text | 60000020 (Executable) | 400 | E6400 | 1000 | E6326 |
.rdata | 40000040 | E6800 | 40200 | E8000 | 401EC |
.data | C0000040 (Writeable) | 126A00 | 1000 | 129000 | 559C |
.pdata | 40000040 | 127A00 | 6E00 | 12F000 | 6C90 |
.00cfg | 40000040 | 12E800 | 200 | 136000 | 38 |
.gxfg | 40000040 | 12EA00 | 2C00 | 137000 | 2A60 |
.tls | C0000040 (Writeable) | 131600 | 200 | 13A000 | 11 |
_RDATA | 40000040 | 131800 | 200 | 13B000 | 15C |
.rsrc | 40000040 | 131A00 | 5AC00 | 13C000 | 5AB40 |
.reloc | 42000040 | 18C600 | 2000 | 197000 | 1ECC |
Description:
- OriginalFilename: PuTTY
- CompanyName: Simon Tatham
- LegalCopyright: Copyright 1997-2023 Simon Tatham.
- ProductName: PuTTY suite
- FileVersion: Release 0.79 (with embedded help)
- FileDescription: SSH, Telnet, Rlogin, and SUPDUP client
- ProductVersion: Release 0.79
- Language: English (United Kingdom) (ID=0x809)
- CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point:
Section 1 (.text) contains the entry point.
- EntryPoint (calculated): B85D4
- Code: 4883EC28E85B0200004883C428E97AFEFFFFCCCC4883EC28E80F00000048F7D81BC0F7D8FFC84883C428C3CC40534883EC20
- Disassembly:
  - SUB RSP, 0X28
  - CALL 0X1264
  - ADD RSP, 0X28
  - JMP 0XE8C
  - INT3
  - INT3
  - SUB RSP, 0X28
  - CALL 0X102C
  - NEG RAX
  - SBB EAX, EAX
  - NEG EAX
  - DEC EAX
  - ADD RSP, 0X28
  - RET
  - INT3
  - PUSH RBX
  - SUB RSP, 0X20
Signatures:
- Certificate - Digital Signature: The file is signed and the signature is correct

Packer/Compiler:
- Compiler: Microsoft Visual C++
- Detect It Easy (die):
  - PE+(64): compiler: Microsoft Visual C/C++(2015 v.14.0)[-]
  - PE+(64): linker: Microsoft Linker(14.0)[EXE64,signed]
  - PE+(64): Sign tool: Windows Authenticode(2.0)[PKCS 7]
  - Entropy: 6.93101

Suspicious Functions:
Library | Function | Description |
---|---|---|
Ws2_32.DLL | socket | Possible call of the API by name. Create a communication endpoint for networking applications. |
Ws2_32.DLL | connect | Possible call of the API by name. Establish a connection to a specified socket. |
KERNEL32.DLL | CreateMutexA | Create a named or unnamed mutex object for controlling access to a shared resource. |
KERNEL32.DLL | GetModuleFileNameA | Retrieve the fully qualified path for the executable file of a specified module. |
KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
KERNEL32.DLL | DeleteFileA | Deletes an existing file. |
KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
Ws2_32.DLL | socket | Create a communication endpoint for networking applications. |
Ws2_32.DLL | connect | Establish a connection to a specified socket. |
ADVAPI32.DLL | RegCreateKeyExA | Creates a new registry key or opens an existing one. |
ADVAPI32.DLL | RegDeleteKeyA | Used to delete a subkey and its values from the Windows registry. |
ADVAPI32.DLL | RegSetValueExA | Sets the data and type of a specified value under a registry key. |
SHELL32.DLL | ShellExecuteA | Performs an operation (such as open or run) on a specified file. |
Windows REG:
- Software\SimonTatham\PuTTY\Jumplist
- Software\SimonTatham\PuTTY\SshHostKeys
- SOFTWARE\MIT\Kerberos
- Software\SimonTatham\PuTTY\Sessions
- Software\SimonTatham\PuTTY\SshHostCAs
- Software\SimonTatham
- Software\SimonTatham\PuTTY\CHMPath
- Software\SimonTatham\PuTTY64\CHMPath
- Software\SimonTatham\PuTTY

File Access:
PuTTYgen.exe Pageant.exe ADVAPI32.dll COMDLG32.dll SHELL32.dll KERNEL32.dll USER32.dll ole32.dll IMM32.dll GDI32.dll *.dll Dynamic Library Files (*.dll Microsoft SSPI SECUR32.DLL Using SSPI from SECUR32.DLL Using GSSAPI from GSSAPI64.DLL MIT Kerberos GSSAPI64.DLL ws2_32.dll wsock32.dll comctl32.dll secur32.dll crypt32.dll wship6.dll shcore.dll sspicli.dll dwmapi.dll winmm.dll spoolss.dll i64.dll Temp |
File Access (UNICODE):
mscoree.dll Temp |
Interest's Words:
Encrypt Decrypt Encryption PassWord exec attrib start pause cipher hostname sdelete shutdown ping expand route |
Interest's Words (UNICODE):
zombie PassWord start cipher ping |
URLs:
- http://schemas.microsoft.com/SMI/2005/WindowsSettings
- http://schemas.microsoft.com/SMI/2016/WindowsSettings
- http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl
- http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt
- http://ocsp.sectigo.com
- http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl
- http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0
- http://crl.comodoca.com/AAACertificateServices.crl
- http://ocsp.comodoca.com
- http://crl.comodo.net/AAACertificateServices.crl
- http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
- http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
- http://ocsp.usertrust.com
- http://crl.sectigo.com/SectigoRSATimeStampingCA.crl
- http://crt.sectigo.com/SectigoRSATimeStampingCA.crt
- https://www.chiark.greenend.org.uk/~sgtatham/putty/
- https://sectigo.com/CPS0

Strings/Hex Code Found With The File Rules:
- Rule Text (Ascii): WinAPI Sockets (WSACleanup)
- Rule Text (Ascii): WinAPI Sockets (bind)
- Rule Text (Ascii): WinAPI Sockets (listen)
- Rule Text (Unicode): WinAPI Sockets (listen)
- Rule Text (Ascii): WinAPI Sockets (accept)
- Rule Text (Ascii): WinAPI Sockets (connect)
- Rule Text (Unicode): WinAPI Sockets (connect)
- Rule Text (Ascii): WinAPI Sockets (recv)
- Rule Text (Ascii): WinAPI Sockets (send)
- Rule Text (Unicode): WinAPI Sockets (send)
- Rule Text (Ascii): Registry (RegCreateKeyEx)
- Rule Text (Ascii): Registry (RegOpenKeyEx)
- Rule Text (Ascii): Registry (RegSetValueEx)
- Rule Text (Ascii): File (GetTempPath)
- Rule Text (Ascii): File (CreateFile)
- Rule Text (Ascii): File (WriteFile)
- Rule Text (Ascii): File (ReadFile)
- Rule Text (Ascii): Encryption (Blowfish)
- Rule Text (Ascii): Encryption API (CryptAcquireContext)
- Rule Text (Ascii): Encryption API (CryptReleaseContext)
- Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent)
- Rule Text (Ascii): Anti-Analysis VM (GetVersion)
- Rule Text (Ascii): Execution (CreateProcessA)
- Rule Text (Ascii): Execution (ShellExecute)
- Rule Text (Ascii): Antivirus Software (comodo)
- Rule Text (Ascii): Antivirus Software (f-prot)
- Rule Text (Ascii): Keyboard Key (Alt+)
- Rule Text (Ascii): Keyboard Key (Scroll)
- Rule Text (Ascii): Keyboard Key (CapsLock)
- Rule Text (Ascii): Keyboard Key (Backspace)
- Rule Text (Ascii): Information used to authenticate a user's identity (Credential)
- Rule Text (Ascii): Information used for user authentication (Credential)
- Rule Text (Ascii): Unauthorized movement of funds or data (Transfer)
- Rule Text (Ascii): Technique used to circumvent security measures (Bypass)
- EP Rules: Microsoft Visual C++ 8.0 (DLL)
- EP Rules: PE-Exe Executable Image

Resources:
Path | DataRVA | Size | FileOffset | Code | Text |
---|---|---|---|---|---|
\ICON\1\1033 | 13C520 | 128 | 131F20 | 2800000010000000200000000100040000000000800000000000000000000000000000000000000000000000000080000080 | (....... ......................................... |
\ICON\2\1033 | 13C648 | 2E8 | 132048 | 2800000020000000400000000100040000000000000200000000000000000000000000000000000000000000000080000080 | (... ...@......................................... |
\ICON\3\1033 | 13C930 | 668 | 132330 | 2800000030000000600000000100040000000000800400000000000000000000000000000000000000000000000080000080 | (...0............................................ |
\ICON\4\1033 | 13CF98 | B0 | 132998 | 2800000010000000200000000100010000000000400000000000000000000000000000000000000000000000FFFFFF000000 | (....... ...........@............................. |
\ICON\5\1033 | 13D048 | 130 | 132A48 | 2800000020000000400000000100010000000000800000000000000000000000000000000000000000000000FFFFFF000000 | (... ...@......................................... |
\ICON\6\1033 | 13D178 | 330 | 132B78 | 2800000030000000600000000100010000000000800100000000000000000000000000000000000000000000FFFFFF000000 | (...0............................................ |
\ICON\7\1033 | 13D508 | 128 | 132F08 | 2800000010000000200000000100040000000000800000000000000000000000000000000000000000000000000080000080 | (....... ......................................... |
\ICON\8\1033 | 13D630 | 2E8 | 133030 | 2800000020000000400000000100040000000000000200000000000000000000000000000000000000000000000080000080 | (... ...@......................................... |
\ICON\9\1033 | 13D918 | 668 | 133318 | 2800000030000000600000000100040000000000800400000000000000000000000000000000000000000000000080000080 | (...0............................................ |
\ICON\10\1033 | 13DF80 | B0 | 133980 | 2800000010000000200000000100010000000000400000000000000000000000000000000000000000000000FFFFFF000000 | (....... ...........@............................. |
\ICON\11\1033 | 13E030 | 130 | 133A30 | 2800000020000000400000000100010000000000800000000000000000000000000000000000000000000000FFFFFF000000 | (... ...@......................................... |
\ICON\12\1033 | 13E160 | 330 | 133B60 | 2800000030000000600000000100010000000000800100000000000000000000000000000000000000000000FFFFFF000000 | (...0............................................ |
\DIALOG\102\1033 | 195DA8 | 76 | 18B7A8 | C000C880000000000000000000002C01FC0000005000750054005400590043006F006E0066006900670042006F0078000000 | ..............,.....P.u.T.T.Y.C.o.n.f.i.g.B.o.x... |
\DIALOG\110\1033 | 195E20 | BA | 18B820 | C000C880000000000300640014002C017700000000005000750054005400590020004500760065006E00740020004C006F00 | ..........d...,.w.....P.u.T.T.Y. .E.v.e.n.t. .L.o. |
\DIALOG\111\1033 | 195CA8 | FA | 18B6A8 | C000C8800000000004008C0028000E01880000000000410062006F0075007400200050007500540054005900000008004D00 | ............(.........A.b.o.u.t. .P.u.T.T.Y.....M. |
\DIALOG\113\1033 | 195EE0 | 8A | 18B8E0 | C000C880000000000200320032004601EF00000000005000750054005400590020004C006900630065006E00630065000000 | ..........2.2.F.......P.u.T.T.Y. .L.i.c.e.n.c.e... |
\DIALOG\114\1033 | 195F70 | 1AE | 18B970 | C000C880000000000800320032005401F00000005000750054005400590048006F00730074004B0065007900440069006100 | ..........2.2.T.....P.u.T.T.Y.H.o.s.t.K.e.y.D.i.a. |
\DIALOG\116\1033 | 196120 | DE | 18BB20 | C000C8800000000001008C00280090012C0100005000750054005400590048006F00730074004B00650079004D006F007200 | ............(...,...P.u.T.T.Y.H.o.s.t.K.e.y.M.o.r. |
\DIALOG\117\1033 | 196200 | A8 | 18BC00 | C000C880000000000000000000005E01040100005000750054005400590043006F006E0066006900670042006F0078000000 | ...................P.u.T.T.Y.C.o.n.f.i.g.B.o.x... |
\GROUP_ICON\200\1033 | 13D4A8 | 5A | 132EA8 | 00000100060010101000010004002801000001002020100001000400E8020000020030301000010004006806000003001010020001000100B0000000040020200200010001003001000005003030020001000100300300000600 | ..............(..... ............00......h................... ......0.....00......0..... |
\GROUP_ICON\201\1033 | 13E490 | 5A | 133E90 | 00000100060010101000010004002801000007002020100001000400E8020000080030301000010004006806000009001010020001000100B00000000A002020020001000100300100000B003030020001000100300300000C00 | ..............(..... ............00......h................... ......0.....00......0..... |
\VERSION\1\1033 | 1962A8 | 338 | 18BCA8 | 380334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001004F00 | 8.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............O. |
\24\1\1033 | 1965E0 | 559 | 18BFE0 | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="UTF-8" standalone="y |
\2000\2000\1033 | 13E4F0 | 577B7 | 133EF0 | 49545346030000006000000001000000123456780908000010FD017CAA7BD0119E0C00A0C922E6EC11FD017CAA7BD0119E0C | ITSF............4Vx.......|.{.......".....|.{.... |
Intelligent String:
- @.tls
- Version string did not have expected prefix
- Pageant.exePuTTYgen.exe
- part.ptr
- /home/simon/mem/.build/workdirs/bob-fffbk9my/putty/ssh/login1.c
- ssh->gss_state.lib
- strncmp(pipename, "\\\\.\\pipe\\", 9) == 0
- mscoree.dll
- contents.hhc
- SSH, Telnet, Rlogin, and SUPDUP client
- xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
- xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">

Flow Anomalies:
Offset | RVA | Section | Description |
---|---|---|---|
E6726-E67FF | ?? | ?? | Unusual BP Cave, count: 218 |
18E600 | ?? | *Overlay* | 20570000000202003082571206092A864886F70D | W......0.W...*.H... |
Extra 4n4lysis:
Metric | Value | Percentage |
---|---|---|
Ascii Code | 1042492 | 63,0267% |
Null Byte Code | 244676 | 14,7926% |
© 2025 All rights reserved.