PESCAN.IO - Analysis Report

File Structure: (file structure image not available in this extraction)

Information:
Icon:
Size: 1,92 MB
SHA-256 Hash: E54AA829C41C2FDD061E51A97B09479C1701523CCC08DAD59CAC9E39ED0C5EAC
SHA-1 Hash: CCBE85521B7465258F2946DEAD99FED051510E68
MD5 Hash: 7BC440C3BEB6F6C96EE297609AF6534F
Imphash: 56A78D55F3F7AF51443E58E0CE2FB5F6
MajorOSVersion: 4
CheckSum: 001EF2D5
EntryPoint (rva): 352D
SizeOfHeaders: 400
SizeOfImage: 75000
ImageBase: 400000
Architecture: x86
ImportTable: 8610
Characteristics: 10F
TimeDateStamp: 614F9B5A
Date: 25/09/2021 21:57:46
File Type: EXE
Number Of Sections: 5
ASLR: Enabled
Section Names: .text, .rdata, .data, .ndata, .rsrc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info:
Section Name | Flags | ROffset | RSize | VOffset | VSize |
---|---|---|---|---|---|
.text | 60000020 (Executable) | 400 | 6A00 | 1000 | 6897 |
.rdata | 40000040 | 6E00 | 1600 | 8000 | 14A6 |
.data | C0000040 (Writeable) | 8400 | 600 | A000 | 2B018 |
.ndata | C0000080 (Writeable) | 0 | 0 | 36000 | 36000 |
.rsrc | 40000040 | 8A00 | 8C00 | 6C000 | 8AB0 |
Description:
CompanyName: Fast Corporation LTD
LegalCopyright: Fast Corporation LTD
ProductName: PC App Store

Binder/Joiner/Crypter:
Dropper code detected (EOF) - 1,47 MB

Entry Point:
Section number (1) (.text) contains the Entry Point.
EntryPoint (calculated): 292D
Code: 558BEC81ECF40300005356576A205F33DB6801800000895DECC745FCE0A24000895DF0FF15CC8040008B35D08040008D85C0
Disassembly at the Entry Point:
• PUSH EBP
• MOV EBP, ESP
• SUB ESP, 0X3F4
• PUSH EBX
• PUSH ESI
• PUSH EDI
• PUSH 0X20
• POP EDI
• XOR EBX, EBX
• PUSH 0X8001
• MOV DWORD PTR [EBP - 0X14], EBX
• MOV DWORD PTR [EBP - 4], 0X40A2E0
• MOV DWORD PTR [EBP - 0X10], EBX
• CALL DWORD PTR [0X4080CC]
• MOV ESI, DWORD PTR [0X4080D0]

Signatures:
Rich Signature Analyzer:
Code: AD310881E95066D2E95066D2E95066D22A5F39D2EB5066D2E95067D24C5066D22A5F3BD2E65066D2BD7356D2E35066D22E5660D2E85066D252696368E95066D2
Footprint md5 Hash: 8D248B46736E162BA0D0DEE443AD4BB3
• The Rich header apparently has not been modified
Certificate - Digital Signature:
• The file is signed and the signature is correct

Packer/Compiler:
Compiler: Nullsoft Install System - Version: v3.08
Detect It Easy (die):
• PE: installer: Nullsoft Scriptable Install System(3.08)[zlib]
• PE: linker: Microsoft Linker(6.0*)[EXE32,signed]
• PE: overlay: NSIS data(-)[-]
• Entropy: 7.98851

Suspicious Functions:
Library | Function | Description |
---|---|---|
KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
KERNEL32.DLL | CopyFileW | Copies an existing file to a new file. |
KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
SHELL32.DLL | ShellExecuteExW | Performs a run operation on a specific file. |
Windows REG (UNICODE):
Software\Microsoft\Windows\CurrentVersion

File Access:
Nullsoft.NSIS.exe
KERNEL32.dll
GDI32.dll
USER32.dll
COMCTL32.dll
ole32.dll
SHELL32.dll
ADVAPI32.dll
Temp

File Access (UNICODE):
%s%S.dll
Temp

Words of Interest:
exec
attrib
shutdown
ping
expand

Words of Interest (UNICODE):
shutdown

URLs:
http://ocsp.digicert.com
http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
http://crl3.digicert.com/DigiCertTrustedRootG4.crl
http://www.digicert.com/CPS0
http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl

URLs (UNICODE):
http://nsis.sf.net/NSIS_Error

Strings/Hex Code Found With The File Rules:
• Rule Text (Ascii): Registry (RegCreateKeyEx)
• Rule Text (Ascii): Registry (RegOpenKeyEx)
• Rule Text (Ascii): Registry (RegSetValueEx)
• Rule Text (Ascii): Registry (RegDeleteKeyEx)
• Rule Text (Ascii): File (GetTempPath)
• Rule Text (Ascii): File (CopyFile)
• Rule Text (Ascii): File (CreateFile)
• Rule Text (Ascii): File (WriteFile)
• Rule Text (Ascii): File (ReadFile)
• Rule Text (Ascii): Anti-Analysis VM (GetVersion)
• Rule Text (Ascii): Execution (CreateProcessW)
• Rule Text (Ascii): Execution (ShellExecute)
• Rule Text (Unicode): Privileges (SeShutdownPrivilege)
• EP Rules: fasm -> Tomasz Grysztar

Resources:
Path | DataRVA | Size | FileOffset | Code | Text |
---|---|---|---|---|---|
\ICON\1\1033 | 6C298 | 4228 | 8C98 | 280000004000000080000000010020000000000000400000130B0000130B0000000000000000000000000000000000000000 | (...@......... ......@............................ |
\ICON\2\1033 | 704C0 | 25A8 | CEC0 | 280000003000000060000000010020000000000000240000130B0000130B0000000000000000000000000000000000000000 | (...0........ ......$............................ |
\ICON\3\1033 | 72A68 | 10A8 | F468 | 280000002000000040000000010020000000000000100000130B0000130B0000000000000000000000000000E3D9CF00E5D7 | (... ...@..... ................................... |
\ICON\4\1033 | 73B10 | 468 | 10510 | 280000001000000020000000010020000000000000040000130B0000130B00000000000000000000E3DCD307E3DBD267E3DB | (....... ..... ................................g.. |
\DIALOG\105\1033 | 73F78 | 202 | 10978 | 0100FFFF00000000000000004808CA800E00000000004B01DE000000000000000800000000014D0053002000530068006500 | ............H.........K...............M.S. .S.h.e. |
\DIALOG\106\1033 | 74180 | F8 | 10B80 | 0100FFFF0000000000000000480400400400000000002C018C000000000000000800000000014D0053002000530068006500 | ............H..@......,...............M.S. .S.h.e. |
\DIALOG\107\1033 | 74278 | A0 | 10C78 | 0100FFFF0000000000000000480400400300000000002C018C000000000000000800000000014D0053002000530068006500 | ............H..@......,...............M.S. .S.h.e. |
\DIALOG\111\1033 | 74318 | EE | 10D18 | 0100FFFF0000000000000000C8080080030000000000A7002B000000000000000800000000014D0053002000530068006500 | ........................+.............M.S. .S.h.e. |
\GROUP_ICON\103\1033 | 74408 | 3E | 10E08 | 00000100040010100000010020006804000004002020000001002000A810000003003030000001002000A825000002004040 | ............ .h..... .... .......00.... ..%....@@ |
\VERSION\1\1033 | 74448 | 240 | 10E48 | 400234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000000000000 | @.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
\24\1\1033 | 74688 | 423 | 11088 | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="UTF-8" standalone="y |
Intelligent Strings:
• COMCTL32.dll
• USER32.dll
• http://nsis.sf.net/NSIS_Error
• .tmp
• .exe
• %s%S.dll
• JNHd
• :060U00Uq]dL.g?O0U0E1-Q!m0U0y+m0k0$+0http://ocsp.digicert.com0C+07http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0EU>0<0:864http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0U

Extra Analysis:
Metric | Value | Percentage |
---|---|---|
Ascii Code | 1365515 | 67,7489% |
Null Byte Code | 17639 | 0,8751% |