PESCAN.IO - Analysis Report Basic

File Structure
[Analysis image not reproduced. Chart colour key for PE files: executable header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red marks a malformed or corrupted header. Key for other file types: printable characters (blue), non-printable characters (black).]
Information
Size: 1.58 MB
SHA-256 Hash: AD80C7781D60F18DAA92E7EE6FDF1F885B0E7BB9B5FDC74D686EC04208D31E86
SHA-1 Hash: 43677E8ABDF80A112F70446C0FA2B65F36006DDA
MD5 Hash: 7EDC2F1C2EEAC6DE4E3C862126BABC64
Imphash: D41D8CD98F00B204E9800998ECF8427E (this is the MD5 of the empty string, i.e. no import entries were fed into the hash)
MajorOSVersion: 4
CheckSum: 0319A955
EntryPoint (rva): F000046B
SizeOfHeaders: 30001000
SizeOfImage: C0745E73
ImageBase: F0400000
Architecture: x86
ExportTable: F07E7000
ImportTable: F0895424
Characteristics: FF0E
TimeDateStamp: F0000444
Date: 05/08/2097 9:22:12
File Type: EXE
Number Of Sections: 13107
ASLR: Disabled
Number Of Executable Sections: 872
Subsystem: -4094

Several of these fields are outside what the Windows loader accepts: NumberOfSections (13107) exceeds the loader's limit of 96, SizeOfHeaders (0x30001000, roughly 800 MB) is larger than the 1.58 MB file, the entry point RVA (0xF000046B) lies beyond SizeOfImage (0xC0745E73), Subsystem -4094 (0xF002) is not a defined IMAGE_SUBSYSTEM value, and the TimeDateStamp resolves to the year 2097. Treat the header-derived fields, and everything computed from them (section counts, entry-point location, overlay size), as unreliable; the file hashes, size, strings and entropy do not depend on the header and remain usable.
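
To see how the fields above are read from a file and which of them a loader would reject, here is an added Python example that is not part of the PESCAN.IO report. It builds a constructed minimal PE32 header, parses the DOS, NT, optional and section headers with struct, applies plausibility checks (section count within the loader's 96-section limit, SizeOfHeaders within the file size, entry point inside a section, known subsystem, timestamp not in the future) and computes a pefile-style imphash, showing that an empty import list yields the D41D8CD9... value reported above. The build_minimal_pe, header_findings and section_containing helpers, the fixed reference time and the field values of the corrupted variant are assumptions for illustration; only the PE32 (not PE32+) layout is parsed and ordinal imports are not resolved.

```python
import hashlib
import struct

MAX_SECTIONS = 96                     # the Windows loader rejects images with more sections
KNOWN_SUBSYSTEMS = set(range(0, 17))  # IMAGE_SUBSYSTEM_UNKNOWN .. WINDOWS_BOOT_APPLICATION
FILE_HDR = "<HHIIIHH"                 # IMAGE_FILE_HEADER, 20 bytes
OPT_HDR32 = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"  # IMAGE_OPTIONAL_HEADER32 up to NumberOfRvaAndSizes
SECTION_HDR = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes


def build_minimal_pe(num_sections=1, entry_rva=0x1000, subsystem=2,
                     size_of_image=0x3000, image_base=0x400000):
    """Constructed one-section PE32 image used as test input; NOT the sample from the report."""
    size_of_headers = 0x400
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", 0x40)   # e_lfanew: NT headers follow the DOS header
    file_hdr = struct.pack(FILE_HDR, 0x14C, num_sections, 0x5EE1A100, 0, 0, 0xE0, 0x0102)
    opt = struct.pack(OPT_HDR32,
                      0x10B, 14, 0,                          # PE32 magic, linker 14.0
                      0x200, 0, 0,                           # SizeOfCode, init data, uninit data
                      entry_rva, 0x1000, 0x2000,             # AddressOfEntryPoint, BaseOfCode, BaseOfData
                      image_base, 0x1000, 0x200,             # ImageBase, SectionAlignment, FileAlignment
                      6, 0, 0, 0, 6, 0,                      # OS / image / subsystem versions
                      0, size_of_image, size_of_headers, 0,  # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      subsystem, 0x8140,                     # Subsystem, DllCharacteristics (DYNAMIC_BASE|NX|TS_AWARE)
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                       # 16 empty data directories
    text = struct.pack(SECTION_HDR, b".text\0\0\0", 0x200, 0x1000, 0x200, 0x400,
                       0, 0, 0, 0, 0x60000020)               # CODE | EXECUTE | READ
    hdr = bytes(dos) + b"PE\0\0" + file_hdr + opt + text
    return hdr.ljust(size_of_headers, b"\0") + b"\xC3" * 0x200   # .text body: ret instructions


def parse_pe(data):
    """Return (header fields, section list) for a PE32 file; raises ValueError without MZ/PE."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    fh = struct.unpack_from(FILE_HDR, data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    oh = struct.unpack_from(OPT_HDR32, data, opt_off)     # PE32 layout assumed (PE32+ differs)
    fields = {"Machine": fh[0], "NumberOfSections": fh[1], "TimeDateStamp": fh[2],
              "SizeOfOptionalHeader": fh[5], "Characteristics": fh[6],
              "Magic": oh[0], "AddressOfEntryPoint": oh[6], "ImageBase": oh[9],
              "SizeOfImage": oh[19], "SizeOfHeaders": oh[20], "Subsystem": oh[22]}
    sections = []
    sec_off = opt_off + fields["SizeOfOptionalHeader"]
    for i in range(min(fields["NumberOfSections"], MAX_SECTIONS)):  # never trust the count blindly
        off = sec_off + i * 40
        if off + 40 > len(data):
            break                                              # section table runs off the file
        s = struct.unpack_from(SECTION_HDR, data, off)
        sections.append({"Name": s[0].rstrip(b"\0").decode("ascii", "replace"),
                         "VirtualSize": s[1], "VirtualAddress": s[2], "SizeOfRawData": s[3]})
    return fields, sections


def section_containing(sections, rva):
    """Index of the section whose virtual range holds rva (the report's 'Entry Point' step), or None."""
    for i, s in enumerate(sections):
        size = max(s["VirtualSize"], s["SizeOfRawData"])
        if s["VirtualAddress"] <= rva < s["VirtualAddress"] + size:
            return i
    return None


def header_findings(data, fields, sections, reference_time=0x66000000):
    """Plausibility checks to run before trusting header-derived fields (reference_time: March 2024, fixed)."""
    f = []
    if fields["Magic"] not in (0x10B, 0x20B):
        f.append("optional header magic is neither PE32 nor PE32+")
    n = fields["NumberOfSections"]
    if n == 0 or n > MAX_SECTIONS:
        f.append(f"NumberOfSections={n} outside loader limit 1..{MAX_SECTIONS}")
    if fields["SizeOfHeaders"] > len(data):
        f.append("SizeOfHeaders exceeds file size")
    if fields["SizeOfImage"] < fields["SizeOfHeaders"]:
        f.append("SizeOfImage smaller than SizeOfHeaders")
    if fields["ImageBase"] % 0x10000:
        f.append("ImageBase not 64 KiB aligned")
    if fields["Subsystem"] not in KNOWN_SUBSYSTEMS:
        f.append(f"unknown Subsystem 0x{fields['Subsystem']:X}")
    if fields["TimeDateStamp"] > reference_time:
        f.append("TimeDateStamp lies in the future")
    ep = fields["AddressOfEntryPoint"]
    if ep >= fields["SizeOfImage"] or section_containing(sections, ep) is None:
        f.append(f"entry point RVA 0x{ep:X} not inside any section")
    return f


def imphash(imports):
    """pefile-style import hash over (dll, function) pairs; ordinal imports not resolved (assumption)."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[:-len(ext)]
                break
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


if __name__ == "__main__":
    clean = build_minimal_pe()
    broken = build_minimal_pe(num_sections=13107, subsystem=0xF002, size_of_image=0x100)
    for label, blob in (("clean", clean), ("corrupted", broken)):
        fields, sections = parse_pe(blob)
        print(label, header_findings(blob, fields, sections) or "no findings")
    print("imphash with no imports:", imphash([]))
```

The corrupted variant reuses the report's section count and subsystem value so the checks fire on exactly the kind of header shown above; a real triage script would run the same findings before reporting any header-derived value as fact.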

Binder/Joiner/Crypter
Dropper code detected (EOF) - 1018.31 MB (larger than the 1.58 MB file itself, so this overlay figure cannot be trusted)

Entry Point
Section 13104 contains the entry point (a section index above 96 cannot be loaded by Windows).
EntryPoint (calculated): FFF9CD80

Signatures
Certificate - Digital Signature:
• The file is not signed

Duplicate Sections
One section appears twice (duplicate section found).

Packer/Compiler
Compiler: Microsoft Visual C++
Detect It Easy (die)
PE: protector: Armadillo(6.X-9.X)[-]
PE: linker: Turbo Linker(83.82)[DLL32]
Entropy: 7.60235

Suspicious Functions
Library Function Description
KERNEL32.DLL CreateMutexA Creates a named or unnamed mutex object for controlling access to a shared resource.
KERNEL32.DLL GetModuleFileNameA Retrieves the fully qualified path for the executable file of a specified module.
KERNEL32.DLL VirtualAlloc Reserves, commits, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL GetModuleHandleA Retrieves a handle to the specified module.
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL LoadLibraryA Loads the specified module into the address space of the calling process.
KERNEL32.DLL WriteProcessMemory Writes data to an area of memory in a specified process.
KERNEL32.DLL ReadProcessMemory Reads data from an area of memory in a specified process.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL CreateFileA Creates or opens a file or I/O device.
KERNEL32.DLL IsDebuggerPresent Determines whether the calling process is being debugged by a user-mode debugger.
USER32.DLL GetAsyncKeyState Retrieves the status of a virtual key asynchronously.

Taken together, VirtualAlloc, WriteProcessMemory and ReadProcessMemory alongside the CreateProcessA/W and ResumeThread strings matched under the file rules below are the API set used to inject code into another process; IsDebuggerPresent is an anti-debugging check, and GetAsyncKeyState is the polling primitive behind most user-mode keyloggers.
File Access
Shell.exe
GDI32.dll
USER32.dll
KERNEL32.dll
mscoree.dll
ComDlg32.dll
COMCTL32.DLL
Temp

File Access (UNICODE)
Temp

Words of Interest
ToolBar
cscript
exec
start
shutdown
ping
expand

URLs
http://ocsp.verisign.com
http://crl.verisign.com/tss-ca.crl
http://crl.verisign.com/ThawteTimestampingCA.crl
http://crl.verisign.com/pca3.crl
http://CSC3-2004-crl.verisign.com/CSC3-2004.crl
http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer
http://www.dposoft.net0
https://www.verisign.com/rpa
https://www.verisign.com/rpa01
https://www.verisign.com/rpa0

The VeriSign/Thawte OCSP and CRL URLs are typical of embedded X.509 certificate data, even though the scanner reports no signature (see Signatures above); the trailing digits on three of the entries are bytes adjacent to the strings in the file, not part of the URLs.

Payloads
Unusual NOP run > 30 bytes - (0x90909090909090909090...)

Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii WinAPI Sockets (connect)
Text Ascii File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii Anti-Analysis VM (IsDebuggerPresent)
Text Ascii Anti-Analysis VM (GetVersion)
Text Ascii Stealth (VirtualAlloc)
Text Ascii Stealth (VirtualProtect)
Text Ascii Stealth (ReadProcessMemory)
Text Ascii Execution (CreateProcessA)
Text Ascii Execution (CreateProcessW)
Text Ascii Execution (ResumeThread)
Text Ascii Stealer malware focused on obtaining CVV codes to conduct unauthorized transactions (CVV)
Intelligent String
• .PAD
• KERNEL32.DLL
• kernel32.dll
• COMCTL32.DLL
• Kernel32.dll
• User32.dll
• ComDlg32.dll
• RCreateDialogIndirectParamA
• USER32.dll
• MAINICON

Extra Analysis
Metric Value Percentage
Ascii Code 1055395 63.6209%
Null Byte Code 152392 9.1864%
NOP Cave Found 0x9090909090 Block Count: 1802 | Total: 0.2716%
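
The figures in Extra Analysis, the whole-file entropy under Packer/Compiler and the NOP-run payload check can all be reproduced with plain byte statistics. The following Python is an added example, not code from PESCAN.IO: it computes Shannon entropy both for the whole buffer and per fixed-size window (so a packed or encrypted region stands out even when the file average is moderate), the printable-ASCII and NUL-byte shares, and every run of 0x90 longer than 30 bytes, over a constructed sample buffer embedded in the block. The SAMPLE bytes, the 256-byte window and the 7.0 "hot window" threshold are assumptions chosen for illustration.

```python
import math
from collections import Counter

NOP = 0x90


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for constant or empty input, 8.0 for uniform bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data, window=256):
    """(offset, entropy) per window; packed regions show up where a whole-file average hides them."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), window)]


def byte_classes(data):
    """Share of printable ASCII (0x20..0x7E) and NUL bytes, the two ratios in Extra Analysis."""
    n = len(data) or 1
    printable = sum(1 for b in data if 0x20 <= b <= 0x7E)
    return {"ascii": printable / n, "null": data.count(0) / n}


def nop_runs(data, min_len=30):
    """(offset, length) of every run of 0x90 longer than min_len bytes (the '> 30 bytes' rule)."""
    runs, i, n = [], 0, len(data)
    while i < n:
        if data[i] != NOP:
            i += 1
            continue
        j = i
        while j < n and data[j] == NOP:
            j += 1
        if j - i > min_len:
            runs.append((i, j - i))
        i = j
    return runs


# Constructed sample buffer (not the analysed file): DOS stub text, one 40-byte NOP sled,
# a 10-byte sled that must NOT trigger the rule, and 256 distinct bytes (entropy exactly 8.0).
SAMPLE = (b"MZ" + b"\x00" * 62
          + b"This program cannot be run in DOS mode.\r\n"
          + b"\x90" * 40 + b"\xCC"
          + b"\x90" * 10 + b"\xCC"
          + bytes(range(256)))


def summarize(data, window=256, hot=7.0):
    """One dict in the shape of the report's Extra Analysis plus the windows worth unpacking."""
    return {
        "entropy": round(shannon_entropy(data), 5),
        "classes": byte_classes(data),
        "nop_runs": nop_runs(data),
        "hot_windows": [off for off, e in entropy_profile(data, window) if e > hot],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

A whole-file entropy of 7.6 as reported above only says that most of the file is compressed or encrypted; the per-window profile is what tells you which offsets to carve and where the unpacked stub (low entropy, printable strings) sits next to the packed payload.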
© 2025 All rights reserved.