PESCAN.IO - Analysis Report

File Structure: (section layout image, not reproduced in text)
Information:
Size: 1.58 MB
SHA-256 Hash: AD80C7781D60F18DAA92E7EE6FDF1F885B0E7BB9B5FDC74D686EC04208D31E86
SHA-1 Hash: 43677E8ABDF80A112F70446C0FA2B65F36006DDA
MD5 Hash: 7EDC2F1C2EEAC6DE4E3C862126BABC64
Imphash: D41D8CD98F00B204E9800998ECF8427E (this is the MD5 of empty input: no import table was parsed, so the value matches every PE with unparsed imports and carries no information)
MajorOSVersion: 4
CheckSum: 0319A955
EntryPoint (rva): F000046B
SizeOfHeaders: 30001000
SizeOfImage: C0745E73
ImageBase: F0400000
Architecture: x86
ExportTable: F07E7000
ImportTable: F0895424
Characteristics: FF0E
TimeDateStamp: F0000444
Date: 05/08/2097 9:22:12
File Type: EXE
Number Of Sections: 13107
ASLR: Disabled
Number Of Executable Sections: 872
Subsystem: -4094
Caveat: several of the header values above cannot occur in a well-formed PE. The Windows loader refuses images with more than 96 sections, Subsystem is an unsigned 16-bit field and cannot be negative, SizeOfHeaders cannot exceed SizeOfImage, and the Imphash equals the MD5 of empty input. Read the header-derived fields in this report as the output of a header that did not parse as a valid PE image (malformed or deliberately mangled) rather than as properties of a loadable file, and confirm them with an independent PE parser.

Binder/Joiner/Crypter:
Dropper code detected (EOF overlay): 1018.31 MB reported. Caveat: this exceeds the 1.58 MB file size, so the overlay size is computed from a mis-parsed section table rather than from real appended data; verify the overlay offset with a PE parser before treating it as a dropper indicator.

Entry Point:
Section number 13104 is reported to contain the entry point
Information -> EntryPoint (calculated): FFF9CD80

Signatures:
Certificate - Digital Signature:
• The file is not signed

Duplicate Sections:
Duplicate section found (2 occurrences)

Packer/Compiler:
Compiler: Microsoft Visual C++
Detect It Easy (die)
PE: protector: Armadillo(6.X-9.X)[-]
PE: linker: Turbo Linker(83.82)[DLL32]
Entropy: 7.60235 (bits per byte, maximum 8.0; values this close to 8 are typical of packed or encrypted content)

Suspicious Functions:
Library       Function             Description
KERNEL32.DLL  CreateMutexA         Creates a named or unnamed mutex object for controlling access to a shared resource (often used as a single-instance check).
KERNEL32.DLL  GetModuleFileNameA   Retrieves the fully qualified path of the executable file of a specified module.
KERNEL32.DLL  VirtualAlloc         Reserves, commits, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL  GetModuleHandleA     Retrieves a handle to the specified module.
KERNEL32.DLL  WriteFile            Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL  LoadLibraryA         Loads the specified module into the address space of the calling process.
KERNEL32.DLL  WriteProcessMemory   Writes data to an area of memory in a specified process (cross-process write, required for code injection).
KERNEL32.DLL  ReadProcessMemory    Reads data from an area of memory in a specified process.
KERNEL32.DLL  GetProcAddress       Retrieves the address of an exported function or variable from the specified DLL (with LoadLibraryA, lets the binary resolve APIs at run time without listing them in its import table).
KERNEL32.DLL  CreateFileA          Creates or opens a file or I/O device.
KERNEL32.DLL  IsDebuggerPresent    Determines whether the calling process is being debugged by a user-mode debugger (anti-analysis check).
USER32.DLL    GetAsyncKeyState     Retrieves the state of a virtual key asynchronously (polled keystroke capture).
File Access:
Shell.exe
GDI32.dll
USER32.dll
KERNEL32.dll
mscoree.dll
ComDlg32.dll
COMCTL32.DLL
Temp

File Access (UNICODE):
Temp

Words of Interest:
ToolBar
cscript
exec
start
shutdown
ping
expand

URLs:
http://ocsp.verisign.com
http://crl.verisign.com/tss-ca.crl
http://crl.verisign.com/ThawteTimestampingCA.crl
http://crl.verisign.com/pca3.crl
http://CSC3-2004-crl.verisign.com/CSC3-2004.crl
http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer
http://www.dposoft.net0
https://www.verisign.com/rpa
https://www.verisign.com/rpa01
https://www.verisign.com/rpa0

Payloads:
Unusual NOP run longer than 30 bytes (0x90909090909090909090...)

Strings/Hex Patterns Matched by File Rules:
Rule Text (Ascii): WinAPI Sockets (connect)
Rule Text (Ascii): File (CreateFile)
Rule Text (Ascii): File (WriteFile)
Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent)
Rule Text (Ascii): Anti-Analysis VM (GetVersion)
Rule Text (Ascii): Stealth (VirtualAlloc)
Rule Text (Ascii): Stealth (VirtualProtect)
Rule Text (Ascii): Stealth (ReadProcessMemory)
Rule Text (Ascii): Execution (CreateProcessA)
Rule Text (Ascii): Execution (CreateProcessW)
Rule Text (Ascii): Execution (ResumeThread)
Rule Text (Ascii): Stealer malware focused on obtaining CVV codes to conduct unauthorized transactions (CVV)

Notable Strings:
• .PAD
• KERNEL32.DLL
• kernel32.dll
• COMCTL32.DLL
• Kernel32.dll
• User32.dll
• ComDlg32.dll
• RCreateDialogIndirectParamA
• USER32.dll
• MAINICON

Extra Analysis:
Metric                     Value         Percentage
ASCII bytes                1055395       63.6209%
Null bytes                 152392        9.1864%
NOP cave (0x9090909090)    1802 blocks   0.2716%
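The measurements this report presents (header fields, EOF overlay size, entropy, NOP runs, ASCII/null byte shares) can be reproduced offline with nothing but the Python standard library, which is the quickest way to tell a mangled header from a real finding. The script below is an added example written for this page, not pescan.io's code. It builds a small constructed PE32 image (hypothetical, not the file analysed above) so that it runs without a sample, parses the headers with struct, flags values a valid image cannot have (the 96-section loader limit, SizeOfHeaders above SizeOfImage, an unknown Subsystem, an entry point outside every section, a section table that points past end of file), and then applies the entropy, NOP-run and byte-class checks to the same bytes.

```python
"""Stdlib-only PE triage: header sanity checks, overlay (EOF) size, entropy, NOP runs and
byte statistics. Added example, not pescan.io code; the PE image built below is constructed."""
import hashlib
import math
import re
import struct
LOADER_MAX_SECTIONS = 96                  # the Windows loader rejects images with more
KNOWN_SUBSYSTEMS = {0, 1, 2, 3, 5, 7, 8, 9, 10, 11, 12, 13, 14, 16}
DYNAMIC_BASE = 0x0040                     # DllCharacteristics bit: image opts in to ASLR
COFF_FMT = "<HHIIIHH"                     # 20-byte COFF file header
OPT_STD_FMT = "<HBBIIIIII"                # PE32 optional header, standard fields
OPT_WIN_FMT = "<IIIHHHHHHIIIIHHIIIIII"    # PE32 optional header, Windows-specific fields
SECTION_FMT = "<8sIIIIIIHHI"              # 40-byte section header


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or constant input."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_nop_runs(data: bytes, min_len: int = 30):
    """(offset, length) of every run of 0x90 at least min_len bytes long."""
    return [(m.start(), m.end() - m.start()) for m in re.finditer(rb"\x90{%d,}" % min_len, data)]


def byte_stats(data: bytes) -> dict:
    """Printable-ASCII and null-byte share, as in the report's last table."""
    n, ascii_n, null_n = len(data), sum(0x20 <= b <= 0x7E for b in data), data.count(0)
    return {"ascii": ascii_n, "ascii_pct": 100.0 * ascii_n / n, "null": null_n, "null_pct": 100.0 * null_n / n}


def parse_pe(data: bytes) -> dict:
    """Parse the PE32 headers and flag values a well-formed image cannot have."""
    warnings = []
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff_off)
    opt_off = coff_off + struct.calcsize(COFF_FMT)
    magic, _, _, _, _, _, entry_rva, _, _ = struct.unpack_from(OPT_STD_FMT, data, opt_off)
    if magic != 0x10B:
        raise ValueError("not a PE32 optional header")
    (image_base, _, _, _, _, _, _, _, _, _, size_of_image, size_of_headers, _, subsystem,
     dll_chars, *_) = struct.unpack_from(OPT_WIN_FMT, data, opt_off + struct.calcsize(OPT_STD_FMT))
    if nsec > LOADER_MAX_SECTIONS:
        warnings.append(f"NumberOfSections={nsec} exceeds the {LOADER_MAX_SECTIONS}-section loader limit")
    if size_of_headers > size_of_image:
        warnings.append("SizeOfHeaders is larger than SizeOfImage")
    if subsystem not in KNOWN_SUBSYSTEMS:
        warnings.append(f"unknown Subsystem value {subsystem}")
    sections, sec_off = [], opt_off + opt_size
    for i in range(nsec):                 # read only the entries that physically fit in the file
        if sec_off + struct.calcsize(SECTION_FMT) > len(data):
            warnings.append(f"section table truncated after {i} of {nsec} entries")
            break
        name, vsize, va, rawsize, rawptr, *_ = struct.unpack_from(SECTION_FMT, data, sec_off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize})
        sec_off += struct.calcsize(SECTION_FMT)
    if not any(s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"]) for s in sections):
        warnings.append(f"entry point RVA {entry_rva:#x} lies outside every section")
    # Overlay ("EOF" data) is everything past the last byte any section header claims.
    overlay_off = max((s["rawptr"] + s["rawsize"] for s in sections), default=len(data))
    if overlay_off > len(data):
        warnings.append("section table points past end of file; overlay size is meaningless")
    overlay = data[overlay_off:] if overlay_off <= len(data) else b""
    return {"number_of_sections": nsec, "entry_point_rva": entry_rva, "image_base": image_base,
            "subsystem": subsystem, "aslr": bool(dll_chars & DYNAMIC_BASE), "sections": sections,
            "overlay_size": len(overlay), "overlay": overlay, "warnings": warnings}


def build_sample_pe(overlay_blocks: int = 128, nsec_field: int = 1) -> bytes:
    """Constructed PE32 (hypothetical sample): one .text section holding a 40-byte NOP sled, ASLR
    off, overlay_blocks*32 pseudo-random bytes appended; nsec_field mimics a mangled section count."""
    align = 0x200
    code = b"\x55\x8b\xec" + b"\x90" * 40 + b"\x33\xc0\x5d\xc3"   # prologue; NOP sled; xor eax,eax; ret
    raw = code.ljust(align, b"\0")
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    opt_size = struct.calcsize(OPT_STD_FMT) + struct.calcsize(OPT_WIN_FMT) + 16 * 8
    coff = struct.pack(COFF_FMT, 0x14C, nsec_field, 0x5F000000, 0, 0, opt_size, 0x0102)
    opt_std = struct.pack(OPT_STD_FMT, 0x10B, 14, 0, len(raw), 0, 0, 0x1000, 0x1000, 0x2000)
    opt_win = struct.pack(OPT_WIN_FMT, 0x400000, 0x1000, align, 4, 0, 0, 0, 4, 0, 0, 0x2000, align, 0,
                          2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # Subsystem=GUI, no ASLR bit
    section = struct.pack(SECTION_FMT, b".text", len(code), 0x1000, len(raw), align,
                          0, 0, 0, 0, 0x60000020)                 # CODE | EXECUTE | READ
    headers = (dos + b"PE\0\0" + coff + opt_std + opt_win + b"\0" * 128 + section).ljust(align, b"\0")
    overlay = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(overlay_blocks))
    return headers + raw + overlay


if __name__ == "__main__":
    for image in (build_sample_pe(), build_sample_pe(nsec_field=13107)):
        info = parse_pe(image)
        print(info["number_of_sections"], info["overlay_size"], round(entropy(info["overlay"]), 3), info["warnings"])
```

Run as-is, the script reports the well-formed image first and then a copy whose NumberOfSections was set to 13107, which triggers the same class of warning the fields in this report would raise; point parse_pe() at open(path, "rb").read() to check a real sample. The 96-section ceiling is the loader's, so an image above it does not run even when the rest of the header is intact, and an overlay offset beyond end of file means any "dropper (EOF)" size derived from that table should be discarded.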
© 2025 All rights reserved.