PREMIUM PESCAN.IO - Analysis Report

File Structure (analysis image)
PE chart legend: PE header (light blue); executable sections (pink); non-executable sections (black); external injected code (red). A file structure drawn in red indicates a malformed or corrupted header.
Chart legend for other files: printable characters (blue); non-printable characters (black).
Information
Size: 5,05 MB
SHA-256 Hash: 2BFB9742D15E8C2D1E01DEFD46D2F09E1D758E68E49A7C1C5DC1A4557B311C7D
SHA-1 Hash: A5A71A601C41D8346A7279EC292FDBDC8DFFEA16
MD5 Hash: 843B7D700D01ADEB4EDDEAAED20EAE05
Imphash: 0CDADFA1098D845DD3B4CF92625B5F04
MajorOSVersion: 5
MinorOSVersion: 2
CheckSum: 0051CBC1
EntryPoint (rva): 15EC
SizeOfHeaders: 400
SizeOfImage: 513000
ImageBase: 0000000180000000
Architecture: x64
ExportTable: BB80
ImportTable: B3FC
IAT: 9000
Characteristics: 2022
TimeDateStamp: 59145729
Date: 11/05/2017 12:20:57
File Type: DLL
Number Of Sections: 6
ASLR: Enabled
Section Names (Optional Header): .text, .rdata, .data, .pdata, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows Console

Sections Info
Section Name  Flags       Characteristics                          ROffset  RSize   VOffset  VSize   Entropy  Chi2
.text         0x60000020  Code, Executable, Readable               400      7C00    1000     7B78    6.3247   239750.79
.rdata        0x40000040  Initialized Data, Readable               8000     2C00    9000     2BC8    4.7048   603706.23
.data         0xC0000040  Initialized Data, Readable, Writeable    AC00     1400    C000     3660    1.8228   846434.1
.pdata        0x40000040  Initialized Data, Readable               C000     800     10000    78C     4.2494   147578.5
.rsrc         0x40000040  Initialized Data, Readable               C800     500200  11000    500200  3.5727   593309938.18
.reloc        0x42000040  Initialized Data, GP-Relative, Readable  50CA00   E00     512000   CA8     0        913920
Binder/Joiner/Crypter
5 Executable files found

Entry Point
Section number 1 contains the Entry Point
Information -> EntryPoint (calculated file offset) - 9EC
Code -> 48895C24084889742410574883EC20498BF88BDA488BF183FA017505E81B2700004C8BC78BD3488BCE488B5C2430488B7424
Assembler
|MOV QWORD PTR [RSP + 8], RBX
|MOV QWORD PTR [RSP + 0X10], RSI
|PUSH RDI
|SUB RSP, 0X20
|MOV RDI, R8
|MOV EBX, EDX
|MOV RSI, RCX
|CMP EDX, 1
|JNE 0X1021
|CALL 0X373C
|MOV R8, RDI
|MOV EDX, EBX
|MOV RCX, RSI
|MOV RBX, QWORD PTR [RSP + 0X30]
Signatures
CheckSum Integrity Problem:
Header: 5360577
Calculated: 5323492
Rich Signature Analyzer:
Code -> 6B554B172F3425442F3425442F34254434A98F447C34254434A9BB4426342544264CB6442C3425442F3424447F34254434A98E443834254434A9BE442E34254434A9BF442E34254434A9B8442E342544526963682F342544
Footprint md5 Hash -> 2F1A3CC277D2C04A42D0D86BA0B4F54B
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Compiler: Microsoft Visual C++
Compiler: Microsoft Visual C++ 6 DLL
Detect It Easy (die)
PE+(64): compiler: Microsoft Visual C/C++(2010 SP1)[-]
PE+(64): linker: Microsoft Linker(10.0)[-]
Entropy: 3.60153

Suspicious Functions
Library Function Description
KERNEL32.DLL GetModuleFileNameA Retrieves the fully qualified path for the executable file of a specified module.
KERNEL32.DLL VirtualAlloc Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL GetModuleHandleA Retrieves a handle to the specified module.
KERNEL32.DLL CopyFileA Copies an existing file to a new file.
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL LoadLibraryA Loads the specified module into the address space of the calling process.
KERNEL32.DLL LoadLibraryW Loads the specified module into the address space of the calling process.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL CreateFileA Creates or opens a file or I/O device.
KERNEL32.DLL IsDebuggerPresent Determines if the calling process is being debugged by a user-mode debugger.
ADVAPI32.DLL CryptEncrypt Performs a cryptographic operation on data in a data block.
ADVAPI32.DLL CryptDecrypt Performs a cryptographic operation on data in a data block.
ADVAPI32.DLL RegSetValueExA Sets the data and type of a specified value under a registry key.
ET Functions (carving)
Original Name -> launcher.dll
PlayGame

File Access
tasksche.exe
cmd.exe
mssecsvr.exe
kernel32.dll
advapi32.dll
MSVCP60.dll
MSVCRT.dll
WS2_32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
msvcrtd.dll
msvcrt.dll
launcher.dll
WININET.dll
iphlpapi.dll
@.dat
.dat
PPh.dat
Temp

File Access (UNICODE)
CorExitProcessmscoree.dll
USER32.DLL
CreateFileACreateProcessAkernel32.dll
Temp

Words of Interest
Encrypt
Decrypt
attrib
start
cacls
icacls
systeminfo
replace

URLs
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

IP Addresses
172.16.99.5
192.168.56.20

PE Carving
Start Offset Header End Offset Size (Bytes)
0 C8A8 C8A8
C8A8 178C8 B020
178C8 1B928 4060
1B928 3E94C 23024
3E94C 50D800 4CEEB4
Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii Registry (RegSetValueEx)
Text Ascii File (GetTempPath)
Text Ascii File (CopyFile)
Text Ascii File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii File (ReadFile)
Text Ascii Service (OpenSCManager)
Text Ascii Service (CreateService)
Text Ascii Service (StartServiceCtrlDispatcher)
Text Ascii Encryption (Microsoft Base Cryptographic Provider v1.0)
Text Ascii Encryption (Microsoft Enhanced RSA and AES Cryptographic Provider)
Text Ascii Encryption API (CryptAcquireContext)
Text Ascii Encryption API (CryptGenKey)
Text Ascii Encryption API (CryptDecrypt)
Text Ascii Encryption API (CryptReleaseContext)
Text Ascii Anti-Analysis VM (IsDebuggerPresent)
Text Ascii Anti-Analysis VM (GetVersion)
Text Ascii Stealth (CloseHandle)
Text Ascii Stealth (IsBadReadPtr)
Text Ascii Stealth (VirtualAlloc)
Text Ascii Stealth (VirtualProtect)
Text Ascii Execution (CreateProcessA)
Text Ascii Malware that monitors and collects user data (Spy)
Resources
Path DataRVA Size FileOffset CodeTextPE/Payload
\W\101\1033 110A4 500000 C8A4 00D022004D5A90000300000004000000FFFF0000B80000000000000040000000000000000000000000000000000000000000..".MZ......................@.....................(Executable found)
\24\2\1033 5110A4 15A 50C8A4 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000..................................................N/A
Intelligent String
• msvcrtd.dll
• msvcrt.dll
• KERNEL32.dll
• WINDOWSmssecsvr.exe
• WS2_32.dll
• ADVAPI32.dll
• USER32.DLL
• mscoree.dll
• msvcrt.dll
• /iC:\%s\qeriuwjhrf
• WINDOWStasksche.exe
• kernel32.dll
• http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
• advapi32.dll
• .der
• .pfx
• .key
• .crt
• .csr
• .pem
• .odt
• .ott
• .sxw
• .stw
• .uot
• .max
• .ods
• .ots
• .sxc
• .stc
• .dif
• .slk
• .odp
• .otp
• .sxd
• .std
• .uop
• .odg
• .otg
• .sxm
• .mml
• .lay
• .asc
• .sql
• .mdb
• .dbf
• .odb
• .frm
• .myd
• .myi
• .ibd
• .mdf
• .ldf
• .sln
• .suo
• .cpp
• .pas
• .asm
• .cmd
• .bat
• .ps1
• .vbs
• .dip
• .dch
• .sch
• .brd
• .jsp
• .php
• .asp
• .jar
• .wav
• .swf
• .fla
• .wmv
• .mpg
• .vob
• .asf
• .avi
• .mov
• .mkv
• .flv
• .wma
• .mid
• .svg
• .psd
• .nef
• .tif
• .cgm
• .raw
• .gif
• .png
• .bmp
• .jpg
• .vcd
• .iso
• .zip
• .rar
• .tgz
• .tar
• .bak
• .tbk
• .PAQ
• .ARC
• .aes
• .gpg
• .vmx
• .vdi
• .sti
• .sxi
• .hwp
• .snt
• .dwg
• .pdf
• .wks
• .rtf
• .csv
• .txt
• .vsd
• .edb
• .eml
• .msg
• .ost
• .pst
• .pps
• .pot
• .ppt
• .xlc
• .xlm
• .xlt
• .xlw
• .xls
• .dot
• .doc
• CreateFileWkernel32.dll
• cmd.exe /c "%s"XIA115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
• Global\MsWinZonesCacheCounterMutexAtasksche.exe
• icacls . /grant Everyone:F /T /C /Qattrib +h .WNcry@2ol7

Flow Anomalies
Offset RVA Section Description
436 N/A .text CALL QWORD PTR [RIP+0x7FF4]
455 N/A .text CALL QWORD PTR [RIP+0x7FCD]
463 N/A .text CALL QWORD PTR [RIP+0x7FB7]
47B N/A .text CALL QWORD PTR [RIP+0x7F97]
4AF N/A .text CALL QWORD PTR [RIP+0x7F5B]
4D3 N/A .text CALL QWORD PTR [RIP+0x7F2F]
4DC N/A .text CALL QWORD PTR [RIP+0x7F1E]
578 N/A .text CALL QWORD PTR [RIP+0x7EBA]
587 N/A .text CALL QWORD PTR [RIP+0x7E73]
592 N/A .text CALL QWORD PTR [RIP+0x7E68]
7B3 N/A .text CALL QWORD PTR [RIP+0x7C97]
88A N/A .text CALL QWORD PTR [RIP+0x7BB8]
89E N/A .text CALL QWORD PTR [RIP+0x7B9C]
13A9 N/A .text CALL QWORD PTR [RIP+0x70A9]
13F1 N/A .text CALL QWORD PTR [RIP+0x7061]
1411 N/A .text CALL QWORD PTR [RIP+0x7041]
18B5 N/A .text CALL QWORD PTR [RIP+0x6BCD]
193D N/A .text CALL QWORD PTR [RIP+0x6B2D]
1947 N/A .text CALL QWORD PTR [RIP+0x6B1B]
1952 N/A .text CALL QWORD PTR [RIP+0x6B08]
19AC N/A .text CALL QWORD PTR [RIP+0x6AEE]
19BF N/A .text JMP QWORD PTR [RIP+0x6AD3]
19EF N/A .text CALL QWORD PTR [RIP+0x6A63]
1BF4 N/A .text CALL QWORD PTR [RIP+0xCE56]
1C32 N/A .text CALL QWORD PTR [RIP+0x6870]
1D2B N/A .text JMP QWORD PTR [RIP+0x675F]
1D47 N/A .text CALL QWORD PTR [RIP+0x676B]
1E22 N/A .text CALL QWORD PTR [RIP+0x66A0]
1E30 N/A .text CALL QWORD PTR [RIP+0x667A]
1E5C N/A .text CALL QWORD PTR [RIP+0x65E6]
1E70 N/A .text CALL QWORD PTR [RIP+0x65CA]
1E88 N/A .text CALL QWORD PTR [RIP+0x6632]
200D N/A .text CALL QWORD PTR [RIP+0x649D]
201E N/A .text CALL QWORD PTR [RIP+0x6424]
204F N/A .text CALL QWORD PTR [RIP+0x647B]
2080 N/A .text CALL QWORD PTR [RIP+0x63C2]
2094 N/A .text CALL QWORD PTR [RIP+0x63A6]
20CE N/A .text CALL QWORD PTR [RIP+0x6404]
20E0 N/A .text CALL QWORD PTR [RIP+0x63E2]
2136 N/A .text CALL QWORD PTR [RIP+0x63A4]
21BD N/A .text CALL QWORD PTR [RIP+0x631D]
2243 N/A .text CALL QWORD PTR [RIP+0x6297]
2293 N/A .text CALL QWORD PTR [RIP+0x6257]
22A8 N/A .text CALL QWORD PTR [RIP+0x623A]
22CF N/A .text CALL QWORD PTR [RIP+0x6223]
23CC N/A .text CALL QWORD PTR [RIP+0xC66E]
2440 N/A .text CALL QWORD PTR [RIP+0xC602]
24B0 N/A .text CALL QWORD PTR [RIP+0x5FA2]
24CE N/A .text CALL QWORD PTR [RIP+0x5F84]
250E N/A .text CALL QWORD PTR [RIP+0x5F44]
2528 N/A .text CALL QWORD PTR [RIP+0x5F2A]
2538 N/A .text CALL QWORD PTR [RIP+0x5F1A]
25C4 N/A .text CALL QWORD PTR [RIP+0x5F2E]
2649 N/A .text CALL QWORD PTR [RIP+0x5ED1]
27B4 N/A .text CALL QWORD PTR [RIP+0x5D5E]
27F2 N/A .text CALL QWORD PTR [RIP+0x5D18]
2851 N/A .text CALL QWORD PTR [RIP+0x5CB1]
2868 N/A .text CALL QWORD PTR [RIP+0x5CAA]
2899 N/A .text CALL QWORD PTR [RIP+0x5C71]
28D4 N/A .text CALL QWORD PTR [RIP+0x5C26]
2932 N/A .text CALL QWORD PTR [RIP+0x5BF0]
2CA6 N/A .text CALL QWORD PTR [RIP+0x5884]
2D81 N/A .text CALL QWORD PTR [RIP+0x57C1]
2DD8 N/A .text CALL QWORD PTR [RIP+0x5762]
2E13 N/A .text CALL QWORD PTR [RIP+0x5727]
2E2B N/A .text CALL QWORD PTR [RIP+0x5707]
2E39 N/A .text CALL QWORD PTR [RIP+0x56F9]
2EE2 N/A .text CALL QWORD PTR [RIP+0x5678]
2EF4 N/A .text CALL QWORD PTR [RIP+0x565E]
2F12 N/A .text CALL QWORD PTR [RIP+0x5638]
2F2F N/A .text CALL QWORD PTR [RIP+0x5633]
315F N/A .text CALL QWORD PTR [RIP+0x5423]
316A N/A .text CALL QWORD PTR [RIP+0x5410]
3176 N/A .text CALL QWORD PTR [RIP+0x52C4]
3182 N/A .text CALL QWORD PTR [RIP+0x53F0]
3193 N/A .text CALL QWORD PTR [RIP+0x53D7]
321E N/A .text CALL QWORD PTR [RIP+0x536C]
322D N/A .text CALL QWORD PTR [RIP+0x5295]
3477 N/A .text CALL QWORD PTR [RIP+0x5123]
3492 N/A .text CALL QWORD PTR [RIP+0x5100]
3584 N/A .text CALL QWORD PTR [RIP+0x4FB6]
35BC N/A .text CALL QWORD PTR [RIP+0x4E46]
3618 N/A .text CALL QWORD PTR [RIP+0x4DEA]
36EC N/A .text CALL QWORD PTR [RIP+0x4DD6]
37AF N/A .text CALL QWORD PTR [RIP+0x4C53]
3891 N/A .text CALL QWORD PTR [RIP+0x4B71]
3961 N/A .text CALL QWORD PTR [RIP+0x4BD9]
39A9 N/A .text CALL QWORD PTR [RIP+0x4A59]
39BE N/A .text CALL QWORD PTR [RIP+0x4B04]
3A0D N/A .text CALL QWORD PTR [RIP+0x4AB5]
3A2B N/A .text CALL QWORD PTR [RIP+0x49D7]
3DB9 N/A .text JMP QWORD PTR [RIP+0x47E9]
3DEB N/A .text JMP QWORD PTR [RIP+0x47B7]
3E3A N/A .text JMP QWORD PTR [RIP+0x4770]
3E57 N/A .text JMP QWORD PTR [RIP+0x4753]
3F4E N/A .text CALL QWORD PTR [RIP+0x4664]
41EA N/A .text CALL QWORD PTR [RIP+0x43D8]
4214 N/A .text CALL QWORD PTR [RIP+0x43A6]
42D3 N/A .text CALL QWORD PTR [RIP+0x42F7]
42E8 N/A .text CALL QWORD PTR [RIP+0x42CA]
Extra Analysis
Metric Value Percentage
Ascii Code 1252971 23,6491%
Null Byte Code 3518281 66,4055%
NOP Cave Found 0x9090909090 Block Count: 68 | Total: 0,0032%