PESCAN.IO - Analysis Report

File Structure:
Information:
Size: 179.06 KB
SHA-256 Hash: 2FFDEF61AD6F6E925599D889B0FBD1C949D9412719E818867052ABF57E67963A
SHA-1 Hash: 9673B99609492C01A8C64C9A33620EFB3DF338D0
MD5 Hash: 867EED5C96E4E5EEB28884F8D02A0914
Imphash: D41D8CD98F00B204E9800998ECF8427E (this is the MD5 of an empty input, i.e. the import list that was hashed was empty; the value says nothing about the file and must not be used for pivoting)
MajorOSVersion: 6
CheckSum: 00000000
EntryPoint (rva): 79B4
SizeOfHeaders: 400
SizeOfImage: 31000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: 275B0
Characteristics: 22 (EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE)
TimeDateStamp: 674FCB26
Date: 2024-12-04 03:23:18 UTC (decoded from TimeDateStamp; a link-time stamp is trivially forgeable and only indicative)
File Type: EXE
Number Of Sections: 6
ASLR: Disabled (DYNAMIC_BASE not set in DllCharacteristics, even though a .reloc section is present)
Section Names: .text, .rdata, .data, .pdata, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info:
Section  Flags     (decoded)                              ROffset  RSize   VOffset  VSize
.text    60000020  CODE | EXECUTE | READ                  400      1BC00   1000     1BBFC
.rdata   40000040  INITIALIZED_DATA | READ                1C000    BC00    1D000    BA2C
.data    C0000040  INITIALIZED_DATA | READ | WRITE        27C00    1A00    29000    32CC
.pdata   40000040  INITIALIZED_DATA | READ                29600    1600    2D000    15A8
.rsrc    40000040  INITIALIZED_DATA | READ                2AC00    200     2F000    1E0
.reloc   42000040  INITIALIZED_DATA | DISCARDABLE | READ  2AE00    800     30000    6EC
Notes: .data has VSize 32CC > RSize 1A00, so its upper part is zero-filled at load (uninitialized globals) and has no bytes on disk. The last section ends at raw offset 2B600 (177,664 bytes), which is below the reported file size, so the file carries a small overlay past the section table that this view does not show and that is worth extracting and inspecting separately.
Entry Point:
Section 1 (.text) contains the entry point.
Entry point file offset (calculated): 6DB4 (RVA 79B4 - .text VOffset 1000 + .text ROffset 400)
Code -> 008BC8E89F870000E8E607000084C07405E8817F0000E844060000E83706000085C075064883C4205BC3B907000000E89F04
Note: the listing below was decoded from an assumed 0x1000 base rather than the real entry RVA (add 0x69B4 to a listed address to get its RVA), and the byte dump starts one byte before an instruction boundary: the two leading ADD lines are that misalignment (8B C8 is MOV ECX, EAX, and E8 9F 87 00 00 is a CALL swallowed into the first ADD). From there on, the run of CALLs, TEST AL, AL / JE, and the ADD RSP, 0x20 / POP RBX / RET epilogue is consistent with compiler-generated MSVC CRT startup code rather than hand-written code.
ADD BYTE PTR [RBX - 0X78601738], CL
ADD BYTE PTR [RAX], AL
CALL 0X17F3
TEST AL, AL
JE 0X1016
CALL 0X8F97
CALL 0X165F
CALL 0X1657
TEST EAX, EAX
JNE 0X102A
ADD RSP, 0X20
POP RBX
RET
MOV ECX, 7
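The figures in the header and entry-point blocks above (which section holds the entry point, the entry-point file offset, the Characteristics bits, the timestamp, the imphash sanity check, the overlay size and the base shift of the disassembly listing) can all be re-derived from the printed values. The following is an added example written for this report, not PESCAN.IO's code; it uses only the Python standard library and takes the section table and header fields exactly as printed above as its input.

```python
"""
PE header triage helper. Added example, not PESCAN.IO's code: it re-derives
the figures printed in the report above from the values the report prints,
using only the standard library.
"""
import hashlib
from datetime import datetime, timezone

# Section table copied from the report's "Sections Info":
# (name, raw offset, raw size, virtual address, virtual size)
SECTIONS = [
    (".text",  0x00400, 0x1BC00, 0x01000, 0x1BBFC),
    (".rdata", 0x1C000, 0x0BC00, 0x1D000, 0x0BA2C),
    (".data",  0x27C00, 0x01A00, 0x29000, 0x032CC),
    (".pdata", 0x29600, 0x01600, 0x2D000, 0x015A8),
    (".rsrc",  0x2AC00, 0x00200, 0x2F000, 0x001E0),
    (".reloc", 0x2AE00, 0x00800, 0x30000, 0x006EC),
]

ENTRY_POINT_RVA = 0x79B4   # from the report's EntryPoint (rva)
LISTING_BASE = 0x1000      # base the report's disassembly listing assumed

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h), the ones that matter for triage
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}


def find_section(rva, sections=SECTIONS):
    """Return (1-based index, name) of the section containing rva, or None."""
    for idx, (name, _roff, rsize, va, vsize) in enumerate(sections, start=1):
        if va <= rva < va + max(rsize, vsize):
            return idx, name
    return None


def rva_to_file_offset(rva, sections=SECTIONS):
    """Map an RVA to a raw file offset: RawOffset + (rva - VirtualAddress).
    Returns None if the RVA is unmapped or falls in a section's zero-filled
    tail (VirtualSize > SizeOfRawData), which has no bytes on disk."""
    for _name, roff, rsize, va, vsize in sections:
        if va <= rva < va + max(rsize, vsize):
            delta = rva - va
            return roff + delta if delta < rsize else None
    return None


def listing_addr_to_rva(listed):
    """The report disassembled from base 0x1000 instead of the entry RVA;
    shift a listed address back to the real RVA."""
    return listed - LISTING_BASE + ENTRY_POINT_RVA


def decode_file_characteristics(value):
    """Names of the set Characteristics bits, lowest bit first."""
    return [name for bit, name in sorted(FILE_CHARACTERISTICS.items()) if value & bit]


def decode_timestamp(ts):
    """PE TimeDateStamp is seconds since the Unix epoch, interpreted as UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def imphash_is_empty(imphash):
    """An imphash is MD5 over the normalised import list; MD5 of an empty
    input means no imports were hashed at all, so the value is meaningless."""
    return imphash.lower() == hashlib.md5(b"").hexdigest()


def overlay_size(file_size, sections=SECTIONS):
    """Bytes on disk beyond the end of the last section (appended data)."""
    end_of_sections = max(roff + rsize for _n, roff, rsize, _va, _vs in sections)
    return max(0, file_size - end_of_sections)


if __name__ == "__main__":
    print("EP section:", find_section(ENTRY_POINT_RVA))
    print("EP file offset: %#x" % rva_to_file_offset(ENTRY_POINT_RVA))
    print("Import table file offset: %#x" % rva_to_file_offset(0x275B0))
    print("Characteristics:", decode_file_characteristics(0x22))
    print("Timestamp:", decode_timestamp(0x674FCB26))
    print("Imphash empty:", imphash_is_empty("D41D8CD98F00B204E9800998ECF8427E"))
```

Run it as a script to print the derived values. The zero-filled-tail check in rva_to_file_offset() matters for this sample's .data section, whose VSize exceeds its RSize: an RVA in that tail exists in memory but has no file offset to carve from.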

Signatures:
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:
Detect It Easy (die)
PE+(64): linker: Microsoft Linker(14.40)[EXE64]
Entropy: 6.17463 (moderate; consistent with an unpacked, compiler-built binary, as the linker detection above also indicates)

Suspicious Functions:
Library Function Description
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL CreateToolhelp32Snapshot Creates a snapshot of the specified processes, heaps, threads, and modules.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL IsDebuggerPresent Determines if the calling process is being debugged by a user-mode debugger.
SHELL32.DLL ShellExecuteExW Performs an operation (such as open or run) on a specified file, including launching another executable.
Windows REG (UNICODE):
Software\Friends
Software\Softina
SOFTWARE\Microsoft\Cryptography (holds the MachineGuid value, commonly read as a per-host identifier)

File Access:
WINHTTP.dll
WS2_32.dll
gdiplus.dll
SHLWAPI.dll
ole32.dll
SHELL32.dll
ADVAPI32.dll
GDI32.dll
USER32.dll
KERNEL32.dll

File Access (UNICODE):
mscoree.dll
%ProgramFiles%\Mozilla Firefox\firefox.exe
chrome.exe
msedge.exe
firefox.exe
coreServiceShell.exe
PSANHost.exe
mc-fw-host.exe
cmdagent.exe
fcmcomm.exe
McsAgent.exe
x64.exe
SecurityService.exe
Service.exe
MBAMService.exe
avp.exe
guardxservice_x64.exe
fshoster64.exe
ekrn.exe
a2service.exe
dwengine.exe
bdagent.exe
AVGSvc.exe
AvastSvc.exe
QHActiveDefense.exe
CredentialUIBroker.exe
%LOCALAPPDATA%\Mozilla Firefox\firefox.exe
%WINDIR%\System32\wscript.exe
%WINDIR%\System32\rundll32.exe
0\powershell.exe (truncated string)
%WINDIR%\System32\cmd.exe
%TEMP%\kaka.txt
Exec - powershell.exe
Temp
WinDir
ProgramFiles
AppData

Words of Interest:
exec
start
expand

Words of Interest (UNICODE):
wscript
powershell
comspec
rundll32
rundll

Payloads:
Unusual BP Cave > 15 Bytes - (0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...)
Caveat: long runs of 0xCC (INT3) are the normal function-alignment padding MSVC emits in .text; on their own they are not evidence of a code cave or an injected payload.

AV Services (UNICODE):
ekrn.exe - (ESET NOD32)
Note: the scanner only matched ekrn.exe, but the string lists above also name the service processes of other security products, among them avp.exe (Kaspersky), AvastSvc.exe (Avast), AVGSvc.exe (AVG), bdagent.exe (Bitdefender), MBAMService.exe (Malwarebytes), fshoster64.exe (F-Secure), a2service.exe (Emsisoft), dwengine.exe (Dr.Web), QHActiveDefense.exe (360 Total Security), coreServiceShell.exe (Trend Micro), PSANHost.exe (Panda), cmdagent.exe (Comodo), McsAgent.exe (Sophos), WRCoreService.x64.exe (Webroot) and Avira.Spotlight.Service.exe (Avira). Together with CreateToolhelp32Snapshot in the import list, this is the usual pattern of enumerating running processes to detect installed security software.

IP Addresses:
111.90.147.138 (hard-coded; www.ip-api.com, a public IP-geolocation service, also appears in the strings)

Strings/Hex Code Found With The File Rules:
Rule Text (Ascii): Registry (RegCreateKeyEx)
Rule Text (Ascii): Registry (RegOpenKeyEx)
Rule Text (Ascii): Registry (RegSetValueEx)
Rule Text (Ascii): Registry (RegGetValue)
Rule Text (Ascii): File (CreateFile)
Rule Text (Ascii): File (WriteFile)
Rule Text (Ascii): File (ReadFile)
Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent)
Rule Text (Ascii): Anti-Analysis VM (CreateToolhelp32Snapshot)
Rule Text (Ascii): Execution (CreateProcessW)
Rule Text (Ascii): Execution (ShellExecute)
Rule Text (Unicode): Information used to authenticate a user's identity (Credential)
Rule Text (Unicode): Information used for user authentication (Credential)
EP Rules: Microsoft Visual C++ 8.0 (DLL) (signature name only; the file is an EXE and DIE reports linker 14.40, so treat this as a generic MSVC entry-point match)

Intelligent String:
• firefox.exe
• msedge.exe
• chrome.exe
• mscoree.dll
• WS2_32.dll
• COMSPEC
• %WINDIR%\System32\cmd.exe
• %WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe
• %WINDIR%\System32\rundll32.exe
• %WINDIR%\System32\wscript.exe
• %ws /c "%ws" (wide format string; combined with COMSPEC above it builds a cmd.exe /c "<command>" line)
• www.ip-api.com
• 111.90.147.138
• %ProgramFiles%\Mozilla Firefox\firefox.exe
• %LOCALAPPDATA%\Mozilla Firefox\firefox.exe
• %ProgramFiles%\Google\Chrome\Application\chrome.exe
• %LOCALAPPDATA%\Google\Chrome\Application\chrome.exe
• %ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe
• %LOCALAPPDATA%\Microsoft\Edge\Application\msedge.exe
• CredentialUIBroker.exe
• %TEMP%\kaka.txt
• QHActiveDefense.exe
• AvastSvc.exe
• AVGSvc.exe
• bdagent.exe
• dwengine.exe
• a2service.exe
• ekrn.exe
• fshoster64.exe
• guardxservice_x64.exe
• avp.exe
• MBAMService.exe
• Avira.Spotlight.Service.exe
• SecurityService.exe
• WRCoreService.x64.exe
• McsAgent.exe
• fcmcomm.exe
• cmdagent.exe
• mc-fw-host.exe
• PSANHost.exe
• coreServiceShell.exe
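The "(UNICODE)" lists above come from carving UTF-16LE strings out of the file, and the security-product and LOLBin names among them are what a triager wants tagged. The following is an added example, not PESCAN.IO's code: it carves such strings from a constructed buffer that embeds a few of the report's own strings and buckets them by what they name. The process-to-vendor mapping and the LOLBin set are my annotation (the report itself only labels ekrn.exe); the process names are the ones listed above.

```python
"""
Wide-string carving and triage. Added example, not PESCAN.IO's code.
"""
import re

# Security-product service processes named in the report; vendor mapping is my annotation.
SECURITY_PRODUCT_PROCESSES = {
    "ekrn.exe": "ESET",
    "avp.exe": "Kaspersky",
    "avastsvc.exe": "Avast",
    "avgsvc.exe": "AVG",
    "bdagent.exe": "Bitdefender",
    "mbamservice.exe": "Malwarebytes",
    "fshoster64.exe": "F-Secure",
    "a2service.exe": "Emsisoft",
    "dwengine.exe": "Dr.Web",
    "qhactivedefense.exe": "360 Total Security",
    "coreserviceshell.exe": "Trend Micro",
    "psanhost.exe": "Panda",
    "cmdagent.exe": "Comodo",
    "mcsagent.exe": "Sophos",
    "wrcoreservice.x64.exe": "Webroot",
    "avira.spotlight.service.exe": "Avira",
}
# Living-off-the-land binaries the report's strings reference.
LOLBINS = {"cmd.exe", "powershell.exe", "wscript.exe", "rundll32.exe"}


def carve_wide_strings(data, min_len=5):
    """Return UTF-16LE strings made of printable-ASCII code units that are at
    least min_len characters long. The scan is byte-by-byte (no 2-byte
    alignment assumption), so strings at odd offsets are found too."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def triage(strings):
    """Bucket carved strings by the basename they end in."""
    hits = {"security_products": [], "lolbins": [], "other": []}
    for s in strings:
        base = s.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in SECURITY_PRODUCT_PROCESSES:
            hits["security_products"].append((s, SECURITY_PRODUCT_PROCESSES[base]))
        elif base in LOLBINS:
            hits["lolbins"].append(s)
        else:
            hits["other"].append(s)
    return hits


def _w(s):
    """Encode a constructed sample string as NUL-terminated UTF-16LE."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed sample buffer (not bytes from the analysed file): a few of the
# report's strings embedded in padding, the first one at an odd offset and one
# narrow (8-bit) string that must not be carved as wide.
SAMPLE = (
    b"\xcc" * 3
    + _w("ekrn.exe")
    + b"\x00" * 4
    + _w("%WINDIR%\\System32\\cmd.exe")
    + _w("avp.exe")
    + _w("%TEMP%\\kaka.txt")
    + b"ascii-only-text\x00\x00\x00"
    + _w("%WINDIR%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe")
)


def analyse_sample():
    """Carve and triage the constructed buffer."""
    return triage(carve_wide_strings(SAMPLE))


if __name__ == "__main__":
    for bucket, items in analyse_sample().items():
        print(bucket, items)
```

The carver deliberately keys on NUL-interleaved printable bytes rather than decoding the whole buffer as UTF-16, which is why narrow strings and padding do not surface; the min_len threshold is the knob that trades noise for short names such as avp.exe.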

Extra Analysis:
Metric          Value    Percentage
Ascii Code      102967   56.1563%
Null Byte Code  43187    23.5534%