PESCAN.IO - Analysis Report Basic

File Structure
(analysis image not reproduced; legend of the PE chart: PE header light blue, executable sections pink, non-executable sections black, external injected code red; a file structure drawn in red means a malformed or corrupted header. For non-PE files the chart shows printable characters in blue and non-printable characters in black.)
Information
Size: 3.52 MB
SHA-256 Hash: 3563FED4C47EBF9C176C8FDC772FEBB5BBC61512A8DDA6C32BDCA6F3B843B02C
SHA-1 Hash: A98804AD419F4F44A1BE1DA83F47D71FE05F5386
MD5 Hash: 8700A910E21A258418620E2BE04DDD0C
Imphash: 1D0E3506C01CB61E9312CBEA4911E92E
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 00392B00
EntryPoint (rva): 19D0C
SizeOfHeaders: 400
SizeOfImage: 26000
ImageBase: 400000
Architecture: x86
ImportTable: 1F21C
IAT: 1C000
Characteristics: 12F (RELOCS_STRIPPED | EXECUTABLE_IMAGE | LINE_NUMS_STRIPPED | LOCAL_SYMS_STRIPPED | LARGE_ADDRESS_AWARE | 32BIT_MACHINE)
TimeDateStamp: 62D172E0
Date: 15/07/2022 14:00:00 UTC (decoded from TimeDateStamp 62D172E0; consistent with the 7-Zip 22.01 release date)
File Type: EXE
Number Of Sections: 5
ASLR: Disabled (relocations are stripped, Characteristics bit 0x1, so the loader could not rebase the image even if DYNAMICBASE were set)
Section Names: .text, .rdata, .data, .sxdata, .rsrc
Number Of Executable Sections: 1
Subsystem: Windows GUI

Sections Info (offsets and sizes in hex; Meaning lists the IMAGE_SCN_* bits set in Flags)
Section  Flags       Meaning                                      ROffset  RSize  VOffset  VSize  Entropy  Chi2
.text    0x60000020  CODE | EXECUTE | READ                        400      1A400  1000     1A345  6.6211   558725.6
.rdata   0x40000040  INITIALIZED_DATA | READ                      1A800    3C00   1C000    3B0A   4.444    869435.4
.data    0xC0000040  INITIALIZED_DATA | READ | WRITE              1E400    200    20000    23F0   3.3119   42458
.sxdata  0xC0000240  INITIALIZED_DATA | LNK_INFO | READ | WRITE   1E600    200    23000    4      0.0204   130049
.rsrc    0x40000040  INITIALIZED_DATA | READ                      1E800    1200   24000    107C   5.0449   132392.89
Notes: .data carries only 200 bytes on disk against 23F0 in memory, so most of it is zero-initialised and has no file backing. .sxdata (4 bytes, with IMAGE_SCN_LNK_INFO 0x200 set, which the scanner's own flag list omits) is the safe-SEH handler table section emitted by the MSVC linker of this era. The last raw section ends at 1E800 + 1200 = 1FA00, which is where the overlay begins.
Description
OriginalFilename: 7zS.sfx.exe
CompanyName: Igor Pavlov
LegalCopyright: Copyright (c) 1999-2022 Igor Pavlov
ProductName: 7-Zip
FileVersion: 22.01
FileDescription: 7z Setup SFX
ProductVersion: 22.01
Language: English (United States) (ID=0x409)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Binder/Joiner/Crypter
Overlay (data appended after the last section, from file offset 1FA00 to end of file): 3.38 MB. The scanner labels this "dropper code (EOF)", but for a 7-Zip SFX the overlay is the expected installer payload: the ;!@Install@! configuration block followed by the 7z archive (see the Packer/Compiler verdict "overlay: 7-zip Installer data" and the last Flow Anomalies row). Whether it is benign depends on what the archive contains and what the configuration runs, not on the overlay being present.

Entry Point
The entry point lies in section 1 (.text): RVA 19D0C falls inside .text (VOffset 1000, VSize 1A345).
EntryPoint file offset (calculated): 19D0C - 1000 + 400 = 1910C
Code -> 558BEC6AFF6800D3410068069D410064A100000000506489250000000083EC685356578965E833DB895DFC6A02FF15ECC041
Disassembly (this is the stock MSVC 6 WinMainCRTStartup prologue: it registers an SEH frame through FS:[0], saves the callee-saved registers, then calls __set_app_type(2) through the IAT; nothing in it is specific to this sample)
|PUSH EBP
|MOV EBP, ESP
|PUSH -1
|PUSH 0X41D300
|PUSH 0X419D06
|MOV EAX, DWORD PTR FS:[0]
|PUSH EAX
|MOV DWORD PTR FS:[0], ESP
|SUB ESP, 0X68
|PUSH EBX
|PUSH ESI
|PUSH EDI
|MOV DWORD PTR [EBP - 0X18], ESP
|XOR EBX, EBX
|MOV DWORD PTR [EBP - 4], EBX
|PUSH 2
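Worked example (added here; not part of the PESCAN report or of 7-Zip's code): the section-table arithmetic behind the two numbers above, the entry-point file offset 1910C and the overlay start 1FA00, using only the values printed under Sections Info and Information. It also decodes the section Characteristics bits and maps the absolute CALL targets reported later under Flow Anomalies back to a section and file offset. The constants are copied from the report; the helper names and the flag table (IMAGE_SCN_* values from winnt.h) are mine.

```python
# Section-table arithmetic for the 7zS.sfx.exe values listed in this report.
# Example code added for this page; the numbers are the report's, the helpers are not.
from typing import List, Optional, Tuple

IMAGE_BASE = 0x400000        # Information: ImageBase
SIZE_OF_IMAGE = 0x26000      # Information: SizeOfImage
ENTRY_RVA = 0x19D0C          # Information: EntryPoint (rva)

# (name, Characteristics, ROffset, RSize, VOffset, VSize) straight from Sections Info
SECTIONS = [
    (".text",   0x60000020, 0x400,   0x1A400, 0x1000,  0x1A345),
    (".rdata",  0x40000040, 0x1A800, 0x3C00,  0x1C000, 0x3B0A),
    (".data",   0xC0000040, 0x1E400, 0x200,   0x20000, 0x23F0),
    (".sxdata", 0xC0000240, 0x1E600, 0x200,   0x23000, 0x4),
    (".rsrc",   0x40000040, 0x1E800, 0x1200,  0x24000, 0x107C),
]

# IMAGE_SCN_* bits (winnt.h) that matter for triage
SCN_FLAGS = {
    0x00000020: "CODE",
    0x00000040: "INITIALIZED_DATA",
    0x00000080: "UNINITIALIZED_DATA",
    0x00000200: "LNK_INFO",
    0x20000000: "EXECUTE",
    0x40000000: "READ",
    0x80000000: "WRITE",
}


def decode_flags(characteristics: int) -> List[str]:
    """Names of the IMAGE_SCN_* bits that are set, lowest bit first."""
    return [name for bit, name in sorted(SCN_FLAGS.items()) if characteristics & bit]


def rva_to_offset(rva: int, sections=SECTIONS) -> Optional[Tuple[str, int]]:
    """Map an RVA to (section name, file offset).

    Returns None when the RVA is not inside any section, or when it falls in the part
    of a section that exists only in memory (VSize larger than RSize, as with .data here).
    """
    for name, _, roff, rsize, va, vsize in sections:
        # the mapped extent is the larger of the two sizes: .sxdata has RSize 200 but VSize 4
        if va <= rva < va + max(rsize, vsize):
            delta = rva - va
            if delta >= rsize:
                return None            # zero-filled in memory, no bytes on disk
            return name, roff + delta
    return None


def va_to_offset(va: int) -> Optional[Tuple[str, int]]:
    """Same lookup for an absolute address, e.g. a CALL target from Flow Anomalies."""
    if not IMAGE_BASE <= va < IMAGE_BASE + SIZE_OF_IMAGE:
        return None                    # outside the image entirely
    return rva_to_offset(va - IMAGE_BASE)


def overlay_offset(sections=SECTIONS) -> int:
    """First file offset after the last section's raw bytes: where the overlay begins."""
    return max(roff + rsize for _, _, roff, rsize, _, _ in sections)


def executable_sections(sections=SECTIONS) -> List[str]:
    return [s[0] for s in sections if s[1] & 0x20000000]


if __name__ == "__main__":
    sec, off = rva_to_offset(ENTRY_RVA)
    print("entry point RVA %X -> %s at file offset %X" % (ENTRY_RVA, sec, off))
    print("overlay starts at file offset %X" % overlay_offset())
    for name, chars, *_ in SECTIONS:
        print("%-8s %08X  %s" % (name, chars, " | ".join(decode_flags(chars))))
    for target in (0x41C0D4, 0x42016C, 0x75FF0000):
        print("call/jmp target %X -> %s" % (target, va_to_offset(target)))
```

Run against the report's values it reproduces .text @ 1910C for the entry point and 1FA00 for the overlay; the three sample targets show the three cases an analyst meets in the Flow Anomalies list: an IAT slot in .rdata, a function pointer in .data, and an address outside the image altogether.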
Signatures
Rich Signature Analyzer:
Code -> 854D6800C12C0653C12C0653C12C0653AE330D53C22C065342300853C92C0653AE330C53CA2C0653AE330253C32C06534F245953C02C0653C12C07534B2C065342245B53C82C0653F70A0D53822C0653F70A0C53C32C0653DAB1AC53CD2C0653595E0552C02C0653062A0053C02C065352696368C12C0653
Footprint md5 Hash -> 22F5E53D875652AF238590904BFC390B
• The Rich header apparently has not been modified
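Worked example (added; not from the report or from 7-Zip): decoding the Rich header bytes printed above. The dword after the "Rich" marker is the XOR key; XORing every preceding dword with it must yield "DanS", three zero dwords and then (compid, count) pairs, where compid packs the product ID in the high 16 bits and the tool build number in the low 16. That round trip is the check behind "apparently has not been modified" (the full check also re-derives the key as a checksum over the DOS header, which this report does not print, so it cannot be repeated here). The product-ID name table in the block is a partial, assumed subset of the community-documented list covering the VC6-era IDs; unlisted IDs are printed numerically.

```python
# Rich header decoder for the bytes printed above. Example code added for this page.
import struct
from typing import List, Tuple

RICH_HEX = (  # the 120 bytes from "Rich Signature Analyzer: Code ->"
    "854D6800C12C0653C12C0653C12C0653AE330D53C22C065342300853C92C0653AE330C53CA2C0653"
    "AE330253C32C06534F245953C02C0653C12C07534B2C065342245B53C82C0653F70A0D53822C0653"
    "F70A0C53C32C0653DAB1AC53CD2C0653595E0552C02C0653062A0053C02C065352696368C12C0653"
)
DANS = 0x536E6144  # the bytes "DanS" read as a little-endian dword

# Partial product-ID table (assumption: the community-documented names for the VC6-era
# IDs behind DIE's "Visual C/C++ 6.0" and "Linker 6.0" verdicts). Others print as hex.
PRODID_NAMES = {
    0x01: "Import0", 0x04: "Linker600", 0x06: "Cvtres500",
    0x0A: "Utc12_C", 0x0B: "Utc12_CPP", 0x0E: "Masm613",
}


def decode_rich(blob: bytes) -> Tuple[int, List[Tuple[int, int, int]]]:
    """Return (xor_key, [(prodid, build, count), ...]); raise ValueError if it does not decode."""
    idx = blob.rfind(b"Rich")
    if idx < 0 or idx % 4 or idx + 8 > len(blob):
        raise ValueError("no Rich marker followed by a key")
    key = struct.unpack_from("<I", blob, idx + 4)[0]
    words = [w ^ key for w in struct.unpack_from("<%dI" % (idx // 4), blob, 0)]
    # a genuine header decodes to DanS + three zero dwords; anything else means the key
    # or the body was altered after linking
    if words[0] != DANS or words[1:4] != [0, 0, 0]:
        raise ValueError("DanS marker or padding did not decode with key %08X" % key)
    body = words[4:]
    if len(body) % 2:
        raise ValueError("odd number of entry dwords")
    entries = [(comp >> 16, comp & 0xFFFF, count)
               for comp, count in zip(body[::2], body[1::2])]
    return key, entries


def rich_is_consistent(blob: bytes) -> bool:
    """The check behind 'apparently has not been modified' (minus the DOS-header checksum)."""
    try:
        decode_rich(blob)
        return True
    except ValueError:
        return False


def rich_summary(blob: bytes) -> str:
    key, entries = decode_rich(blob)
    lines = ["key %08X, %d tool entries" % (key, len(entries))]
    for prodid, build, count in entries:
        name = PRODID_NAMES.get(prodid, "prodid 0x%04X" % prodid)
        lines.append("  %-14s build %5d  used %3d times" % (name, build, count))
    return "\n".join(lines)


if __name__ == "__main__":
    print(rich_summary(bytes.fromhex(RICH_HEX)))
```

For this sample the key decodes to 53062CC1 and twelve entries, among them Linker600 build 8047 and Utc12_C/Utc12_CPP builds 8047 and 9782, which is what DIE summarised as Visual C/C++ 6.0 with Microsoft Linker 6.0; a tampered key fails the DanS check immediately, which is what rich_is_consistent() reports.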
Certificate - Digital Signature:
• The file is signed and the signature is correct (the scanner does not name the signer; the certificate-chain URLs listed under URLs point at Entrust's EVCS2 code-signing CA and a DigiCert timestamping CA, so check the subject name before treating the 7-Zip version resource as evidence of who produced this package)

Packer/Compiler
Detect It Easy (die)
PE: installer: 7-Zip(1.0.0.0)[-]
PE: compiler: EP:Microsoft Visual C/C++(6.0 (1720-9782))[EXE32]
PE: compiler: Microsoft Visual C/C++(6.0)[msvcrt]
PE: archive: 7-Zip(0.4)[-]
PE: linker: Microsoft Linker(6.0*)[-]
PE: overlay: 7-zip Installer data(-)[-]
Entropy: 7.99388 (whole file, dominated by the compressed 7z archive in the overlay; the code section itself is at 6.62, so this figure is not evidence that the stub is packed)

Suspicious Functions
(These imports are exactly what a self-extracting installer needs: VirtualAlloc for decoder buffers, WriteFile to write the extracted files under %TEMP%, ShellExecuteExW to launch the extracted setup program, GetModuleHandleA/GetProcAddress for runtime API resolution. On their own they are not evidence of malice.)
Library Function Description
KERNEL32.DLL VirtualAlloc Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL GetModuleHandleA Retrieves a handle to the specified module.
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
SHELL32.DLL ShellExecuteExW Performs a run operation on a specific file.
File Access
(The f5*.exe/.dll, ietrust.exe and cabinstaller.exe names are not strings of the 7-Zip SFX stub; they come from the appended installer data and identify what this particular package drops. The stub's own strings are the DLL names here and the (UNICODE) list below.)
ietrust.exe
f5epi.exe
f5PolicyServer.exe
cabinstaller.exe
.exe
f5InspectionHost.dll
KERNEL32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
OLEAUT32.dll
@.dat
Temp

File Access (UNICODE)
sfx.exe
setup.exe
Cannot find setup.exe
Error kernel32.dll
Temp

Words of Interest
fuck - }:)
PADDINGX
exec
attrib
start
systeminfo
ping

URLs (all from the Authenticode signature's certificate chain and timestamp: AIA, OCSP and CRL distribution points; the trailing digits the raw dump showed, such as "net00" or "rpa03", are ASN.1 length bytes and are removed here)
http://ocsp.digicert.com
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
http://www.entrust.net/rpa
http://ocsp.entrust.net
http://crl.entrust.net/g2ca.crl
http://crl.entrust.net/csbr1.crl
http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
http://crl3.digicert.com/DigiCertTrustedRootG4.crl
http://aia.entrust.net/evcs2-chain.p7c
http://crl.entrust.net/evcs2.crl
http://cacerts.digicert.com/DigiCertTrustedG4TimeStampingRSA4096SHA2562025CA1.crt
http://crl3.digicert.com/DigiCertTrustedG4TimeStampingRSA4096SHA2562025CA1.crl

Strings/Hex Code Found With The File Rules
Type         Encoding  Rule                Matched
Text         Ascii     File                GetTempPath
Text         Ascii     File                CreateFile
Text         Ascii     File                WriteFile
Text         Ascii     File                ReadFile
Text         Ascii     Anti-Analysis VM    GetSystemInfo
Text         Ascii     Anti-Analysis VM    GlobalMemoryStatusEx
Text         Ascii     Anti-Analysis VM    GetVersion
Text         Ascii     Reconnaissance      FindFirstFileW
Text         Ascii     Reconnaissance      FindNextFileW
Text         Ascii     Reconnaissance      FindClose
Text         Ascii     Stealth             ReleaseSemaphore
Text         Ascii     Stealth             CloseHandle
Text         Ascii     Stealth             VirtualAlloc
Text         Ascii     Execution           CreateProcessW
Text         Ascii     Execution           ShellExecute
Text         Ascii     Execution           CreateSemaphoreW
Text         Ascii     Execution           CreateEventW
Text         Ascii     Antivirus Software  etrust
Entry Point  Hex       Pattern             Microsoft Visual C++ 5.0
Entry Point  Hex       Pattern             Microsoft Visual C++ v6.0
Entry Point  Hex       Pattern             Microsoft Visual C++
Note: the rule names are generic API-name heuristics. GetVersion, GetSystemInfo and GlobalMemoryStatusEx are ordinary CRT and installer calls rather than VM detection, CloseHandle is not "stealth", and the file/enumeration/execution APIs are what extracting an archive to %TEMP% and running setup.exe requires. The "Antivirus Software (etrust)" hit is the substring etrust inside ietrust.exe from the File Access list, not a reference to the eTrust antivirus product.
Resources
Path (type\id\lang; type 24 = RT_MANIFEST)  DataRVA  Size  FileOffset  Code/Text
\ICON\1\1033 24250 2E8 1EA50 2800000020000000400000000100040000000000800200000000000000000000000000000000000000000000000080000080(... ...@.........................................
\ICON\2\1033 24538 128 1ED38 2800000010000000200000000100040000000000C00000000000000000000000000000000000000000000000000080000080(....... .........................................
\DIALOG\97\1033 24660 B8 1EE60 C008C88000000000020000000000BC003C0000000000500072006F0067007200650073007300000008004D00530020005300................<.....P.r.o.g.r.e.s.s.....M.S. .S.
\STRING\1\1033 24718 60 1EF18 00000000000000000000000000001100450078007400720061006300740069006F006E0020004600610069006C00650064000F00460069006C006500200069007300200063006F00720072007500700074000000000000000000000000000000................E.x.t.r.a.c.t.i.o.n. .F.a.i.l.e.d...F.i.l.e. .i.s. .c.o.r.r.u.p.t...............
\STRING\188\1033 24778 54 1EF78 000000000000000000000000000000000000000000001A00430061006E006E006F0074002000630072006500610074006500200066006F006C00640065007200200027007B0030007D0027000000000000000000........................C.a.n.n.o.t. .c.r.e.a.t.e. .f.o.l.d.e.r. .'.{.0.}.'.........
\STRING\207\1033 247CC 34 1EFCC 00000000000000000A00450078007400720061006300740069006E00670000000000000000000000000000000000000000000000..........E.x.t.r.a.c.t.i.n.g.......................
\GROUP_ICON\1\1033 24800 22 1F000 0000010002002020100001000400E802000001001010100001000400280100000200...... ....................(.....
\VERSION\1\1033 24824 2BC 1F024 BC0234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000100..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\1033 24AE0 59C 1F2E0 3C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122<assembly xmlns="urn:schemas-microsoft-com:asm.v1"
Intelligent String
• Cannot find setup.exe
• setup.exe
• .tmp
• kernel32.dll
• .exe
• .dll
• OLEAUT32.dll
• MSVCRT.dll
• .PAX
• .PAD
• 7zS.sfx
• 7zS.sfx.exe
• (DER-encoded certificate extension text; it holds the DigiCert OCSP, AIA and CRL URLs already listed under URLs)

Flow Anomalies
(The CALL targets in the 41C03C to 41C198 range are absolute addresses in .rdata, RVA 1C03C to 1C198, immediately after the IAT at RVA 1C000: these are the ordinary "call dword ptr [__imp_X]" import thunks MSVC emits, not hooks or injected trampolines. The one target outside that range, 42016C at offset 430B, is a function pointer in .data. The JMP target 75FF0000 at offset 6E2 lies outside the image, base 400000 and size 26000, and is a mis-aligned decode by the scanner rather than a real branch. The last row is the overlay start, where the 7-Zip SFX configuration marker is found.)
Offset Target (VA) Section Description
46A 41C0D4 .text CALL [static] | Indirect call to absolute memory address
6E2 75FF0000 .text JMP [static] | Indirect jump to absolute memory address
94A 41C168 .text CALL [static] | Indirect call to absolute memory address
B51 41C0D8 .text CALL [static] | Indirect call to absolute memory address
C0C 41C0DC .text CALL [static] | Indirect call to absolute memory address
C34 41C0E0 .text CALL [static] | Indirect call to absolute memory address
C3B 41C0DC .text CALL [static] | Indirect call to absolute memory address
D53 41C14C .text CALL [static] | Indirect call to absolute memory address
D7E 41C0D0 .text CALL [static] | Indirect call to absolute memory address
F85 41C144 .text CALL [static] | Indirect call to absolute memory address
101B 41C0CC .text CALL [static] | Indirect call to absolute memory address
1271 41C0C4 .text CALL [static] | Indirect call to absolute memory address
1294 41C0C8 .text CALL [static] | Indirect call to absolute memory address
12D2 41C0C4 .text CALL [static] | Indirect call to absolute memory address
12E7 41C0C8 .text CALL [static] | Indirect call to absolute memory address
17C8 41C0C4 .text CALL [static] | Indirect call to absolute memory address
17D2 41C0C8 .text CALL [static] | Indirect call to absolute memory address
1B09 41C194 .text CALL [static] | Indirect call to absolute memory address
1B1D 41C198 .text CALL [static] | Indirect call to absolute memory address
1E5C 41C190 .text CALL [static] | Indirect call to absolute memory address
217B 41C18C .text CALL [static] | Indirect call to absolute memory address
2187 41C18C .text CALL [static] | Indirect call to absolute memory address
2193 41C18C .text CALL [static] | Indirect call to absolute memory address
2200 41C0C0 .text CALL [static] | Indirect call to absolute memory address
220E 41C0C0 .text CALL [static] | Indirect call to absolute memory address
2358 41C188 .text CALL [static] | Indirect call to absolute memory address
26AA 41C134 .text CALL [static] | Indirect call to absolute memory address
26CF 41C130 .text CALL [static] | Indirect call to absolute memory address
2730 41C184 .text CALL [static] | Indirect call to absolute memory address
28F2 41C144 .text CALL [static] | Indirect call to absolute memory address
2D98 41C160 .text CALL [static] | Indirect call to absolute memory address
2F55 41C12C .text CALL [static] | Indirect call to absolute memory address
3002 41C144 .text CALL [static] | Indirect call to absolute memory address
3109 41C14C .text CALL [static] | Indirect call to absolute memory address
3158 41C144 .text CALL [static] | Indirect call to absolute memory address
38F3 41C0B8 .text CALL [static] | Indirect call to absolute memory address
39F5 41C0B0 .text CALL [static] | Indirect call to absolute memory address
3A10 41C0B4 .text CALL [static] | Indirect call to absolute memory address
3A33 41C0A0 .text CALL [static] | Indirect call to absolute memory address
3A4A 41C0A4 .text CALL [static] | Indirect call to absolute memory address
3A56 41C0DC .text CALL [static] | Indirect call to absolute memory address
3A66 41C09C .text CALL [static] | Indirect call to absolute memory address
3A73 41C098 .text CALL [static] | Indirect call to absolute memory address
3A82 41C08C .text CALL [static] | Indirect call to absolute memory address
3B29 41C0CC .text CALL [static] | Indirect call to absolute memory address
3BE4 41C08C .text CALL [static] | Indirect call to absolute memory address
3BF2 41C0CC .text CALL [static] | Indirect call to absolute memory address
3C6E 41C088 .text CALL [static] | Indirect call to absolute memory address
3CD6 41C084 .text CALL [static] | Indirect call to absolute memory address
3DE8 41C084 .text CALL [static] | Indirect call to absolute memory address
3E60 41C080 .text CALL [static] | Indirect call to absolute memory address
3E98 41C07C .text CALL [static] | Indirect call to absolute memory address
3F42 41C078 .text CALL [static] | Indirect call to absolute memory address
3F7D 41C070 .text CALL [static] | Indirect call to absolute memory address
3F88 41C074 .text CALL [static] | Indirect call to absolute memory address
3F93 41C0AC .text CALL [static] | Indirect call to absolute memory address
3FF2 41C074 .text CALL [static] | Indirect call to absolute memory address
4025 41C084 .text CALL [static] | Indirect call to absolute memory address
404B 41C0CC .text CALL [static] | Indirect call to absolute memory address
4196 41C06C .text CALL [static] | Indirect call to absolute memory address
41CA 41C068 .text CALL [static] | Indirect call to absolute memory address
4264 41C064 .text CALL [static] | Indirect call to absolute memory address
429F 41C060 .text CALL [static] | Indirect call to absolute memory address
42ED 41C084 .text CALL [static] | Indirect call to absolute memory address
42F7 41C084 .text CALL [static] | Indirect call to absolute memory address
430B 42016C .text CALL [static] | Indirect call to absolute memory address
4318 41C0CC .text CALL [static] | Indirect call to absolute memory address
436C 41C084 .text CALL [static] | Indirect call to absolute memory address
43CA 41C0CC .text CALL [static] | Indirect call to absolute memory address
43DC 41C05C .text CALL [static] | Indirect call to absolute memory address
453E 41C084 .text CALL [static] | Indirect call to absolute memory address
471A 41C14C .text CALL [static] | Indirect call to absolute memory address
489A 41C058 .text CALL [static] | Indirect call to absolute memory address
49CA 41C0CC .text CALL [static] | Indirect call to absolute memory address
4A09 41C0A0 .text CALL [static] | Indirect call to absolute memory address
4A2B 41C0DC .text CALL [static] | Indirect call to absolute memory address
4A4F 41C054 .text CALL [static] | Indirect call to absolute memory address
4A5C 41C0CC .text CALL [static] | Indirect call to absolute memory address
4AA3 41C050 .text CALL [static] | Indirect call to absolute memory address
4AB0 41C0CC .text CALL [static] | Indirect call to absolute memory address
4B0A 41C050 .text CALL [static] | Indirect call to absolute memory address
4B17 41C0CC .text CALL [static] | Indirect call to absolute memory address
4B2E 41C084 .text CALL [static] | Indirect call to absolute memory address
4BC0 41C0A4 .text CALL [static] | Indirect call to absolute memory address
4C13 41C04C .text CALL [static] | Indirect call to absolute memory address
4CF7 41C0A4 .text CALL [static] | Indirect call to absolute memory address
4D39 41C048 .text CALL [static] | Indirect call to absolute memory address
4D97 41C044 .text CALL [static] | Indirect call to absolute memory address
4E12 41C0CC .text CALL [static] | Indirect call to absolute memory address
4E33 41C084 .text CALL [static] | Indirect call to absolute memory address
5399 41C07C .text CALL [static] | Indirect call to absolute memory address
5552 41C158 .text CALL [static] | Indirect call to absolute memory address
5596 41C158 .text CALL [static] | Indirect call to absolute memory address
5685 41C15C .text CALL [static] | Indirect call to absolute memory address
56B8 41C15C .text CALL [static] | Indirect call to absolute memory address
5781 41C180 .text CALL [static] | Indirect call to absolute memory address
5809 41C180 .text CALL [static] | Indirect call to absolute memory address
5879 41C180 .text CALL [static] | Indirect call to absolute memory address
58D6 41C03C .text CALL [static] | Indirect call to absolute memory address
58DD 41C040 .text CALL [static] | Indirect call to absolute memory address
1FA00 N/A *Overlay* 3B2140496E7374616C6C40215554462D38210D0A | ;!@Install@!UTF-8!..
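Worked example (added; not from the report or from 7-Zip): triaging the overlay of a 7zS.sfx-based installer such as this one, the region the Binder/Joiner/Crypter section calls "dropper code" and the row above locates at 1FA00. The 7-Zip SFX module looks in the overlay for an optional text configuration delimited by ;!@Install@!UTF-8! and ;!@InstallEnd@!, whose RunProgram directive names the command to run after extraction (without a config, 7zS.sfx runs setup.exe from the archive, which is what the "Cannot find setup.exe" string above reports when that fails); the 7z archive itself follows, starting with the magic 7z\xBC\xAF\x27\x1C. The overlay bytes in the block are constructed for the example, since the real payload is not on this page; only the marker strings, directive names and 7z magic come from the 7-Zip format. The payload entropy figure shows why the whole-file entropy of 7.99 says nothing about the stub.

```python
# Overlay triage for a 7zS.sfx installer. Example code added for this page; the sample
# overlay is constructed, the real one is not reproduced in the report.
import math
import re
from typing import Dict, Optional, Tuple

INSTALL_BEGIN = b";!@Install@!UTF-8!"     # the marker the scanner found at offset 1FA00
INSTALL_END = b";!@InstallEnd@!"
SEVENZ_MAGIC = b"7z\xBC\xAF\x27\x1C"      # 7z archive signature
DIRECTIVE = re.compile(r'^(\w+)="(.*)"$')  # 7-Zip SFX config lines look like Key="Value"

# Constructed sample: a config block, then a fake archive whose body has 8 bits/byte entropy
SAMPLE_OVERLAY = (
    b";!@Install@!UTF-8!\r\n"
    b'Title="7-Zip 22.01"\r\n'
    b'RunProgram="setup.exe /S"\r\n'
    b";!@InstallEnd@!\r\n"
    + SEVENZ_MAGIC + b"\x00\x04" + bytes(range(256)) * 8
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sfx_config(overlay: bytes) -> Tuple[Optional[Dict[str, str]], int]:
    """Return (directives, offset just past the config block), or (None, 0) without a config."""
    start = overlay.find(INSTALL_BEGIN)
    if start < 0:
        return None, 0
    end = overlay.find(INSTALL_END, start)
    if end < 0:
        raise ValueError("config block is not terminated by ;!@InstallEnd@!")
    text = overlay[start + len(INSTALL_BEGIN):end].decode("utf-8", "replace")
    directives = {}
    for line in text.splitlines():
        m = DIRECTIVE.match(line.strip())
        if m:
            directives[m.group(1)] = m.group(2)
    after = end + len(INSTALL_END)
    while after < len(overlay) and overlay[after] in b"\r\n":  # skip the marker's line break
        after += 1
    return directives, after


def triage_overlay(overlay: bytes) -> dict:
    """What an analyst wants from the overlay: the post-extraction command and the payload shape."""
    config, payload_start = parse_sfx_config(overlay)
    magic_at = overlay.find(SEVENZ_MAGIC, payload_start)
    payload = overlay[magic_at:] if magic_at >= 0 else overlay[payload_start:]
    return {
        "config": config,
        # no RunProgram means the SFX runs setup.exe from the extracted archive
        "run_program": (config or {}).get("RunProgram", "setup.exe (SFX default)"),
        "payload_offset": magic_at,
        "is_7z_archive": magic_at >= 0,
        "payload_entropy": round(shannon_entropy(payload), 4),
    }


if __name__ == "__main__":
    for key, value in triage_overlay(SAMPLE_OVERLAY).items():
        print("%-16s %s" % (key, value))
```

Against the real file, slice the overlay from the offset the report gives (1FA00) to end of file and pass those bytes to triage_overlay(). In a repackaged installer the things to flag are a RunProgram or ExecuteFile/ExecuteParameters pair that launches something other than the extracted setup program (a script interpreter, a path outside the extraction directory), and a payload that is not a 7z archive at all.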
Extra Analysis
Metric Value Percentage
Ascii Code 2527907 68.3992%
Null Byte Code 35646 0.9645%
NOP Cave Found 0x9090909090 Block Count: 124 | Total: 0.0084% (five-byte NOP runs at 124 places; at this volume they are ordinary alignment padding, not a usable code cave)