PESCAN.IO - Analysis Report

File Structure:
Analysis Image
Information:
Size: 2,12 MB
SHA-256 Hash: 7B9BD343D47DFCC9CCFCA72362B2D77DE49CE4A1C16A514319AF20E816610254
SHA-1 Hash: 8349D523E7D4F7E5B31AE732DEEC30B1424BA6A8
MD5 Hash: 8816A5E3065E21D4CC307B73B340917C
Imphash: F1C42DB92FAA8567AD2AD34FBEFC61E1
MajorOSVersion: 6
CheckSum: 002216F2
EntryPoint (rva): 136D30
SizeOfHeaders: 400
SizeOfImage: 226000
ImageBase: 400000
Architecture: x86
ExportTable: 1FF590
ImportTable: 1FFA58
Characteristics: 102
TimeDateStamp: 6572836B
Date: 08/12/2023 2:46:03
File Type: EXE
Number Of Sections: 7
ASLR: Enabled
Section Names: .text, .rdata, .data, .didat, .tls, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows Console
UAC Execution Level Manifest: asInvoker

Sections Info:
Section Name  Flags                  ROffset  RSize   VOffset  VSize
.text         60000020 (Executable)  400      19AC00  1000     19AAEA
.rdata        40000040               19B000   65400   19C000   6520A
.data         C0000040 (Writeable)   200400   7400    202000   B038
.didat        C0000040 (Writeable)   207800   200     20E000   10
.tls          C0000040 (Writeable)   207A00   200     20F000   9
.rsrc         40000040               207C00   3E00    210000   3DAC
.reloc        42000040               20BA00   11400   214000   1134C
Description:
InternalName: wa_3rd_party_host_32.exe
OriginalFilename: libwapshost.dll
CompanyName: OPSWAT, Inc.
LegalCopyright: Copyright 2020
ProductName: libwapshost
FileVersion: 2023.12.8.243

Binder/Joiner/Crypter:
2 Executable files found

Entry Point:
Section number 1 (.text) contains the Entry Point
Information -> EntryPoint (calculated) - 136130
Code -> E856040000E988FEFFFFCCCCCCCCCCCC518D4C24042BC81BC0F7D023C88BC42500F0FFFF3BC8F2720B8BC159948B00890424
CALL 0X145B
JMP 0XE92
INT3
INT3
INT3
INT3
INT3
INT3
PUSH ECX
LEA ECX, [ESP + 4]
SUB ECX, EAX
SBB EAX, EAX
NOT EAX
AND ECX, EAX
MOV EAX, ESP
AND EAX, 0XFFFFF000
CMP ECX, EAX
BND JB 0X1034
MOV EAX, ECX
POP ECX
XCHG EAX, ESP
MOV EAX, DWORD PTR [EAX]
MOV DWORD PTR [ESP], EAX

Signatures:
Rich Signature Analyzer:
Code -> FEABA093BACACEC0BACACEC0BACACEC0AEA1CBC104CACEC0AEA1CDC1A8CACEC0246A09C0B9CACEC01794CDC1A2CACEC01794CAC19FCACEC01794CBC133CACEC0AEA1C8C1B8CACEC0AEA1CAC1A3CACEC0AEA1CFC1ABCACEC0BACACFC09ACBCEC07DBFCAC1A9CACEC00D94C6C1E9CACEC00D94CEC1BBCACEC00D9431C0BBCACEC0BACA59C0BBCACEC00D94CCC1BBCACEC052696368BACACEC0
Footprint md5 Hash -> E2B090131A54135B2977447F712CC8EB
• The Rich header apparently has not been modified
Certificate - Digital Signature:
• The file is signed and the signature is correct

Packer/Compiler:
Compiler: Microsoft Visual Studio
Detect It Easy (die)
PE: compiler: EP:Microsoft Visual C/C++(2013-2017)[EXE32]
PE: compiler: Microsoft Visual C/C++(2015 v.14.0)[-]
PE: linker: Microsoft Linker(14.0, Visual Studio 2015 14.0*)[EXE32,console,signed]
PE: Sign tool: Windows Authenticode(2.0)[PKCS 7]
Entropy: 6.62509

Suspicious Functions:
Library Function Description
KERNEL32.DLL GetProcAddress (Possible Call API By Name) Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL CreateMutexA Create a named or unnamed mutex object for controlling access to a shared resource.
KERNEL32.DLL CreateMutexW Create a named or unnamed mutex object for controlling access to a shared resource.
KERNEL32.DLL VirtualAlloc Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL GetModuleHandleA Retrieves a handle to the specified module.
KERNEL32.DLL CopyFileW Copies an existing file to a new file.
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL LoadLibraryA Loads the specified module into the address space of the calling process.
KERNEL32.DLL LoadLibraryW Loads the specified module into the address space of the calling process.
KERNEL32.DLL CreateToolhelp32Snapshot Creates a snapshot of the specified processes, heaps, threads, and modules.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL CreateFileA Creates or opens a file or I/O device.
KERNEL32.DLL DeleteFileA Deletes an existing file.
KERNEL32.DLL IsDebuggerPresent Determines if the calling process is being debugged by a user-mode debugger.
Windows REG (UNICODE):
Software\Classes\CLSID\{86E8C5B0-75B6-4ff2-B04F-6789CC7AE386}\Path
SOFTWARE\Avira\AntiVir Desktop
SOFTWARE\Avira\AntiVir Workstation
SOFTWARE\Avira\AntiVir Server
SOFTWARE\ComputerAssociates\Anti-Virus Plus
SOFTWARE\Eset\ESET Security\CurrentVersion\Info
SOFTWARE\GFI Software\VIPRE Antivirus
Software\VIPRE Antivirus
SOFTWARE\GFI Software\VIPRE Internet Security
Software\VIPRE Internet Security
SOFTWARE\GFI Software\VIPRE Business Agent
Software\VIPRE Business Agent
SOFTWARE\GFI Software\GFI Business Agent
Software\GFI Business Agent
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired\
SOFTWARE\Quick Heal\
SOFTWARE\Norton\SecurityStatusSDK\
SOFTWARE\VIPRE Business Agent
SOFTWARE\VIPRE Internet Security
SOFTWARE\VIPRE Antivirus
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SCANNER.EXE
SYSTEM\CurrentControlSet\Services\wuauserv
SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update

File Access:
wa_3rd_party_host_32.exe
mscoree.dll
libwapshost.dll
WININET.dll
SHLWAPI.dll
VERSION.dll
OLEAUT32.dll
ole32.dll
ADVAPI32.dll
USER32.dll
KERNEL32.dll
wevtapi.dll
.txt
Temp

File Access (UNICODE):
libwapshost.dll
pExecutionResourcecombase.dll
mscoree.dll
GetRequestedRuntimeInfomscoree.dll
AVWKS_Procwksstats.dll
MalwareAPI.dll
vete.dll
a2framework.dll
a2engine.dll
bdcore.dll
SBTE.dll
%WINDIR%\System32\wscapi.dll
GetHealthStatus] not found wscapi.dll
Kernel32.dll
UpdatesDeployment.dll
%WINDIR%\System32\CCM\UpdatesDeployment.dll
%WINDIR%\CCM\UpdatesDeployment.dll
libwaremoval.dll
kernel32.dll
QHInitiateFullScanopswatai.dll
\Windows\system32\Taskkill.exe
wa_3rd_party_host_32.exe
\Windows\system32\timeout.exe
VMWindow.exe
\Windows\system32\VMWindow.exe
vmwindow.exe
cmd.exe
\System32\cmd.exe
powershell.exe
SBAMCommandLineScanner.exe
0\powershell.exe
*.txt
%PROGRAMDATA%\CA\Consumer\CCube\ccupdatelog.txt
a2settings.ini
Exec - cmd.exe /s /c ""
Exec - powershell.exe
Exec - powershell.exe
Temp
WinDir
AppData

SQL Queries:
Select 1 FROM "%w".sqlite_master WHERE name NOT LIKE 'sqliteX_%%' ESCAPE 'X' AND sql NOT LIKE 'create virtual%%' AND sqlite_rename_test(%Q, sql, type, name, %d, %Q, %d)=NULL
Select 1 FROM temp.sqlite_master WHERE name NOT LIKE 'sqliteX_%%' ESCAPE 'X' AND sql NOT LIKE 'create virtual%%' AND sqlite_rename_test(%Q, sql, type, name, 1, %Q, %d)=NULL
Select raise(ABORT,%Q) FROM "%w"."%w"
Select CASE WHEN quick_check GLOB 'CHECK*' THEN raise(ABORT,'CHECK constraint failed') ELSE raise(ABORT,'NOT NULL constraint failed') END FROM pragma_quick_check(%Q,%Q) WHERE quick_check GLOB 'CHECK*' OR quick_check GLOB 'NULL*'
Select tbl,idx,stat FROM %Q.sqlite_stat1
Select sql FROM "%w".sqlite_schema WHERE type='index'
Insert into %Q.sqlite_master VALUES('index',%Q,%Q,%d,%Q);
Insert into generated column "%s"
Insert into %Q.sqlite_master VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
Insert into vacuum_db.'||quote(name)||' SELECT*FROM"%w".'||quote(name)FROM vacuum_db.sqlite_schema WHERE type='table'AND coalesce(rootpage,1)>0
Insert into vacuum_db.sqlite_schema SELECT*FROM "%w".sqlite_schema WHERE type IN('view','trigger') OR(type='table'AND rootpage=0)
Drop table to delete table %s
Select UpdateId from CCM_TargetedUpdateEx1 where UpdateState = 0
Select UpdateId from CCM_TargetedUpdateEx1 where UpdateState = 1
Select * from CCM_UpdateStatus
Select * from CCM_SoftwareUpdate
Select * from CCM_SoftwareUpdate
Select * FROM virus_protection ORDER BY sr_no ASCREPORT\reports.dbreport_filenamereport_typeincident_dateinfected_filenamevirus_action
Select ExecutablePath,ProcessId,CommandLine from Win32_Process
Select CommandLine from Win32_Process where CommandLine like "%%"

Words of Interest:
Virus
PADDINGX
Encrypt
Encryption
<title
exec
createobject
powershell
attrib
start
systeminfo
bginfo
ping
expand
replace

Words of Interest (UNICODE):
Virus
Spam
taskkill
Encrypt
Encryption
<title
exec
powershell
taskkill
start
pause
regedit
systeminfo
ping

Anti-VM/Sandbox/Debug Tricks (UNICODE):
LabTools - regedit

URLs:
http://www.w3.org/2000/09/xmldsig
http://www.w3.org/2001/10/xml-exc-c14nWithComments
http://www.w3.org/2001/04/xmldsig-morersa-sha512
http://www.w3.org/2000/09/xmldsigenveloped-signature
http://www.w3.org/2000/09/xmldsigsha1
http://crl3.digicert.com/sha2-assured-cs-g1.crl
http://crl4.digicert.com/sha2-assured-cs-g1.crl
http://www.digicert.com/CPS0
http://ocsp.digicert.com
http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
http://crl3.digicert.com/DigiCertTrustedRootG4.crl
http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
https://www.digicert.com/CPS0

Payloads:
Unusual BP Cave > 15 Bytes - (0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...)
Possible Metasploit Payload - MSFPayload Generate (Detection with heuristic methods)

IP Addresses:
127.0.0.1

PE Carving:
Start Offset Header End Offset Size (Bytes)
0 207CE8 207CE8
207CE8 21F158 17470
Strings/Hex Code Found With The File Rules:
Rule Text (Ascii): Unicode escape - \u00 - (Common Unicode escape sequences)
Rule Text (Ascii): WinAPI Sockets (bind)
Rule Text (Unicode): WinAPI Sockets (listen)
Rule Text (Ascii): WinAPI Sockets (connect)
Rule Text (Unicode): WinAPI Sockets (connect)
Rule Text (Ascii): WinAPI Sockets (send)
Rule Text (Unicode): WinAPI Sockets (send)
Rule Text (Ascii): Registry (RegOpenKeyEx)
Rule Text (Ascii): File (GetTempPath)
Rule Text (Ascii): File (CopyFile)
Rule Text (Ascii): File (CreateFile)
Rule Text (Ascii): File (WriteFile)
Rule Text (Ascii): File (ReadFile)
Rule Text (Ascii): Service (OpenSCManager)
Rule Text (Ascii): Encryption (FromBase64String)
Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent)
Rule Text (Ascii): Anti-Analysis VM (GetSystemInfo)
Rule Text (Ascii): Anti-Analysis VM (GetVersion)
Rule Text (Ascii): Anti-Analysis VM (CreateToolhelp32Snapshot)
Rule Text (Ascii): Stealth (VirtualAlloc)
Rule Text (Ascii): Stealth (VirtualProtect)
Rule Text (Ascii): Execution (CreateProcessW)
Rule Text (Unicode): Execution (ShellExecute)
Rule Text (Unicode): Antivirus Software (defender)
Rule Text (Ascii): Antivirus Software (Symantec)
Rule Text (Unicode): Antivirus Software (Symantec)
Rule Text (Unicode): Antivirus Software (Norton)
Rule Text (Unicode): Privileges (SeBackupPrivilege)
Rule Text (Ascii): Stealer malware focused on obtaining CVV codes to conduct unauthorized transactions (CVV)
Rule Text (Ascii): Software that records user activity (Logger)
Rule Text (Ascii): Malicious rerouting of traffic to an attacker-controlled site (Redirect)
Rule Text (Unicode): Technique used to circumvent security measures (Bypass)
EP Rules: Microsoft Visual C++ 8
EP Rules: Microsoft Visual C++ 8
EP Rules: VC8 -> Microsoft Corporation

Resources:
Path DataRVA Size FileOffset CodeTextPE/Payload
\RCDATA\102\1033 2100E8 3800 207CE8 4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000MZ......................@.........................(Executable found)
\VERSION\1\1033 2138E8 344 20B4E8 440334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000C00D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\1033 213C2C 17D 20B82C 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779<?xml version='1.0' encoding='UTF-8' standalone='y
Intelligent String:
• wa_3rd_party_host_32.exe
• 1.0.0.0
• libwapshost.dll
• .txt
• v4Debug.dat
• .tls
• uSO
• wevtapi.dll
• combase.dll
• advapi32.dll
• WLC_ALL
• mscoree.dll
• ?KERNEL32.DLL
• \u0009
• \u00
• \u0000
• v4DebugInfo_wa_3rd_party_host_32.log
• C:\Windows
• \System32\WindowsPowerShell\v1.0\powershell.exe
• AVG2013\log\history.xml
• AVG2014\log\history.xml
• AVG2015\log\history.xml
• Avg\log\AV16\history.xml
• wksstats.dll
• <?xml version="1.0" encoding="UTF-8" standalone="no" ?><enabledScanType value="0"><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig">
• <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14nWithComments"
• <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-morersa-sha512"
• <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsigenveloped-signature"
• <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsigsha1"
• vete.dll
• %PROGRAMDATA%\CA\Consumer\CCube\ccupdatelog.txt
• a2framework.dll
• C:\Program Files\Emsisoft Anti-Malware\a2settings.ini
• a2engine.dll
• bdcore.dll
• a2settings.ini
• warnlog.dat
• :.RTP
• spamlog.dat
• virlog.dat
• *.txt
• SBTE.dll
• SBAMCommandLineScanner.exe
• 127.0.0.1
• opswat_gfi_languard_missing_patches.xml
• MpCmdRun.log
• %WINDIR%\System32\wscapi.dll
• technet.microsoft.com
• www.catalog.update.microsoft.com
• Kernel32.dll
• UpdatesDeployment.dll
• %WINDIR%\System32\CCM\UpdatesDeployment.dll
• %WINDIR%\CCM\UpdatesDeployment.dll
• powershell.exe
• wsusscn2.cab
• \System32\cmd.exe
• libwaremoval.dll
• .reg
• cmd.exe /S /C ""
• kernel32.dll
• vmwindow.exe
• C:\Windows\system32\VMWindow.exe
• "VMWindow.exe" -file "
• C:\Windows\system32\timeout.exe
• C:\Windows\system32\Taskkill.exe
• "C:\Windows\system32\Taskkill.exe" /PID
• opswatai.dll
• SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SCANNER.EXE
• SCANAPI.DLL
• wa_3rd_party_host_32.pdb
• .bss
• ADVAPI32.dll
• +v4DebugInfo_ps_32.log
• +v4DebugInfo_ps_64.log
• C:\buildagent\work\e92649e6840d750\additions\libwapshost\obj\x86\Release_static\libwapshost.pdb\N
• _CorDllMainmscoree.dll
• H0F08
• https://www.digicert.com/CPS0
• :060U00Uq]dL.g?O0U0E1-Q!m0U0y+m0k0$+0http://ocsp.digicert.com0C+07http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0EU>0<0:864http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0U

Extra 4n4lysis:
Metric Value Percentage
Ascii Code 1282140 57,6379%
Null Byte Code 348602 15,6712%