PESCAN.IO - Analysis Report Basic

File Structure
PE Chart Code (legend for the file-structure chart)

- Executable header (light blue)
- Executable sections (pink)
- Non-executable sections (black)
- External injected code (red)
- File Structure shown in red = malformed or corrupted header

Chart Code For Other Files

- Printable characters (blue)
- Non-printable characters (black)
Information

| Field | Value |
|---|---|
| Size | 58,16 KB |
| SHA-256 Hash | 5453C9BA6FCE381D01C6AAC62261CE68A6CA5BE3AEE0470A8C6B40C89D688F48 |
| SHA-1 Hash | 7DB45D5192F269A4F7137ABE716961B14C41D551 |
| MD5 Hash | 8D8A6418ED207982FA5BB4827B31E5A6 |
| Imphash | B006D014A69659E856D66F886422AB91 |
| MajorOSVersion | 5 |
| MinorOSVersion | 1 |
| CheckSum | 0000F37C |
| EntryPoint (rva) | 2225 |
| SizeOfHeaders | 400 |
| SizeOfImage | 11000 |
| ImageBase | 10000000 |
| Architecture | x86 |
| ExportTable | B580 |
| ImportTable | AEA4 |
| IAT | 9000 |
| Characteristics | 2102 |
| TimeDateStamp | 50CB9C06 |
| Date | 14/12/2012 21:37:10 |
| File Type | DLL |
| Number Of Sections | 5 |
| ASLR | Disabled |
| Section Names | .text, .rdata, .data, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| UAC Execution Level Manifest | asInvoker |
Sections Info
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 400 | 7C00 | 1000 | 7A8A | 6,4654 | 215809,16 |
| .rdata | 40000040 (Initialized Data, Readable) | 8000 | 2A00 | 9000 | 285A | 4,8646 | 474673,48 |
| .data | C0000040 (Initialized Data, Readable, Writeable) | AA00 | E00 | C000 | 2CE8 | 2,2540 | 521564,14 |
| .rsrc | 40000040 (Initialized Data, Readable) | B800 | 200 | F000 | 1B4 | 5,1050 | 5214,00 |
| .reloc | 42000040 (Initialized Data, GP-Relative, Readable) | BA00 | E00 | 10000 | CA6 | 4,5837 | 197630,29 |
Entry Point

Section 1 (.text) contains the entry point. EntryPoint (calculated file offset): 1625

Code bytes at the entry point: 8BFF558BEC837D0C017505E88A290000FF75088B4D108B550CE8ECFEFFFF595DC20C00B858C00010C3A1E0EC0010566A145E

Disassembly:

- MOV EDI, EDI
- PUSH EBP
- MOV EBP, ESP
- CMP DWORD PTR [EBP + 0XC], 1
- JNE 0X1010
- CALL 0X399A
- PUSH DWORD PTR [EBP + 8]
- MOV ECX, DWORD PTR [EBP + 0X10]
- MOV EDX, DWORD PTR [EBP + 0XC]
- CALL 0XF0A
- POP ECX
- POP EBP
- RET 0XC
- MOV EAX, 0X1000C058
- RET
- MOV EAX, DWORD PTR [0X1000ECE0]
- PUSH ESI
- PUSH 0X14
- POP ESI
Signatures

Rich Signature Analyzer:

- Code: ACB274ECE8D31ABFE8D31ABFE8D31ABF87A584BFE6D31ABF87A5B0BFB0D31ABFE1AB89BFEFD31ABFE8D31BBFB9D31ABF87A5B1BFF1D31ABF87A581BFE9D31ABF87A587BFE9D31ABF52696368E8D31ABF
- Footprint md5 Hash: 77CA1AB0B7D679228AFEB3E30490E0EB
- The Rich header apparently has not been modified

Certificate - Digital Signature:

- The file is signed and the signature is correct
Packer/Compiler

Detect It Easy (die):

- PE: compiler: EP:Microsoft Visual C/C++(2008-2010)[DLL32]
- PE: compiler: Microsoft Visual C/C++(2010)[msvcrt]
- PE: linker: Microsoft Linker(10.0)[-]
- PE: Sign tool: Windows Authenticode(2.0)[PKCS 7]
- Entropy: 6.38281
Suspicious Functions
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleFileNameA | Retrieves the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
ET Functions (carving)

Original Name -> TIHera.dll

- ??0CTIHera@@QAE@XZ
- ??4CTIHera@@QAEAAV0@ABV0@@Z
- ?fnTIHera@@YAHXZ
- ?nTIHera@@3HA
- Hera_CloseUsbDevice
- Hera_ForceInstall
- Hera_Install
- Hera_Install_ti_driver
- Hera_OpenUsbDevice
- Hera_ReadI2C
- Hera_ReadI2CWord
- Hera_ReadPort
- Hera_Read_I2C_ToBuffer
- Hera_Read_SPI_DWORD
- Hera_Read_Word_FromBuffer
- Hera_SetI2CDeviceAddress
- Hera_SetI2CHWAddress
- Hera_WriteI2C
- Hera_WriteI2CWord
- Hera_WritePort
- Hera_Write_I2C_FromBuffer
- Hera_Write_SPI_DWORD
- Hera_Write_Word_ToBuffer
File Access

TIHera.dll USER32.dll KERNEL32.dll SETUPAPI.dll @.dat Temp

File Access (UNICODE)

GetLastActivePopupGetActiveWindowMessageBoxWUSER32.DLL KERNEL32.DLL CorExitProcessmscoree.dll Temp
Words of Interest

PADDINGX exec start ping
URLs

- http://ocsp.thawte.com
- http://crl.thawte.com/ThawteTimestampingCA.crl
- http://ts-ocsp.ws.symantec.com
- http://ts-aia.ws.symantec.com/tss-ca-g2.cer
- http://ts-crl.ws.symantec.com/tss-ca-g2.crl
- http://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl
- http://csc3-2010-crl.verisign.com/CSC3-2010.crl
- http://ocsp.verisign.com
- http://csc3-2010-aia.verisign.com/CSC3-2010.cer
- http://logo.verisign.com/vslogo.gif04
- http://crl.verisign.com/pca3-g5.crl
- https://www.verisign.com/rpa
- https://www.verisign.com/rpa0
- https://www.verisign.com/cps0*
- https://www.verisign.com/rpa0
Strings/Hex Code Found With The File Rules
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Antivirus Software (Symantec) |
Resources
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \24\2\1033 | F058 | 15A | B858 | 3C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122 | <assembly xmlns="urn:schemas-microsoft-com:asm.v1" |
Intelligent String

- %s\TiHera.inf
- mscoree.dll
- KERNEL32.DLL
- SETUPAPI.dll
Flow Anomalies

| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 462 | 10009118 | .text | CALL [static] | Indirect call to absolute memory address |
| 48C | 10009118 | .text | CALL [static] | Indirect call to absolute memory address |
| 4DD | 10009008 | .text | CALL [static] | Indirect call to absolute memory address |
| 58F | 10009108 | .text | CALL [static] | Indirect call to absolute memory address |
| 599 | 1000900C | .text | CALL [static] | Indirect call to absolute memory address |
| 5C4 | 10009120 | .text | CALL [static] | Indirect call to absolute memory address |
| 66F | 10009108 | .text | CALL [static] | Indirect call to absolute memory address |
| 679 | 1000900C | .text | CALL [static] | Indirect call to absolute memory address |
| 6A4 | 10009120 | .text | CALL [static] | Indirect call to absolute memory address |
| 6CB | 10009120 | .text | CALL [static] | Indirect call to absolute memory address |
| 717 | 1000910C | .text | CALL [static] | Indirect call to absolute memory address |
| 79C | 1000900C | .text | CALL [static] | Indirect call to absolute memory address |
| 822 | 10009108 | .text | CALL [static] | Indirect call to absolute memory address |
| 82C | 1000900C | .text | CALL [static] | Indirect call to absolute memory address |
| 857 | 10009120 | .text | CALL [static] | Indirect call to absolute memory address |
| 864 | 10009114 | .text | CALL [static] | Indirect call to absolute memory address |
| 893 | 10009114 | .text | CALL [static] | Indirect call to absolute memory address |
| 8E0 | 1000910C | .text | CALL [static] | Indirect call to absolute memory address |
| 933 | 10009110 | .text | CALL [static] | Indirect call to absolute memory address |
| 957 | 10009114 | .text | CALL [static] | Indirect call to absolute memory address |
| 97D | 1000900C | .text | CALL [static] | Indirect call to absolute memory address |
| 995 | 10009114 | .text | CALL [static] | Indirect call to absolute memory address |
| 9CA | 1000900C | .text | CALL [static] | Indirect call to absolute memory address |
| A3B | 10009010 | .text | CALL [static] | Indirect call to absolute memory address |
| A87 | 10009014 | .text | CALL [static] | Indirect call to absolute memory address |
| B18 | 10009014 | .text | CALL [static] | Indirect call to absolute memory address |
| C08 | 10009014 | .text | CALL [static] | Indirect call to absolute memory address |
| C55 | 10009014 | .text | CALL [static] | Indirect call to absolute memory address |
| EA8 | 10009014 | .text | CALL [static] | Indirect call to absolute memory address |
| FAF | 10009014 | .text | CALL [static] | Indirect call to absolute memory address |
| 100F | 10009014 | .text | CALL [static] | Indirect call to absolute memory address |
| 1055 | 10009014 | .text | CALL [static] | Indirect call to absolute memory address |
| 10AA | 10009014 | .text | CALL [static] | Indirect call to absolute memory address |
| 1193 | 10009020 | .text | CALL [static] | Indirect call to absolute memory address |
| 11A5 | 1000900C | .text | CALL [static] | Indirect call to absolute memory address |
| 11FC | 10009024 | .text | CALL [static] | Indirect call to absolute memory address |
| 135D | 10009028 | .text | CALL [static] | Indirect call to absolute memory address |
| 13A0 | 1000900C | .text | CALL [static] | Indirect call to absolute memory address |
| 13B8 | 1000900C | .text | CALL [static] | Indirect call to absolute memory address |
| 1404 | 10009034 | .text | CALL [static] | Indirect call to absolute memory address |
| 14E9 | 10009030 | .text | CALL [static] | Indirect call to absolute memory address |
| 14FE | 1000902C | .text | CALL [static] | Indirect call to absolute memory address |
| 1757 | 10009038 | .text | CALL [static] | Indirect call to absolute memory address |
| 178A | 10009038 | .text | CALL [static] | Indirect call to absolute memory address |
| 17C6 | 1000903C | .text | CALL [static] | Indirect call to absolute memory address |
| 17F5 | 1000903C | .text | CALL [static] | Indirect call to absolute memory address |
| 26A0 | 10009048 | .text | CALL [static] | Indirect call to absolute memory address |
| 26AA | 10009044 | .text | CALL [static] | Indirect call to absolute memory address |
| 26B7 | 10009040 | .text | CALL [static] | Indirect call to absolute memory address |
| 26F5 | 10009054 | .text | CALL [static] | Indirect call to absolute memory address |
| 26FC | 10009050 | .text | CALL [static] | Indirect call to absolute memory address |
| 270F | 10009030 | .text | CALL [static] | Indirect call to absolute memory address |
| 293A | 1000DCD8 | .text | CALL [static] | Indirect call to absolute memory address |
| 29C8 | 10009058 | .text | CALL [static] | Indirect call to absolute memory address |
| 29E3 | 1000905C | .text | CALL [static] | Indirect call to absolute memory address |
| 29FB | 10009064 | .text | CALL [static] | Indirect call to absolute memory address |
| 2A0B | 10009060 | .text | CALL [static] | Indirect call to absolute memory address |
| 2A2D | 10009068 | .text | CALL [static] | Indirect call to absolute memory address |
| 2ABD | 1000DCD0 | .text | CALL [static] | Indirect call to absolute memory address |
| 2B2A | 1000DCD4 | .text | CALL [static] | Indirect call to absolute memory address |
| 2D79 | 10009074 | .text | CALL [static] | Indirect call to absolute memory address |
| 2E2B | 10009070 | .text | CALL [static] | Indirect call to absolute memory address |
| 2E77 | 1000906C | .text | CALL [static] | Indirect call to absolute memory address |
| 2EDF | 10009030 | .text | CALL [static] | Indirect call to absolute memory address |
| 311B | 10009048 | .text | CALL [static] | Indirect call to absolute memory address |
| 3130 | 10009044 | .text | CALL [static] | Indirect call to absolute memory address |
| 313B | 10009040 | .text | CALL [static] | Indirect call to absolute memory address |
| 3157 | 10009054 | .text | CALL [static] | Indirect call to absolute memory address |
| 315E | 10009050 | .text | CALL [static] | Indirect call to absolute memory address |
| 31A9 | 10009024 | .text | CALL [static] | Indirect call to absolute memory address |
| 31EA | 1000904C | .text | CALL [static] | Indirect call to absolute memory address |
| 31F1 | 10009078 | .text | CALL [static] | Indirect call to absolute memory address |
| 3203 | 1000907C | .text | CALL [static] | Indirect call to absolute memory address |
| 3215 | 10009030 | .text | CALL [static] | Indirect call to absolute memory address |
| 3224 | 10009080 | .text | CALL [static] | Indirect call to absolute memory address |
| 323F | 10009030 | .text | CALL [static] | Indirect call to absolute memory address |
| 3259 | 10009084 | .text | CALL [static] | Indirect call to absolute memory address |
| 327C | 10009064 | .text | CALL [static] | Indirect call to absolute memory address |
| 32BD | 10009088 | .text | CALL [static] | Indirect call to absolute memory address |
| 3323 | 1000900C | .text | CALL [static] | Indirect call to absolute memory address |
| 335F | 10009030 | .text | CALL [static] | Indirect call to absolute memory address |
| 3375 | 1000902C | .text | CALL [static] | Indirect call to absolute memory address |
| 338D | 1000908C | .text | CALL [static] | Indirect call to absolute memory address |
| 3450 | 10009090 | .text | CALL [static] | Indirect call to absolute memory address |
| 352A | 10009030 | .text | CALL [static] | Indirect call to absolute memory address |
| 3547 | 10009080 | .text | CALL [static] | Indirect call to absolute memory address |
| 3557 | 10009064 | .text | CALL [static] | Indirect call to absolute memory address |
| 35F0 | 10009078 | .text | CALL [static] | Indirect call to absolute memory address |
| 36AF | 1000902C | .text | CALL [static] | Indirect call to absolute memory address |
| 36EB | 10009094 | .text | CALL [static] | Indirect call to absolute memory address |
| 3737 | 10009094 | .text | CALL [static] | Indirect call to absolute memory address |
| 3785 | 10009094 | .text | CALL [static] | Indirect call to absolute memory address |
| 37B6 | 100090A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 38E9 | 100090A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 391F | 1000909C | .text | CALL [static] | Indirect call to absolute memory address |
| 3973 | 10009070 | .text | CALL [static] | Indirect call to absolute memory address |
| 3985 | 100090A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 39B3 | 1000909C | .text | CALL [static] | Indirect call to absolute memory address |
| 39DC | 10009098 | .text | CALL [static] | Indirect call to absolute memory address |
| 3A11 | 100090A8 | .text | CALL [static] | Indirect call to absolute memory address |
| C800 | N/A | *Overlay* | A0200000000202003082209306092A864886F70D | . ......0. ...*.H... |
Extra Analysis
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 31889 | 53,5482% |
| Null Byte Code | 13397 | 22,4963% |