PESCAN.IO - Analysis Report (Valid Code)
File Structure: (section layout image not preserved; the Sections Info table below carries the same data)
Information:
• Size: 60.00 KB (61,440 bytes)
• SHA-256: D3B437EBE0504F8FF71D2025FAABF84119C9AACCB38F34D4130F7C633CE4B37F
• SHA-1: EA6EB41D6F0CC4BD7BD5349D3009D21A4AFC3DF1
• MD5: 8B9178700E6738AEB688A3F6AE28F02E
• Imphash: D83BFC9D89F2C92A7C8E032A69AF1862
• MajorOSVersion: 4
• CheckSum (header): 000173A0
• EntryPoint (RVA): 1350
• SizeOfHeaders: 400
• SizeOfImage: 18000
• ImageBase: 0000000062740000
• Architecture: x64 (PE32+)
• ExportTable (RVA): 12000
• ImportTable (RVA): 13000
• Characteristics: 222E (EXECUTABLE_IMAGE | LINE_NUMS_STRIPPED | LOCAL_SYMS_STRIPPED | LARGE_ADDRESS_AWARE | DEBUG_STRIPPED | DLL)
• TimeDateStamp: 5F7684EA = 2020-10-02 01:39:54 UTC (the tool's "02/10/2020 1:39:54" is day/month/year)
• File Type: DLL
• Number Of Sections: 11
• ASLR: Disabled (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE not set). A .reloc section is present, so the loader can still relocate the image if the preferred base 0x62740000 is taken, but the base is never randomized.
• Section Names (from the section table, not the optional header): .text, .data, .rdata, .pdata, .xdata, .bss, .edata, .idata, .CRT, .tls, .reloc
• Number Of Executable Sections: 1
• Subsystem: Windows GUI
• Tool flag: "Incomplete Binary or Compressor Packer - 36.00 KB Missing". This figure is SizeOfImage (0x18000 = 96 KB) minus the file size (60 KB). SizeOfImage is the virtual mapping size and includes .bss and section-alignment padding that never exist on disk, so the comparison is meaningless. The last section on disk (.reloc) ends at raw offset 0xEE00 + 0x200 = 0xF000 = 61,440 bytes, which is the file size, so no section data is missing and the flag is a false positive.
Sections Info: |
Section Name | Flags (hex; section Characteristics) | Raw Offset (hex) | Raw Size (hex) | Virtual Offset / RVA (hex) | Virtual Size (hex)
---|---|---|---|---|---
.text | 60500060 (Executable) | 400 | 8C00 | 1000 | 8AD8 |
.data | C0600040 (Writeable) | 9000 | 800 | A000 | 6B0 |
.rdata | 40600040 | 9800 | 3200 | B000 | 30B0 |
.pdata | 40300040 | CA00 | 600 | F000 | 5A0 |
.xdata | 40300040 | D000 | 600 | 10000 | 5CC |
.bss | C0600080 (Writeable) | 0 | 0 | 11000 | B50 |
.edata | 40300040 | D600 | 200 | 12000 | B8 |
.idata | C0300040 (Writeable) | D800 | 1200 | 13000 | 1090 |
.CRT | C0400040 (Writeable) | EA00 | 200 | 15000 | 58 |
.tls | C0400040 (Writeable) | EC00 | 200 | 16000 | 10 |
.reloc | 42300040 | EE00 | 200 | 17000 | 170 |
Entry Point:
Section 1 (.text) contains the entry point. EntryPoint RVA 0x1350 maps to file offset 0x750 (0x1350 - .text VOffset 0x1000 + .text ROffset 0x400). Code bytes at that offset: 4883EC48488B05F5CC0000C7000000000083FA01740A4883C448E991FEFFFF904C894424388954243448894C2428E86D7100
Disassembly as emitted by the tool:
• SUB RSP, 0x48
• MOV RAX, QWORD PTR [RIP + 0xCCF5]
• MOV DWORD PTR [RAX], 0
• CMP EDX, 1
• JE 0x1020
• ADD RSP, 0x48
• JMP 0xEB0
• NOP
• MOV QWORD PTR [RSP + 0x38], R8
• MOV DWORD PTR [RSP + 0x34], EDX
• MOV QWORD PTR [RSP + 0x28], RCX
Caveat: the branch targets were computed with the code placed at 0x1000, not at its real RVA 0x1350 (JE +0x0A from 0x1016 gives 0x1020 and JMP -0x16F from 0x101F gives 0xEB0 only under that assumption). Rebased by +0x350, the real targets are JE 0x1370 and JMP 0x1200. The trailing bytes E86D7100 are the start of a CALL whose rel32 displacement is cut off by the dump.
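The three header checks above (RVA-to-file-offset mapping, the "incomplete binary" size comparison, and the checksum, characteristics and timestamp fields) can be re-derived from the printed values. The following Python is an added example for this page, not PESCAN.IO code: the section table and header fields are transcribed from the report, the branch-target rebase assumes the disassembler base of 0x1000 inferred above, and the checksum routine is exercised on constructed byte buffers because the sample itself is not available here.

```python
"""Re-derive the PE header checks in this report from the printed values (added example)."""
from datetime import datetime, timezone

# (name, raw offset, raw size, virtual offset / RVA, virtual size), transcribed from the report.
SECTIONS = [
    (".text",  0x0400, 0x8C00, 0x01000, 0x8AD8),
    (".data",  0x9000, 0x0800, 0x0A000, 0x06B0),
    (".rdata", 0x9800, 0x3200, 0x0B000, 0x30B0),
    (".pdata", 0xCA00, 0x0600, 0x0F000, 0x05A0),
    (".xdata", 0xD000, 0x0600, 0x10000, 0x05CC),
    (".bss",   0x0000, 0x0000, 0x11000, 0x0B50),   # zero raw size: exists only in memory
    (".edata", 0xD600, 0x0200, 0x12000, 0x00B8),
    (".idata", 0xD800, 0x1200, 0x13000, 0x1090),
    (".CRT",   0xEA00, 0x0200, 0x15000, 0x0058),
    (".tls",   0xEC00, 0x0200, 0x16000, 0x0010),
    (".reloc", 0xEE00, 0x0200, 0x17000, 0x0170),
]
ENTRY_POINT_RVA = 0x1350
SIZE_OF_IMAGE = 0x18000
FILE_SIZE = 61440            # "60,00 KB" in the report
CHARACTERISTICS = 0x222E
TIME_DATE_STAMP = 0x5F7684EA
DISASM_BASE = 0x1000         # assumed: the base the report's disassembler evidently used

IMAGE_FILE_CHARACTERISTICS = {   # IMAGE_FILE_HEADER.Characteristics bits (ASLR is NOT here)
    0x0001: "IMAGE_FILE_RELOCS_STRIPPED", 0x0002: "IMAGE_FILE_EXECUTABLE_IMAGE",
    0x0004: "IMAGE_FILE_LINE_NUMS_STRIPPED", 0x0008: "IMAGE_FILE_LOCAL_SYMS_STRIPPED",
    0x0010: "IMAGE_FILE_AGGRESSIVE_WS_TRIM", 0x0020: "IMAGE_FILE_LARGE_ADDRESS_AWARE",
    0x0080: "IMAGE_FILE_BYTES_REVERSED_LO", 0x0100: "IMAGE_FILE_32BIT_MACHINE",
    0x0200: "IMAGE_FILE_DEBUG_STRIPPED", 0x0400: "IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP",
    0x0800: "IMAGE_FILE_NET_RUN_FROM_SWAP", 0x1000: "IMAGE_FILE_SYSTEM",
    0x2000: "IMAGE_FILE_DLL", 0x4000: "IMAGE_FILE_UP_SYSTEM_ONLY",
    0x8000: "IMAGE_FILE_BYTES_REVERSED_HI",
}

def rva_to_offset(rva, sections=SECTIONS):
    """Map an RVA to a raw file offset via the section whose virtual range contains it.
    max(VSize, RSize) is used because a section's file data may extend past its VSize."""
    for _name, roff, rsize, voff, vsize in sections:
        if rsize == 0:
            continue                      # .bss-style sections have no bytes on disk
        if voff <= rva < voff + max(vsize, rsize):
            return rva - voff + roff
    raise ValueError(f"RVA {rva:#x} is not backed by file data")

def raw_data_end(sections=SECTIONS):
    """End of the last section's raw data: the minimum size of a complete image file
    (an overlay or Authenticode certificate may legitimately follow it)."""
    return max(roff + rsize for _n, roff, rsize, _v, _vs in sections)

def file_is_truncated(file_size, sections=SECTIONS):
    """The correct 'incomplete binary' test. Comparing file size with SizeOfImage, as the
    report's 'missing KB' figure does, counts virtual-only padding and .bss as missing."""
    return file_size < raw_data_end(sections)

def decode_characteristics(value):
    return [name for bit, name in sorted(IMAGE_FILE_CHARACTERISTICS.items()) if value & bit]

def decode_timestamp(stamp):
    """TimeDateStamp is seconds since the Unix epoch, UTC."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def rebase_branch_target(target, assumed_base=DISASM_BASE, real_rva=ENTRY_POINT_RVA):
    """Shift a target printed for code disassembled at assumed_base to its real RVA."""
    return target - assumed_base + real_rva

def pe_checksum(data, checksum_field_offset):
    """Standard PE CheckSum: 16-bit word sum with carry folding, skipping the 4-byte
    CheckSum field itself, plus the original file length (same result as IMAGEHLP)."""
    length = len(data)
    if length % 2:
        data = data + b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        if checksum_field_offset <= i < checksum_field_offset + 4:
            continue
        total += data[i] | (data[i + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + length) & 0xFFFFFFFF

if __name__ == "__main__":
    print(f"entry point RVA {ENTRY_POINT_RVA:#x} -> file offset {rva_to_offset(ENTRY_POINT_RVA):#x}")
    print(f"last raw byte {raw_data_end():#x} ({raw_data_end()}) vs file size {FILE_SIZE}: "
          f"truncated={file_is_truncated(FILE_SIZE)}; SizeOfImage {SIZE_OF_IMAGE:#x} is virtual")
    print("characteristics:", ", ".join(decode_characteristics(CHARACTERISTICS)))
    print("link time:", decode_timestamp(TIME_DATE_STAMP))
    print(f"JE 0x1020 rebased -> {rebase_branch_target(0x1020):#x}")
```

Running it against a real file means reading the section table and the CheckSum field (at PE signature offset + 0x58) with a library such as pefile and passing the whole file to pe_checksum; the value it returns should be compared with the header field, exactly as the Signatures check below does.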
Signatures:
• CheckSum integrity problem: header 0x000173A0 (95,136) vs calculated 121,229. The Windows loader does not verify CheckSum for ordinary user-mode DLLs (only for drivers and certain system images), so a mismatch is weak evidence by itself; it does mean the stored value does not describe the current bytes, which happens with some toolchains and also after post-link patching.
• Certificate / digital signature: not found. The file is unsigned, so there is no publisher identity to verify.
Packer/Compiler:
• Detect It Easy (DIE): PE+ (64-bit); linker: GNU linker ld (GNU Binutils) 2.33 [DLL64]
• Entropy: 6.07548. A whole-file entropy around 6 is typical of unpacked compiled code plus data; packed or encrypted payloads usually push it above 7. Together with the one-to-one raw/virtual section layout above, no packer is indicated.
Suspicious Functions: |
Library | Function | Description |
---|---|---|
KERNEL32.DLL | CreateMutexW | Create a named or unnamed mutex object for controlling access to a shared resource. |
KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |

These four imports are common in benign code as well. The combination LoadLibraryW + GetProcAddress allows APIs to be resolved at run time, so the static import list (and therefore the Imphash) need not reflect every API the DLL actually calls; CreateMutexW is typically a single-instance guard.
Export Table (ET) Functions (carving):
Original Name -> release.dll
Exports: DllGetClassObject, DllRegisterServer, DllRegisterServerEx, DllUnregisterServer, Start
DllGetClassObject, DllRegisterServer and DllUnregisterServer are the standard exports of a self-registering COM in-process server (DllRegisterServer is the entry regsvr32 invokes); DllRegisterServerEx and Start are not standard COM export names.
File Access:
Imported modules: WS2_32.dll (Winsock), SHELL32.dll, OLEAUT32.dll, ole32.dll, msvcrt.dll, KERNEL32.dll, ADVAPI32.dll. Also carved: the DLL's own name release.dll and the string Temp (cf. the GetTempPath rule match below). Linking against msvcrt.dll is consistent with the GNU ld / MinGW-w64 toolchain identified by DIE.
Words of Interest:
attrib, start, hostname, systeminfo, expand. These are Windows command names; together with the CreateProcessW rule match below they suggest the DLL may spawn shell commands (host reconnaissance via hostname/systeminfo, file handling via attrib/expand), although the presence of the strings alone does not prove they are executed.
Strings/Hex Code Found With The File Rules:
• Rule Text (ASCII): Registry (RegOpenKeyEx)
• Rule Text (ASCII): File (GetTempPath)
• Rule Text (ASCII): File (CreateFile)
• Rule Text (ASCII): File (WriteFile)
• Rule Text (ASCII): File (ReadFile)
• Rule Text (ASCII): Anti-Analysis VM (GetSystemInfo)
• Rule Text (ASCII): Anti-Analysis VM (GlobalMemoryStatusEx)
• Rule Text (ASCII): Stealth (VirtualProtect)
• Rule Text (ASCII): Execution (CreateProcessW)
• EP Rules: Microsoft Visual C++ 8.0 (DLL)
Caveats: the two "Anti-Analysis VM" hits are API names that ordinary runtime and allocator code also uses; they are weak indicators unless the values they return are seen being compared against VM-sized thresholds. The EP rule's "Microsoft Visual C++ 8.0" conflicts with DIE's GNU ld 2.33 result; the section set (.bss, .CRT, .tls, .xdata/.pdata) and the msvcrt.dll import are characteristic of a MinGW-w64 build, so DIE's identification is the credible one and the EP signature should be treated as a false match.
Intelligent String: |
• @0@.bss • .CRT • .tls • ADVAPI32.dll • KERNEL32.dll • msvcrt.dll • ole32.dll • OLEAUT32.dll • WS2_32.dll |
Extra 4n4lysis: |
Metric | Value | Percentage |
---|---|---|
ASCII bytes | 31038 | 50.5176%
Null bytes | 16809 | 27.3584%
NOP cave (runs of 0x9090909090) | 42 blocks | 0.1709%
© 2025 All rights reserved.