PREMIUM PESCAN.IO - Analysis Report

File Structure
(Chart image not reproduced.) Legend for the PE chart: PE header (light blue); executable sections (pink); non-executable sections (black); externally injected code (red); a File Structure bar drawn in red marks a malformed or corrupted header. Legend for non-PE files: printable characters (blue); non-printable characters (black).
Information
Size: 11.43 MB
SHA-256 Hash: 9CB8AE757D4DBAD46D8AFB9DD7DBEFF52AD14E89D6E1EDED557723190B5A8B38
SHA-1 Hash: E9F54B466CFA92C3BBA4189F09B5CF7D20D9F498
MD5 Hash: 94D3BCCF8AC8F6867BC5033D4DC0F89E
Imphash: 351592D5EAD6DF0859B0CC0056827C95
MajorOSVersion: 6
MinorOSVersion: 0
CheckSum: 00B73110
EntryPoint (rva): D4A0
SizeOfHeaders: 400
SizeOfImage: 5D000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: 41AFC
IAT: 2F000
Characteristics: 22 (IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_LARGE_ADDRESS_AWARE)
TimeDateStamp: 697D4CC8
Date: 31/01/2026 0:28:56
File Type: EXE
Number Of Sections: 7
ASLR: Disabled (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE is not set, so by default the image is mapped at its preferred ImageBase 0000000140000000 even though a .reloc section is present)
Section Names (Section Table): .text, .rdata, .data, .pdata, .fptable, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows Console
UAC Execution Level Manifest: asInvoker

Sections Info
(Offsets and sizes are hexadecimal.)
Section  | Flags      | Attributes                              | ROffset | RSize | VOffset | VSize | Entropy | Chi2
.text    | 0x60000020 | Code, Executable, Readable              | 400     | 2DA00 | 1000    | 2D8A0 | 6.4766  | 1138640.58
.rdata   | 0x40000040 | Initialized Data, Readable              | 2DE00   | 13A00 | 2F000   | 1396A | 5.7641  | 2357284.59
.data    | 0xC0000040 | Initialized Data, Readable, Writeable   | 41800   | E00   | 43000   | 50B0  | 1.8214  | 589180
.pdata   | 0x40000040 | Initialized Data, Readable              | 42600   | 2600  | 49000   | 2490  | 5.3825  | 307116.84
.fptable | 0xC0000040 | Initialized Data, Readable, Writeable   | 44C00   | 200   | 4C000   | 100   | 0       | 130560
.rsrc    | 0x40000040 | Initialized Data, Readable              | 44E00   | F000  | 4D000   | EF8C  | 7.3501  | 287701.44
.reloc   | 0x42000040 | Initialized Data, Discardable, Readable | 53E00   | 800   | 5C000   | 774   | 5.2714  | 16661.25
Notes: the extra bit in the .reloc flags (0x02000000) is IMAGE_SCN_MEM_DISCARDABLE, not GP-relative (IMAGE_SCN_GPREL is 0x00008000); the original report mislabelled it. The sections are laid out contiguously on disk and the last one ends at 0x53E00 + 0x800 = 0x54600, which is where the overlay begins. Only .text is executable; .data has a VSize (50B0) much larger than its RSize (E00), i.e. most of it is zero-initialised at load time.
Binder/Joiner/Crypter
Dropper code detected (EOF) - 11.07 MB. This is data appended after the last section (an overlay) starting at file offset 0x54600 (.reloc ROffset 0x53E00 + RSize 0x800). The "dropper" label is the tool's heuristic for any large overlay. Here DIE identifies the overlay as a zlib stream, and the string sections below contain PyInstaller bootloader artefacts (base_library.zip, PYZ.pyz, %s%c%s.pkg, python314.dll), which is exactly what a PyInstaller one-file build looks like. The flag therefore does not by itself establish malicious intent; the bundled Python payload has to be extracted and reviewed to decide that.

Entry Point
The entry point lies in section 1 (.text).
Information -> EntryPoint (calculated file offset) - C8A0, i.e. RVA D4A0 - .text VOffset 1000 + .text ROffset 400.
Addresses in the listing below are relative to a notional base of 0x1000 placed at the entry point (CALL 0x1260 is rel32 0x257 from the next instruction at 0x1009), not real RVAs. The sequence SUB RSP,0x28 / CALL / ADD RSP,0x28 / JMP, followed after INT3 padding by a second routine that CALLs and TESTs a return value, is the standard MSVC x64 CRT startup stub (security-cookie initialisation, then a jump into the common main routine), consistent with the Microsoft Linker identification under Packer/Compiler.
Code -> 4883EC28E8570200004883C428E96AFEFFFFCCCCCCCCCCCCCCCCCCCCCCCCCCCC4883EC28E89B08000085C0742165488B0425
Assembler
|SUB RSP, 0X28
|CALL 0X1260
|ADD RSP, 0X28
|JMP 0XE7C
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|SUB RSP, 0X28
|CALL 0X18C4
|TEST EAX, EAX
|JE 0X104E
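The following Python is an added worked example, not part of the PEScan report or of the analysed file. It builds a constructed PE32+ skeleton that reuses the section table, entry-point RVA and TimeDateStamp from this report (section bodies zero-filled, plus a small constructed zlib overlay standing in for the real 11 MB one), then parses it the way an analyst would parse the real sample: mapping the entry RVA D4A0 to file offset C8A0, locating the overlay at 0x53E00 + 0x800 = 0x54600, testing its first two bytes for a zlib header, measuring its entropy, and resolving the CALL QWORD PTR [RIP+disp] rows from the Flow Anomalies table further down to their IAT slot. All function and variable names are the example's own.

```python
import math
import random
import struct
import zlib
from collections import Counter

# Section table copied from the report: (name, VSize, VOffset, RSize, ROffset, flags), hex
REPORT_SECTIONS = [
    (".text",    0x2D8A0, 0x01000, 0x2DA00, 0x00400, 0x60000020),
    (".rdata",   0x1396A, 0x2F000, 0x13A00, 0x2DE00, 0x40000040),
    (".data",    0x050B0, 0x43000, 0x00E00, 0x41800, 0xC0000040),
    (".pdata",   0x02490, 0x49000, 0x02600, 0x42600, 0x40000040),
    (".fptable", 0x00100, 0x4C000, 0x00200, 0x44C00, 0xC0000040),
    (".rsrc",    0x0EF8C, 0x4D000, 0x0F000, 0x44E00, 0x40000040),
    (".reloc",   0x00774, 0x5C000, 0x00800, 0x53E00, 0x42000040),
]
ENTRY_RVA = 0xD4A0            # AddressOfEntryPoint from the report
SECTION_HDR = "<IIIIIIHHI"    # section header fields after the 8-byte name

def build_sample_pe() -> bytes:
    """Constructed stand-in for the analysed file: PE32+ headers, the report's section
    table over zero-filled section bodies, and a zlib overlay appended at the end."""
    buf = bytearray(0x54600)  # .reloc ROffset + RSize: where section data ends
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                 # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    # COFF: x64, 7 sections, report TimeDateStamp, 0xF0-byte PE32+ optional header, chars 0x22
    struct.pack_into("<HHIIIHH", buf, 0x84, 0x8664, 7, 0x697D4CC8, 0, 0, 0xF0, 0x22)
    opt = 0x98
    struct.pack_into("<H", buf, opt, 0x20B)                 # PE32+ magic
    struct.pack_into("<I", buf, opt + 16, ENTRY_RVA)
    struct.pack_into("<Q", buf, opt + 24, 0x140000000)      # ImageBase
    struct.pack_into("<II", buf, opt + 32, 0x1000, 0x200)   # section / file alignment
    struct.pack_into("<II", buf, opt + 56, 0x5D000, 0x400)  # SizeOfImage / SizeOfHeaders
    for i, (name, vsize, vaddr, rsize, roff, flags) in enumerate(REPORT_SECTIONS):
        off = opt + 0xF0 + 40 * i
        buf[off:off + 8] = name.encode().ljust(8, b"\0")
        struct.pack_into(SECTION_HDR, buf, off + 8, vsize, vaddr, rsize, roff, 0, 0, 0, 0, flags)
    ep_off = ENTRY_RVA - 0x1000 + 0x400                     # where the entry RVA should map
    buf[ep_off:ep_off + 4] = bytes.fromhex("4883EC28")      # first report bytes: SUB RSP, 0x28
    payload = random.Random(1).randbytes(4096)              # constructed, deterministic filler
    return bytes(buf) + zlib.compress(payload, 9)           # level 9 => 78 DA header, as in the report

def parse_pe(data: bytes):
    """Return (entry RVA, [(name, vsize, vaddr, rsize, roff, flags), ...])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    ep_rva = struct.unpack_from("<I", data, opt + 16)[0]    # same position in PE32 and PE32+
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, roff, _, _, _, _, flags = struct.unpack_from(SECTION_HDR, data, off + 8)
        sections.append((name, vsize, vaddr, rsize, roff, flags))
    return ep_rva, sections

def rva_to_offset(sections, rva: int) -> int:
    for name, vsize, vaddr, rsize, roff, _f in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            if rva - vaddr >= rsize:   # virtual-only tail (e.g. most of .data): nothing on disk
                raise ValueError(f"RVA {rva:#x} is in {name} but not backed by file data")
            return rva - vaddr + roff
    raise ValueError(f"RVA {rva:#x} is not covered by any section")

def offset_to_rva(sections, off: int) -> int:
    for _n, _v, vaddr, rsize, roff, _f in sections:
        if roff <= off < roff + rsize:
            return off - roff + vaddr
    raise ValueError(f"file offset {off:#x} is outside every section (overlay?)")

def rip_call_target(sections, file_off: int, disp: int, insn_len: int = 6) -> int:
    """Target RVA of a CALL QWORD PTR [RIP+disp] (FF 15 disp32, 6 bytes) found at a file offset."""
    return offset_to_rva(sections, file_off) + insn_len + disp

def shannon_entropy(b: bytes) -> float:
    n = len(b)
    return -sum(c / n * math.log2(c / n) for c in Counter(b).values()) if n else 0.0

def analyze(data: bytes) -> dict:
    ep_rva, sections = parse_pe(data)
    ep_off = rva_to_offset(sections, ep_rva)
    overlay_off = max(roff + rsize for _n, _v, _a, rsize, roff, _f in sections)
    overlay = data[overlay_off:]
    # zlib header test: CM nibble 8 (deflate) and the big-endian 16-bit value divisible by 31
    is_zlib = len(overlay) >= 2 and overlay[0] & 0x0F == 8 and ((overlay[0] << 8) | overlay[1]) % 31 == 0
    return {"section_names": [s[0] for s in sections], "sections": sections,
            "ep_rva": ep_rva, "ep_offset": ep_off, "ep_bytes": data[ep_off:ep_off + 4],
            "overlay_offset": overlay_off, "overlay_size": len(overlay),
            "overlay_is_zlib": is_zlib, "overlay_entropy": shannon_entropy(overlay)}
```

Call analyze(open(path, "rb").read()) on the real sample to reproduce the report's figures; there the overlay size should come out near 11.07 MB and its entropy close to the 7.99 DIE measures for the whole file. rva_to_offset deliberately refuses RVAs in a section's virtual-only tail (the part of .data beyond RSize E00), since mapping those naively would land in the next section's raw bytes. rip_call_target(sections, 0x1093, 0x2D3E7) returns 0x2F080 for the first Flow Anomalies row, i.e. a slot in the IAT at 0x2F000.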
Signatures
Rich Signature Analyzer:
Code -> 91C57996D5A417C5D5A417C5D5A417C5AC2512C463A417C5AC2513C4D9A417C5AC2514C4DEA417C5522DEAC5D6A417C5522D14C4DCA417C5522D13C4C4A417C5522D12C4FDA417C5AC2516C4D2A417C5D5A416C558A417C5432D13C4CEA417C5432D15C4D4A417C552696368D5A417C5
Footprint md5 Hash -> 583FD9268A9CFEA3A84EF138A0E4A36D
• The Rich header apparently has not been modified
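The decoder below is an added example, not tooling from PEScan. It takes the encoded Rich header bytes printed in this report verbatim and decodes them: the 32-bit key that follows the "Rich" marker is XORed over the preceding block, which must then start with "DanS" and three zero padding dwords, and every following pair is (ProdID << 16 | build, count). Helper names are the example's own; the mapping of ProdID numbers to tool names is not on this page and is deliberately left out.

```python
import struct

# Encoded Rich header bytes exactly as printed in the report (from "DanS" to the key after "Rich")
RICH_HEX = (
    "91C57996D5A417C5D5A417C5D5A417C5AC2512C463A417C5AC2513C4D9A417C5"
    "AC2514C4DEA417C5522DEAC5D6A417C5522D14C4DCA417C5522D13C4C4A417C5"
    "522D12C4FDA417C5AC2516C4D2A417C5D5A416C558A417C5432D13C4CEA417C5"
    "432D15C4D4A417C552696368D5A417C5"
)

def decode_rich_header(blob: bytes):
    """Return (xor key, [(prod_id, build, count), ...]) for an encoded Rich header blob.

    Layout: "DanS" ^ key, three padding dwords that are just the key, then
    (comp_id ^ key, count ^ key) pairs, closed by the plaintext "Rich" marker and the key.
    """
    rich_at = blob.rfind(b"Rich")
    if rich_at < 0 or rich_at % 4 or len(blob) < rich_at + 8:
        raise ValueError("no 'Rich' marker followed by a 4-byte key")
    key_bytes = blob[rich_at + 4:rich_at + 8]
    plain = bytes(b ^ key_bytes[i % 4] for i, b in enumerate(blob[:rich_at]))
    if plain[:4] != b"DanS":
        raise ValueError("XOR with the trailing key did not produce the 'DanS' start marker")
    if any(struct.unpack_from("<III", plain, 4)):
        raise ValueError("the three padding dwords after DanS must decode to zero")
    entries = []
    for off in range(16, len(plain), 8):
        comp_id, count = struct.unpack_from("<II", plain, off)
        entries.append((comp_id >> 16, comp_id & 0xFFFF, count))  # ProdID, build, object count
    return struct.unpack("<I", key_bytes)[0], entries

def toolchain_builds(entries):
    """Distinct non-zero build numbers; the ProdID 1 / build 0 record is the import-count entry."""
    return sorted({build for _prod, build, _count in entries if build})

def import_count(entries):
    return sum(count for prod, _build, count in entries if prod == 1)

if __name__ == "__main__":
    key, entries = decode_rich_header(bytes.fromhex(RICH_HEX))
    print(f"key={key:#010x}")
    for prod, build, count in entries:
        print(f"ProdID {prod:#06x}  build {build:5d}  count {count}")
```

For this sample the key is 0xC517A4D5 and there are eleven entries: the ProdID 1 / build 0 record (count 141) is the conventional import-count entry, the other builds are 33145, 35207 and 35222, and by convention the final record (build 35222, count 1) is the linker's, which is consistent with the Microsoft Linker 14.44 identification DIE gives below. The report's "apparently has not been modified" verdict corresponds to recomputing the key as the Rich checksum over the DOS header and stub preceding DanS (with e_lfanew zeroed) plus the entries; those leading bytes are not reproduced on this page, so this example decodes the header but does not verify that checksum.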
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Detect It Easy (die)
PE+(64): compiler: Microsoft Visual C/C++(-)[-]
PE+(64): linker: Microsoft Linker(14.44**)[-]
PE+(64): overlay: zlib archive(-)[-]
Entropy: 7.9949 (whole file; the value is dominated by the ~11 MB compressed overlay, whereas the .text section on its own measures 6.48 in Sections Info. DIE reports no packer or protector on the PE itself.)

Suspicious Functions
Library | Function | Description
KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified DLL (possible resolution of APIs by name at run time).
KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL | IsDebuggerPresent | Determines whether the calling process is being debugged by a user-mode debugger.
All three imports are also present in ordinary MSVC-built console programs, whose C runtime uses them itself, so on their own they are weak indicators.
File Access
%s%c%s.exe
python314.dll
bpython314.dll
blibssl-3.dll
blibffi-8.dll
blibcrypto-3.dll
bVCRUNTIME140_1.dll
bVCRUNTIME140.dll
ADVAPI32.dll
KERNEL32.dll
USER32.dll
setuptools._vendor.jar
setuptools._vendor.jar
!setuptools._vendor.jar
setuptools._vendor.jar
setuptools._distutils.sys
.dat
@.dat
setuptools.log
setuptools._distutils.log
asyncio.log
bsetuptools\_vendor\jaraco\text\Lorem ipsum.txt
bsetuptools\_vendor\importlib_metadata-8.7.1.dist-info\top_level.txt
.Vbe
bbase_library.zip
setuptools._vendor.zip
$setuptools._vendor.zip
&setuptools._vendor.zip
setuptools._vendor.zip
setuptools._vendor.zip
setuptools._vendor.zip
Failed to construct path to base_library.zip
%s\base_library.zip
.Rar
Temp

File Access (UNICODE)
mscoree.dll
VCRUNTIME140_1.dll
VCRUNTIME140.dll
Path of ucrtbase.dll
%ls\ucrtbase.dll
Temp

Interesting Words
PADDINGX
exec
attrib
start
hostname
wmic
shutdown
ping
expand
replace

Interesting Words (UNICODE)
<form
exec
expand

URLs
http://schemas.microsoft.com/SMI/2016/WindowsSettings

Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii WinAPI Sockets (connect)
Text Ascii File (GetTempPath)
Text Ascii File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii File (ReadFile)
Text Ascii Anti-Analysis VM (IsDebuggerPresent)
Text Ascii Anti-Analysis VM (GetVersion)
Text Ascii Reconnaissance (FindFirstFileW)
Text Ascii Reconnaissance (FindNextFileW)
Text Ascii Reconnaissance (FindClose)
Text Ascii Stealth (CloseHandle)
Text Ascii Stealth (VirtualProtect)
Text Ascii Execution (CreateProcessW)
Text Unicode Execution (CreateProcessW)
Entry Point Hex Pattern Microsoft Visual C++ 8.0 (DLL)
Entry Point Hex Pattern Microsoft Visual C++ 8.0
Entry Point Hex Pattern PE-Exe Executable Image
Resources
Path DataRVA Size FileOffset CodeText
\ICON\1\0 4D208 EA8 45008 28000000300000006000000001000800000000000000000000000000000000000000000000000000000000000B0702000005(...0............................................
\ICON\2\0 4E0B0 8A8 45EB0 2800000020000000400000000100080000000000000000000000000000000000000000000000000000000000050302000606(... ...@.........................................
\ICON\3\0 4E958 568 46758 2800000010000000200000000100080000000000000000000000000000000000000000000000000000000000080400000C08(....... .........................................
\ICON\4\0 4EEC0 909B 46CC0 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A866000090624944415478DAEC5D07601CC5D5.PNG........IHDR.............\r.f...bIDATx..]....
\ICON\5\0 57F5C 25A8 4FD5C 2800000030000000600000000100200000000000000000000000000000000000000000000000000000000000000000000000(...0........ ...................................
\ICON\6\0 5A504 10A8 52304 2800000020000000400000000100200000000000000000000000000000000000000000000000000000000000000000000000(... ...@..... ...................................
\ICON\7\0 5B5AC 468 533AC 28000000100000002000000001002000000000000000000000000000000000000000000000000000000000000F0800175838(....... ..... .................................X8
\GROUP_ICON\1\0 5BA14 68 53814 0000010007003030000001000800A80E000001002020000001000800A8080000020010100000010008006805000003000000......00............ ....................h.......
\24\1\0 5BA7C 50D 5387C 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279<?xml version="1.0" encoding="UTF-8" standalone="y
Intelligent Strings
(The single-character prefixes on many entries, such as the b in bpython314.dll or the z in zPYZ.pyz, are consistent with PyInstaller archive entry type codes (b = binary, z = PYZ archive) rather than being part of the file names; base_library.zip, %s%c%s.pkg and "Failed to construct path to base_library.zip" are PyInstaller bootloader strings.)
• %ls\ucrtbase.dll
• VCRUNTIME140.dll
• VCRUNTIME140_1.dll
• %s%c%s.pkg
• %s%c%s.exe
• dev%s\base_library.zip
• init.tcl
• tk.tcl
• .exe
• .cmd
• .bat
• .com
• mscoree.dll
• .bss
• ADVAPI32.dll
• <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware>
• .nlJ
• b_asyncio.pyd
• b_bz2.pyd
• b_ctypes.pyd
• b_decimal.pyd
• b_hashlib.pyd
• b_lzma.pyd
• b_multiprocessing.pyd
• b_overlapped.pyd
• b_queue.pyd
• b_socket.pyd
• b_ssl.pyd
• b_wmi.pyd
• b_zstd.pyd
• bbase_library.zip
• bcertifi\cacert.pem
• bcharset_normalizer\md.cp314-win_amd64.pyd
• bcharset_normalizer\md__mypyc.cp314-win_amd64.pyd
• blibcrypto-3.dll
• blibffi-8.dll
• blibssl-3.dll
• bpyexpat.pyd
• bpython314.dll
• bselect.pyd
• bsetuptools\_vendor\importlib_metadata-8.7.1.dist-info\top_level.txt
• bsetuptools\_vendor\jaraco\text\Lorem ipsum.txt
• bunicodedata.pyd
• zPYZ.pyz
• :python314.dll

Flow Anomalies
Offset (file offset, hex) | RVA | Section | Description
Note: the Offset column is a raw file offset. For the .text rows, RVA = offset - 0x400 + 0x1000; adding the 6-byte length of CALL QWORD PTR [RIP+disp] (FF 15 disp32) and the displacement gives the target, and every row listed resolves to RVA 0x2F070 or 0x2F080, inside the IAT that starts at 0x2F000. These are ordinary calls through the import address table, not obfuscated control flow. The two *padding* ranges and the *Overlay* row lie beyond 0x54600, i.e. in the appended overlay rather than in any section; the bytes 78 DA at 0x54600 are a zlib stream header (FLEVEL 3, maximum compression), matching the DIE overlay identification.
1093 N/A .text CALL QWORD PTR [RIP+0x2D3E7]
10A2 N/A .text CALL QWORD PTR [RIP+0x2D3C8]
10D9 N/A .text CALL QWORD PTR [RIP+0x2D3A1]
10E8 N/A .text CALL QWORD PTR [RIP+0x2D382]
1101 N/A .text CALL QWORD PTR [RIP+0x2D379]
1110 N/A .text CALL QWORD PTR [RIP+0x2D35A]
1129 N/A .text CALL QWORD PTR [RIP+0x2D351]
1138 N/A .text CALL QWORD PTR [RIP+0x2D332]
1154 N/A .text CALL QWORD PTR [RIP+0x2D326]
1163 N/A .text CALL QWORD PTR [RIP+0x2D307]
117F N/A .text CALL QWORD PTR [RIP+0x2D2FB]
11A8 N/A .text CALL QWORD PTR [RIP+0x2D2D2]
11BA N/A .text CALL QWORD PTR [RIP+0x2D2B0]
11D6 N/A .text CALL QWORD PTR [RIP+0x2D2A4]
11E8 N/A .text CALL QWORD PTR [RIP+0x2D282]
1204 N/A .text CALL QWORD PTR [RIP+0x2D276]
1216 N/A .text CALL QWORD PTR [RIP+0x2D254]
1232 N/A .text CALL QWORD PTR [RIP+0x2D248]
1244 N/A .text CALL QWORD PTR [RIP+0x2D226]
1260 N/A .text CALL QWORD PTR [RIP+0x2D21A]
1272 N/A .text CALL QWORD PTR [RIP+0x2D1F8]
128E N/A .text CALL QWORD PTR [RIP+0x2D1EC]
12A1 N/A .text CALL QWORD PTR [RIP+0x2D1C9]
12BA N/A .text CALL QWORD PTR [RIP+0x2D1C0]
12C9 N/A .text CALL QWORD PTR [RIP+0x2D1A1]
12E5 N/A .text CALL QWORD PTR [RIP+0x2D195]
12F4 N/A .text CALL QWORD PTR [RIP+0x2D176]
1310 N/A .text CALL QWORD PTR [RIP+0x2D16A]
131F N/A .text CALL QWORD PTR [RIP+0x2D14B]
133B N/A .text CALL QWORD PTR [RIP+0x2D13F]
134A N/A .text CALL QWORD PTR [RIP+0x2D120]
1366 N/A .text CALL QWORD PTR [RIP+0x2D114]
1375 N/A .text CALL QWORD PTR [RIP+0x2D0F5]
1391 N/A .text CALL QWORD PTR [RIP+0x2D0E9]
13A0 N/A .text CALL QWORD PTR [RIP+0x2D0CA]
13BC N/A .text CALL QWORD PTR [RIP+0x2D0BE]
13CB N/A .text CALL QWORD PTR [RIP+0x2D09F]
13E7 N/A .text CALL QWORD PTR [RIP+0x2D093]
13F6 N/A .text CALL QWORD PTR [RIP+0x2D074]
1412 N/A .text CALL QWORD PTR [RIP+0x2D068]
1424 N/A .text CALL QWORD PTR [RIP+0x2D046]
1440 N/A .text CALL QWORD PTR [RIP+0x2D03A]
1452 N/A .text CALL QWORD PTR [RIP+0x2D018]
146E N/A .text CALL QWORD PTR [RIP+0x2D00C]
1480 N/A .text CALL QWORD PTR [RIP+0x2CFEA]
149C N/A .text CALL QWORD PTR [RIP+0x2CFDE]
14AE N/A .text CALL QWORD PTR [RIP+0x2CFBC]
14CA N/A .text CALL QWORD PTR [RIP+0x2CFB0]
14DC N/A .text CALL QWORD PTR [RIP+0x2CF8E]
14F8 N/A .text CALL QWORD PTR [RIP+0x2CF82]
150A N/A .text CALL QWORD PTR [RIP+0x2CF60]
1526 N/A .text CALL QWORD PTR [RIP+0x2CF54]
1538 N/A .text CALL QWORD PTR [RIP+0x2CF32]
1554 N/A .text CALL QWORD PTR [RIP+0x2CF26]
1566 N/A .text CALL QWORD PTR [RIP+0x2CF04]
1582 N/A .text CALL QWORD PTR [RIP+0x2CEF8]
1594 N/A .text CALL QWORD PTR [RIP+0x2CED6]
15B0 N/A .text CALL QWORD PTR [RIP+0x2CECA]
15C2 N/A .text CALL QWORD PTR [RIP+0x2CEA8]
15DE N/A .text CALL QWORD PTR [RIP+0x2CE9C]
15F0 N/A .text CALL QWORD PTR [RIP+0x2CE7A]
160C N/A .text CALL QWORD PTR [RIP+0x2CE6E]
161E N/A .text CALL QWORD PTR [RIP+0x2CE4C]
163A N/A .text CALL QWORD PTR [RIP+0x2CE40]
164C N/A .text CALL QWORD PTR [RIP+0x2CE1E]
1668 N/A .text CALL QWORD PTR [RIP+0x2CE12]
167A N/A .text CALL QWORD PTR [RIP+0x2CDF0]
1696 N/A .text CALL QWORD PTR [RIP+0x2CDE4]
16A8 N/A .text CALL QWORD PTR [RIP+0x2CDC2]
16C4 N/A .text CALL QWORD PTR [RIP+0x2CDB6]
16D6 N/A .text CALL QWORD PTR [RIP+0x2CD94]
16F2 N/A .text CALL QWORD PTR [RIP+0x2CD88]
1704 N/A .text CALL QWORD PTR [RIP+0x2CD66]
1720 N/A .text CALL QWORD PTR [RIP+0x2CD5A]
1732 N/A .text CALL QWORD PTR [RIP+0x2CD38]
174E N/A .text CALL QWORD PTR [RIP+0x2CD2C]
1760 N/A .text CALL QWORD PTR [RIP+0x2CD0A]
177C N/A .text CALL QWORD PTR [RIP+0x2CCFE]
178E N/A .text CALL QWORD PTR [RIP+0x2CCDC]
17AA N/A .text CALL QWORD PTR [RIP+0x2CCD0]
17BC N/A .text CALL QWORD PTR [RIP+0x2CCAE]
17D8 N/A .text CALL QWORD PTR [RIP+0x2CCA2]
17EA N/A .text CALL QWORD PTR [RIP+0x2CC80]
1806 N/A .text CALL QWORD PTR [RIP+0x2CC74]
1818 N/A .text CALL QWORD PTR [RIP+0x2CC52]
1834 N/A .text CALL QWORD PTR [RIP+0x2CC46]
1846 N/A .text CALL QWORD PTR [RIP+0x2CC24]
1862 N/A .text CALL QWORD PTR [RIP+0x2CC18]
1874 N/A .text CALL QWORD PTR [RIP+0x2CBF6]
1890 N/A .text CALL QWORD PTR [RIP+0x2CBEA]
18A2 N/A .text CALL QWORD PTR [RIP+0x2CBC8]
18BE N/A .text CALL QWORD PTR [RIP+0x2CBBC]
18D0 N/A .text CALL QWORD PTR [RIP+0x2CB9A]
18EC N/A .text CALL QWORD PTR [RIP+0x2CB8E]
18FE N/A .text CALL QWORD PTR [RIP+0x2CB6C]
191A N/A .text CALL QWORD PTR [RIP+0x2CB60]
192C N/A .text CALL QWORD PTR [RIP+0x2CB3E]
1948 N/A .text CALL QWORD PTR [RIP+0x2CB32]
195A N/A .text CALL QWORD PTR [RIP+0x2CB10]
1976 N/A .text CALL QWORD PTR [RIP+0x2CB04]
5B908D-5B90C0 N/A *padding* Potential obfuscated jump sequence detected, count: 26
5E1782-5E179E N/A *padding* Potential obfuscated jump sequence detected, count: 7
54600 N/A *Overlay* 78DA4D8FBF4EC33010C6EFEC344DC98058A05287 | x.M..N.0....4M..X.R.
Extra Analysis
Metric | Value | Percentage
Ascii Code | 8,183,023 | 68.2764%
Null Byte Code | 108,850 | 0.9082%
Check: 8,183,023 / 0.682764 ≈ 11.99 million bytes, which is 11.43 MiB, so the Size field above is in mebibytes; section data ends at 0x54600 = 345,600 bytes and essentially everything after that (about 11.1 MiB) is the overlay.
© 2026 All rights reserved.