PREMIUM PESCAN.IO - Analysis Report

File Structure (analysis image; not reproduced here)
PE chart legend: executable header (light blue), executable sections (pink), non-executable sections (black), external injected code (red). A File Structure label shown in red indicates a malformed or corrupted header.
Chart legend for other file types: printable characters (blue), non-printable characters (black).
Information
Size: 11,02 MB
SHA-256 Hash: 77B2E71F0B9B5D9FD91D65481845FC6F206E4A730EC27B68A9FF9E951780161D
SHA-1 Hash: 472D690A7F5721F277B4381B7D75606B09BF33E2
MD5 Hash: 9E62835229954DB4A5C6CAF8127A6AFD
Imphash: 351592D5EAD6DF0859B0CC0056827C95
MajorOSVersion: 6
MinorOSVersion: 0
CheckSum: 00B082F0
EntryPoint (rva): D4A0
SizeOfHeaders: 400
SizeOfImage: 50000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: 41AFC
IAT: 2F000
Characteristics: 22
TimeDateStamp: 69BB9ACB
Date: 19/03/2026 6:42:19
File Type: EXE
Number Of Sections: 7
ASLR: Disabled
Section Names (Optional Header): .text, .rdata, .data, .pdata, .fptable, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows Console
UAC Execution Level Manifest: asInvoker

Sections Info
Section   Flags                                               ROffset  RSize  VOffset  VSize  Entropy  Chi2
.text     60000020 (Code, Executable, Readable)               400      2DA00  1000     2D8A0  6.4766   1138640.58
.rdata    40000040 (Initialized Data, Readable)               2DE00    13A00  2F000    1396A  5.7641   2357283.66
.data     C0000040 (Initialized Data, Readable, Writeable)    41800    E00    43000    50B0   1.8214   589180
.pdata    40000040 (Initialized Data, Readable)               42600    2600   49000    2490   5.3825   307116.84
.fptable  C0000040 (Initialized Data, Readable, Writeable)    44C00    200    4C000    100    0        130560
.rsrc     40000040 (Initialized Data, Readable)               44E00    1800   4D000    16B4   5.6387   135892.67
.reloc    42000040 (Initialized Data, GP-Relative, Readable)  46600    800    4F000    774    5.2714   16661.25
Binder/Joiner/Crypter
Dropper code detected (EOF) - 10,71 MB

Entry Point
Section number 1 contains the Entry Point
Information -> EntryPoint (calculated) - C8A0
Code -> 4883EC28E8570200004883C428E96AFEFFFFCCCCCCCCCCCCCCCCCCCCCCCCCCCC4883EC28E89B08000085C0742165488B0425
Assembler
|SUB RSP, 0X28
|CALL 0X1260
|ADD RSP, 0X28
|JMP 0XE7C
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|SUB RSP, 0X28
|CALL 0X18C4
|TEST EAX, EAX
|JE 0X104E
Signatures
Rich Signature Analyzer:
Code -> 91C57996D5A417C5D5A417C5D5A417C5AC2512C463A417C5AC2513C4D9A417C5AC2514C4DEA417C5522DEAC5D6A417C5522D14C4DCA417C5522D13C4C4A417C5522D12C4FDA417C5AC2516C4D2A417C5D5A416C558A417C5432D13C4CEA417C5432D15C4D4A417C552696368D5A417C5
Footprint md5 Hash -> 583FD9268A9CFEA3A84EF138A0E4A36D
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Detect It Easy (die)
PE+(64): compiler: Microsoft Visual C/C++(-)[-]
PE+(64): linker: Microsoft Linker(14.44**)[-]
PE+(64): overlay: zlib archive(-)[-]
Entropy: 7.99417

Suspicious Functions
Library       Function           Description
KERNEL32.DLL  GetProcAddress     Possible Call API By Name. Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL  WriteFile          Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL  GetProcAddress     Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL  IsDebuggerPresent  Determines if the calling process is being debugged by a user-mode debugger.
File Access
%s%c%s.exe
6python310.dll
bpython310.dll
bpython3.dll
blibssl-1_1.dll
blibffi-7.dll
blibcrypto-1_1.dll
bVCRUNTIME140.dll
ADVAPI32.dll
KERNEL32.dll
USER32.dll
.dat
@.dat
asyncio.log
bh2-4.3.0.dist-info\top_level.txt
colorama.ini
bbase_library.zip
Failed to construct path to base_library.zip
%s\base_library.zip
Temp

File Access (UNICODE)
mscoree.dll
VCRUNTIME140_1.dll
VCRUNTIME140.dll
Path of ucrtbase.dll
%ls\ucrtbase.dll
Temp

Words of Interest
PADDINGX
exec
attrib
start
cipher
hostname
shutdown
ping
expand
replace

Words of Interest (UNICODE)
<form
exec
expand

URLs
http://schemas.microsoft.com/SMI/2016/WindowsSettings

Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii WinAPI Sockets (bind)
Text Ascii WinAPI Sockets (connect)
Text Ascii File (GetTempPath)
Text Ascii File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii File (ReadFile)
Text Ascii Anti-Analysis VM (IsDebuggerPresent)
Text Ascii Anti-Analysis VM (GetVersion)
Text Ascii Reconnaissance (FindFirstFileW)
Text Ascii Reconnaissance (FindNextFileW)
Text Ascii Reconnaissance (FindClose)
Text Ascii Stealth (CloseHandle)
Text Ascii Stealth (VirtualProtect)
Text Ascii Execution (CreateProcessW)
Text Unicode Execution (CreateProcessW)
Text Ascii Stealer malware focused on obtaining CVV codes to conduct unauthorized transactions (CVV)
Entry Point Hex Pattern Microsoft Visual C++ 8.0 (DLL)
Entry Point Hex Pattern Microsoft Visual C++ 8.0
Entry Point Hex Pattern PE-Exe Executable Image
Resources
Path             DataRVA  Size  FileOffset  Code (hex preview) / Text (printable preview)
\ICON\1\0        4D0E8    10A8  44EE8       2800000020000000400000000100200000000000801000000000000000000000000000000000000000000000000000000000 / (... ...@..... ...................................
\GROUP_ICON\1\0  4E190    14    45F90       0000010001002020000001002000A81000000100 / ...... .... .......
\24\1\0          4E1A4    50D   45FA4       3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 / <?xml version="1.0" encoding="UTF-8" standalone="y
Intelligent String
• %ls\ucrtbase.dll
• VCRUNTIME140.dll
• VCRUNTIME140_1.dll
• %s%c%s.pkg
• %s%c%s.exe
• dev%s\base_library.zip
• init.tcl
• tk.tcl
• .exe
• .cmd
• .bat
• .com
• mscoree.dll
• .bss
• ADVAPI32.dll
• <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware>
• .WrQ
• b_asyncio.pyd
• b_brotli.cp310-win_amd64.pyd
• b_bz2.pyd
• b_cffi_backend.cp310-win_amd64.pyd
• b_ctypes.pyd
• b_decimal.pyd
• b_hashlib.pyd
• b_lzma.pyd
• b_multiprocessing.pyd
• b_overlapped.pyd
• b_queue.pyd
• b_socket.pyd
• b_ssl.pyd
• bbase_library.zip
• bbcrypt\_bcrypt.pyd
• bcertifi\cacert.pem
• bcharset_normalizer\md.cp310-win_amd64.pyd
• bcharset_normalizer\md__mypyc.cp310-win_amd64.pyd
• bcryptography-45.0.6.dist-info\licenses\LICENSE.BSD
• bcryptography\hazmat\bindings\_rust.pyd
• bh2-4.3.0.dist-info\top_level.txt
• blibcrypto-1_1.dll
• blibffi-7.dll
• blibssl-1_1.dll
• bpyexpat.pyd
• bpython3.dll
• bpython310.dll
• bselect.pyd
• bunicodedata.pyd
• "\"\zPYZ.pyz
• 6python310.dll

Flow Anomalies
Offset RVA Section Description
1093 N/A .text CALL QWORD PTR [RIP+0x2D3E7]
10A2 N/A .text CALL QWORD PTR [RIP+0x2D3C8]
10D9 N/A .text CALL QWORD PTR [RIP+0x2D3A1]
10E8 N/A .text CALL QWORD PTR [RIP+0x2D382]
1101 N/A .text CALL QWORD PTR [RIP+0x2D379]
1110 N/A .text CALL QWORD PTR [RIP+0x2D35A]
1129 N/A .text CALL QWORD PTR [RIP+0x2D351]
1138 N/A .text CALL QWORD PTR [RIP+0x2D332]
1154 N/A .text CALL QWORD PTR [RIP+0x2D326]
1163 N/A .text CALL QWORD PTR [RIP+0x2D307]
117F N/A .text CALL QWORD PTR [RIP+0x2D2FB]
11A8 N/A .text CALL QWORD PTR [RIP+0x2D2D2]
11BA N/A .text CALL QWORD PTR [RIP+0x2D2B0]
11D6 N/A .text CALL QWORD PTR [RIP+0x2D2A4]
11E8 N/A .text CALL QWORD PTR [RIP+0x2D282]
1204 N/A .text CALL QWORD PTR [RIP+0x2D276]
1216 N/A .text CALL QWORD PTR [RIP+0x2D254]
1232 N/A .text CALL QWORD PTR [RIP+0x2D248]
1244 N/A .text CALL QWORD PTR [RIP+0x2D226]
1260 N/A .text CALL QWORD PTR [RIP+0x2D21A]
1272 N/A .text CALL QWORD PTR [RIP+0x2D1F8]
128E N/A .text CALL QWORD PTR [RIP+0x2D1EC]
12A1 N/A .text CALL QWORD PTR [RIP+0x2D1C9]
12BA N/A .text CALL QWORD PTR [RIP+0x2D1C0]
12C9 N/A .text CALL QWORD PTR [RIP+0x2D1A1]
12E5 N/A .text CALL QWORD PTR [RIP+0x2D195]
12F4 N/A .text CALL QWORD PTR [RIP+0x2D176]
1310 N/A .text CALL QWORD PTR [RIP+0x2D16A]
131F N/A .text CALL QWORD PTR [RIP+0x2D14B]
133B N/A .text CALL QWORD PTR [RIP+0x2D13F]
134A N/A .text CALL QWORD PTR [RIP+0x2D120]
1366 N/A .text CALL QWORD PTR [RIP+0x2D114]
1375 N/A .text CALL QWORD PTR [RIP+0x2D0F5]
1391 N/A .text CALL QWORD PTR [RIP+0x2D0E9]
13A0 N/A .text CALL QWORD PTR [RIP+0x2D0CA]
13BC N/A .text CALL QWORD PTR [RIP+0x2D0BE]
13CB N/A .text CALL QWORD PTR [RIP+0x2D09F]
13E7 N/A .text CALL QWORD PTR [RIP+0x2D093]
13F6 N/A .text CALL QWORD PTR [RIP+0x2D074]
1412 N/A .text CALL QWORD PTR [RIP+0x2D068]
1424 N/A .text CALL QWORD PTR [RIP+0x2D046]
1440 N/A .text CALL QWORD PTR [RIP+0x2D03A]
1452 N/A .text CALL QWORD PTR [RIP+0x2D018]
146E N/A .text CALL QWORD PTR [RIP+0x2D00C]
1480 N/A .text CALL QWORD PTR [RIP+0x2CFEA]
149C N/A .text CALL QWORD PTR [RIP+0x2CFDE]
14AE N/A .text CALL QWORD PTR [RIP+0x2CFBC]
14CA N/A .text CALL QWORD PTR [RIP+0x2CFB0]
14DC N/A .text CALL QWORD PTR [RIP+0x2CF8E]
14F8 N/A .text CALL QWORD PTR [RIP+0x2CF82]
150A N/A .text CALL QWORD PTR [RIP+0x2CF60]
1526 N/A .text CALL QWORD PTR [RIP+0x2CF54]
1538 N/A .text CALL QWORD PTR [RIP+0x2CF32]
1554 N/A .text CALL QWORD PTR [RIP+0x2CF26]
1566 N/A .text CALL QWORD PTR [RIP+0x2CF04]
1582 N/A .text CALL QWORD PTR [RIP+0x2CEF8]
1594 N/A .text CALL QWORD PTR [RIP+0x2CED6]
15B0 N/A .text CALL QWORD PTR [RIP+0x2CECA]
15C2 N/A .text CALL QWORD PTR [RIP+0x2CEA8]
15DE N/A .text CALL QWORD PTR [RIP+0x2CE9C]
15F0 N/A .text CALL QWORD PTR [RIP+0x2CE7A]
160C N/A .text CALL QWORD PTR [RIP+0x2CE6E]
161E N/A .text CALL QWORD PTR [RIP+0x2CE4C]
163A N/A .text CALL QWORD PTR [RIP+0x2CE40]
164C N/A .text CALL QWORD PTR [RIP+0x2CE1E]
1668 N/A .text CALL QWORD PTR [RIP+0x2CE12]
167A N/A .text CALL QWORD PTR [RIP+0x2CDF0]
1696 N/A .text CALL QWORD PTR [RIP+0x2CDE4]
16A8 N/A .text CALL QWORD PTR [RIP+0x2CDC2]
16C4 N/A .text CALL QWORD PTR [RIP+0x2CDB6]
16D6 N/A .text CALL QWORD PTR [RIP+0x2CD94]
16F2 N/A .text CALL QWORD PTR [RIP+0x2CD88]
1704 N/A .text CALL QWORD PTR [RIP+0x2CD66]
1720 N/A .text CALL QWORD PTR [RIP+0x2CD5A]
1732 N/A .text CALL QWORD PTR [RIP+0x2CD38]
174E N/A .text CALL QWORD PTR [RIP+0x2CD2C]
1760 N/A .text CALL QWORD PTR [RIP+0x2CD0A]
177C N/A .text CALL QWORD PTR [RIP+0x2CCFE]
178E N/A .text CALL QWORD PTR [RIP+0x2CCDC]
17AA N/A .text CALL QWORD PTR [RIP+0x2CCD0]
17BC N/A .text CALL QWORD PTR [RIP+0x2CCAE]
17D8 N/A .text CALL QWORD PTR [RIP+0x2CCA2]
17EA N/A .text CALL QWORD PTR [RIP+0x2CC80]
1806 N/A .text CALL QWORD PTR [RIP+0x2CC74]
1818 N/A .text CALL QWORD PTR [RIP+0x2CC52]
1834 N/A .text CALL QWORD PTR [RIP+0x2CC46]
1846 N/A .text CALL QWORD PTR [RIP+0x2CC24]
1862 N/A .text CALL QWORD PTR [RIP+0x2CC18]
1874 N/A .text CALL QWORD PTR [RIP+0x2CBF6]
1890 N/A .text CALL QWORD PTR [RIP+0x2CBEA]
18A2 N/A .text CALL QWORD PTR [RIP+0x2CBC8]
18BE N/A .text CALL QWORD PTR [RIP+0x2CBBC]
18D0 N/A .text CALL QWORD PTR [RIP+0x2CB9A]
18EC N/A .text CALL QWORD PTR [RIP+0x2CB8E]
18FE N/A .text CALL QWORD PTR [RIP+0x2CB6C]
191A N/A .text CALL QWORD PTR [RIP+0x2CB60]
192C N/A .text CALL QWORD PTR [RIP+0x2CB3E]
1948 N/A .text CALL QWORD PTR [RIP+0x2CB32]
195A N/A .text CALL QWORD PTR [RIP+0x2CB10]
1976 N/A .text CALL QWORD PTR [RIP+0x2CB04]
7E35B9-7E35E0 N/A *padding* Potential obfuscated jump sequence detected, count: 20
803DF2-803E01 N/A *padding* Potential obfuscated jump sequence detected, count: 8
80C165-80C185 N/A *padding* Potential obfuscated jump sequence detected, count: 15
80C814-80C84D N/A *padding* Potential obfuscated jump sequence detected, count: 29
8A0438-8A045B N/A *padding* Potential obfuscated jump sequence detected, count: 18
957937-957947 N/A *padding* Potential obfuscated jump sequence detected, count: 7
46E00 N/A *Overlay* 78DA5D8FB18EC2300C40E3B6F452B512F71B45E8 | x.]....0.@...R....E.
Extra Analysis
Metric          Value    Percentage
Ascii Code      7881207  68,1879%
Null Byte Code  97309    0,8419%