PESCAN.IO - Analysis Report

File Structure: (section layout image, not reproduced in this text)
Information:
Size: 946.50 KB (969,216 bytes; equals the end of the last section's raw data, ROffset EC000 + RSize A00 = ECA00)
SHA-256 Hash: 1F1283F8723CA62693DCD5E8ED07166FEC45450F36F35C0AD274F6F0B2E2DE5F
SHA-1 Hash: 1BA0B9CC6C7DA1B6A32A459416D0D494AD675E74
MD5 Hash: 9D443384F9D21BE3B3D67234F76BD36E
Imphash: 4C8BAABD97009025EB65A2E23335BD24
MajorOSVersion: 6
CheckSum: 00000000 (not set; a zero optional-header checksum is the linker default for user-mode images built without /RELEASE, and the loader only enforces it for drivers and a few protected processes)
EntryPoint (rva): E6350 (VA 100E6350; file offset E5750, inside .text)
SizeOfHeaders: 400
SizeOfImage: F0000
ImageBase: 10000000
Architecture: x86
ExportTable: EC5E0
ImportTable: EC638
Characteristics: 2102 (EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL)
TimeDateStamp: 64B1B8A1
Date: 14/07/2023 21:05:37 UTC (decoded from TimeDateStamp 0x64B1B8A1 = 1689368737; a link-time stamp, not a file-system date, and trivially forgeable)
File Type: DLL
Number Of Sections: 5
ASLR: Enabled
Section Names: .text, .rdata, .data, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info (all values hexadecimal):
Section  Flags     Meaning                                 ROffset  RSize   VOffset  VSize
.text    60000020  CODE | EXECUTE | READ                   400      E5E00   1000     E5D33
.rdata   40000040  INITIALIZED_DATA | READ                 E6200    5A00    E7000    592E
.data    C0000040  INITIALIZED_DATA | READ | WRITE         EBC00    200     ED000    39C
.rsrc    40000040  INITIALIZED_DATA | READ                 EBE00    200     EE000    1E0
.reloc   42000040  INITIALIZED_DATA | DISCARDABLE | READ   EC000    A00     EF000    980
Consistency check: raw offsets are contiguous at 0x200 file alignment (each ROffset equals the previous ROffset + RSize), virtual offsets follow 0x1000 section alignment, and the last section ends at EF980, which rounds up to the SizeOfImage of F0000. Only .text is executable and no section is both writable and executable, which is the normal layout for an MSVC-linked DLL.
Entry Point:
The entry point lies in section 1 (.text): RVA E6350, VA 100E6350, file offset E5750 (E6350 - .text VOffset 1000 + .text ROffset 400).
Code -> 558BEC837D0C017505E883010000FF7510FF750CFF7508E8AEFEFFFF83C40C5DC20C00558BEC6A00FF1504700E10FF7508FF
Disassembly (the tool disassembled these bytes at a nominal base of 0x1000, so the branch targets below are relative; add 0x100E5350 to recover the true VA: JNE 0x100E -> 100E635E, CALL 0x1191 -> 100E64E1, CALL 0xECA -> 100E621A):
PUSH EBP
MOV EBP, ESP
CMP DWORD PTR [EBP + 0xC], 1        ; fdwReason == DLL_PROCESS_ATTACH ?
JNE 0x100E                          ; skip the next call for other reasons
CALL 0x1191                         ; security-cookie initialisation
PUSH DWORD PTR [EBP + 0x10]         ; lpReserved
PUSH DWORD PTR [EBP + 0xC]          ; fdwReason
PUSH DWORD PTR [EBP + 8]            ; hinstDLL
CALL 0xECA                          ; CRT DllMain dispatcher
ADD ESP, 0xC
POP EBP
RET 0xC                             ; stdcall, three arguments
PUSH EBP                            ; next function begins here
MOV EBP, ESP
PUSH 0
CALL DWORD PTR [0x100E7004]         ; indirect call through an IAT slot (RVA E7004, in .rdata)
PUSH DWORD PTR [EBP + 8]
(disassembly truncated here by the tool)
This is the shape of the MSVC CRT's _DllMainCRTStartup stub rather than custom code: the security cookie is initialised only on process attach and the three DllMain arguments are forwarded unchanged. The library's own behaviour starts in the dispatched DllMain and in the exported GenerateKeyEx, so those are the routines worth disassembling next.
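As an added worked example (not part of the PESCAN.IO output), the following Python reproduces the address arithmetic behind the header fields, section table and entry-point disassembly above: it maps RVAs to file offsets, recovers real virtual addresses from the disassembler's nominal 0x1000 base, decodes the Characteristics and section flags, and recomputes SizeOfImage and the file size from the section table. Every constant is copied from this report; the 0x200 file alignment and 0x1000 section alignment are inferred from the printed offsets rather than read from the optional header.

```python
from collections import namedtuple

# Values copied from the PESCAN.IO report above (hexadecimal in the report).
IMAGE_BASE = 0x10000000
ENTRY_RVA = 0xE6350
DISASM_NOMINAL_BASE = 0x1000      # base the report's disassembler assumed
FILE_ALIGNMENT = 0x200            # inferred from the raw offsets
SECTION_ALIGNMENT = 0x1000        # inferred from the virtual offsets

Section = namedtuple("Section", "name flags roff rsize voff vsize")
SECTIONS = [
    Section(".text",  0x60000020, 0x400,   0xE5E00, 0x1000,  0xE5D33),
    Section(".rdata", 0x40000040, 0xE6200, 0x5A00,  0xE7000, 0x592E),
    Section(".data",  0xC0000040, 0xEBC00, 0x200,   0xED000, 0x39C),
    Section(".rsrc",  0x40000040, 0xEBE00, 0x200,   0xEE000, 0x1E0),
    Section(".reloc", 0x42000040, 0xEC000, 0xA00,   0xEF000, 0x980),
]

# IMAGE_SCN_* bits relevant to this file (PE/COFF specification).
SECTION_FLAGS = {
    0x00000020: "CNT_CODE",
    0x00000040: "CNT_INITIALIZED_DATA",
    0x00000080: "CNT_UNINITIALIZED_DATA",
    0x02000000: "MEM_DISCARDABLE",
    0x20000000: "MEM_EXECUTE",
    0x40000000: "MEM_READ",
    0x80000000: "MEM_WRITE",
}

# IMAGE_FILE_* bits of the COFF header Characteristics field.
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}


def decode_flags(value, table):
    """Names of the bits set in `value`, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def align_up(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)


def section_for_rva(rva):
    """Section whose virtual range contains `rva`, or None."""
    for s in SECTIONS:
        if s.voff <= rva < s.voff + max(s.vsize, s.rsize):
            return s
    return None


def rva_to_offset(rva):
    """File offset backing an RVA; raises if the RVA has no bytes on disk."""
    s = section_for_rva(rva)
    if s is None:
        raise ValueError(f"RVA {rva:#x} is outside every section")
    delta = rva - s.voff
    if delta >= s.rsize:
        raise ValueError(f"RVA {rva:#x} is virtual-only in {s.name}")
    return s.roff + delta


def displayed_to_va(displayed):
    """Real VA for an address the report's disassembler printed at base 0x1000."""
    return IMAGE_BASE + ENTRY_RVA + (displayed - DISASM_NOMINAL_BASE)


def expected_size_of_image():
    last = SECTIONS[-1]
    return align_up(last.voff + last.vsize, SECTION_ALIGNMENT)


def expected_file_size():
    return max(s.roff + s.rsize for s in SECTIONS)


def executable_section_names():
    return [s.name for s in SECTIONS if s.flags & 0x20000000]


def writable_and_executable():
    """Sections mapped W+X: a hardening red flag, empty for a normal MSVC build."""
    return [s.name for s in SECTIONS if s.flags & 0x20000000 and s.flags & 0x80000000]


if __name__ == "__main__":
    print(f"entry point: RVA {ENTRY_RVA:#x} -> file offset {rva_to_offset(ENTRY_RVA):#x} "
          f"in {section_for_rva(ENTRY_RVA).name}")
    print("characteristics 0x2102:", " | ".join(decode_flags(0x2102, FILE_CHARACTERISTICS)))
    for s in SECTIONS:
        print(f"{s.name:7} {' | '.join(decode_flags(s.flags, SECTION_FLAGS))}")
    print(f"SizeOfImage {expected_size_of_image():#x}, file size {expected_file_size()} bytes")
    print(f"JNE 0x100E really targets {displayed_to_va(0x100E):#x}")
```

The same helpers apply to any PE once the section table is read from the file; here the point is that the report's headline numbers (entry offset E5750, SizeOfImage F0000, 946.5 KB, a single executable section) all fall out of the section table, so a mismatch between them would be the first sign of a tampered header.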

Signatures:
Rich Signature Analyzer:
Code -> E1AEC559A5CFAB0AA5CFAB0AA5CFAB0AACB7380AA7CFAB0A1BBEAA0BA6CFAB0A1BBEAE0BAFCFAB0A1BBEAF0BAFCFAB0A1BBEA80BA7CFAB0AFEA7AA0BA7CFAB0AA5CFAA0ABACFAB0A33BDA20BA3CFAB0A33BDAB0BA4CFAB0A33BD540AA4CFAB0A33BDA90BA4CFAB0A52696368A5CFAB0A
Footprint md5 Hash -> 5854B5CC6A9FDF5A0D20D47E6E29EE0A
• The Rich header appears intact (no sign of modification). Its XOR key doubles as a checksum over the DOS header and the decoded entries, so a key that fails to verify would indicate the header was edited after linking.
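As an added example (again not PESCAN.IO code), the Rich header blob printed above can be decoded offline: every dword before the "Rich" marker is XORed with the key that follows the marker, the first dword must decode to "DanS", three zero padding dwords follow, and the rest are @comp.id/count pairs (product id in the high 16 bits, toolchain build number in the low 16). Product id 1 is the import pseudo-entry, whose count is the number of imported symbols. Verifying the key as a checksum needs the DOS header bytes, which the report does not include, so the block checks structure only.

```python
import struct

# Rich header bytes exactly as printed in the report's "Rich Signature Analyzer" line.
RICH_HEX = (
    "E1AEC559A5CFAB0AA5CFAB0AA5CFAB0AACB7380AA7CFAB0A1BBEAA0BA6CFAB0A"
    "1BBEAE0BAFCFAB0A1BBEAF0BAFCFAB0A1BBEA80BA7CFAB0AFEA7AA0BA7CFAB0A"
    "A5CFAA0ABACFAB0A33BDA20BA3CFAB0A33BDAB0BA4CFAB0A33BD540AA4CFAB0A"
    "33BDA90BA4CFAB0A52696368A5CFAB0A"
)

DANS_MAGIC = 0x536E6144   # b"DanS" read as a little-endian dword
IMPORT_PRODUCT_ID = 1     # prodidImport0: count = number of imported symbols


def decode_rich(hex_blob):
    """Return (xor_key, [(product_id, build, count), ...]) for a Rich header blob."""
    data = bytes.fromhex(hex_blob)
    rich_at = data.rfind(b"Rich")
    if rich_at < 0 or rich_at % 4 or rich_at + 8 > len(data):
        raise ValueError("no dword-aligned 'Rich' marker followed by a key")
    key = struct.unpack_from("<I", data, rich_at + 4)[0]
    n_dwords = rich_at // 4
    plain = [d ^ key for d in struct.unpack_from(f"<{n_dwords}I", data, 0)]
    if plain[0] != DANS_MAGIC:
        raise ValueError("first dword does not decode to 'DanS'")
    if any(plain[1:4]):
        raise ValueError("padding dwords after 'DanS' are not zero")
    if (n_dwords - 4) % 2:
        raise ValueError("odd number of dwords in the entry area")
    entries = []
    for i in range(4, n_dwords, 2):
        comp_id, count = plain[i], plain[i + 1]
        entries.append((comp_id >> 16, comp_id & 0xFFFF, count))
    return key, entries


def imported_symbol_count(entries):
    return sum(count for prod, _build, count in entries if prod == IMPORT_PRODUCT_ID)


def toolchain_builds(entries):
    """Distinct build numbers of real tools (the import pseudo-entry carries build 0)."""
    return sorted({build for prod, build, _count in entries if prod != IMPORT_PRODUCT_ID})


if __name__ == "__main__":
    key, entries = decode_rich(RICH_HEX)
    print(f"XOR key / checksum: {key:#010x}")
    for prod, build, count in entries:
        print(f"  product {prod:#06x}  build {build:5d}  count {count}")
    print("imported symbols:", imported_symbol_count(entries))
    print("toolchain builds:", toolchain_builds(entries))
```

Decoding yields eleven entries, 31 imported symbols, and tool builds 26715, 29118, 29334 and 30729. The newest, 29334, is consistent with the Microsoft Linker 14.28 that Detect It Easy reports below (the 14.28 toolset ships builds in the 293xx range), so the Rich header and the DIE signature corroborate each other; a disagreement between the two is a common tell of a forged or transplanted header.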
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:
Compiler: Microsoft Visual Studio
Detect It Easy (die)
PE: linker: Microsoft Linker(14.28**)[DLL32]
Entropy: 5.67719 (whole file; a packed or encrypted image typically scores above 7, so this value agrees with the unpacked MSVC build indicated above)

Suspicious Functions:
Library Function Description
KERNEL32.DLL IsDebuggerPresent Determines whether the calling process is being debugged by a user-mode debugger. Caveat: the Visual C++ runtime startup code imports this API itself (its fail-fast/abort path calls it before raising), so in a Visual Studio-built binary the import alone is weak evidence of deliberate anti-debugging; check whether the DLL's own code, not just the CRT, references it.
Export Table (ET) functions (carved):
Original Name -> GenerateKeyExImpl.dll (DLL name recorded in the export directory)
GenerateKeyEx (the single exported function)

File Access (module names referenced by the import descriptors and the export directory):
KERNEL32.dll
api-ms-win-crt-runtime-l1-1-0.dll
VCRUNTIME140.dll
GenerateKeyExImpl.dll

Words of interest:
exec

Payloads:
Unusual BP Cave > 15 Bytes - (0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...)
Note: 0xCC is the INT3 opcode; the Microsoft linker fills the alignment gaps between functions in .text with it, so long 0xCC runs are expected in any MSVC build and do not by themselves indicate an injected payload or a usable code cave.

Strings/Hex Code Found With The File Rules:
Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent) - matched on the ASCII import name only

Resources:
Path        DataRVA  Size  FileOffset  Contents
\24\2\1033  EE060    17D   EBE60       3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779 -> "<?xml version='1.0' encoding='UTF-8' standalone='y" (truncated by the tool)
The path components are resource type 24 (RT_MANIFEST), name 2, language 1033 (en-US): a 0x17D = 381-byte application manifest, which is where the asInvoker UAC execution level above is read from. FileOffset EBE60 is DataRVA EE060 mapped through .rsrc (VOffset EE000, ROffset EBE00).
Intelligent String:
• C:\WS\P13A\SW\__P13A_Construction\SQR_SUV_DLL_Project_0\GenerateKeyExImpl\Release\GenerateKeyExImpl.pdb (embedded PDB path from the debug directory; the project name matches the export-table name and the Release\ directory confirms a release build)
• .bss

Extra 4n4lysis:
Metric          Value    Percentage
Ascii Code      458741   47.3311%
Null Byte Code  130565   13.4712%
(percentages are of the 969,216-byte file)
© 2025 All rights reserved.