PESCAN.IO - Analysis Report Basic

File Structure
[Analysis image not reproduced]
PE Chart Code legend:
• Header PE (light blue)
• Executable sections (pink)
• Non-executable sections (black)
• External injected code (red)
• File Structure in red = malformed or corrupted header

Chart Code For Other Files:
• Printable characters (blue)
• Non-printable characters (black)
Information
Size: 1,39 MB
SHA-256 Hash: 39361D4569670DAC47BA97CF1214E48C24E2E7530C22AB52ACAEEC0F8CB4AB36
SHA-1 Hash: 73671D4C05DCE34D7BCDBE6C43D3EEB8B861DE07
MD5 Hash: A180C4415D7172CFC760C3C80D961191
Imphash: AFCDF79BE1557326C854B6E20CB900A7
MajorOSVersion: 5
MinorOSVersion: 1
CheckSum: 00166F5F
EntryPoint (rva): 2800A
SizeOfHeaders: 400
SizeOfImage: 16B000
ImageBase: 400000
Architecture: x86
ImportTable: BC0CC
IAT: 8F000
Characteristics: 122
TimeDateStamp: 662A0119
Date: 25/04/2024 7:07:05
File Type: EXE
Number Of Sections: 5
ASLR: Enabled
Section Names: .text, .rdata, .data, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info
Section | Flags | Characteristics | ROffset | RSize | VOffset | VSize | Entropy | Chi2
.text | 0x60000020 | Code, Executable, Readable | 400 | 8E000 | 1000 | 8DFDD | 6.6752 | 3075403.98
.rdata | 0x40000040 | Initialized Data, Readable | 8E400 | 2FE00 | 8F000 | 2FD8E | 5.7632 | 4998913.71
.data | 0xC0000040 | Initialized Data, Readable, Writeable | BE200 | 5200 | BF000 | 8F74 | 1.1964 | 4320740.59
.rsrc | 0x40000040 | Initialized Data, Readable | C3400 | 9A200 | C8000 | 9A080 | 7.9526 | 92415.91
.reloc | 0x42000040 | Initialized Data, GP-Relative, Readable | 15D600 | 7200 | 163000 | 7134 | 6.784 | 110144.86
Description
Language: English (United Kingdom) (ID=0x809)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point
Section 1 (.text) contains the Entry Point
Information -> EntryPoint (calculated) - 2740A
Code -> E8C8D00000E97FFEFFFFCCCCCCCCCCCCCCCCCCCCCCCC57568B7424108B4C24148B7C240C8BC18BD103C63BFE76083BF80F82
Assembler
|CALL 0XE0CD
|JMP 0XE89
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|INT3
|PUSH EDI
|PUSH ESI
|MOV ESI, DWORD PTR [ESP + 0X10]
|MOV ECX, DWORD PTR [ESP + 0X14]
|MOV EDI, DWORD PTR [ESP + 0XC]
|MOV EAX, ECX
|MOV EDX, ECX
|ADD EAX, ESI
|CMP EDI, ESI
|JBE 0X1036
|CMP EDI, EAX
Signatures
Rich Signature Analyzer:
Code -> 167392925212FCC15212FCC15212FCC114431DC15012FCC1CCB23BC15312FCC15F4023C16112FCC15F401CC1E312FCC15F401DC16712FCC15B6A7FC15B12FCC15B6A6FC17712FCC15212FDC17210FCC1E78C16C10212FCC1E78C23C15312FCC15F4027C15312FCC152126BC15312FCC1E78C22C15312FCC1526963685212FCC1
Footprint md5 Hash -> 0A26A2E4B9E80CB78CE55B17BC970B32
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Compiler: Microsoft Visual C++
Compiler: Microsoft Visual C++ 6 DLL
Compiler: Autoit 3 - (You can use a decompiler for this...)
Detect It Easy (die)
PE: library: AutoIt(3.XX)[-]
PE: compiler: EP:Microsoft Visual C/C++(2013-2017)[EXE32]
PE: compiler: Microsoft Visual C/C++(2013)[-]
PE: linker: Microsoft Linker(12.0*)[-]
Entropy: 7.37497

Suspicious Functions
Library Function Description
KERNEL32.DLL VirtualAlloc Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL CopyFileW Copies an existing file to a new file.
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL LoadLibraryA Loads the specified module into the address space of the calling process.
KERNEL32.DLL LoadLibraryW Loads the specified module into the address space of the calling process.
KERNEL32.DLL CreateToolhelp32Snapshot Creates a snapshot of the specified processes, heaps, threads, and modules.
KERNEL32.DLL WriteProcessMemory Writes data to an area of memory in a specified process.
KERNEL32.DLL ReadProcessMemory Reads data from an area of memory in a specified process.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL IsDebuggerPresent Determines if the calling process is being debugged by a user-mode debugger.
USER32.DLL GetAsyncKeyState Retrieves the status of a virtual key asynchronously.
SHELL32.DLL ShellExecuteW Performs a run operation on a specific file.
SHELL32.DLL ShellExecuteExW Performs a run operation on a specific file.
Windows REG (UNICODE)
Software\AutoIt v3\AutoIt
SOFTWARE\Classes\
SYSTEM\CurrentControlSet\Control\Nls\Language

File Access
OLEAUT32.dll
ole32.dll
SHELL32.dll
ADVAPI32.dll
COMDLG32.dll
GDI32.dll
USER32.dll
KERNEL32.dll
UxTheme.dll
USERENV.dll
IPHLPAPI.DLL
PSAPI.DLL
WININET.dll
MPR.dll
COMCTL32.dll
WINMM.dll
VERSION.dll
WSOCK32.dll
@.dat
Temp
UserProfile

File Access (UNICODE)
USER32.DLL
combase.dll
Bbad allocationmscoree.dll
Temp
ProgramFiles
AppData
UserProfile

Words of Interest
PADDINGX
exec
attrib
start
shutdown
systeminfo
ping
replace

Words of Interest (UNICODE)
exec
attrib
start
pause
comspec
shutdown
ping
expand
replace

IP Addresses
255.255.255.255

Strings/Hex Code Matched By File Rules
Rule | Type | Encoding | Matched (Word)
Text Ascii Registry (RegCreateKeyEx)
Text Ascii Registry (RegOpenKeyEx)
Text Ascii Registry (RegSetValueEx)
Text Ascii Registry (RegDeleteKeyEx)
Text Ascii File (GetTempPath)
Text Ascii File (CopyFile)
Text Ascii File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii File (ReadFile)
Text Ascii Anti-Analysis VM (IsDebuggerPresent)
Text Ascii Anti-Analysis VM (GetSystemInfo)
Text Ascii Anti-Analysis VM (GlobalMemoryStatusEx)
Text Ascii Anti-Analysis VM (GetVersion)
Text Ascii Anti-Analysis VM (CreateToolhelp32Snapshot)
Text Ascii Reconnaissance (FindFirstFileW)
Text Ascii Reconnaissance (FindNextFileW)
Text Ascii Reconnaissance (FindClose)
Text Ascii Stealth (ExitThread)
Text Ascii Stealth (CloseHandle)
Text Ascii Stealth (VirtualAlloc)
Text Ascii Stealth (ReadProcessMemory)
Text Ascii Execution (CreateProcessA)
Text Ascii Execution (CreateProcessW)
Text Ascii Execution (ShellExecute)
Text Ascii Execution (ResumeThread)
Text Ascii Execution (CreateEventW)
Text Unicode Privileges (SeAssignPrimaryTokenPrivilege)
Text Unicode Privileges (SeBackupPrivilege)
Text Unicode Privileges (SeDebugPrivilege)
Text Unicode Privileges (SeIncreaseQuotaPrivilege)
Text Unicode Privileges (SeRestorePrivilege)
Text Unicode Privileges (SeShutdownPrivilege)
Text Unicode Keyboard Key (ALTDOWN)
Text Unicode Keyboard Key (ALTUP)
Text Unicode Keyboard Key (SHIFTDOWN)
Text Unicode Keyboard Key (SHIFTUP)
Text Unicode Keyboard Key (CTRLDOWN)
Text Unicode Keyboard Key (CTRLUP)
Text Unicode Keyboard Key (LWINDOWN)
Text Unicode Keyboard Key (LWINUP)
Text Unicode Keyboard Key (RWINDOWN)
Text Unicode Keyboard Key (RWINUP)
Text Unicode Keyboard Key (LBUTTON)
Text Unicode Keyboard Key (MBUTTON)
Text Unicode Keyboard Key (RBUTTON)
Text Unicode Keyboard Key (NUMPAD0)
Text Unicode Keyboard Key (NUMPAD1)
Text Unicode Keyboard Key (NUMPAD2)
Text Unicode Keyboard Key (NUMPAD3)
Text Unicode Keyboard Key (NUMPAD4)
Text Unicode Keyboard Key (NUMPAD5)
Text Unicode Keyboard Key (NUMPAD6)
Text Unicode Keyboard Key (NUMPAD7)
Text Unicode Keyboard Key (NUMPAD8)
Text Unicode Keyboard Key (NUMPAD9)
Text Unicode Keyboard Key (CapsLock)
Text Ascii Malicious rerouting of traffic to an attacker-controlled site (Redirect)
Entry Point Hex Pattern Microsoft Visual C++ 8
Entry Point Hex Pattern Microsoft Visual C++ 8
Entry Point Hex Pattern VC8 - Microsoft Corporation
Resources
Path | DataRVA | Size | FileOffset | Code | Text
\ICON\1\2057 C85A8 128 C39A8 2800000010000000200000000100040000000000C000000000000000000000000000000000000000000000007A60EB00795F(....... ...................................z..y_
\ICON\2\2057 C86D0 128 C3AD0 28000000100000002000000001000400000000008000000000000000000000001000000010000000000000007A60EB00795F(....... ...................................z..y_
\ICON\3\2057 C87F8 128 C3BF8 2800000010000000200000000100040000000000C000000000000000000000000000000000000000000000007A60EB00795F(....... ...................................z..y_
\ICON\4\2057 C8920 2E8 C3D20 2800000020000000400000000100040000000000000000000000000000000000000000000000000000000000000000000080(... ...@.........................................
\ICON\5\2057 C8C08 128 C4008 2800000010000000200000000100040000000000000000000000000000000000000000000000000000000000000000000080(....... .........................................
\ICON\6\2057 C8D30 EA8 C4130 28000000300000006000000001000800000000000000000000000000000000000000000000000000000000009F7747000000(...0.......................................wG...
\ICON\7\2057 C9BD8 8A8 C4FD8 2800000020000000400000000100080000000000000000000000000000000000000000000000000000000000A06A3C00AB7E(... ...@....................................j<..~
\ICON\8\2057 CA480 568 C5880 28000000100000002000000001000800000000000000000000000000000000000000000000000000000000009E6F3E009D72(....... ....................................o>..r
\ICON\9\2057 CA9E8 25A8 C5DE8 2800000030000000600000000100200000000000000000000000000000000000000000000000000000000000000000000000(...0........ ...................................
\ICON\10\2057 CCF90 10A8 C8390 2800000020000000400000000100200000000000000000000000000000000000000000000000000000000000000000000000(... ...@..... ...................................
\ICON\11\2057 CE038 468 C9438 2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000(....... ..... ...................................
\MENU\166\2057 CE4A0 50 C98A0 00000000900043006F006E007400650078007400310000000000A7005300630072006900700074002000260050006100750073006500640000000000000000008000A800450026007800690074000000......C.o.n.t.e.x.t.1.......S.c.r.i.p.t. .&.P.a.u.s.e.d.............E.&.x.i.t...
\STRING\7\2057 CE4F0 594 C98F0 0000000000000000000009002800500061007500730065006400290020000C004100750074006F0049007400200045007200............(.P.a.u.s.e.d.). ...A.u.t.o.I.t. .E.r.
\STRING\8\2057 CEA84 68A C9E84 300049006E0063006F007200720065006300740020006E0075006D0062006500720020006F006600200070006100720061000.I.n.c.o.r.r.e.c.t. .n.u.m.b.e.r. .o.f. .p.a.r.a.
\STRING\9\2057 CF110 490 CA510 30004500780070006500630074006500640020006100200022003D00220020006F00700065007200610074006F00720020000.E.x.p.e.c.t.e.d. .a. .".=.". .o.p.e.r.a.t.o.r. .
\STRING\10\2057 CF5A0 5FC CA9A0 1A0049006E00760061006C00690064002000660069006C0065002000660069006C0074006500720020006700690076006500..I.n.v.a.l.i.d. .f.i.l.e. .f.i.l.t.e.r. .g.i.v.e.
\STRING\11\2057 CFB9C 65C CAF9C 3E002200530065006C0065006300740022002000730074006100740065006D0065006E00740020006900730020006D006900>.".S.e.l.e.c.t.". .s.t.a.t.e.m.e.n.t. .i.s. .m.i.
\STRING\12\2057 D01F8 466 CB5F8 4800430061006E0020007000610073007300200063006F006E007300740061006E0074007300200062007900200072006500H.C.a.n. .p.a.s.s. .c.o.n.s.t.a.n.t.s. .b.y. .r.e.
\STRING\313\2057 D0660 158 CBA60 00000000000000000000000000000000150055006E00610062006C006500200074006F002000700061007200730065002000..................U.n.a.b.l.e. .t.o. .p.a.r.s.e. .
\RCDATA\SCRIPT\0 D07B8 91346 CBBB8 A3484BBE986C4AA9994C530A86D6487D41553321454130364DA8FF7324A73CF67A12F167ACC193E76B43CA52A6AD0000E1BB.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R......
\GROUP_ICON\99\2057 161B00 76 15CF00 0000010008002020100001000400E8020000040010101000010004002801000005003030000001000800A80E000006002020...... ....................(.....00............
\GROUP_ICON\162\2057 161B78 14 15CF78 0000010001001010100001000400280100000200..............(.....
\GROUP_ICON\164\2057 161B8C 14 15CF8C 0000010001001010100001000400280100000100..............(.....
\GROUP_ICON\169\2057 161BA0 14 15CFA0 0000010001001010100001000400280100000300..............(.....
\VERSION\1\2057 161BB4 DC 15CFB4 DC0034000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\2057 161C90 3EF 15D090 3C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122<assembly xmlns="urn:schemas-microsoft-com:asm.v1"
Intelligent String
• RUNAS
• RUNASWAIT
• mscoree.dll
• combase.dll
• !"$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]_abcdefghijklmnopqrstuvwxyz{|}~kernel32.dll
• USER32.DLL
• COMSPEC
• runas
• 0.0.0.0
• .lnk
• 255.255.255.255
• .icl
• .exe
• .dll
• COMCTL32.dll
• KERNEL32.dll
• USER32.dll
• COMDLG32.dll

Flow Anomalies
Offset RVA Section Description
657 48F734 .text CALL [static] | Indirect call to absolute memory address
6D8 48F584 .text CALL [static] | Indirect call to absolute memory address
74D 48F0D0 .text CALL [static] | Indirect call to absolute memory address
75C 48F0EC .text CALL [static] | Indirect call to absolute memory address
773 48F128 .text CALL [static] | Indirect call to absolute memory address
79C 48F0EC .text CALL [static] | Indirect call to absolute memory address
7BF 48F0D8 .text CALL [static] | Indirect call to absolute memory address
7DB 48F14C .text CALL [static] | Indirect call to absolute memory address
7EE 48F0EC .text CALL [static] | Indirect call to absolute memory address
801 48F0C8 .text CALL [static] | Indirect call to absolute memory address
81C 48F0C4 .text CALL [static] | Indirect call to absolute memory address
94C 48F128 .text CALL [static] | Indirect call to absolute memory address
9C3 48F124 .text CALL [static] | Indirect call to absolute memory address
A02 48F124 .text CALL [static] | Indirect call to absolute memory address
AAB 48F584 .text CALL [static] | Indirect call to absolute memory address
AD4 48F584 .text CALL [static] | Indirect call to absolute memory address
B9A 48F630 .text CALL [static] | Indirect call to absolute memory address
BFE 48F694 .text CALL [static] | Indirect call to absolute memory address
C1B 48F670 .text CALL [static] | Indirect call to absolute memory address
C2C 48F130 .text CALL [static] | Indirect call to absolute memory address
C76 48F62C .text CALL [static] | Indirect call to absolute memory address
CE2 48F584 .text CALL [static] | Indirect call to absolute memory address
DFA 48F584 .text CALL [static] | Indirect call to absolute memory address
E4E 48F528 .text CALL [static] | Indirect call to absolute memory address
E61 48F140 .text CALL [static] | Indirect call to absolute memory address
F9A 48F658 .text CALL [static] | Indirect call to absolute memory address
1173 48F720 .text CALL [static] | Indirect call to absolute memory address
1187 48F114 .text CALL [static] | Indirect call to absolute memory address
1191 48F688 .text CALL [static] | Indirect call to absolute memory address
11DC 48F634 .text CALL [static] | Indirect call to absolute memory address
121D 48F694 .text CALL [static] | Indirect call to absolute memory address
1245 48F670 .text CALL [static] | Indirect call to absolute memory address
1374 48F634 .text CALL [static] | Indirect call to absolute memory address
138D 48F694 .text CALL [static] | Indirect call to absolute memory address
14D3 48F63C .text CALL [static] | Indirect call to absolute memory address
156E 48F70C .text CALL [static] | Indirect call to absolute memory address
15D3 48F528 .text CALL [static] | Indirect call to absolute memory address
1631 48F528 .text CALL [static] | Indirect call to absolute memory address
163B 48F120 .text CALL [static] | Indirect call to absolute memory address
1650 48F138 .text CALL [static] | Indirect call to absolute memory address
1658 48F114 .text CALL [static] | Indirect call to absolute memory address
170B 48F148 .text CALL [static] | Indirect call to absolute memory address
1757 48F5BC .text CALL [static] | Indirect call to absolute memory address
1774 48F670 .text CALL [static] | Indirect call to absolute memory address
19EC 48F65C .text CALL [static] | Indirect call to absolute memory address
1A23 48F65C .text CALL [static] | Indirect call to absolute memory address
1CBC 48F740 .text CALL [static] | Indirect call to absolute memory address
1CC4 48F558 .text CALL [static] | Indirect call to absolute memory address
1CEF 48F740 .text CALL [static] | Indirect call to absolute memory address
1CF7 48F558 .text CALL [static] | Indirect call to absolute memory address
1D1C 48F558 .text CALL [static] | Indirect call to absolute memory address
1D39 48F5C4 .text CALL [static] | Indirect call to absolute memory address
1D49 48F4CC .text CALL [static] | Indirect call to absolute memory address
1D7C 48F720 .text CALL [static] | Indirect call to absolute memory address
1D90 48F510 .text CALL [static] | Indirect call to absolute memory address
1DAE 48F634 .text CALL [static] | Indirect call to absolute memory address
1DCA 48F114 .text CALL [static] | Indirect call to absolute memory address
1DD5 48F688 .text CALL [static] | Indirect call to absolute memory address
1DFC 48F718 .text CALL [static] | Indirect call to absolute memory address
1ECF 48F71C .text CALL [static] | Indirect call to absolute memory address
1F17 48F71C .text CALL [static] | Indirect call to absolute memory address
20A2 48F63C .text CALL [static] | Indirect call to absolute memory address
20E8 48F0C8 .text CALL [static] | Indirect call to absolute memory address
20F3 48F0C8 .text CALL [static] | Indirect call to absolute memory address
20FE 48F73C .text CALL [static] | Indirect call to absolute memory address
2109 48F63C .text CALL [static] | Indirect call to absolute memory address
22AE 48F510 .text CALL [static] | Indirect call to absolute memory address
2474 48F730 .text CALL [static] | Indirect call to absolute memory address
249E 48F724 .text CALL [static] | Indirect call to absolute memory address
24AF 48F714 .text CALL [static] | Indirect call to absolute memory address
24CC 48F0AC .text CALL [static] | Indirect call to absolute memory address
24DC 48F0B0 .text CALL [static] | Indirect call to absolute memory address
24F2 48F728 .text CALL [static] | Indirect call to absolute memory address
2501 48F088 .text CALL [static] | Indirect call to absolute memory address
254D 48F0C8 .text CALL [static] | Indirect call to absolute memory address
25A6 48F63C .text CALL [static] | Indirect call to absolute memory address
2608 48F524 .text CALL [static] | Indirect call to absolute memory address
29D4 48F018 .text CALL [static] | Indirect call to absolute memory address
29F5 48F020 .text CALL [static] | Indirect call to absolute memory address
2A17 48F01C .text CALL [static] | Indirect call to absolute memory address
2A46 48F73C .text CALL [static] | Indirect call to absolute memory address
2AD2 48F6BC .text CALL [static] | Indirect call to absolute memory address
2AFC 48F70C .text CALL [static] | Indirect call to absolute memory address
2B1F 48F718 .text CALL [static] | Indirect call to absolute memory address
2B2A 48F714 .text CALL [static] | Indirect call to absolute memory address
2B3E 48F710 .text CALL [static] | Indirect call to absolute memory address
2B5F 48F708 .text CALL [static] | Indirect call to absolute memory address
2E62 48F730 .text CALL [static] | Indirect call to absolute memory address
2E71 48F72C .text CALL [static] | Indirect call to absolute memory address
2ED2 48F744 .text CALL [static] | Indirect call to absolute memory address
2F28 48F724 .text CALL [static] | Indirect call to absolute memory address
2F7A 48F334 .text CALL [static] | Indirect call to absolute memory address
2F8C 48F330 .text CALL [static] | Indirect call to absolute memory address
2FFD 48F360 .text CALL [static] | Indirect call to absolute memory address
3081 48F208 .text CALL [static] | Indirect call to absolute memory address
35F1 48F4BC .text CALL [static] | Indirect call to absolute memory address
38A6 48F4BC .text CALL [static] | Indirect call to absolute memory address
38C3 48F4BC .text CALL [static] | Indirect call to absolute memory address
3927 48F4BC .text CALL [static] | Indirect call to absolute memory address
39B5 48F70C .text CALL [static] | Indirect call to absolute memory address
A6038-A6045 N/A .rdata Potential obfuscated jump sequence detected, count: 7
A60C2-A60F1 N/A .rdata Potential obfuscated jump sequence detected, count: 24
AB140-AB257 N/A .rdata Potential obfuscated jump sequence detected, count: 140
AB294-AB2BF N/A .rdata Potential obfuscated jump sequence detected, count: 22
Extra Analysis
Metric Value Percentage
Ascii Code 893106 61,1623%
Null Byte Code 161204 11,0397%
© 2026 All rights reserved.