PREMIUM PESCAN.IO - Analysis Report
| File Structure |
PE Chart Code
Header PE (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header
Chart Code For Other Files
Printable characters (blue)
Non-printable characters (black)
| Information |
| Field | Value |
|---|---|
| Size | 14,00 KB |
| SHA-256 Hash | BA6D68BBB99C6237C983D491ABF42245E8A0D7A993CA3D27E59907288FD836C5 |
| SHA-1 Hash | 33B07FA13472C02FDBE0ED27AD57041FCC00114C |
| MD5 Hash | A27FF9AF761982647EF383A5782652E1 |
| Imphash | 2337EAD6FD78AD2AAE587AA37663D13C |
| MajorOSVersion | 4 |
| MinorOSVersion | 0 |
| CheckSum | 00011C5C |
| EntryPoint (rva) | 1269 |
| SizeOfHeaders | 400 |
| SizeOfImage | B000 |
| ImageBase | 69D40000 |
| Architecture | x86 |
| ExportTable | 7000 |
| ImportTable | 8000 |
| IAT | 815C |
| Characteristics | 230E |
| TimeDateStamp | 69ECC390 |
| Date | 25/04/2026 13:37:20 |
| File Type | DLL |
| Number Of Sections | 9 |
| ASLR | Enabled |
| Section Names | .text, .data, .rdata, .eh_fram, .bss, .edata, .idata, .tls, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 400 | 1800 | 1000 | 1730 | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | 1C00 | 200 | 3000 | 44 | | |
| .rdata | 0x40000040 Initialized Data Readable | 1E00 | 400 | 4000 | 334 | | |
| .eh_fram | 0x40000040 Initialized Data Readable | 2200 | 800 | 5000 | 69C | | |
| .bss | 0xC0000080 Uninitialized Data Readable Writeable | 0 | 0 | 6000 | 8C | | |
| .edata | 0x40000040 Initialized Data Readable | 2A00 | 200 | 7000 | 7A | | |
| .idata | 0x40000040 Initialized Data Readable | 2C00 | 800 | 8000 | 608 | | |
| .tls | 0xC0000040 Initialized Data Readable Writeable | 3400 | 200 | 9000 | 8 | | |
| .reloc | 0x42000040 Initialized Data GP-Relative Readable | 3600 | 200 | A000 | 18C | | |
| Entry Point |
Section number 1 (.text) contains the Entry Point.
EntryPoint (calculated file offset): 669
Code: 8D4C240483E4F0FF71FC5589E5535183EC2089CBC745F401000000837B0401750AC7054860D469000000008B4304A32830D4
Assembler:
| LEA ECX, [ESP + 4]
| AND ESP, 0XFFFFFFF0
| PUSH DWORD PTR [ECX - 4]
| PUSH EBP
| MOV EBP, ESP
| PUSH EBX
| PUSH ECX
| SUB ESP, 0X20
| MOV EBX, ECX
| MOV DWORD PTR [EBP - 0XC], 1
| CMP DWORD PTR [EBX + 4], 1
| JNE 0X102B
| MOV DWORD PTR [0X69D46048], 0
| MOV EAX, DWORD PTR [EBX + 4]
| Signatures |
| Certificate - Digital Signature Not Found: • The file is not signed |
| Packer/Compiler |
| Detect It Easy (die) • Entropy: 5.08142 |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| Ws2_32.DLL | socket | Creates a communication endpoint for networking applications. |
| ET Functions (carving) |
| Original Name -> victim.dll • _p1 • _p2 • _p3 • _p4 • _x@4 |
| File Access |
| • cmd.exe • WS2_32.dll • api-ms-win-crt-string-l1-1-0.dll • api-ms-win-crt-stdio-l1-1-0.dll • api-ms-win-crt-runtime-l1-1-0.dll • api-ms-win-crt-private-l1-1-0.dll • api-ms-win-crt-heap-l1-1-0.dll • KERNEL32.dll • victim.dll • libgcc_s_dw2-1.dll • .dat |
| Words of Interest |
| • exec • start |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (WSACleanup) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Execution (CreateProcessA) |
| Intelligent String |
| • @.bss • @.tls • cmd.exe • KERNEL32.dll • api-ms-win-crt-heap-l1-1-0.dll • api-ms-win-crt-private-l1-1-0.dll • api-ms-win-crt-runtime-l1-1-0.dll • api-ms-win-crt-string-l1-1-0.dll • WS2_32.dll |
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 7CE | 69D48178 | .text | CALL [static] | Indirect call to absolute memory address |
| 7E4 | 69D48188 | .text | CALL [static] | Indirect call to absolute memory address |
| 884 | 69D48170 | .text | CALL [static] | Indirect call to absolute memory address |
| 8EF | 69D48204 | .text | CALL [static] | Indirect call to absolute memory address |
| 927 | 69D48200 | .text | CALL [static] | Indirect call to absolute memory address |
| 943 | 69D4820C | .text | CALL [static] | Indirect call to absolute memory address |
| 954 | 69D48210 | .text | CALL [static] | Indirect call to absolute memory address |
| 994 | 69D481FC | .text | CALL [static] | Indirect call to absolute memory address |
| A24 | 69D4815C | .text | CALL [static] | Indirect call to absolute memory address |
| A3C | 69D4819C | .text | CALL [static] | Indirect call to absolute memory address |
| A48 | 69D48208 | .text | CALL [static] | Indirect call to absolute memory address |
| A51 | 69D481F8 | .text | CALL [static] | Indirect call to absolute memory address |
| A8F | 69D48168 | .text | CALL [static] | Indirect call to absolute memory address |
| AC7 | 69D48160 | .text | CALL [static] | Indirect call to absolute memory address |
| 1A98 | 69D481E4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1AA0 | 69D481E8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1AA8 | 69D481EC | .text | JMP [static] | Indirect jump to absolute memory address |
| 1AB0 | 69D481F0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1AB8 | 69D481D8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1AC0 | 69D481DC | .text | JMP [static] | Indirect jump to absolute memory address |
| 1AC8 | 69D481B8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1AD0 | 69D481BC | .text | JMP [static] | Indirect jump to absolute memory address |
| 1AD8 | 69D481C0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1AE0 | 69D481C4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1AE8 | 69D481C8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1AF0 | 69D481CC | .text | JMP [static] | Indirect jump to absolute memory address |
| 1AF8 | 69D481D0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1B00 | 69D481B0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1B08 | 69D481A4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1B10 | 69D481A8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2120 | 1790 | .rdata | TLS Callback | Pointer to 69D41790 - 0xB90 .text |
| 2124 | 1820 | .rdata | TLS Callback | Pointer to 69D41820 - 0xC20 .text |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 6714 | 46,8331% |
| Null Byte Code | 5598 | 39,0485% |
| NOP Cave Found | 0x9090909090 (Block Count: 3) | Total: 0,0523% |
© 2026 All rights reserved.