PESCAN.IO - Analysis Report Basic
| File Structure |
PE Chart Code
Header PE (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header
Chart Code For Other Files
Printable characters (blue)
Non-printable characters (black)
| Information |
| Field | Value |
|---|---|
| Icon | |
| Size | 4,40 MB |
| SHA-256 Hash | BDC7E080296A3CE66C66F020F03DC32A2257F3EBD61B81B0F7C5A3CF46B4DF54 |
| SHA-1 Hash | 0E88EB17FAF470D6BAE8FE6554A8B4D3F46FFD76 |
| MD5 Hash | A8255DBBC59611DC90F8A5C79BC21406 |
| Imphash | 9ACCC748A9D89A334D2FC419EC39655A |
| MajorOSVersion | 5 |
| MinorOSVersion | 0 |
| CheckSum | 00000000 |
| EntryPoint (RVA) | 16478 |
| SizeOfHeaders | 400 |
| SizeOfImage | 2D000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ImportTable | 1E000 |
| IAT | 1E350 |
| Characteristics | 818F |
| TimeDateStamp | 506A75C4 |
| Date | 02/10/2012 5:04:04 |
| File Type | EXE |
| Number Of Sections | 8 |
| ASLR | Disabled |
| Section Names | .text, .itext, .data, .bss, .idata, .tls, .rdata, .rsrc |
| Number Of Executable Sections | 2 |
| Subsystem | Windows GUI |
| UAC Execution Level Manifest | requireAdministrator |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 400 | 14400 | 1000 | 143F8 | | |
| .itext | 0x60000020 Code Executable Readable | 14800 | C00 | 16000 | BE8 | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | 15400 | E00 | 17000 | D9C | | |
| .bss | 0xC0000000 Readable Writeable | 16200 | 0 | 18000 | 5750 | | |
| .idata | 0xC0000040 Initialized Data Readable Writeable | 16200 | 1000 | 1E000 | F9E | | |
| .tls | 0xC0000000 Readable Writeable | 17200 | 0 | 1F000 | 8 | | |
| .rdata | 0x40000040 Initialized Data Readable | 17200 | 200 | 20000 | 18 | | |
| .rsrc | 0x40000040 Initialized Data Readable | 17400 | B200 | 21000 | B200 | | |
| Description |
| Field | Value |
|---|---|
| LegalCopyright | FitGirl |
| ProductName | Stolen Realm |
| FileDescription | Stolen Realm Setup |
| Comments | This installation was built with Inno Setup. |
| Language | Unknown (ID=0x0) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |
| Binder/Joiner/Crypter |
| Dropper code detected (EOF) - 4,22 MB |
| Entry Point |
Section 2 (.itext) contains the Entry Point. EntryPoint (calculated file offset): 14C78

Code: 558BEC83C4A453565733C08945C48945C08945A48945D08945C88945CC8945D48945D88945ECB8B8524100E8AC03FFFF33C0

Assembler:

```
PUSH EBP
MOV EBP, ESP
ADD ESP, -0X5C
PUSH EBX
PUSH ESI
PUSH EDI
XOR EAX, EAX
MOV DWORD PTR [EBP - 0X3C], EAX
MOV DWORD PTR [EBP - 0X40], EAX
MOV DWORD PTR [EBP - 0X5C], EAX
MOV DWORD PTR [EBP - 0X30], EAX
MOV DWORD PTR [EBP - 0X38], EAX
MOV DWORD PTR [EBP - 0X34], EAX
MOV DWORD PTR [EBP - 0X2C], EAX
MOV DWORD PTR [EBP - 0X28], EAX
MOV DWORD PTR [EBP - 0X14], EAX
MOV EAX, 0X4152B8
CALL 0XFFFF13DC
XOR EAX, EAX
```
| Signatures |
| Certificate - Digital Signature Not Found: • The file is not signed |
| Packer/Compiler |
| Compiler: Borland Delphi 7 |
Detect It Easy (die):
• PE: installer: Inno Setup Module(5.5.0)[unicode]
• PE: compiler: Embarcadero Delphi(2009-2010)[-]
• PE: linker: Turbo Linker(2.25*,Delphi)[-]
• PE: overlay: Inno Setup Installer data(-)[-]
• Entropy: 7.98568
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| Windows REG (UNICODE) |
• SOFTWARE\Borland\Delphi\RTL
• Software\CodeGear\Locales
• Software\Borland\Locales
• Software\Borland\Delphi\Locales
| File Access |
| oleaut32.dll advapi32.dll kernel32.dll comctl32.dll user32.dll .dat |
| File Access (UNICODE) |
| kernel32.dll shell32.dll oleaut32.dll Temp UserProfile |
| Interest's Words |
| exec attrib start systeminfo |
| Interest's Words (UNICODE) |
| shutdown |
| URLs |
| http://schemas.microsoft.com/SMI/2005/WindowsSettings |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Reconnaissance (FindFirstFileW) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Execution (CreateProcessW) |
| Text | Ascii | Execution (CreateEventW) |
| Text | Unicode | Privileges (SeShutdownPrivilege) |
| Text | Ascii | Malware that monitors and collects user data (Spy) |
| Text | Unicode | Malicious rerouting of traffic to an attacker-controlled site (Redirect) |
| Entry Point | Hex Pattern | Borland Delphi 4.0 |
| Entry Point | Hex Pattern | fasm - Tomasz Grysztar |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\2052 | 2141C | 128 | 1781C | 2800000010000000200000000100040000000000C00000000000000000000000000000000000000000000000008000008000 | (....... ......................................... |
| \ICON\2\2052 | 21544 | 568 | 17944 | 2800000010000000200000000100080000000000400100000000000000000000000000000000000000000000800000000080 | (....... ...........@............................. |
| \ICON\3\2052 | 21AAC | 2E8 | 17EAC | 2800000020000000400000000100040000000000800200000000000000000000000000000000000000000000008000008000 | (... ...@......................................... |
| \ICON\4\2052 | 21D94 | 8A8 | 18194 | 2800000020000000400000000100080000000000800400000000000000000000000000000000000000000000800000000080 | (... ...@......................................... |
| \STRING\4091\0 | 2263C | C4 | 18A3C | 0300540068007500030046007200690003005300610074000600530075006E0064006100790006004D006F006E0064006100 | ..T.h.u...F.r.i...S.a.t...S.u.n.d.a.y...M.o.n.d.a. |
| \STRING\4092\0 | 22700 | CC | 18B00 | 07004A0061006E00750061007200790008004600650062007200750061007200790005004D00610072006300680005004100 | ..J.a.n.u.a.r.y...F.e.b.r.u.a.r.y...M.a.r.c.h...A. |
| \STRING\4093\0 | 227CC | 174 | 18BCC | 28004D006F006E00690074006F007200200073007500700070006F00720074002000660075006E006300740069006F006E00 | (.M.o.n.i.t.o.r. .s.u.p.p.o.r.t. .f.u.n.c.t.i.o.n. |
| \STRING\4094\0 | 22940 | 39C | 18D40 | 1F00560061007200690061006E00740020006F00720020007300610066006500200061007200720061007900200069007300 | ..V.a.r.i.a.n.t. .o.r. .s.a.f.e. .a.r.r.a.y. .i.s. |
| \STRING\4095\0 | 22CDC | 34C | 190DC | 160049006E00760061006C0069006400200063006C0061007300730020007400790070006500630061007300740030004100 | ..I.n.v.a.l.i.d. .c.l.a.s.s. .t.y.p.e.c.a.s.t.0.A. |
| \STRING\4096\0 | 23028 | 294 | 19428 | 0D004F007500740020006F00660020006D0065006D006F00720079000C0049002F004F0020006500720072006F0072002000 | ..O.u.t. .o.f. .m.e.m.o.r.y...I./.O. .e.r.r.o.r. . |
| \RCDATA\CHARTABLE\1033 | 232BC | 82E8 | 196BC | 1800000018220000B82C0000C8420000C8640000E86800000000100020003000400050006000700080009000A000B000C000 | ....."...,...B...d...h...... .0.@.P..p........... |
| \RCDATA\DVCLAL\0 | 2B5A4 | 10 | 219A4 | 263D4F38C28237B8F3244203179B3A83 | &=O8..7..$B...:. |
| \RCDATA\PACKAGEINFO\0 | 2B5B4 | 1B0 | 219B4 | 000010CC0000000027000000010553657475704C64725F44323030395F46756C6C56434C0010245661725574696C73000C4B | ........'.....SetupLdr_D2009_FullVCL..$VarUtils..K |
| \RCDATA\11111\0 | 2B764 | 2C | 21B64 | 72446C507453CDE6D77B0B2A010000005C524600A0353F0000CA160012BE9DE450F23C000026020001BCD194 | rDlPtS...{.*....\RF..5?.........P.<..&...... |
| \GROUP_ICON\MAINICON\2052 | 2B790 | 3E | 21B90 | 000001000400101010000100040028010000010010100000010008006805000002002020100001000400E802000003002020000001000800A80800000400 | ..............(.............h..... ............ ............ |
| \VERSION\1\1033 | 2B7D0 | 4B8 | 21BD0 | B80434000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\1033 | 2BC88 | 560 | 22088 | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="UTF-8" standalone="y |
| Intelligent String |
• kernel32.dll
• oleaut32.dll
• .tmp
• .bss
• .tls
• shell32.dll
• RegCloseKeyuser32.dll
• CharNextWkernel32.dll
• CloseHandlekernel32.dll
• user32.dll
• CloseHandleadvapi32.dll
• Sleepadvapi32.dll
• AdjustTokenPrivilegesoleaut32.dll
• <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
• R.qYC
• PPP0
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 4B8 | 41E400 | .text | JMP [static] | Indirect jump to absolute memory address |
| 4C0 | 41E3FC | .text | JMP [static] | Indirect jump to absolute memory address |
| 4C8 | 41E3F8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 4D0 | 41E3F4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 4D8 | 41E3F0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 4E0 | 41E3EC | .text | JMP [static] | Indirect jump to absolute memory address |
| 4E8 | 41E37C | .text | JMP [static] | Indirect jump to absolute memory address |
| 4F0 | 41E3E8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 4F8 | 41E378 | .text | JMP [static] | Indirect jump to absolute memory address |
| 500 | 41E3E4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 508 | 41E3E0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 510 | 41E3DC | .text | JMP [static] | Indirect jump to absolute memory address |
| 518 | 41E3D8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 520 | 41E3D4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 528 | 41E3D0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 530 | 41E3CC | .text | JMP [static] | Indirect jump to absolute memory address |
| 538 | 41E3C8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 540 | 41E3C4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 548 | 41E3C0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 550 | 41E3BC | .text | JMP [static] | Indirect jump to absolute memory address |
| 558 | 41E374 | .text | JMP [static] | Indirect jump to absolute memory address |
| 560 | 41E3B8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 568 | 41E3B4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 570 | 41E3B0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 578 | 41E368 | .text | JMP [static] | Indirect jump to absolute memory address |
| 580 | 41E364 | .text | JMP [static] | Indirect jump to absolute memory address |
| 588 | 41E360 | .text | JMP [static] | Indirect jump to absolute memory address |
| 590 | 41E3AC | .text | JMP [static] | Indirect jump to absolute memory address |
| 598 | 41E3A8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5A0 | 41E358 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5A8 | 41E354 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5B0 | 41E350 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5B8 | 41E3A4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5C0 | 41E3A0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5C8 | 41E39C | .text | JMP [static] | Indirect jump to absolute memory address |
| 5D0 | 41E398 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5D8 | 41E394 | .text | JMP [static] | Indirect jump to absolute memory address |
| 60C | 41E390 | .text | JMP [static] | Indirect jump to absolute memory address |
| 614 | 41E38C | .text | JMP [static] | Indirect jump to absolute memory address |
| 61C | 41E388 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2210 | 417750 | .text | CALL [static] | Indirect call to absolute memory address |
| 2228 | 417744 | .text | CALL [static] | Indirect call to absolute memory address |
| 2244 | 417748 | .text | CALL [static] | Indirect call to absolute memory address |
| 2265 | 41774C | .text | CALL [static] | Indirect call to absolute memory address |
| 227E | 417748 | .text | CALL [static] | Indirect call to absolute memory address |
| 2297 | 417744 | .text | CALL [static] | Indirect call to absolute memory address |
| 230B | 418020 | .text | CALL [static] | Indirect call to absolute memory address |
| 234A | 418008 | .text | CALL [static] | Indirect call to absolute memory address |
| 2541 | 418030 | .text | CALL [static] | Indirect call to absolute memory address |
| 2AFC | 41E370 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2B19 | FF00 | .text | JMP [static] | Indirect jump to absolute memory address |
| 302C | 418014 | .text | CALL [static] | Indirect call to absolute memory address |
| 304A | 418014 | .text | CALL [static] | Indirect call to absolute memory address |
| 3062 | 418014 | .text | CALL [static] | Indirect call to absolute memory address |
| 30D4 | 418014 | .text | CALL [static] | Indirect call to absolute memory address |
| 30F4 | 418014 | .text | CALL [static] | Indirect call to absolute memory address |
| 3111 | 418014 | .text | CALL [static] | Indirect call to absolute memory address |
| 31EE | 418018 | .text | CALL [static] | Indirect call to absolute memory address |
| 32F3 | 418010 | .text | CALL [static] | Indirect call to absolute memory address |
| 3376 | 418018 | .text | CALL [static] | Indirect call to absolute memory address |
| 3516 | 418014 | .text | JMP [static] | Indirect jump to absolute memory address |
| 3684 | 418018 | .text | CALL [static] | Indirect call to absolute memory address |
| 3A3B | 418340 | .text | CALL [static] | Indirect call to absolute memory address |
| 3BAA | 41802C | .text | CALL [static] | Indirect call to absolute memory address |
| 4BB9 | 417010 | .text | CALL [static] | Indirect call to absolute memory address |
| 4CED | 417018 | .text | CALL [static] | Indirect call to absolute memory address |
| 5AD0 | 41E384 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5B90 | 41E414 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5B98 | 41E410 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5BA0 | 41E40C | .text | JMP [static] | Indirect jump to absolute memory address |
| 5BA8 | 41E408 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5C98 | 41E558 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5CA0 | 41E554 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5CA8 | 41E550 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5CB0 | 41E54C | .text | JMP [static] | Indirect jump to absolute memory address |
| 5CB8 | 41E548 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5CC0 | 41E540 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5CC8 | 41E53C | .text | JMP [static] | Indirect jump to absolute memory address |
| 5CD0 | 41E538 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5CD8 | 41E534 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5CE0 | 41E530 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5CE8 | 41E52C | .text | JMP [static] | Indirect jump to absolute memory address |
| 5CF0 | 41E528 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5CF8 | 41E524 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5D00 | 41E520 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5D08 | 41E51C | .text | JMP [static] | Indirect jump to absolute memory address |
| 5D10 | 41E518 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5D18 | 41E514 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5D20 | 41E510 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5D28 | 41E50C | .text | JMP [static] | Indirect jump to absolute memory address |
| 5D48 | 41E508 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5D50 | 41E504 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5D58 | 41E500 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5D60 | 41E4FC | .text | JMP [static] | Indirect jump to absolute memory address |
| 5D68 | 41E4F8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5D70 | 41E4F4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5D78 | 41E4F0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5D80 | 41E4EC | .text | JMP [static] | Indirect jump to absolute memory address |
| 5D88 | 41E4E8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5D90 | 41E4E4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 22600 | N/A | *Overlay* | 7A6C621A1CE226A3E0035D0026968E700017F7EC | zlb...&...].&..p.... |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 3147403 | 68,2941% |
| Null Byte Code | 62928 | 1,3654% |
© 2026 All rights reserved.