PESCAN.IO - Analysis Report Basic
| File Structure |
| (The file-structure chart image is not included in this extract.) PE chart key: executable header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); File Structure drawn in red = malformed or corrupted header. Key for non-PE files: printable characters (blue), non-printable characters (black). |
| Information |
| Size: 909,50 KB (931,328 bytes) • SHA-256 Hash: 82ED343927F7491A86905569502FDD0B549BFB403B876773F48385DBA4EC9D8E • SHA-1 Hash: 78B440262803332C5E92233544D470E8796E5364 • MD5 Hash: AB7F965497DE66727A221DCCD6175F3B • Imphash: 4BF9D6E6469EBA82B7EA0DCF78D6A5F4 • MajorOSVersion: 5 • MinorOSVersion: 0 (minimum OS 5.0, i.e. Windows 2000) • CheckSum: 00018B6D (decimal 101229; does not match the recomputed value, see Signatures) • EntryPoint (RVA): 24D0 • SizeOfHeaders: 400 • SizeOfImage: E9000 • ImageBase: 400000 • Architecture: x86 • ExportTable: CFC0 • ImportTable: C894 • IAT: 9000 • Characteristics: 123 (RELOCS_STRIPPED | EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | 32BIT_MACHINE) • TimeDateStamp: 54C5032E • Date: 25/01/2015 14:52:30 (UTC; this predates the 2019 copyright in the version resource and belongs to the prebuilt LabVIEW launcher stub, see the exemain.cpp/lvshell.cpp paths under Intelligent String, not to the application build) • File Type: EXE • Number Of Sections: 4 • ASLR: Disabled (relocations are stripped and there is no .reloc section, so the image can only load at 400000) • Section Names: .text, .rdata, .data, .rsrc • Number Of Executable Sections: 1 • Subsystem: Windows GUI • UAC Execution Level Manifest: asInvoker |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 400 | 7600 | 1000 | 75D4 | 6,5921 | 171927,08 |
| .rdata | 40000040 (Initialized Data, Readable) | 7A00 | 4200 | 9000 | 4009 | 6,0707 | 186376,12 |
| .data | C0000040 (Initialized Data, Readable, Writeable) | BC00 | 1000 | E000 | 34FC | 2,8823 | 501700,50 |
| .rsrc | 40000040 (Initialized Data, Readable) | CC00 | D6A00 | 12000 | D6904 | 7,9764 | 47817,95 |
| Description |
| OriginalFilename: Simply Modbus Master 8.1.2.exe • CompanyName: Simply Modbus • LegalCopyright: Copyright 2019 Simply Modbus • ProductName: SMM8.1.2 - Application • FileVersion: 8.1.2 • FileDescription: SMM8.1.2 - Application • ProductVersion: 8.1.2 • Language: English (United States) (ID=0x409) • CodePage: Unicode (UTF-16 LE) (0x4B0) • Note: the version resource is the only place the publisher name appears, and the file carries no Authenticode signature (see Signatures), so these fields are unverified claims. |
| Entry Point |
| The entry point lies in section 1 (.text): RVA 24D0, file offset 18D0 (24D0 - 1000 + 400). Code -> E847240000E978FEFFFF8BFF558BEC83EC145333DB568B7508395D1475103BF37510395D0C751033C0E9E70100003BF37405 • CALL 0X344C • JMP 0XE82 • MOV EDI, EDI • PUSH EBP • MOV EBP, ESP • SUB ESP, 0X14 • PUSH EBX • XOR EBX, EBX • PUSH ESI • MOV ESI, DWORD PTR [EBP + 8] • CMP DWORD PTR [EBP + 0X14], EBX • JNE 0X102E • CMP ESI, EBX • JNE 0X1032 • CMP DWORD PTR [EBP + 0XC], EBX • JNE 0X1037 • XOR EAX, EAX • JMP 0X1215 • CMP ESI, EBX • JE 0X1037 |
| Note: the branch targets listed above were computed as if the bytes sat at address 1000. Relative to the real entry RVA, the CALL (rel32 +2447) reaches RVA 491C and the JMP (rel32 -188) reaches RVA 2352, both inside .text. A `call rel32` immediately followed by `jmp rel32` is the standard Visual C++ 2005+ CRT entry stub (the call initialises the stack-protector cookie, the jump continues into the CRT start-up routine that eventually reaches WinMain). The instructions from MOV EDI, EDI onward are the hot-patchable prologue of the next function in the file, not part of the entry stub. |
| Signatures |
| CheckSum Integrity Problem: • Header: 101229 (0x18B6D) • Calculated: 963018 (0xEB1CA) • The stored value is non-zero but stale, so the file was modified after the linker wrote the checksum; this is consistent with a LabVIEW build, which embeds the application archive into the .rsrc section of a prebuilt launcher stub. Windows verifies this field only for drivers and boot-time system images, so a mismatch in a user-mode GUI executable is not an integrity failure on its own. Rich Signature Analyzer: Code -> E962ECF4AD0382A7AD0382A7AD0382A7A47B17A7BD0382A7A47B01A7E40382A7A47B11A7A60382A7AD0383A7FA0382A7A47B06A78C0382A7A47B10A7AC0382A7B35116A7AC0382A7A47B13A7AC0382A752696368AD0382A7 Footprint md5 Hash -> 33AB30EB097970C12F59BFAD6FE6E692 • The Rich header apparently has not been modified (it records the Microsoft tool versions that produced the object files and agrees with the Linker 9.0 result under Packer/Compiler) Certificate - Digital Signature Not Found: • The file is not signed (no Authenticode signature; the publisher named in the version resource is unverified) |
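The checksum mismatch above is the only "integrity" finding in the report, so here is the arithmetic behind it, as an added Python example that is not pescan.io's code. It implements the PE CheckSum algorithm (the same 16-bit one's-complement sum that CheckSumMappedFile produces), locates the CheckSum field from e_lfanew, and compares the stored value against the recomputed one. Because the analysed file is not available on this page, the example runs on a constructed 256-byte stand-in image (build_minimal_image is an assumption for demonstration, not a loadable PE); pass a real file path on the command line to run it on an actual executable.

```python
"""Added example (not pescan.io code): the PE CheckSum computation behind the
"CheckSum Integrity Problem" line, exercised on a constructed 256-byte stand-in
image rather than the real file (which is not available here)."""
import struct


def checksum_field_offset(data):
    """File offset of OptionalHeader.CheckSum: e_lfanew + 4 (PE\\0\\0) + 20
    (IMAGE_FILE_HEADER) + 64; the field sits at the same place in PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data, skip_offset):
    """Same arithmetic as CheckSumMappedFile: add every 32-bit word with
    end-around carry, leaving out the CheckSum field itself, fold the result
    to 16 bits and add the file length."""
    padded = bytes(data) + b"\0" * (-len(data) % 4)   # trailing bytes count as a zero-padded word
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return total + len(data)


def stored_checksum(data):
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def checksum_report(data):
    """What the Signatures block summarises: stored value, recomputed value, match."""
    stored = stored_checksum(data)
    calculated = pe_checksum(data, checksum_field_offset(data))
    return {"header": stored, "calculated": calculated, "matches": stored == calculated}


def build_minimal_image(stored):
    """Constructed stand-in (assumption, not a loadable executable): 256 zero
    bytes with an MZ signature, e_lfanew = 0x40, a PE signature and the given
    CheckSum value written into the CheckSum field."""
    img = bytearray(256)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", img, 0x40 + 4 + 20 + 64, stored)
    return bytes(img)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_image(41181)
    print(checksum_report(data))
```

On the stand-in image the correct checksum is 41181; writing the report's stale header value 101229 into the field reproduces a "header differs from calculated" result, and because the field itself is excluded from the sum, whatever is stored there never changes the calculated value.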
| Packer/Compiler |
| Compiler: Microsoft Visual C++ • Detect It Easy (die): PE: compiler: EP: Microsoft Visual C/C++ (2008-2010) [EXE32] • PE: compiler: Microsoft Visual C/C++ (2008) [libcmt] • PE: linker: Microsoft Linker (9.0) • Entropy: 7.94645 (whole file). No packer is identified. The high whole-file entropy comes from .rsrc (entropy 7.9764, 879,104 of 931,328 bytes), whose RCDATA\2 item is a 758,388-byte LabVIEW RSRC/LVARLBVW archive, i.e. the high-entropy application data itself, while .text (entropy 6.5921) is ordinary compiler output. |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleFileNameA | Retrieves the fully qualified path of the executable file of a specified module (typically the process's own path). |
| KERNEL32.DLL | VirtualAlloc | Reserves, commits, or both, a region of pages in the virtual address space of the calling process. Routine in most programs; noteworthy only together with executable page protections or self-modifying code, for which this report shows no indication. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. With GetProcAddress this is the run-time binding pattern; here it is consistent with locating lvrt.dll (the LabVIEW run-time named under File Access and in the registry key below) rather than with hiding imports, since the static import table is intact. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines whether the calling process is being debugged by a user-mode debugger. The Visual C++ 2008 static CRT (libcmt, see Packer/Compiler) imports it for its own fatal-error path, so the import alone is not evidence of anti-debugging. |
| SHELL32.DLL | ShellExecuteA | Performs an operation (such as open) on a file or URL; consistent with the "Failed to open webpage" string and the ni.com URL listed below. |
| Windows REG |
| SOFTWARE\National Instruments\LabVIEW Run-Time • Software\Microsoft\Windows\CurrentVersion (the extractor joined these two adjacent key strings into one; the first is where the LabVIEW run-time engine location is looked up, matching the c:\Program Files\National Instruments\Shared\LabVIEW Run-Time path under Intelligent String) |
| File Access |
| appshell.exe VERSION.dll KERNEL32.dll COMCTL32.dll ADVAPI32.dll USER32.dll shell32.dll lvrt.dll @.dat .ini Temp ProgramFiles |
| File Access (UNICODE) |
| 2.exe • CorExitProcess • mscoree.dll (two adjacent strings joined by the extractor: the Visual C++ CRT's exit path looks up CorExitProcess in mscoree.dll so that a process hosting the .NET runtime shuts it down cleanly) • KERNEL32.DLL |
| Words of Interest |
| PADDINGX (Microsoft linker section padding, "PADDINGXX") exec attrib start expand |
| URLs |
| http://www.ni.com/rteFinder?dest=lvrte |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Execution (ShellExecute) |
| Text | Ascii | Related to a particular nation or its government (National) |
| Entry Point | Hex Pattern | MEW 10 packer v1.0 - Northfox |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | VC8 - Microsoft Corporation |
| Notes on these matches: • "National" is the vendor name National Instruments (LabVIEW), not a reference to a nation or government. • "Anti-Analysis VM" is the rule's label only: IsDebuggerPresent detects a user-mode debugger, not a virtual machine, and the Visual C++ 2008 CRT imports it itself. • The MEW 10 packer pattern contradicts the three Visual C++ 8 patterns, the Detect It Easy result and the entry code itself (a CRT call/jmp stub); with nothing else pointing to MEW (four ordinary sections, intact import table, ordinary .text entropy) it should be treated as a false positive of a loose byte pattern. |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\100\1033 | 12580 | 128 | D180 | 2800000010000000200000000100040000000000800000000000000000000000000000000000000000000000000080000080 | (....... ......................................... |
| \ICON\101\1033 | 126A8 | 568 | D2A8 | 2800000010000000200000000100080000000000000100000000000000000000000100000001000000000000000080000080 | (....... ......................................... |
| \ICON\102\1033 | 12C10 | 2E8 | D810 | 2800000020000000400000000100040000000000000200000000000000000000000000000000000000000000000080000080 | (... ...@......................................... |
| \ICON\103\1033 | 12EF8 | 8A8 | DAF8 | 2800000020000000400000000100080000000000000400000000000000000000000100000001000000000000000080000080 | (... ...@......................................... |
| \ICON\104\1033 | 137A0 | 668 | E3A0 | 2800000030000000600000000100040000000000800400000000000000000000000000000000000000000000000080000080 | (...0............................................ |
| \ICON\105\1033 | 13E08 | EA8 | EA08 | 2800000030000000600000000100080000000000000900000000000000000000000100000001000000000000000080000080 | (...0............................................ |
| \ICON\106\1033 | 14CB0 | 46F1 | F8B0 | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A8660000200049444154789CED7DED99EC2A0E | .PNG........IHDR.............\r.f.. .IDATx..}...*. |
| \ICON\107\1033 | 193A4 | A96A | 13FA4 | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A8660000200049444154789CECBD6F8C5BC795 | .PNG........IHDR.............\r.f.. .IDATx...o.[.. |
| \ICON\108\1033 | 23D10 | 468 | 1E910 | 2800000010000000200000000100200000000000400400000000000000000000000000000000000000000000000000000000 | (....... ..... .....@............................. |
| \ICON\109\1033 | 24178 | 10A8 | 1ED78 | 2800000020000000400000000100200000000000801000000000000000000000000000000000000000000000000000000000 | (... ...@..... ................................... |
| \ICON\110\1033 | 25220 | 25A8 | 1FE20 | 2800000030000000600000000100200000000000802500000000000000000000000000000000000000000000000000000000 | (...0........ ......%............................ |
| \ICON\111\1033 | 277C8 | 67B3 | 223C8 | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A8660000200049444154789CEC9D779C15D5F9 | .PNG........IHDR.............\r.f.. .IDATx...w.... |
| \STRING\1\1033 | 2DF7C | 2A4 | 28B7C | 00007F002200250031002200200072006500710075006900720065007300200061002000760065007200730069006F006E00 | ....".%.1.". .r.e.q.u.i.r.e.s. .a. .v.e.r.s.i.o.n. |
| \STRING\7\1041 | 2E220 | 1F6 | 28E20 | 000000000000000000005700220025003100220020006F308AFF9EFF70FF7CFF9EFF6EFF9DFF200025003200200028007E30 | ..........W.".%.1.". .o0....p.|...n... .%.2. .(.~0 |
| \STRING\13\1036 | 2E418 | 32A | 29018 | 0000000000000000000000000000000000008E00220025003100220020007200650071007500690065007200740020006C00 | ....................".%.1.". .r.e.q.u.i.e.r.t. .l. |
| \STRING\19\1031 | 2E744 | 266 | 29344 | 0000000000000000000000000000000000000000000000000000A900220025003100220020006500720066006F0072006400 | ............................".%.1.". .e.r.f.o.r.d. |
| \STRING\20\1031 | 2E9AC | C2 | 295AC | 51004400690065002000560065007200730069006F006E00200025003100200064006500720020004C006100620056004900 | Q.D.i.e. .V.e.r.s.i.o.n. .%.1. .d.e.r. .L.a.b.V.I. |
| \STRING\26\1042 | 2EA70 | 1CC | 29670 | 00005300220025003100220040C7200020004C006100620056004900450057002000F0B7C0D084C72000D4C5C4C9200084BC | ..S.".%.1.".@. . .L.a.b.V.I.E.W. ....... ..... ... |
| \STRING\32\2052 | 2EC3C | 130 | 2983C | 0000000000000000000032002200250031002200C55F7B987F4F28754C00610062005600490045005700D08F4C88155FCE64 | ..........2.".%.1.".._{..O(uL.a.b.V.I.E.W...L.._.d |
| \RCDATA\1\0 | 2ED6C | 10 | 2996C | 41505042000000040000000100000000 | APPB............ |
| \RCDATA\2\0 | 2ED7C | B9274 | 2997C | 525352430D0A00034C5641524C425657000B91B8000000BC00000020000B9198000000010000000000000001050000000000 | RSRC....LVARLBVW........... ...................... |
| \RCDATA\14567\0 | E7FF0 | 24 | E2BF0 | 33444443433732442D454532312D343563312D423342412D414239453645343537364534 | 3DDCC72D-EE21-45c1-B3BA-AB9E6E4576E4 |
| \RCDATA\55340\0 | E8014 | 4 | E2C14 | 31342E30 | 14.0 |
| \GROUP_ICON\1\1033 | E8018 | AE | E2C18 | 000001000C00101010000100040028010000640010100000010008006805000065002020100001000400E802000066002020 | ..............(...d.........h...e. ..........f. |
| \VERSION\1\1033 | E80C8 | 338 | E2CC8 | 380334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000100 | 8.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\1033 | E8400 | 503 | E3000 | 3C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122 | <assembly xmlns="urn:schemas-microsoft-com:asm.v1" |
| Notes on the resources: • Type 24 is RT_MANIFEST; this is the asInvoker manifest reported under Information. • \RCDATA\2 (header "RSRC ... LVARLBVW", B9274 = 758,388 bytes, about 81% of the file) is a LabVIEW RSRC container, i.e. the built LabVIEW application that the LabVIEW run-time (lvrt.dll) loads; it accounts for the 7.9764 entropy of .rsrc. • \RCDATA\55340 = "14.0" is the LabVIEW version (LabVIEW 2014) of the run-time engine the executable requires, matching the rteFinder URL. • \GROUP_ICON\1 declares 0x0C = 12 images, matching ICON 100 to 111; ICON 106, 107 and 111 are PNG-encoded 256x256 images (IHDR 00000100 x 00000100), the rest are DIB icons. • \VERSION\1 begins with wLength 0x338 (equal to the resource size), wValueLength 0x34 and the VS_FIXEDFILEINFO signature FEEF04BD. |
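As an added Python example (not pescan.io's code), the hex prefixes printed in the Resources table can be parsed and cross-checked against each other: the RT_GROUP_ICON directory against the RT_ICON entries that actually exist, the PNG/DIB headers of two icon images, and the VS_VERSIONINFO header against the resource size. An icon group that disagrees with its icons, or a version block whose wLength differs from the resource size, is a common side effect of resources being replaced after a build, which is why a reviewer checks them. The constants are the 50-byte prefixes and Size values copied from the table above; nothing else is assumed.

```python
"""Added example (not pescan.io code): parse the 50-byte prefixes the Resources
table prints for the icon group, two RT_ICON images and the version resource,
and cross-check them against the table's own Size column (hex in the report)."""
import struct

# 50-byte prefixes copied from the Resources table
GROUP_ICON_HEX = "000001000C00101010000100040028010000640010100000010008006805000065002020100001000400E802000066002020"
ICON_100_HEX = "2800000010000000200000000100040000000000800000000000000000000000000000000000000000000000000080000080"
ICON_106_HEX = "89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A8660000200049444154789CED7DED99EC2A0E"
VERSION_HEX = "380334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000100"
VERSION_RES_SIZE = 0x338
# RT_ICON resource sizes keyed by resource id (Size column of the table)
ICON_SIZES = {100: 0x128, 101: 0x568, 102: 0x2E8, 103: 0x8A8, 104: 0x668, 105: 0xEA8,
              106: 0x46F1, 107: 0xA96A, 108: 0x468, 109: 0x10A8, 110: 0x25A8, 111: 0x67B3}


def parse_group_icon(data):
    """GRPICONDIR (6 bytes) followed by 14-byte GRPICONDIRENTRY records. Only
    entries that are completely present are returned, so a truncated dump
    still parses; the declared count is returned alongside."""
    reserved, res_type, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or res_type != 1:
        raise ValueError("not an RT_GROUP_ICON directory")
    entries = []
    for i in range(count):
        off = 6 + 14 * i
        if off + 14 > len(data):
            break
        w, h, colors, _rsv, planes, bits, nbytes, rid = struct.unpack_from("<BBBBHHIH", data, off)
        entries.append({"width": w or 256, "height": h or 256, "colors": colors,
                        "planes": planes, "bits": bits, "bytes": nbytes, "id": rid})
    return count, entries


def group_icon_consistency(data, icon_sizes):
    """Does the group directory agree with the RT_ICON resources present?
    More declared icons than exist, or byte sizes that disagree with the
    resource sizes, point at resources replaced after the original build."""
    count, entries = parse_group_icon(data)
    mismatched = [e["id"] for e in entries if icon_sizes.get(e["id"]) != e["bytes"]]
    return {"declared": count, "present": len(icon_sizes), "checked": len(entries),
            "mismatched_ids": mismatched}


def icon_image_kind(data):
    """RT_ICON payload: either a PNG (large icons on Vista and later) or a DIB
    whose BITMAPINFOHEADER height covers both the XOR image and the AND mask."""
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        width, height = struct.unpack_from(">II", data, 16)   # IHDR width/height, big-endian
        return "png", width, height
    _size, width, height = struct.unpack_from("<III", data, 0)
    return "dib", width, height // 2


def parse_version_header(data):
    """Leading VS_VERSIONINFO fields: wLength, wValueLength, wType, szKey, then
    the dwSignature of the DWORD-aligned VS_FIXEDFILEINFO that follows."""
    length, value_length, vtype = struct.unpack_from("<HHH", data, 0)
    end = 6
    while data[end:end + 2] != b"\0\0":      # szKey is NUL-terminated UTF-16-LE
        end += 2
    key = data[6:end].decode("utf-16-le")
    fixed_off = (end + 2 + 3) & ~3
    signature = struct.unpack_from("<I", data, fixed_off)[0]
    return {"length": length, "value_length": value_length, "type": vtype,
            "key": key, "signature": signature}


if __name__ == "__main__":
    print(group_icon_consistency(bytes.fromhex(GROUP_ICON_HEX), ICON_SIZES))
    print(icon_image_kind(bytes.fromhex(ICON_100_HEX)), icon_image_kind(bytes.fromhex(ICON_106_HEX)))
    print(parse_version_header(bytes.fromhex(VERSION_HEX)))
```

Only the first three group entries fit in the 50-byte prefix, so the consistency check covers those three; against a full resource dump the same function checks all twelve.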
| Intelligent String |
| • c:\Program Files\National Instruments\Shared\LabVIEW Run-Time • lvrt.dll • Failed to open webpage. Please visit ni.com/updates and search for version %1 of the LabVIEW Run-Time Engine. • ffnet werden. Besuchen Sie ni.com/updates und suchen Sie nach der Version %1 der LabVIEW Run-Time Engine. [German, tail of the same message: "... be opened. Visit ni.com/updates and search for version %1 of the LabVIEW Run-Time Engine."] • partir du site Web de National Instruments. [French: "... from the National Instruments web site."] • http://www.ni.com/rteFinder?dest=lvrte • .ini • KERNEL32.DLL • mscoree.dll • COMCTL32.dll • KERNEL32.dll • plat\win\appsrc\exemain.cpp • plat\win\appsrc\lvshell.cpp (source paths of the LabVIEW executable shell; together with the STRING resources in English, Japanese, French, German, Korean and Chinese they identify a LabVIEW-built application rather than custom launcher code) • Simply Modbus Master 8.1.2.exe |
| Flow Anomalies |
| Every CALL [static] / JMP [static] target between 409004 and 40912C lies in the import address table (IAT RVA 9000 + ImageBase 400000 = 409000, at the start of .rdata), so these are the ordinary `call [__imp_X]` import calls Visual C++ emits, and the three JMP entries are the same thing as tail-call thunks; none of them is anomalous in a compiled C++ binary. The three targets in .data (4113D4, 4114F0, 4114F4) lie beyond the section's raw data (RVA E000 + raw size 1000 = F000, while the virtual size 34FC extends to 114FC), i.e. in uninitialised data, so they are function pointers populated at run time. The Offset column is the file offset of the instruction; the second column is the absolute virtual address the instruction reads its target through. |
| Offset | Target VA | Section | Kind | Description |
|---|---|---|---|---|
| 7E6 | 409038 | .text | CALL [static] | Indirect call to absolute memory address |
| 86F | 409034 | .text | CALL [static] | Indirect call to absolute memory address |
| 8A2 | 409030 | .text | CALL [static] | Indirect call to absolute memory address |
| 9F0 | 409010 | .text | CALL [static] | Indirect call to absolute memory address |
| AD8 | 409028 | .text | CALL [static] | Indirect call to absolute memory address |
| AE8 | 409020 | .text | CALL [static] | Indirect call to absolute memory address |
| B90 | 40911C | .text | CALL [static] | Indirect call to absolute memory address |
| BF3 | 409044 | .text | CALL [static] | Indirect call to absolute memory address |
| D4D | 409044 | .text | CALL [static] | Indirect call to absolute memory address |
| DBC | 40904C | .text | CALL [static] | Indirect call to absolute memory address |
| E1C | 409044 | .text | CALL [static] | Indirect call to absolute memory address |
| EAE | 409044 | .text | CALL [static] | Indirect call to absolute memory address |
| F77 | 409008 | .text | CALL [static] | Indirect call to absolute memory address |
| F8A | 409004 | .text | CALL [static] | Indirect call to absolute memory address |
| 1016 | 409044 | .text | CALL [static] | Indirect call to absolute memory address |
| 1036 | 409004 | .text | CALL [static] | Indirect call to absolute memory address |
| 114C | 409008 | .text | CALL [static] | Indirect call to absolute memory address |
| 11F1 | 409044 | .text | CALL [static] | Indirect call to absolute memory address |
| 1209 | 409004 | .text | CALL [static] | Indirect call to absolute memory address |
| 1221 | 409004 | .text | CALL [static] | Indirect call to absolute memory address |
| 12B7 | 409044 | .text | CALL [static] | Indirect call to absolute memory address |
| 1362 | 409040 | .text | CALL [static] | Indirect call to absolute memory address |
| 136E | 40901C | .text | CALL [static] | Indirect call to absolute memory address |
| 1426 | 409124 | .text | JMP [static] | Indirect jump to absolute memory address |
| 142C | 409128 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1432 | 40912C | .text | JMP [static] | Indirect jump to absolute memory address |
| 1767 | 409058 | .text | CALL [static] | Indirect call to absolute memory address |
| 17FC | 409054 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B9D | 40905C | .text | CALL [static] | Indirect call to absolute memory address |
| 1D68 | 409064 | .text | CALL [static] | Indirect call to absolute memory address |
| 1D93 | 409060 | .text | CALL [static] | Indirect call to absolute memory address |
| 1DDC | 40906C | .text | CALL [static] | Indirect call to absolute memory address |
| 1DFF | 409068 | .text | CALL [static] | Indirect call to absolute memory address |
| 1EA2 | 409070 | .text | CALL [static] | Indirect call to absolute memory address |
| 1EB5 | 40905C | .text | CALL [static] | Indirect call to absolute memory address |
| 208A | 409064 | .text | CALL [static] | Indirect call to absolute memory address |
| 2141 | 409064 | .text | CALL [static] | Indirect call to absolute memory address |
| 2530 | 409074 | .text | CALL [static] | Indirect call to absolute memory address |
| 254B | 409020 | .text | CALL [static] | Indirect call to absolute memory address |
| 25AB | 409074 | .text | CALL [static] | Indirect call to absolute memory address |
| 25C6 | 409020 | .text | CALL [static] | Indirect call to absolute memory address |
| 25DE | 40907C | .text | CALL [static] | Indirect call to absolute memory address |
| 25F0 | 409078 | .text | CALL [static] | Indirect call to absolute memory address |
| 2611 | 409080 | .text | CALL [static] | Indirect call to absolute memory address |
| 2646 | 409084 | .text | CALL [static] | Indirect call to absolute memory address |
| 266A | 409074 | .text | CALL [static] | Indirect call to absolute memory address |
| 26DD | 409060 | .text | CALL [static] | Indirect call to absolute memory address |
| 2743 | 40901C | .text | CALL [static] | Indirect call to absolute memory address |
| 2795 | 40908C | .text | CALL [static] | Indirect call to absolute memory address |
| 27AD | 409088 | .text | CALL [static] | Indirect call to absolute memory address |
| 2870 | 409064 | .text | CALL [static] | Indirect call to absolute memory address |
| 290B | 409074 | .text | CALL [static] | Indirect call to absolute memory address |
| 29A9 | 40907C | .text | CALL [static] | Indirect call to absolute memory address |
| 2A73 | 40908C | .text | CALL [static] | Indirect call to absolute memory address |
| 2C03 | 409018 | .text | CALL [static] | Indirect call to absolute memory address |
| 2C0D | 40909C | .text | CALL [static] | Indirect call to absolute memory address |
| 2C1A | 409098 | .text | CALL [static] | Indirect call to absolute memory address |
| 2C35 | 409094 | .text | CALL [static] | Indirect call to absolute memory address |
| 2C3C | 409090 | .text | CALL [static] | Indirect call to absolute memory address |
| 2D11 | 40909C | .text | CALL [static] | Indirect call to absolute memory address |
| 2D26 | 4090A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 2D2F | 409074 | .text | CALL [static] | Indirect call to absolute memory address |
| 2D7D | 409074 | .text | CALL [static] | Indirect call to absolute memory address |
| 2D8D | 409020 | .text | CALL [static] | Indirect call to absolute memory address |
| 2DAF | 4090A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 2E29 | 4114F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 2E84 | 4114F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 30F5 | 40903C | .text | CALL [static] | Indirect call to absolute memory address |
| 31C8 | 4090AC | .text | CALL [static] | Indirect call to absolute memory address |
| 31F2 | 4090A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 369A | 40903C | .text | CALL [static] | Indirect call to absolute memory address |
| 375B | 40901C | .text | CALL [static] | Indirect call to absolute memory address |
| 37F5 | 4090B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 3808 | 4090B4 | .text | CALL [static] | Indirect call to absolute memory address |
| 383A | 4090B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 3853 | 4090B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 3875 | 409058 | .text | CALL [static] | Indirect call to absolute memory address |
| 399F | 4090C8 | .text | CALL [static] | Indirect call to absolute memory address |
| 3A29 | 4090AC | .text | CALL [static] | Indirect call to absolute memory address |
| 3A3B | 4090C8 | .text | CALL [static] | Indirect call to absolute memory address |
| 3A93 | 4090C4 | .text | CALL [static] | Indirect call to absolute memory address |
| 3B15 | 4090D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 3C9A | 4113D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 3D53 | 4090E4 | .text | CALL [static] | Indirect call to absolute memory address |
| 3D5F | 4090E0 | .text | CALL [static] | Indirect call to absolute memory address |
| 3D67 | 40908C | .text | CALL [static] | Indirect call to absolute memory address |
| 3D6F | 4090DC | .text | CALL [static] | Indirect call to absolute memory address |
| 3D7B | 4090D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 3FBC | 4090F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 3FCE | 40901C | .text | CALL [static] | Indirect call to absolute memory address |
| 4180 | 4090F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 41A3 | 4090BC | .text | CALL [static] | Indirect call to absolute memory address |
| 42F2 | 4090E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 43A3 | 4090F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 43B5 | 40901C | .text | CALL [static] | Indirect call to absolute memory address |
| 4492 | 4090F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4507 | 4090F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 4630 | 4090FC | .text | CALL [static] | Indirect call to absolute memory address |
| 4725 | 409100 | .text | CALL [static] | Indirect call to absolute memory address |
| 4796 | 4090D4 | .text | CALL [static] | Indirect call to absolute memory address |
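The Entry Point section and the table above are both plain address arithmetic over the section table, so here is that arithmetic as an added Python example (not pescan.io's code). The section table, ImageBase, entry RVA, IAT and ImportTable RVAs and the first ten entry-point bytes are taken from this report; SECTION_ALIGN = 0x1000 is an assumption consistent with SizeOfImage E9000, and the "IAT slot" classification is a heuristic based on where the IAT starts. The example maps RVAs to file offsets (24D0 to 18D0), decodes the entry call/jmp targets both relative to the real entry RVA and relative to the base 1000 the report used, checks for sections that are writable and executable at once, and classifies each CALL [static] target as an IAT slot or as run-time-filled data.

```python
"""Added example (not pescan.io code): PE address arithmetic on the values this
report prints. The section table, image base, entry RVA, IAT/import RVAs and
the first ten entry-point bytes are copied from the report; SECTION_ALIGN is an
assumption (SizeOfImage E9000 is only consistent with 4 KiB alignment)."""
import struct

IMAGE_BASE = 0x400000
SECTION_ALIGN = 0x1000          # assumption, see module docstring
ENTRY_POINT_RVA = 0x24D0
IAT_RVA = 0x9000
IMPORT_TABLE_RVA = 0xC894
EP_BYTES = bytes.fromhex("E847240000E978FEFFFF")   # call rel32 ; jmp rel32

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# name, raw offset, raw size, virtual address, virtual size, characteristics
SECTIONS = [
    (".text",  0x0400, 0x07600, 0x01000, 0x075D4, 0x60000020),
    (".rdata", 0x7A00, 0x04200, 0x09000, 0x04009, 0x40000040),
    (".data",  0xBC00, 0x01000, 0x0E000, 0x034FC, 0xC0000040),
    (".rsrc",  0xCC00, 0xD6A00, 0x12000, 0xD6904, 0x40000040),
]


def section_for_rva(rva):
    for sec in SECTIONS:
        if sec[3] <= rva < sec[3] + sec[4]:
            return sec
    return None


def rva_to_offset(rva):
    """File offset backing an RVA, or None when the RVA falls in the part of a
    section that exists only in memory (virtual size larger than raw size)."""
    sec = section_for_rva(rva)
    if sec is None:
        return None
    delta = rva - sec[3]
    return sec[1] + delta if delta < sec[2] else None


def offset_to_rva(offset):
    for sec in SECTIONS:
        if sec[1] <= offset < sec[1] + sec[2]:
            return sec[3] + (offset - sec[1])
    return None


def wx_sections():
    """Names of sections mapped both writable and executable (none expected here)."""
    return [s[0] for s in SECTIONS
            if s[5] & IMAGE_SCN_MEM_WRITE and s[5] & IMAGE_SCN_MEM_EXECUTE]


def expected_size_of_image():
    """End of the highest section rounded up to the section alignment."""
    last = max(SECTIONS, key=lambda s: s[3])
    return (last[3] + last[4] + SECTION_ALIGN - 1) & ~(SECTION_ALIGN - 1)


def branch_targets(code, base):
    """Decode leading E8 (call rel32) / E9 (jmp rel32) instructions; the
    absolute targets depend on the address `base` assumed for the first byte."""
    targets, pos = [], 0
    while pos + 5 <= len(code) and code[pos] in (0xE8, 0xE9):
        rel = struct.unpack_from("<i", code, pos + 1)[0]
        kind = "call" if code[pos] == 0xE8 else "jmp"
        targets.append((kind, (base + pos + 5 + rel) & 0xFFFFFFFF))
        pos += 5
    return targets


def classify_call_target(va):
    """Explain one CALL [static] / JMP [static] target from the Flow Anomalies table."""
    rva = va - IMAGE_BASE
    sec = section_for_rva(rva)
    if sec is None:
        return "outside every section"
    name = sec[0]
    # heuristic: the IAT begins at IAT_RVA at the start of .rdata, ahead of the import descriptors
    if name == ".rdata" and IAT_RVA <= rva < IMPORT_TABLE_RVA:
        return "IAT slot in .rdata (ordinary import call through the import address table)"
    off = rva_to_offset(rva)
    if off is None:
        return f"{name}, not file-backed (function pointer filled in at run time)"
    return f"{name}, file offset {off:#x}"


if __name__ == "__main__":
    print(f"entry RVA {ENTRY_POINT_RVA:#x} -> file offset {rva_to_offset(ENTRY_POINT_RVA):#x}")
    print("branch targets as RVAs:", branch_targets(EP_BYTES, ENTRY_POINT_RVA))
    print("as the report prints them (base 0x1000):", branch_targets(EP_BYTES, 0x1000))
    for va in (0x409038, 0x40912C, 0x4114F0):
        print(f"{va:#x}: {classify_call_target(va)}")
    print("W+X sections:", wx_sections(), "expected SizeOfImage:", hex(expected_size_of_image()))
```

The same rva_to_offset mapping reproduces the FileOffset column of the Resources table (for example DataRVA 12580 maps to D180), which is a quick way to confirm a report's section table is self-consistent before trusting anything derived from it.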
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 624068 | 67,0084% |
| Null Byte Code | 24661 | 2,6479% |