PREMIUM PESCAN.IO - Analysis Report
| File Structure |
PE chart color code:
• PE header (light blue)
• Executable sections (pink)
• Non-executable sections (black)
• External injected code (red)
• File structure drawn in red = malformed or corrupted header
Chart color code for other files:
• Printable characters (blue)
• Non-printable characters (black)
| Information |
• Size: 1,50 KB
• SHA-256 Hash: 22E7528E56DFFAA26CFE722994655686C90824B13EB51184ABFE44D4E95D473F
• SHA-1 Hash: 1ED7B1E965EAB56F55EFDA975F9F7ADE95337267
• MD5 Hash: ABC6379205DE2618851C4FCBF72112EB
• Imphash: 0B9CA80FF295945B3CF5762A07EF3D50
• MajorOSVersion: 4
• MinorOSVersion: 0
• CheckSum: 00000000
• EntryPoint (rva): 1100
• SizeOfHeaders: 200
• SizeOfImage: 2000
• ImageBase: 400000
• Architecture: x86
• ImportTable: 1210
• IAT: 1000
• Characteristics: 10F
• TimeDateStamp: 42C12411
• Date: 28/06/2005 10:18:57
• File Type: EXE
• Number Of Sections: 1
• ASLR: Disabled
• Section Names: .text
• Number Of Executable Sections: 1
• Subsystem: Windows GUI
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0xE0040020 (Code, Executable, Readable, Writeable) | 200 | 400 | 1000 | 2FE | | |
| Entry Point |
Section number 1 (.text) contains the Entry Point.
• EntryPoint (calculated): 300
• Code: 83EC5453555633ED33F6B320FF15141040008BD0803A227507B322EB038D49008A4201423AC3740684C075F4EB19803A0074
• Assembler:

```asm
SUB ESP, 0X54
PUSH EBX
PUSH EBP
PUSH ESI
XOR EBP, EBP
XOR ESI, ESI
MOV BL, 0X20
CALL DWORD PTR [0X401014]
MOV EDX, EAX
CMP BYTE PTR [EDX], 0X22
JNE 0X1020
MOV BL, 0X22
JMP 0X1020
LEA ECX, [ECX]
MOV AL, BYTE PTR [EDX + 1]
INC EDX
CMP AL, BL
JE 0X102E
TEST AL, AL
JNE 0X1020
JMP 0X1047
CMP BYTE PTR [EDX], 0
```
| Signatures |
Rich Signature Analyzer:
• Code: 0D26C6DF4947A88C4947A88C4947A88CB364B18C4C47A88C4947A98C4E47A88CB363B58C4847A88CB363958C4847A88C526963684947A88C
• Footprint md5 Hash: 7E601A068645BE94CBD1BA73D875E357
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed
| Packer/Compiler |
Detect It Easy (die):
• PE: compiler: Microsoft Visual C/C++(2002)[-]
• PE: linker: Microsoft Linker(7.0)[-]
• Entropy: 4.30594
| File Access |
| USER32.dll KERNEL32.dll |
| Words of Interest |
| exec start |
| Payloads |
| Possible Shellcode Embedded (Detection with heuristic methods) |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Execution (CreateProcessA) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 - Debug |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 (MFC) |
| Entry Point | Hex Pattern | NE-Exe Executable Image |
| Entry Point | Hex Pattern | Nullsoft PiMP Install System |
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 30C | 401014 | .text | CALL [static] | Indirect call to absolute memory address |
| 353 | 40101C | .text | CALL [static] | Indirect call to absolute memory address |
| 35A | 401010 | .text | CALL [static] | Indirect call to absolute memory address |
| 3C7 | 40100C | .text | CALL [static] | Indirect call to absolute memory address |
| 3DD | 401008 | .text | CALL [static] | Indirect call to absolute memory address |
| 3F9 | 401000 | .text | CALL [static] | Indirect call to absolute memory address |
| 402 | 401010 | .text | CALL [static] | Indirect call to absolute memory address |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 688 | 44,7917% |
| Null Byte Code | 740 | 48,1771% |
| NOP Cave Found | 0x9090909090 (Block Count: 1) | 0,1628% |
© 2026 All rights reserved.