PREMIUM PESCAN.IO - Analysis Report
| File Structure |
(Chart not reproduced here; legend only.) PE chart: PE header (light blue), executable sections (pink), non-executable sections (black), externally injected code (red); the whole structure drawn in red means a malformed or corrupted header. Chart for non-PE files: printable characters (blue), non-printable characters (black).
| Information |
| Field | Value |
|---|---|
| Size | 161.00 KB (164,864 bytes; matches the end of the last section's raw data, 0x28400) |
| SHA-256 | 0A0BD696EC0D98B6DC7CB655AE58370D4D13F08B91A92EEF52A0ED1EFBB8577E |
| SHA-1 | 186F448B56678A3CA845BB204C2CF92A881AF607 |
| MD5 | AEF67F5FA937282139975B13FE9211D7 |
| Imphash | F5FCB94000F27252FBD5A80E8C920956 |
| MajorOSVersion / MinorOSVersion | 6 / 0 (Windows Vista or later) |
| CheckSum | 00000000 (not set; the MSVC linker only writes a checksum with /RELEASE, so zero is normal for an unsigned DLL and is not by itself suspicious) |
| EntryPoint (RVA) | AD90 (inside .text; file offset A190) |
| SizeOfHeaders | 400 |
| SizeOfImage | 30000 |
| ImageBase | 10000000 |
| Architecture | x86 (32-bit) |
| ImportTable (RVA) | 258B4 (inside .rdata) |
| IAT (RVA) | 1F000 (start of .rdata) |
| Characteristics | 2102 = EXECUTABLE_IMAGE (0002) + 32BIT_MACHINE (0100) + DLL (2000) |
| TimeDateStamp | 59E55D18 = 17/10/2017 01:30:00 UTC (written by the linker; trivially forgeable, so treat as a hint, not evidence) |
| File Type | DLL |
| Number Of Sections | 6 (.text, .rdata, .data, .gfids, .rsrc, .reloc) |
| Number Of Executable Sections | 1 (.text) |
| ASLR | Enabled (DYNAMIC_BASE; relocations present in .reloc) |
| Subsystem | Windows GUI |
| UAC Execution Level (manifest) | asInvoker (no elevation requested) |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code, Executable, Readable | 400 | 1DA00 | 1000 | 1D8ED | | |
| .rdata | 0x40000040 Initialized Data, Readable | 1DE00 | 7200 | 1F000 | 715E | | |
| .data | 0xC0000040 Initialized Data, Readable, Writeable | 25000 | 1400 | 27000 | 4230 | | |
| .gfids | 0x40000040 Initialized Data, Readable | 26400 | 200 | 2C000 | E4 | | |
| .rsrc | 0x40000040 Initialized Data, Readable | 26600 | 400 | 2D000 | 338 | | |
| .reloc | 0x42000040 Initialized Data, Discardable, Readable | 26A00 | 1A00 | 2E000 | 1844 | | |

All values are hexadecimal. Two corrections and one observation: the 0x02000000 bit on .reloc is IMAGE_SCN_MEM_DISCARDABLE, not "GP-Relative" as the original report labelled it (IMAGE_SCN_GPREL is 0x00008000); a discardable .reloc is exactly what the linker emits. .gfids is the Control Flow Guard function-ID table that MSVC 2015+ produces for /guard:cf builds. The raw data is contiguous on disk (each ROffset equals the previous ROffset + RSize, all 0x200-aligned) and ends at 0x28400 = 164,864 bytes, which matches the reported file size, so there is no appended overlay.
| Entry Point |
The entry point RVA AD90 lies in section 1 (.text). Calculated file offset: A190 (= AD90 - .text VOffset 1000 + .text ROffset 400).

Bytes at the entry point:

```
55 8B EC 83 7D 0C 01 75 05 E8 40 04 00 00 FF 75 10 FF 75 0C FF 75 08 E8 BE FE FF FF 83 C4 0C 5D C2 0C 00 E9 51 51 00 00 55 8B EC 56 FF 75 08 8B F1 E8
```

Disassembly (the report's disassembler used 0x1000 as the address of the entry point; add 0x9D90 to any target below to get its RVA, e.g. CALL 0x144E is RVA B1DE and CALL 0xEDA is RVA AC6A, both inside .text):

```
push ebp
mov ebp, esp
cmp dword ptr [ebp+0xC], 1     ; fdwReason == DLL_PROCESS_ATTACH ?
jne 0x100E                     ; if not, skip the one-time init
call 0x144E                    ; init on process attach
push dword ptr [ebp+0x10]      ; lpvReserved
push dword ptr [ebp+0xC]       ; fdwReason
push dword ptr [ebp+8]         ; hinstDLL
call 0xEDA                     ; CRT DllMain dispatcher
add esp, 0xC
pop ebp
ret 0xC                        ; stdcall, three arguments
jmp 0x6179                     ; separate jump thunk that follows the stub
push ebp                       ; next function
mov ebp, esp
push esi
push dword ptr [ebp+8]
mov esi, ecx
call ...
```

This is the stock MSVC 2015 CRT `_DllMainCRTStartup`: on DLL_PROCESS_ATTACH it calls `__security_init_cookie`, then hands the three arguments to the CRT's `dllmain_dispatch`, which eventually calls the author's `DllMain`. The entry point itself therefore shows nothing sample-specific; the interesting code is reached through the second call.
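The offset arithmetic, flag decoding and section lookups used in the header and section tables above, written out as an added example (editor's code, not pescan.io's). Every number in it is transcribed from this report; the only assumption is SectionAlignment = 0x1000, which the report does not print but which the 0x1000-multiple VOffsets imply. The same `classify_call_target` lookup also sorts the indirect-call targets listed under Flow Anomalies below into IAT entries versus pointers in writable .data.

```python
"""Added example (editor's code, not pescan.io's): check the header values
of this report against its section table. All numbers are transcribed from
the report; nothing here reads the sample itself."""
from datetime import datetime, timezone

IMAGE_BASE = 0x10000000
SIZE_OF_HEADERS = 0x400
SECTION_ALIGNMENT = 0x1000   # assumption: not printed in the report
# (name, characteristics, raw_offset, raw_size, rva, virtual_size)
SECTIONS = [
    (".text",  0x60000020, 0x00400, 0x1DA00, 0x01000, 0x1D8ED),
    (".rdata", 0x40000040, 0x1DE00, 0x07200, 0x1F000, 0x0715E),
    (".data",  0xC0000040, 0x25000, 0x01400, 0x27000, 0x04230),
    (".gfids", 0x40000040, 0x26400, 0x00200, 0x2C000, 0x000E4),
    (".rsrc",  0x40000040, 0x26600, 0x00400, 0x2D000, 0x00338),
    (".reloc", 0x42000040, 0x26A00, 0x01A00, 0x2E000, 0x01844),
]
SECTION_FLAGS = [  # IMAGE_SCN_* bits from winnt.h
    (0x00000020, "CNT_CODE"), (0x00000040, "CNT_INITIALIZED_DATA"),
    (0x00000080, "CNT_UNINITIALIZED_DATA"), (0x00008000, "GPREL"),
    (0x02000000, "MEM_DISCARDABLE"), (0x04000000, "MEM_NOT_CACHED"),
    (0x08000000, "MEM_NOT_PAGED"), (0x10000000, "MEM_SHARED"),
    (0x20000000, "MEM_EXECUTE"), (0x40000000, "MEM_READ"),
    (0x80000000, "MEM_WRITE"),
]
FILE_FLAGS = [  # IMAGE_FILE_* bits from winnt.h
    (0x0001, "RELOCS_STRIPPED"), (0x0002, "EXECUTABLE_IMAGE"),
    (0x0020, "LARGE_ADDRESS_AWARE"), (0x0100, "32BIT_MACHINE"),
    (0x2000, "DLL"),
]

def decode_flags(value, table):
    """Names of the bits set in value; bits not in the table are kept as hex
    so a decoder never silently drops an unexpected flag."""
    names = [name for bit, name in table if value & bit]
    known = sum(bit for bit, _ in table)
    leftover = value & ~known & 0xFFFFFFFF
    if leftover:
        names.append(f"unknown:{leftover:#010x}")
    return names

def section_for_rva(rva):
    """Section whose virtual range covers rva, or None (header / unmapped)."""
    for sec in SECTIONS:
        _, _, _, raw_size, vaddr, vsize = sec
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return sec
    return None

def rva_to_offset(rva):
    """RVA -> file offset. Headers map 1:1; inside a section the offset is
    ROffset + (rva - VOffset), valid only while it stays within RSize."""
    if rva < SIZE_OF_HEADERS:
        return rva
    sec = section_for_rva(rva)
    if sec is None:
        raise ValueError(f"RVA {rva:#x} is not backed by any section")
    name, _, raw_off, raw_size, vaddr, _ = sec
    delta = rva - vaddr
    if delta >= raw_size:
        raise ValueError(f"RVA {rva:#x} is in the zero-filled tail of {name}")
    return raw_off + delta

def classify_call_target(va):
    """For 'call [va]': which section holds the pointer and whether that
    memory is writable. Read-only .rdata at the IAT means a loader-filled
    import; writable .data means the module fills the pointer itself."""
    sec = section_for_rva(va - IMAGE_BASE)
    if sec is None:
        return (None, None)
    return (sec[0], bool(sec[1] & 0x80000000))

def timestamp_utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def file_size_from_sections():
    """End of the last section's raw data: the minimum size of the file."""
    return max(off + size for _, _, off, size, _, _ in SECTIONS)

def size_of_image_from_sections():
    end = max(va + vs for _, _, _, _, va, vs in SECTIONS)
    return (end + SECTION_ALIGNMENT - 1) & ~(SECTION_ALIGNMENT - 1)

def check_raw_layout():
    """Pairs of sections with a gap or overlap between them on disk."""
    return [(a[0], b[0]) for a, b in zip(SECTIONS, SECTIONS[1:])
            if a[2] + a[3] != b[2]]

if __name__ == "__main__":
    print("entry RVA 0xAD90 -> offset", hex(rva_to_offset(0xAD90)))
    print(".reloc flags:", decode_flags(0x42000040, SECTION_FLAGS))
    print("characteristics:", decode_flags(0x2102, FILE_FLAGS))
    print("linked:", timestamp_utc(0x59E55D18))
    print("call [0x1001F008] ->", classify_call_target(0x1001F008))
    print("call [0x10028E88] ->", classify_call_target(0x10028E88))
    print("file size", hex(file_size_from_sections()),
          "SizeOfImage", hex(size_of_image_from_sections()),
          "gaps", check_raw_layout())
```

The `rva_to_offset` guard on `delta >= raw_size` matters in practice: a VSize larger than RSize (as with .text here, 1D8ED vs 1DA00 it is the other way round, but .data-style sections often differ) means an RVA can be valid in memory yet have no bytes on disk, and naive converters return an offset into the next section.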
| Signatures |
Rich Signature Analyzer:
• Raw bytes (the XOR-encoded "DanS" block through the "Rich" marker and its key): 3FCE33FD7BAF5DAE7BAF5DAE7BAF5DAECF33ACAE71AF5DAECF33AEAEFBAF5DAECF33AFAE63AF5DAEE50F9AAE7AAF5DAE40F15EAF69AF5DAE40F158AF67AF5DAE40F159AF6BAF5DAEA65096AE72AF5DAE7BAF5CAE09AF5DAEECF154AF7CAF5DAEE9F1A2AE7AAF5DAE7BAFCAAE7AAF5DAEECF15FAF7AAF5DAE526963687BAF5DAE
• Footprint MD5: CA34055B5F3122C62991394AB1B5B18F
• The Rich header apparently has not been modified. The four bytes after "Rich" (7B AF 5D AE) are the XOR key for the block, and the three padding dwords after "DanS" are that same key, as expected for an untouched header.
Certificate / Digital Signature: not found. The file is not signed.
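Decoding the Rich header bytes quoted above, as an added example (editor's code, not pescan.io's). `RICH_HEX` is transcribed from this report. The decoder verifies the "DanS" marker and padding, then unpacks each (product id, build number, use count) entry. Whether the header was tampered with is a separate check that needs the checksum recomputed over the DOS header bytes, which this page does not quote, so the example stops at decoding. Product ids are left numeric; the build numbers 24210 and 24215 are the Visual Studio 2015 Update 3 toolset (link.exe 14.00.24215.1), which agrees with the DIE linker result and resolves the "2013" compiler guess below in favour of 2015.

```python
"""Added example (editor's code, not pescan.io's): decode the Rich header
bytes quoted in this report. RICH_HEX is transcribed from the report."""
import struct

RICH_HEX = (
    "3FCE33FD7BAF5DAE7BAF5DAE7BAF5DAECF33ACAE71AF5DAECF33AEAEFBAF5DAE"
    "CF33AFAE63AF5DAEE50F9AAE7AAF5DAE40F15EAF69AF5DAE40F158AF67AF5DAE"
    "40F159AF6BAF5DAEA65096AE72AF5DAE7BAF5CAE09AF5DAEECF154AF7CAF5DAE"
    "E9F1A2AE7AAF5DAE7BAFCAAE7AAF5DAEECF15FAF7AAF5DAE526963687BAF5DAE"
)
DANS = 0x536E6144  # "DanS" read as a little-endian dword


def decode_rich(raw):
    """Return (xor_key, [(product_id, build, use_count), ...]).

    Layout: "DanS"^key, three padding dwords (each == key, so they XOR to 0),
    then pairs of ((prodid << 16) | build)^key and count^key, then the clear
    "Rich" marker followed by the key itself."""
    idx = raw.rfind(b"Rich")
    if idx < 0 or idx + 8 > len(raw):
        raise ValueError("no Rich marker followed by a key")
    key = struct.unpack_from("<I", raw, idx + 4)[0]
    body = raw[:idx]
    if len(body) % 8 != 0:
        raise ValueError("Rich body is not a whole number of entries")
    words = [w ^ key for (w,) in struct.iter_unpack("<I", body)]
    if words[0] != DANS or any(words[1:4]):
        raise ValueError("DanS marker or padding does not decode")
    entries = []
    for comp, count in zip(words[4::2], words[5::2]):
        entries.append((comp >> 16, comp & 0xFFFF, count))
    return key, entries


def toolset_builds(entries):
    """Distinct build numbers seen (0 = import libraries with no build)."""
    return sorted({build for _, build, _ in entries})


def rich_entries():
    return decode_rich(bytes.fromhex(RICH_HEX))


if __name__ == "__main__":
    key, entries = rich_entries()
    print(f"key {key:#010x}, {len(entries)} entries")
    for prodid, build, count in entries:
        print(f"  prodid {prodid:#06x} build {build:5d} x{count}")
    print("builds:", toolset_builds(entries))
```

Because the key is stored in the clear right after "Rich", the header is trivially readable; its value as a fingerprint comes from the combination of product ids and counts, and from the fact that an attacker who patches it usually forgets to recompute the key/checksum, which the padding check above partly catches.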
| Packer/Compiler |
Detect It Easy (DIE):
• Compiler (signature at the entry point): Microsoft Visual C/C++ (2013) [DLL32]
• Linker: Microsoft Linker 14.0 (Visual Studio 2015 14.0*)
• Entropy (whole file): 6.55684, well below the 7+ typical of packed or encrypted payloads, so no packer is indicated; the compiler/linker version disagreement is a known weakness of entry-point signatures, and the linker result is the one the Rich header can confirm.
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleFileNameA | Retrieve the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| Windows REG |
| Fragment `SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "%s" /f`; rebuilt key: `SOFTWARE\Microsoft\Windows\CurrentVersion\Run`. This is the tail of the two `reg delete` commands listed under Intelligent String; the Run value name is filled in at runtime through the `%s` format specifier, so it is not visible statically. |
| File Access |
| Library names present as ASCII strings: WINHTTP.dll, USER32.dll, KERNEL32.dll, wtsapi32.dll, ntdll.dll, urlmon.dll, wininet.dll, Advapi32.dll, iphlpapi.dll, ole32.dll, oleaut32.dll, wsock32.dll, ws2_32.dll. With LoadLibraryA and GetProcAddress among the imports, these suggest network (WinHTTP, WinINet, URLMon, Winsock), terminal-session (WTS) and IP Helper APIs being loaded at runtime. Other file names: msvcru32.bat, .dat, @.dat. |
| File Access (UNICODE) |
| mscoree.dll |
| Words of Interest |
| exec, start, ping |
| IP Addresses |
| 127.0.0.1, which appears only inside `ping -n 2 127.0.0.1`, the usual batch-file sleep idiom. Together with the msvcru32.bat name and the `reg delete ... \Run /v "%s" /f` strings this is consistent with a generated batch file that waits, then removes a Run-key value; it is not a network indicator. |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Anti-Analysis (IsDebuggerPresent; a user-mode debugger check, not VM detection) |
| Text | Ascii | Reconnaissance (FindNextFileA) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \AFX_DIALOG_LAYOUT\108\1042 | 2D1B0 | 2 | 267B0 | 0000 | .. |
| \DIALOG\108\1042 | 2D110 | 9C | 26710 | 0100FFFF0000000000000000C800C8800200000000003501B000000000004400690061006C006F0067000000080090010001 | ......................5.......D.i.a.l.o.g......... |
| \24\2\1033 | 2D1B8 | 17D | 267B8 | 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779 | <?xml version='1.0' encoding='UTF-8' standalone='y |

Path components are type\name\language. Language 1042 is Korean (ko-KR) and 1033 is English (US). Type 24 is RT_MANIFEST, so the XML entry is the embedded application manifest that yields the asInvoker UAC level above. AFX_DIALOG_LAYOUT is an MFC resource type, consistent with an MFC build; the Korean dialog language lines up with the .co.kr hosts in the string list.
| Intelligent String |
• Library names: wtsapi32.dll, kernel32.dll, wsock32.dll, mscoree.dll, ws2_32.dll, oleaut32.dll, ole32.dll, iphlpapi.dll, Advapi32.dll, wininet.dll, winhttp.dll, urlmon.dll, ntdll.dll, KERNEL32.dll, USER32.dll
• A:\Cxwkewk-Drjyxjrkrxw: fxiv-daka; wave="frue1"; fruewave="hy01.amr" (not random: word lengths and punctuation match a `Content-Disposition: form-data; name=...; filename=...` multipart header under a fixed letter substitution)
• bremaicemakers.co.kr/include/ban_inc.asp
• avsolution.co.kr/include/bottom.asp
• billing.malgum.com/common/commonDatabase.asp (the last two are run together as `bottom.aspbilling.malgum.com` in the raw dump)
• WM*.tmp, FM*.tmp, msvcru32.bat (run together in the raw dump)
• reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "%s" /f
• reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "%s" /f
• ping -n 2 127.0.0.1
• .bss
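Recovering the substitution behind the `Cxwkewk-Drjyxjrkrxw` string above, as an added example (editor's code, not pescan.io's or the sample's). `OBFUSCATED` is transcribed from this report; the plaintext guess `Content-Disposition: form-data` and the mapping derived from it are inferences about this sample, not documented behaviour. The known-plaintext step is the general method: pair letters position by position and reject the guess on the first contradiction; `swap_halves` is the closed form that the pairs turn out to follow (a-h unchanged, i-q and r-z swapped).

```python
"""Added example (editor's code, not pescan.io's or the sample's): recover
the letter substitution behind the "Cxwkewk-Drjyxjrkrxw" string quoted in
this report. OBFUSCATED is transcribed from the report; the plaintext guess
and the derived mapping are inferences about this sample."""

OBFUSCATED = r'A:\Cxwkewk-Drjyxjrkrxw: fxiv-daka; wave="frue1"; fruewave="hy01.amr"'


def derive_mapping(cipher, plain):
    """Known-plaintext attack on a monoalphabetic substitution: pair each
    ciphertext letter with the plaintext letter at the same position and
    reject the guess if any letter would have to map two different ways or
    if punctuation does not line up."""
    if len(cipher) != len(plain):
        raise ValueError("lengths differ: wrong plaintext guess")
    mapping = {}
    for c, p in zip(cipher.lower(), plain.lower()):
        if not c.isalpha():
            if c != p:
                raise ValueError(f"punctuation mismatch {c!r} vs {p!r}")
            continue
        if mapping.setdefault(c, p) != p:
            raise ValueError(f"{c!r} would map to both {mapping[c]!r} and {p!r}")
    return mapping


def swap_halves(text):
    """Closed form of the mapping derive_mapping() yields for this sample:
    a-h unchanged, i-q <-> r-z swapped (an involution, so it also encodes).
    Case and non-letters are preserved."""
    out = []
    for ch in text:
        low = ch.lower()
        if "i" <= low <= "q":
            low = chr(ord(low) + 9)
        elif "r" <= low <= "z":
            low = chr(ord(low) - 9)
        out.append(low.upper() if ch.isupper() else low)
    return "".join(out)


def decode_sample():
    return swap_halves(OBFUSCATED)


if __name__ == "__main__":
    guess = derive_mapping("Cxwkewk-Drjyxjrkrxw: fxiv-daka",
                           "Content-Disposition: form-data")
    print(sorted(guess.items()))
    print(decode_sample())
```

The decoded text is a multipart/form-data part header with a fixed field name and file name, which is what an HTTP upload routine would emit; the surrounding .co.kr/.asp URLs are the natural places to look for the matching POST target in dynamic analysis.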
| Flow Anomalies |
Every entry is an indirect `call [absolute address]` issued from .text. "Offset" is the file offset of the call instruction; the second column is the virtual address the call reads its target from (ImageBase included), not an RVA. The addresses fall into two groups. 1001F000-1001F178 lie in the IAT (RVA 1F000, read-only .rdata): ordinary static imports filled by the loader. 10028D58-10028F34 lie in writable .data (RVA 27000-2B230): function pointers the module fills in itself at run time, the pattern that LoadLibraryA/GetProcAddress produce. The second group is where the APIs behind the library-name strings (WinHTTP, WinINet, Winsock, WTS, IP Helper) are most likely reached, so those pointer slots are the ones to resolve in a debugger or emulator.
| Offset | Target (VA) | Section | Description |
|---|---|---|---|
| 4DD | 10028EC4 | .text | CALL [static] | Indirect call to absolute memory address |
| 4F9 | 1001F008 | .text | CALL [static] | Indirect call to absolute memory address |
| 50D | 1001F008 | .text | CALL [static] | Indirect call to absolute memory address |
| 709 | 1001F008 | .text | CALL [static] | Indirect call to absolute memory address |
| 725 | 1001F00C | .text | CALL [static] | Indirect call to absolute memory address |
| D39 | 1001F008 | .text | CALL [static] | Indirect call to absolute memory address |
| D89 | 1001F008 | .text | CALL [static] | Indirect call to absolute memory address |
| DC9 | 1001F008 | .text | CALL [static] | Indirect call to absolute memory address |
| 10F9 | 1001F008 | .text | CALL [static] | Indirect call to absolute memory address |
| 171C | 1001F018 | .text | CALL [static] | Indirect call to absolute memory address |
| 1732 | 1001F15C | .text | CALL [static] | Indirect call to absolute memory address |
| 1752 | 1001F15C | .text | CALL [static] | Indirect call to absolute memory address |
| 1772 | 1001F15C | .text | CALL [static] | Indirect call to absolute memory address |
| 18AF | 1001F154 | .text | CALL [static] | Indirect call to absolute memory address |
| 18FC | 1001F154 | .text | CALL [static] | Indirect call to absolute memory address |
| 194F | 1001F154 | .text | CALL [static] | Indirect call to absolute memory address |
| 1AB2 | 1001F154 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B06 | 1001F154 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B1F | 1001F010 | .text | CALL [static] | Indirect call to absolute memory address |
| 2307 | 1001F168 | .text | CALL [static] | Indirect call to absolute memory address |
| 2330 | 1001F018 | .text | CALL [static] | Indirect call to absolute memory address |
| 2352 | 1001F01C | .text | CALL [static] | Indirect call to absolute memory address |
| 23CD | 1001F000 | .text | CALL [static] | Indirect call to absolute memory address |
| 23E5 | 1001F164 | .text | CALL [static] | Indirect call to absolute memory address |
| 246E | 1001F000 | .text | CALL [static] | Indirect call to absolute memory address |
| 24B9 | 1001F004 | .text | CALL [static] | Indirect call to absolute memory address |
| 25C5 | 1001F164 | .text | CALL [static] | Indirect call to absolute memory address |
| 26D6 | 1001F174 | .text | CALL [static] | Indirect call to absolute memory address |
| 26F6 | 1001F14C | .text | CALL [static] | Indirect call to absolute memory address |
| 274E | 1001F158 | .text | CALL [static] | Indirect call to absolute memory address |
| 2806 | 1001F14C | .text | CALL [static] | Indirect call to absolute memory address |
| 2866 | 1001F014 | .text | CALL [static] | Indirect call to absolute memory address |
| 28B0 | 1001F014 | .text | CALL [static] | Indirect call to absolute memory address |
| 2A09 | 1001F15C | .text | CALL [static] | Indirect call to absolute memory address |
| 2A32 | 1001F15C | .text | CALL [static] | Indirect call to absolute memory address |
| 2A5B | 1001F15C | .text | CALL [static] | Indirect call to absolute memory address |
| 2A88 | 10028ED8 | .text | CALL [static] | Indirect call to absolute memory address |
| 2B1F | 1001F150 | .text | CALL [static] | Indirect call to absolute memory address |
| 2B58 | 1001F160 | .text | CALL [static] | Indirect call to absolute memory address |
| 2B95 | 1001F150 | .text | CALL [static] | Indirect call to absolute memory address |
| 2BBA | 1001F150 | .text | CALL [static] | Indirect call to absolute memory address |
| 2BF3 | 1001F16C | .text | CALL [static] | Indirect call to absolute memory address |
| 2C56 | 1001F170 | .text | CALL [static] | Indirect call to absolute memory address |
| 2CB4 | 1001F178 | .text | CALL [static] | Indirect call to absolute memory address |
| 326B | 10028E8C | .text | CALL [static] | Indirect call to absolute memory address |
| 3388 | 10028D9C | .text | CALL [static] | Indirect call to absolute memory address |
| 33E4 | 10028E98 | .text | CALL [static] | Indirect call to absolute memory address |
| 3524 | 10028F34 | .text | CALL [static] | Indirect call to absolute memory address |
| 3539 | 10028E08 | .text | CALL [static] | Indirect call to absolute memory address |
| 354E | 10028E88 | .text | CALL [static] | Indirect call to absolute memory address |
| 366C | 10028DD0 | .text | CALL [static] | Indirect call to absolute memory address |
| 367B | 1001F030 | .text | CALL [static] | Indirect call to absolute memory address |
| 3696 | 10028EE8 | .text | CALL [static] | Indirect call to absolute memory address |
| 36A4 | 10028E88 | .text | CALL [static] | Indirect call to absolute memory address |
| 36AA | 1001F030 | .text | CALL [static] | Indirect call to absolute memory address |
| 36B6 | 10028E88 | .text | CALL [static] | Indirect call to absolute memory address |
| 36D2 | 10028DD0 | .text | CALL [static] | Indirect call to absolute memory address |
| 36E1 | 1001F030 | .text | CALL [static] | Indirect call to absolute memory address |
| 36F9 | 10028EE0 | .text | CALL [static] | Indirect call to absolute memory address |
| 3707 | 10028E88 | .text | CALL [static] | Indirect call to absolute memory address |
| 370D | 1001F030 | .text | CALL [static] | Indirect call to absolute memory address |
| 3719 | 10028E88 | .text | CALL [static] | Indirect call to absolute memory address |
| 37C2 | 10028F0C | .text | CALL [static] | Indirect call to absolute memory address |
| 38DC | 10028E78 | .text | CALL [static] | Indirect call to absolute memory address |
| 3A18 | 10028E2C | .text | CALL [static] | Indirect call to absolute memory address |
| 3A2C | 10028D80 | .text | CALL [static] | Indirect call to absolute memory address |
| 3A41 | 10028E84 | .text | CALL [static] | Indirect call to absolute memory address |
| 3BDC | 10028E78 | .text | CALL [static] | Indirect call to absolute memory address |
| 3F22 | 10028D80 | .text | CALL [static] | Indirect call to absolute memory address |
| 3F37 | 10028E84 | .text | CALL [static] | Indirect call to absolute memory address |
| 3F6A | 10028E2C | .text | CALL [static] | Indirect call to absolute memory address |
| 411A | 10028DD8 | .text | CALL [static] | Indirect call to absolute memory address |
| 415F | 10028E38 | .text | CALL [static] | Indirect call to absolute memory address |
| 41ED | 10028F0C | .text | CALL [static] | Indirect call to absolute memory address |
| 4207 | 10028EC0 | .text | CALL [static] | Indirect call to absolute memory address |
| 4214 | 10028E2C | .text | CALL [static] | Indirect call to absolute memory address |
| 4243 | 10028DD0 | .text | CALL [static] | Indirect call to absolute memory address |
| 425F | 10028ECC | .text | CALL [static] | Indirect call to absolute memory address |
| 4277 | 10028E78 | .text | CALL [static] | Indirect call to absolute memory address |
| 43D7 | 1001F004 | .text | CALL [static] | Indirect call to absolute memory address |
| 43EB | 1001F004 | .text | CALL [static] | Indirect call to absolute memory address |
| 441D | 1001F034 | .text | CALL [static] | Indirect call to absolute memory address |
| 4442 | 1001F000 | .text | CALL [static] | Indirect call to absolute memory address |
| 4466 | 1001F004 | .text | CALL [static] | Indirect call to absolute memory address |
| 447C | 1001F000 | .text | CALL [static] | Indirect call to absolute memory address |
| 4494 | 10028DD4 | .text | CALL [static] | Indirect call to absolute memory address |
| 44A8 | 10028D80 | .text | CALL [static] | Indirect call to absolute memory address |
| 44C5 | 1001F004 | .text | CALL [static] | Indirect call to absolute memory address |
| 44E4 | 10028DD4 | .text | CALL [static] | Indirect call to absolute memory address |
| 44FA | 10028E84 | .text | CALL [static] | Indirect call to absolute memory address |
| 450D | 10028F24 | .text | CALL [static] | Indirect call to absolute memory address |
| 451C | 10028D94 | .text | CALL [static] | Indirect call to absolute memory address |
| 4598 | 10028D84 | .text | CALL [static] | Indirect call to absolute memory address |
| 46A6 | 10028E88 | .text | CALL [static] | Indirect call to absolute memory address |
| 46CB | 10028ECC | .text | CALL [static] | Indirect call to absolute memory address |
| 4912 | 10028D74 | .text | CALL [static] | Indirect call to absolute memory address |
| 4949 | 10028D70 | .text | CALL [static] | Indirect call to absolute memory address |
| 49B2 | 10028D68 | .text | CALL [static] | Indirect call to absolute memory address |
| 49BE | 10028D58 | .text | CALL [static] | Indirect call to absolute memory address |
| 49D6 | 10028D5C | .text | CALL [static] | Indirect call to absolute memory address |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| ASCII bytes | 92,999 | 56.4095% |
| Null bytes | 24,588 | 14.9141% |
Percentages are of the 164,864-byte file.