PREMIUM PESCAN.IO - Analysis Report
File Structure
PE Chart Code
Executable header (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header
Chart Code For Other Files
Printable characters (blue)
Non-printable characters (black)
Information

| Field | Value |
|---|---|
| Size | 11,50 KB |
| SHA-256 Hash | D08E658268829D195F5C2621DFB2B99EB03F4CAEACBA67B462AA908416DA49D1 |
| SHA-1 Hash | 421C6AE3902F7363AA708E61CBF64257A26F4F10 |
| MD5 Hash | B0D13FB92171A04210283BEC65DE1E19 |
| Imphash | 94DFCB980C8D4ED2D51E1F4CEB72B39A |
| MajorOSVersion | 6 |
| MinorOSVersion | 0 |
| CheckSum | 00000000 |
| EntryPoint (rva) | 13C0 |
| SizeOfHeaders | 400 |
| SizeOfImage | 7000 |
| ImageBase | 0000000140000000 |
| Architecture | x64 |
| ImportTable | 28D4 |
| IAT | 2000 |
| Characteristics | 22 |
| TimeDateStamp | 69873679 |
| Date | 07/02/2026 12:56:25 |
| File Type | EXE |
| Number Of Sections | 6 |
| ASLR | Disabled |
| Section Names (Optional Header) | .text, .rdata, .data, .pdata, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows Console |
| UAC Execution Level Manifest | asInvoker |
Sections Info
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 400 | 1000 | 1000 | E2C | 5,6301 | 82911,63 |
| .rdata | 40000040 (Initialized Data, Readable) | 1400 | 1000 | 2000 | FEC | 4,2652 | 247929,25 |
| .data | C0000040 (Initialized Data, Readable, Writeable) | 2400 | 400 | 3000 | 9C8 | 6,7454 | 6392,50 |
| .pdata | 40000040 (Initialized Data, Readable) | 2800 | 200 | 4000 | 174 | 2,7107 | 56449,00 |
| .rsrc | 40000040 (Initialized Data, Readable) | 2A00 | 200 | 5000 | 1E0 | 4,6961 | 9408,00 |
| .reloc | 42000040 (Initialized Data, GP-Relative, Readable) | 2C00 | 200 | 6000 | 30 | 0,6896 | 111416,00 |
Entry Point

Section number 1 contains the entry point. EntryPoint (calculated): 7C0

Code: 4883EC28E8D70300004883C428E972FEFFFFCCCC40534883EC20488BD933C9FF158B0C0000488BCBFF158A0C0000FF15740C

• SUB RSP, 0X28
• CALL 0X13E0
• ADD RSP, 0X28
• JMP 0XE84
• INT3
• INT3
• PUSH RBX
• SUB RSP, 0X20
• MOV RBX, RCX
• XOR ECX, ECX
• CALL QWORD PTR [RIP + 0XC8B]
• MOV RCX, RBX
• CALL QWORD PTR [RIP + 0XC8A]
Signatures

Rich Signature Analyzer

Code: B70FF836F36E9665F36E9665F36E9665FA160565F96E9665A11B9764F16E9665A11B9364E26E9665A11B9264F96E9665A11B9564F06E9665E7059764F46E9665F36E9765C76E96653C1B9F64F26E96653C1B6965F26E96653C1B9464F26E966552696368F36E9665

Footprint md5 Hash: AD54DF9ECDB2D752EB4BFC23B8F7F354

• The Rich header apparently has not been modified

Certificate - Digital Signature Not Found:

• The file is not signed
Packer/Compiler

Compiler: Microsoft Visual Studio

Detect It Easy (die):

• PE+(64): compiler: Microsoft Visual C/C++(-)[-]
• PE+(64): linker: Microsoft Linker(14.29**)[-]
• Entropy: 5.14506
Suspicious Functions
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
File Access

• api-ms-win-crt-heap-l1-1-0.dll
• api-ms-win-crt-locale-l1-1-0.dll
• api-ms-win-crt-stdio-l1-1-0.dll
• api-ms-win-crt-math-l1-1-0.dll
• api-ms-win-crt-runtime-l1-1-0.dll
• VCRUNTIME140.dll
• GDI32.dll
• USER32.dll
• KERNEL32.dll
• .dat
• @.dat
Words of Interest

• exec
IP Addresses

• 192.168.139.141
Strings/Hex Code Found With The File Rules
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Hex | Hex Pattern | Metasploit Shellcode 1 (Reverse TCP x64 - FC4883E4F0) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 (DLL) |
| Entry Point | Hex Pattern | PE-Exe Executable Image |
Resources
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \24\1\1033 | 5060 | 17D | 2A60 | 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779 | <?xml version='1.0' encoding='UTF-8' standalone='y |
Intelligent String

• api-ms-win-crt-math-l1-1-0.dll
• <_register_onexit_function_crt_atexitgterminateapi-ms-win-crt-runtime-l1-1-0.dll
• Kernel32.dll
• \apito\x64\Release\apito.pdb
• .bss
• KERNEL32.dll
• VCRUNTIME140.dll
• api-ms-win-crt-stdio-l1-1-0.dll
• api-ms-win-crt-locale-l1-1-0.dll
• api-ms-win-crt-heap-l1-1-0.dll
Flow Anomalies
| Offset | RVA | Section | Description |
|---|---|---|---|
| 40B | N/A | .text | CALL QWORD PTR [RIP+0x1017] |
| 420 | N/A | .text | JMP QWORD PTR [RIP+0xFFA] |
| 447 | N/A | .text | CALL QWORD PTR [RIP+0xFE3] |
| 508 | N/A | .text | CALL QWORD PTR [RIP+0xF9A] |
| 519 | N/A | .text | CALL QWORD PTR [RIP+0xEE1] |
| 706 | N/A | .text | CALL QWORD PTR [RIP+0xEC4] |
| 7DF | N/A | .text | CALL QWORD PTR [RIP+0xC8B] |
| 7E8 | N/A | .text | CALL QWORD PTR [RIP+0xC8A] |
| 7EE | N/A | .text | CALL QWORD PTR [RIP+0xC74] |
| 802 | N/A | .text | JMP QWORD PTR [RIP+0xC58] |
| 816 | N/A | .text | CALL QWORD PTR [RIP+0xC3C] |
| 8E7 | N/A | .text | CALL QWORD PTR [RIP+0xBA3] |
| 901 | N/A | .text | CALL QWORD PTR [RIP+0xB81] |
| 938 | N/A | .text | CALL QWORD PTR [RIP+0xB42] |
| BCC | N/A | .text | CALL QWORD PTR [RIP+0x866] |
| BDA | N/A | .text | CALL QWORD PTR [RIP+0x860] |
| BE6 | N/A | .text | CALL QWORD PTR [RIP+0x85C] |
| BF6 | N/A | .text | CALL QWORD PTR [RIP+0x854] |
| C68 | N/A | .text | JMP QWORD PTR [RIP+0x7AA] |
| CE4 | N/A | .text | CALL QWORD PTR [RIP+0x76E] |
| D11 | N/A | .text | CALL QWORD PTR [RIP+0x779] |
| D2B | N/A | .text | CALL QWORD PTR [RIP+0x757] |
| D6C | N/A | .text | CALL QWORD PTR [RIP+0x70E] |
| DC0 | N/A | .text | CALL QWORD PTR [RIP+0x64A] |
| DE1 | N/A | .text | CALL QWORD PTR [RIP+0x689] |
| DEC | N/A | .text | CALL QWORD PTR [RIP+0x686] |
| E22 | N/A | .text | CALL QWORD PTR [RIP+0x670] |
| E78 | N/A | .text | JMP QWORD PTR [RIP+0x5F2] |
| EFE | N/A | .text | CALL QWORD PTR [RIP+0x6CC] |
| F3A | N/A | .text | CALL QWORD PTR [RIP+0x690] |
| FB4 | N/A | .text | JMP QWORD PTR [RIP+0xFFF3FF0] |
| 1110 | N/A | .text | JMP QWORD PTR [RIP+0x3AA] |
| 1116 | N/A | .text | JMP QWORD PTR [RIP+0x3AC] |
| 111C | N/A | .text | JMP QWORD PTR [RIP+0x396] |
| 1122 | N/A | .text | JMP QWORD PTR [RIP+0x3A8] |
| 1128 | N/A | .text | JMP QWORD PTR [RIP+0x43A] |
| 112E | N/A | .text | JMP QWORD PTR [RIP+0x42C] |
| 1134 | N/A | .text | JMP QWORD PTR [RIP+0x3C6] |
| 113A | N/A | .text | JMP QWORD PTR [RIP+0x410] |
| 1140 | N/A | .text | JMP QWORD PTR [RIP+0x402] |
| 1146 | N/A | .text | JMP QWORD PTR [RIP+0x3F4] |
| 114C | N/A | .text | JMP QWORD PTR [RIP+0x41E] |
| 1152 | N/A | .text | JMP QWORD PTR [RIP+0x400] |
| 1158 | N/A | .text | JMP QWORD PTR [RIP+0x3C2] |
| 115E | N/A | .text | JMP QWORD PTR [RIP+0x3CC] |
| 1164 | N/A | .text | JMP QWORD PTR [RIP+0x446] |
| 116A | N/A | .text | JMP QWORD PTR [RIP+0x428] |
| 1170 | N/A | .text | JMP QWORD PTR [RIP+0x41A] |
| 1176 | N/A | .text | JMP QWORD PTR [RIP+0x40C] |
| 117C | N/A | .text | JMP QWORD PTR [RIP+0x3FE] |
| 1182 | N/A | .text | JMP QWORD PTR [RIP+0x3F0] |
| 1188 | N/A | .text | JMP QWORD PTR [RIP+0x362] |
| 118E | N/A | .text | JMP QWORD PTR [RIP+0x34C] |
| 1194 | N/A | .text | JMP QWORD PTR [RIP+0x40E] |
| 119A | N/A | .text | JMP QWORD PTR [RIP+0x398] |
| 11A0 | N/A | .text | JMP QWORD PTR [RIP+0x382] |
| 11A6 | N/A | .text | JMP QWORD PTR [RIP+0x364] |
| 11AC | N/A | .text | JMP QWORD PTR [RIP+0x366] |
| 11F0 | N/A | .text | JMP QWORD PTR [RIP+0x3DA] |
| 2440 | N/A | .data | Rule match: FC4883E4F0E8 - Cobalt Strike shellcode start (CobaltStrike) |
Extra Analysis
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 5568 | 47,2826% |
| Null Byte Code | 4873 | 41,3808% |