| PREMIUM PESCAN.IO - Analysis Report |
| File Structure |
(PE layout chart not reproduced; legend of the original chart follows.)
• PE Chart Code: PE header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); file structure drawn in red = malformed or corrupted header
• Chart Code For Other Files: printable characters (blue), non-printable characters (black)
| Information |
| Field | Value |
|---|---|
| Size | 258,00 KB |
| SHA-256 Hash | 7C5970DF4AA6ED5BA90AC5923899B3CB0B5B941D009C4A51F24ACB7F1EAA69CE |
| SHA-1 Hash | 14444241B404B5E25A5A30EF5A3603D46052D178 |
| MD5 Hash | B5C30030AF2B5318668BA9CB73C6A03F |
| Imphash | 02427E5C714AA6DDF166E21FC2D69692 |
| MajorOSVersion | 5 |
| MinorOSVersion | 0 |
| CheckSum | 0003FC5D |
| EntryPoint (rva) | 12C78 |
| SizeOfHeaders | 400 |
| SizeOfImage | 35000 |
| ImageBase | 10000000 |
| Architecture | x86 |
| ExportTable | 2B610 |
| ImportTable | 2B648 |
| IAT | 25000 |
| Characteristics | 2102 |
| TimeDateStamp | 69D02BCB |
| Date | 03/04/2026 21:06:19 |
| File Type | DLL |
| Number Of Sections | 4 |
| ASLR | Disabled |
| Section Names | .text, .rdata, .data, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 400 | 23800 | 1000 | 237B4 | | |
| .rdata | 0x40000040 Initialized Data Readable | 23C00 | 7600 | 25000 | 755A | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | 2B200 | 3800 | 2D000 | 5C88 | | |
| .reloc | 0x42000040 Initialized Data GP-Relative Readable | 2EA00 | 1C00 | 33000 | 1A24 | | |
| Binder/Joiner/Crypter |
| Dropper code detected (EOF) - 46,00 KB |
| Entry Point |
Section number 1 (.text) contains the Entry Point. EntryPoint (calculated): 12078
Code: 558BEC837D0C017505E833020000FF7510FF750CFF7508E8AEFEFFFF83C40C5DC20C00558BEC8325EC2103100083EC24830D
Assembler:
```
PUSH EBP
MOV EBP, ESP
CMP DWORD PTR [EBP + 0XC], 1
JNE 0X100E
CALL 0X1241
PUSH DWORD PTR [EBP + 0X10]
PUSH DWORD PTR [EBP + 0XC]
PUSH DWORD PTR [EBP + 8]
CALL 0XECA
ADD ESP, 0XC
POP EBP
RET 0XC
PUSH EBP
MOV EBP, ESP
AND DWORD PTR [0X100321EC], 0
SUB ESP, 0X24
```
| Signatures |
• CheckSum Integrity Problem: Header: 261213; Calculated: 274084
• Rich Signature Analyzer: Code -> 4BCBBCDE0FAAD28D0FAAD28D0FAAD28DBB36238D03AAD28DBB36218D8EAAD28DBB36208D17AAD28D5DDFD78C12AAD28D5DDFD68C1DAAD28D5DDFD18C18AAD28D0FAAD38DB5AAD28D06D2418D1EAAD28D06D2518D0EAAD28DC5DFD68C11AAD28DC5DFD18C0EAAD28DC5DFD28C0EAAD28DC5DFD08C0EAAD28D526963680FAAD28D; Footprint md5 Hash -> CFD126AC1E909C2146298ECF1F07C215; the Rich header apparently has not been modified
• Certificate - Digital Signature Not Found: the file is not signed
| Packer/Compiler |
• Detect It Easy (die) - PE: linker: Microsoft Linker(14.29**)[-]
• Entropy: 5.36357
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | CreateMutexW | Create a named or unnamed mutex object for controlling access to a shared resource. |
| KERNEL32.DLL | GetModuleFileNameA | Retrieve the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | CreateRemoteThread | Creates a thread in the address space of another process. |
| KERNEL32.DLL | WriteProcessMemory | Writes data to an area of memory in a specified process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| ADVAPI32.DLL | CryptEncrypt | Performs a cryptographic operation on data in a data block. |
| ADVAPI32.DLL | CryptDecrypt | Performs a cryptographic operation on data in a data block. |
| File Access |
| rundll32.exe winhttp.dll rpcrt4.dll wininet.dll ws2_32.dll user32.dll crypt32.dll advapi32.dll kernel32.dll ntdll.dll ole32.dll server.dll .dat @.dat |
| File Access (UNICODE) |
| mscoree.dll |
| Interest's Words |
| Encrypt Decrypt attrib start rundll32 rundll |
| URLs (UNICODE) |
| https://5.252.177.38:443/tn3dmIAc9i_AeMF5qYRW_w0K_RTXVgnoItHX5JMx_tjWAMiIPqisUPzgUJRSns-KK90zt2H5tsnoA1BhYgFtDhOyFdErzmarrpxc19ic/ |
| IP Addresses |
| 5.252.177.38 |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Unicode | Encryption (Microsoft Enhanced Cryptographic Provider v1.0) |
| Text | Unicode | Encryption (Microsoft Enhanced RSA and AES Cryptographic Provider) |
| Text | Ascii | Encryption API (CryptAcquireContext) |
| Text | Ascii | Encryption API (CryptDecrypt) |
| Text | Ascii | Encryption API (CryptReleaseContext) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Reconnaissance (FindNextFileA) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (ExitThread) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Stealth (CreateRemoteThread) |
| Text | Ascii | Execution (CreateEventW) |
| Text | Unicode | Privileges (SeDebugPrivilege) |
| Text | Unicode | Privileges (SeSecurityPrivilege) |
| Intelligent String |
| • winhttp.dll • wininet.dll • crypt32.dll • rpcrt4.dll • user32.dll • ntdll.dll • kernel32.dll • advapi32.dll • mscoree.dll • .bss • server.dll • WS2_32.dll • KERNEL32.dll • ws2_32.dll • rundll32.exe |
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 798 | 1002504C | .text | CALL [static] | Indirect call to absolute memory address |
| 1044 | 1002509C | .text | CALL [static] | Indirect call to absolute memory address |
| 104B | 10025048 | .text | CALL [static] | Indirect call to absolute memory address |
| 1073 | 10025040 | .text | CALL [static] | Indirect call to absolute memory address |
| 1088 | 10025044 | .text | CALL [static] | Indirect call to absolute memory address |
| 10BE | 100250A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1117 | 100250A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1134 | 1002509C | .text | CALL [static] | Indirect call to absolute memory address |
| 1148 | 100250A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1BC0 | 100250A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1BEB | 100250A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1CF7 | 100250B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1CFD | 100250A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1D37 | 100250B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1DAA | 100250B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1E0E | 100250A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1E4A | 100250B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1E62 | 100250A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1E7C | 100250B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1E88 | 100250A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1EB0 | 100250AC | .text | CALL [static] | Indirect call to absolute memory address |
| 1F0F | 100250A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1F34 | 1002509C | .text | CALL [static] | Indirect call to absolute memory address |
| 1FAF | 100250A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 2029 | 100250B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 2032 | 100250B4 | .text | CALL [static] | Indirect call to absolute memory address |
| 2039 | 100250B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 208A | 100250BC | .text | CALL [static] | Indirect call to absolute memory address |
| 2094 | 100250A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 20B5 | 100250B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 20DE | 100250A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 2108 | 100250A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 2159 | 100250B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 2215 | 100250A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 224D | 100250A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 258A | 1002525C | .text | CALL [static] | Indirect call to absolute memory address |
| 2C98 | 10025258 | .text | CALL [static] | Indirect call to absolute memory address |
| 2D0A | 1002525C | .text | CALL [static] | Indirect call to absolute memory address |
| 2D16 | 1002525C | .text | CALL [static] | Indirect call to absolute memory address |
| 2F42 | 1002525C | .text | CALL [static] | Indirect call to absolute memory address |
| 2F68 | 10025258 | .text | CALL [static] | Indirect call to absolute memory address |
| 2F73 | 10025258 | .text | CALL [static] | Indirect call to absolute memory address |
| 3001 | 1002525C | .text | CALL [static] | Indirect call to absolute memory address |
| 300D | 1002525C | .text | CALL [static] | Indirect call to absolute memory address |
| 313B | 10025258 | .text | CALL [static] | Indirect call to absolute memory address |
| 3184 | 10025258 | .text | CALL [static] | Indirect call to absolute memory address |
| 323E | 10025258 | .text | CALL [static] | Indirect call to absolute memory address |
| 3379 | 10025258 | .text | CALL [static] | Indirect call to absolute memory address |
| 3386 | 10025258 | .text | CALL [static] | Indirect call to absolute memory address |
| 33D7 | 1002525C | .text | CALL [static] | Indirect call to absolute memory address |
| 3509 | 100250B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 350F | 100250A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 37F0 | 10025258 | .text | CALL [static] | Indirect call to absolute memory address |
| 37FC | 10025258 | .text | CALL [static] | Indirect call to absolute memory address |
| 3896 | 10025258 | .text | CALL [static] | Indirect call to absolute memory address |
| 3A2E | 10025258 | .text | CALL [static] | Indirect call to absolute memory address |
| 3DDA | 100250C0 | .text | CALL [static] | Indirect call to absolute memory address |
| 40AE | 100250C4 | .text | CALL [static] | Indirect call to absolute memory address |
| 40B5 | 100250A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 483B | 1002519C | .text | CALL [static] | Indirect call to absolute memory address |
| 4862 | 1002519C | .text | CALL [static] | Indirect call to absolute memory address |
| 488C | 1002519C | .text | CALL [static] | Indirect call to absolute memory address |
| 48EC | 100250CC | .text | CALL [static] | Indirect call to absolute memory address |
| 4910 | 100250E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4927 | 100250D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 4940 | 100250D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 4957 | 100250D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 497E | 100250E0 | .text | CALL [static] | Indirect call to absolute memory address |
| 499A | 100250D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 4CE8 | 100250B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4D03 | 100250B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4D15 | 100250EC | .text | CALL [static] | Indirect call to absolute memory address |
| 4D23 | 100250F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 4FB6 | 100250F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 4FFD | 100250DC | .text | CALL [static] | Indirect call to absolute memory address |
| 5007 | 100250E4 | .text | CALL [static] | Indirect call to absolute memory address |
| 5011 | 100250D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 5A8B | 10025258 | .text | CALL [static] | Indirect call to absolute memory address |
| 5AB3 | 10025258 | .text | CALL [static] | Indirect call to absolute memory address |
| 5ACE | 1002501C | .text | CALL [static] | Indirect call to absolute memory address |
| 5AE9 | 10025030 | .text | CALL [static] | Indirect call to absolute memory address |
| 5AFD | 10025030 | .text | CALL [static] | Indirect call to absolute memory address |
| 5B16 | 10025020 | .text | CALL [static] | Indirect call to absolute memory address |
| 5B20 | 100250A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 5B6B | 1002525C | .text | CALL [static] | Indirect call to absolute memory address |
| 5B81 | 10025258 | .text | CALL [static] | Indirect call to absolute memory address |
| 5BCA | 10025034 | .text | CALL [static] | Indirect call to absolute memory address |
| 5C33 | 1002501C | .text | CALL [static] | Indirect call to absolute memory address |
| 5C3D | 100250A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 5C73 | 1002502C | .text | CALL [static] | Indirect call to absolute memory address |
| 5C9F | 1002525C | .text | CALL [static] | Indirect call to absolute memory address |
| 5CF3 | 10025024 | .text | CALL [static] | Indirect call to absolute memory address |
| 5CFD | 100250A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 5D13 | 10025258 | .text | CALL [static] | Indirect call to absolute memory address |
| 5D6C | 1002525C | .text | CALL [static] | Indirect call to absolute memory address |
| 5DB9 | 10025034 | .text | CALL [static] | Indirect call to absolute memory address |
| 5E25 | 1002503C | .text | CALL [static] | Indirect call to absolute memory address |
| 5E2F | 100250A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 5E7D | 1002502C | .text | CALL [static] | Indirect call to absolute memory address |
| 5E87 | 100250A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 30600 | N/A | *Overlay* | 0000000000000000CD649F68803A0900B67DDD98 | .........d.h.:...}.. |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 116925 | 44,2574% |
| Null Byte Code | 99183 | 37,5419% |