PREMIUM PESCAN.IO - Analysis Report

File Structure
[Chart image not reproduced. Legend used by the PE chart: executable header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red means a malformed or corrupted header. For non-PE files the chart shows printable characters (blue) and non-printable characters (black).]
Information
Size: 95.50 KB (97,792 bytes; the last section ends at raw offset 0x17C00 + 0x200 = 0x17E00)
SHA-256 Hash: 3E8D997C6E26DCD0AAD2BA74C99B5B46FBEE0DB1D0D46088AE5C8155FB827C33
SHA-1 Hash: BAFE2763B84644CBAFCB974F72CBC57E44CE2AF4
MD5 Hash: BA69008A5C5E0096D3765EC7471EA066
Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744 (the PE import table of a .NET executable contains only mscoree.dll!_CorExeMain, so this value is shared by virtually every .NET EXE and is useless for clustering this sample)
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (rva): 1932E
SizeOfHeaders: 200
SizeOfImage: 1E000
ImageBase: 400000
Architecture: x86
ImportTable: 192D8
IAT: 2000
Characteristics: 102
TimeDateStamp: F00CA9A2
Date: 14/08/2097 23:34:58 (not a real build time: .NET compilers building deterministically store a hash of the compilation in this field, which is why the decoded date lies in the future)
File Type: EXE
Number Of Sections: 3
ASLR: Enabled
Section Names: .text, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows Console
UAC Execution Level Manifest: asInvoker

Sections Info
Section  Flags                                               ROffset  RSize  VOffset  VSize  Entropy  Chi2
.text    60000020 (Code, Executable, Readable)               200      17400  2000     17334  6.0152   1542460.19
.rsrc    40000040 (Initialized Data, Readable)               17600    600    1A000    4DE    3.7239   99254
.reloc   42000040 (Initialized Data, Discardable, Readable)  17C00    200    1C000    C      0.1019   128015
(Flag 0x02000000 in .reloc is IMAGE_SCN_MEM_DISCARDABLE, not GP-relative; IMAGE_SCN_GPREL is 0x00008000.)
Description
OriginalFilename: Implosions.exe
FileVersion: 0.0.0.0
ProductVersion: 0.0.0.0
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point
The entry point lies in section 1 (.text).
Information -> EntryPoint (calculated file offset) - 1752E  (RVA 1932E - .text VOffset 2000 + .text ROffset 200)
Code -> FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Scanner flag -> EP changed to another address (AddressOfEntryPoint > BaseOfData)
Assembler
|jmp dword ptr [0x402000]   ; FF 25 00 20 40 00: indirect jump through the IAT (RVA 2000, VA 402000) to mscoree!_CorExeMain, the standard native entry stub of an x86 .NET executable
|add byte ptr [eax], al     ; x22: the remaining 44 bytes are 00 00 padding, which the disassembler renders as this instruction
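How the scanner arrives at "EntryPoint (calculated) 1752E" and at the flow anomaly "JMP [static]" is just a section-table lookup plus a six-byte opcode check. The following is an added example, not PEscan.io's code; it takes the section table, ImageBase, IAT RVA, entry-point RVA and entry-point bytes from the report above. The IAT size of 8 bytes is an assumption (one 32-bit thunk for _CorExeMain plus its null terminator), since the report does not print it.

```python
import struct

# Values copied from the report above (section table, ImageBase, IAT RVA, entry point, first 50 EP bytes).
SECTIONS = [
    # name,     ROffset, RSize,   VOffset, VSize
    (".text",   0x200,   0x17400, 0x2000,  0x17334),
    (".rsrc",   0x17600, 0x600,   0x1A000, 0x4DE),
    (".reloc",  0x17C00, 0x200,   0x1C000, 0xC),
]
IMAGE_BASE = 0x400000
IAT_RVA = 0x2000
IAT_SIZE = 8          # assumption: one 32-bit thunk (_CorExeMain) plus its null terminator
ENTRY_POINT_RVA = 0x1932E
EP_BYTES = bytes.fromhex(
    "FF250020400000000000000000000000000000000000000000"
    "00000000000000000000000000000000000000000000000000"
)


def rva_to_offset(rva, sections=SECTIONS):
    """Translate an RVA to a raw file offset via the section table.

    Returns None when the RVA is not backed by file data (the gap after the
    headers, or the zero-filled part of a section that exists only in memory).
    """
    for _name, roff, rsize, voff, vsize in sections:
        if voff <= rva < voff + max(vsize, rsize):
            delta = rva - voff
            return roff + delta if delta < rsize else None
    return None


def decode_entry_stub(code, image_base=IMAGE_BASE, iat_rva=IAT_RVA, iat_size=IAT_SIZE):
    """Recognise the x86 'jmp dword ptr [abs32]' entry stub (FF 25 imm32).

    A .NET executable's only native code is this one instruction, which jumps
    through the IAT slot the loader fills with mscoree!_CorExeMain. Returns
    None for any other opcode sequence.
    """
    if len(code) < 6 or code[:2] != b"\xff\x25":
        return None
    target_va = struct.unpack_from("<I", code, 2)[0]
    target_rva = target_va - image_base
    return {
        "mnemonic": f"jmp dword ptr [0x{target_va:X}]",
        "target_va": target_va,
        "target_rva": target_rva,
        # The jump goes through the import address table, i.e. to whatever the loader wrote there.
        "through_iat": iat_rva <= target_rva < iat_rva + iat_size,
        # 00 00 disassembles as 'add byte ptr [eax], al'; the tail is just padding.
        "tail_is_zero_padding": all(b == 0 for b in code[6:]),
    }


def summarize():
    """Reproduce the report's 'EntryPoint (calculated)' and 'Flow Anomalies' lines."""
    return rva_to_offset(ENTRY_POINT_RVA), decode_entry_stub(EP_BYTES)


if __name__ == "__main__":
    off, stub = summarize()
    print(f"entry point RVA 0x{ENTRY_POINT_RVA:X} -> file offset 0x{off:X}")
    print(stub)
```

The same lookup reproduces the FileOffset column of the Resources table (RVA 1A0A0 in .rsrc maps to 176A0). If the stub's target were outside the IAT, or the opcode at the entry point were anything but FF 25 in a file that Detect It Easy calls .NET, the native code before the runtime starts would deserve a closer look.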
Signatures
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Compiler: Microsoft Visual .NET (managed code: use a .NET decompiler rather than a native disassembler)
AnyCPU: False
Version: v4.0
Detect It Easy (die)
PE: library: .NET(v4.0.30319)[-]
PE: linker: Microsoft Linker(48.0)[-]
Entropy: 5.9602
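The Imphash line above and the "Suspicious Functions" below illustrate a trap with .NET samples: the import hash is computed from the PE import table, which for a .NET EXE holds only mscoree.dll!_CorExeMain, while P/Invoke targets such as GetProcAddress and CryptDecrypt live in the assembly metadata and never enter the hash. The following is an added example, not code from PEscan.io or pefile; it reimplements pefile's imphash algorithm (lower-case dll.symbol pairs, extension stripped, comma-joined, MD5) and shows that the report's hash is the generic .NET one. The import lists are constructed from the names the report prints.

```python
import hashlib


def imphash(imports):
    """Import hash as pefile computes it: for every imported (dll, symbol) pair,
    lower-case both, drop a .dll/.ocx/.sys extension, write 'dll.symbol'
    (ordinals as 'ordN'), join with commas and MD5 the result.

    `imports` is a list of (dll_name, [symbol_or_ordinal, ...]).
    """
    parts = []
    for dll, symbols in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        for sym in symbols:
            name = f"ord{sym}" if isinstance(sym, int) else sym.lower()
            parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# The PE import table of an x86 .NET EXE: a single thunk for the CLR host entry point.
DOTNET_EXE_IMPORTS = [("mscoree.dll", ["_CorExeMain"])]

# P/Invoke targets are declared in the assembly metadata (ImplMap/ModuleRef),
# not in the PE import table, so they never influence the imphash. These are
# the two names the report lists as 'Suspicious Functions'.
PINVOKE_TARGETS = [("KERNEL32.DLL", ["GetProcAddress"]), ("ADVAPI32.DLL", ["CryptDecrypt"])]


def is_generic_dotnet_imphash(value):
    """True when `value` is the imphash shared by all x86 .NET executables."""
    return value.lower() == imphash(DOTNET_EXE_IMPORTS)


if __name__ == "__main__":
    print("imphash of any .NET EXE             :", imphash(DOTNET_EXE_IMPORTS))
    print("if the P/Invokes were real imports  :", imphash(DOTNET_EXE_IMPORTS + PINVOKE_TARGETS))
    print("report value is the generic one     :", is_generic_dotnet_imphash("F34D5F2D4577ED6D9CEEC516C1F5A744"))
```

For a managed sample, pivot on something that actually reflects the author's code, such as the P/Invoke name set, the user-string heap or a hash over the IL, rather than on the imphash.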

Suspicious Functions
Library       Function        Description
KERNEL32.DLL  GetProcAddress  Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
ADVAPI32.DLL  CryptDecrypt    Decrypts data previously encrypted with CryptEncrypt (legacy CryptoAPI).
Note: this is a .NET assembly, so these names come from P/Invoke declarations in the metadata, not from the PE import table (which holds only mscoree.dll!_CorExeMain).
Registry paths (UNICODE)
SOFTWARE\WOW6432Node\Clients\StartMenuInternet   (browser registrations, 32-bit view on 64-bit Windows)
SOFTWARE\Clients\StartMenuInternet               (installed browsers register themselves here)
SOFTWARE\Microsoft\Windows NT\CurrentVersion     (OS product name and version)

File Access
Happy.exe
mscoree.dll
bcrypt.dll
kernel32.dll
gdi32.dll
System.Web.Scr
Temp

File Access (UNICODE)
Implosions.exe
egram.exe
user32.dll
AppData

WQL (WMI) Queries
These are WMI queries, typically used to fingerprint the host (CPU, GPU, disk and OS) and to spot virtual machines.
SELECT * FROM Win32_Processor
SELECT * FROM Win32_VideoController
SELECT * FROM
SELECT * FROM Win32_DiskDrive
SELECT * FROM Win32_OperatingSystem

Words of Interest
shadowcopy
Encrypt
Decrypt
RunPE
PassWord
<body
exec
attrib
start
cipher
systeminfo
ping
expand
replace

Words of Interest (UNICODE)
Virus
Encrypt
exec
start
replace

URLs (UNICODE)
https://api.ip.sb/geoip
(raw match, run together with the neighbouring user strings %USERPROFILE%\AppData\Roaming, AppData\Local\ProtonVPN and the interleaved token "Environment": https://api.ip.sb/geoip%USERPEnvironmentROFILE%\AppDEnvironmentata\RoaEnvironmentmingAppData\Local\ProtonVPN)

IP Addresses
45.88.91.67

Strings/Hex Code Found With The File Rules
Rule Type    Encoding     Matched (Word)
Text         Unicode      Unicode escape - \u00 - (Common Unicode escape sequences)
Text         Ascii        WinAPI Sockets (send)
Text         Ascii        File (CopyFile)
Text         Ascii        Encryption (FromBase64String)
Text         Ascii        Encryption (MD5CryptoServiceProvider)
Text         Ascii        Encryption API (CryptDecrypt)
Text         Ascii        Anti-Analysis VM (GetVersion)
Text         Ascii        Execution (ShellExecute)
Text         Ascii        Information used to authenticate a user's identity (Credential)
Text         Unicode      Malware that monitors and collects user data (Spy)
Text         Ascii        Information used for user authentication (Credential)
Text         Ascii        Unauthorized movement of funds or data (Transfer)
Entry Point  Hex Pattern  Microsoft Visual C / Basic .NET
Entry Point  Hex Pattern  Microsoft Visual C++ 8
Entry Point  Hex Pattern  Microsoft Visual C++ 8.0
Entry Point  Hex Pattern  Microsoft Visual C v7.0 / Basic .NET
Entry Point  Hex Pattern  Microsoft Visual Studio .NET
Entry Point  Hex Pattern  .NET executable
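The Ascii/Unicode split in the rule table, and the separate "(UNICODE)" lists for file access and words of interest above, come from scanning the same bytes twice: once for ASCII runs (metadata names such as CryptDecrypt) and once for UTF-16LE runs (the user-string heap, where "Encrypt" and "shadowcopy" live). The following is an added example, not the scanner's code; it does both passes over a constructed byte sample (the sample bytes and the rule set are assumptions modelled on the table above, not data taken from the file).

```python
import re

# Constructed sample (not bytes from the report): ASCII metadata names beside
# UTF-16LE user strings, separated by null bytes as they sit in a .NET image.
SAMPLE = b"\x00\x00".join([
    b"CryptDecrypt",
    b"GetProcAddress",
    b"FromBase64String",
    "shadowcopy".encode("utf-16-le"),
    "Encrypt".encode("utf-16-le"),
    b"Encrypt",
    "SELECT * FROM Win32_Processor".encode("utf-16-le"),
])

# Assumed rule set modelled on the 'Strings/Hex Code Found With The File Rules' table.
RULES = {
    "Encryption API": ["CryptDecrypt"],
    "Encryption": ["FromBase64String", "Encrypt"],
    "Dynamic API resolution": ["GetProcAddress"],
    "Anti-recovery": ["shadowcopy"],
    "WMI fingerprinting": ["SELECT * FROM Win32_"],
}


def extract_strings(blob, min_len=4):
    """'strings' and 'strings -el' in one pass: printable ASCII runs and
    printable UTF-16LE runs, returned in file order as (encoding, text)."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        found.append((m.start(), "Ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        found.append((m.start(), "Unicode", m.group().decode("utf-16-le")))
    return [(enc, text) for _, enc, text in sorted(found)]


def find_words(blob, rules=RULES):
    """Match every rule word in both encodings; returns (rule, encoding, word, offset)
    sorted by offset. The same word can hit twice, once per encoding, which is
    why 'Encrypt' appears in both word lists of the report."""
    hits = []
    for rule, words in rules.items():
        for word in words:
            for enc, needle in (("Ascii", word.encode("ascii")), ("Unicode", word.encode("utf-16-le"))):
                for m in re.finditer(re.escape(needle), blob):
                    hits.append((rule, enc, word, m.start()))
    return sorted(hits, key=lambda h: h[3])


if __name__ == "__main__":
    for enc, text in extract_strings(SAMPLE):
        print(f"{enc:8} {text}")
    for rule, enc, word, off in find_words(SAMPLE):
        print(f"0x{off:04X} {enc:8} {rule}: {word}")
```

Searching only the ASCII form is the common mistake with .NET samples: the strings the author wrote (paths, WQL queries, regexes) are all UTF-16LE, and a grep for the bytes of "shadowcopy" finds nothing.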
Resources
Path                          DataRVA  Size  FileOffset  Code / Text
\VERSION\1\0 (RT_VERSION)     1A0A0    254   176A0       540234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000  T.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\0 (RT_MANIFEST)         1A2F4    1EA   178F4       EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65  ...<?xml version="1.0" encoding="UTF-8" standalone
Intelligent Strings
• 0.0.0.0
• Implosions.exe
• *autofillexpiraas21tion_yas21earffnbelfdoeiohenkjibnmadjiehjhajbProfilesTotal of RAMhttps://api.ip.sb/geoip%USERPEnvironmentROFILE%\AppDEnvironmentata\RoaEnvironmentmingAppData\Local\ProtonVPN
  (run-together user strings; with the interleaved tokens "as21" and "Environment" removed the pieces read: autofill, expiration_year, ffnbelfdoeiohenkjibnmadjiehjhajb (32 characters a-p, the shape of a Chrome extension ID), Profiles, Total of RAM, https://api.ip.sb/geoip, %USERPROFILE%\AppData\Roaming, AppData\Local\ProtonVPN; the boundaries between adjacent strings are inferred)
• [\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
  (same artifact; with "File.IO", "System.UI", "String" and "as21" removed the pieces read: [\u0020-\u007F], ProcessId, name_on_card, encrypted_value, https://ipinfo.io/ip, %appdata%\logins, {0}\FileZilla\recentservers.xml, %appdata%\discord\Local Storage\leveldb\, tdata, AtomicWallet, v10, /C , \Ethereum\wallets, Ethereum, Electrum, [A-Za-z\d]{24}\.[\w-]{6}\.[\w-]{27}, profiles, \Windows\, value, expiration_month; boundaries again inferred)
• 45.88.91.67:23288
• egram.exe
• user32.dll
• _CorExeMainmscoree.dll

Flow Anomalies
Offset  Target (VA)  Section  Description
1752E   402000       .text    JMP [static] | Indirect jump through an absolute address (the IAT slot at RVA 2000, i.e. the _CorExeMain thunk of a .NET entry stub)
Extra Analysis
Metric          Value  Percentage
Ascii Code      57474  58.7717%
Null Byte Code  24795  25.3548%
© 2026 All rights reserved.