PESCAN.IO - Analysis Report Basic

File Structure
Analysis image (legend). PE chart: executable header (light blue); executable sections (pink); non-executable sections (black); external injected code (red); a file structure drawn in red marks a malformed or corrupted header. Chart for non-PE files: printable characters (blue); non-printable characters (black).
Information
Size: 1,89 MB
SHA-256 Hash: 0AC3387B6E0283C972722C2A6664EE23AC5BA10640D18B827E8732F5C57E7D2C
SHA-1 Hash: 6A780C9F1C15E555B72640299B9C10E7927252F6
MD5 Hash: C4394FB4DAAF350CDBF5303D812E917E
Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (rva): 1E0C1E
SizeOfHeaders: 200
SizeOfImage: 1EA000
ImageBase: 400000
Architecture: x86
ImportTable: 1E0BC4
IAT: 2000
Characteristics: 102
TimeDateStamp: 59ED3393
Date: 23/10/2017 0:10:59
File Type: EXE
Number Of Sections: 3
ASLR: Enabled
Section Names: .text, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info
Section  Flags     (meaning)                                ROffset  RSize   VOffset  VSize   Entropy   Chi2
.text    60000020  Code, Executable, Readable               200      1DEE00  2000     1DEC24  7,262372  17825,80
.rsrc    40000040  Initialized Data, Readable               1DF000   4C00    1E2000   4B98    5,040791  5443,71
.reloc   42000040  Initialized Data, GP-Relative, Readable  1E3C00   200     1E8000   C       0,081512  8522,00
Description
OriginalFilename: Extreme Injector.exe
CompanyName: master131
LegalCopyright: Copyright 2017
LegalTrademarks: master131
ProductName: Extreme Injector
FileVersion: 3.7.2.0
FileDescription: Extreme Injector
ProductVersion: 3.7.2.0
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point
Section 1 (.text) contains the entry point.
Information -> EntryPoint (calculated file offset) - 1DEE1E   (RVA 1E0C1E - .text VOffset 2000 + .text ROffset 200)
Code -> FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
JMP DWORD PTR [0x402000]    ; FF 25 00 20 40 00
(the remaining bytes are zero padding; read naively as x86 they decode to a run of ADD BYTE PTR [EAX], AL)
The jump target 0x402000 is ImageBase (400000) + IAT (2000): the import thunk that the loader fills with the address of _CorExeMain in mscoree.dll (see the "_CorExeMainmscoree.dll" string under Intelligent String). This six-byte stub is the standard native entry of every .NET executable; the program logic is CIL, so native disassembly of this file ends here and a .NET decompiler is the right tool.
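The two calculations the report makes at this point, RVA to file offset via the section table and recognising the CLR entry stub, as an added example written for this page (it is not PESCAN.IO code). build_sample_image() constructs a minimal PE32 so the parser can run offline; REPORT_SECTIONS copies the section table printed above, and the IAT size of the sample image (8 bytes) is an assumption of the example.

```python
# Added example (not PESCAN.IO code): recompute the report's "EntryPoint
# (calculated)" file offset from the section table and recognise the six-byte
# CLR entry stub (FF 25 <IAT slot>) that every .NET executable starts with.
# build_sample_image() is a constructed PE32 for offline testing, not the
# analysed binary; REPORT_SECTIONS copies the report's own section table.
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Section:
    name: str
    virtual_address: int   # VOffset (RVA)
    virtual_size: int      # VSize
    raw_offset: int        # ROffset (PointerToRawData)
    raw_size: int          # RSize   (SizeOfRawData)


def parse_pe32(data: bytes):
    """Return (image_base, entry_rva, iat_rva, iat_size, sections) of a PE32 file."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = pe + 4
    nsec, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (x86) handled here")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    # PE32 data directories start at opt+96; index 12 is the IAT (RVA, Size).
    iat_rva, iat_size = struct.unpack_from("<II", data, opt + 96 + 12 * 8)
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + i * 40
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, roff = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append(Section(name, va, vsize, roff, rsize))
    return image_base, entry_rva, iat_rva, iat_size, sections


def rva_to_offset(sections: List[Section], rva: int) -> Optional[int]:
    """Map an RVA to its file offset; None when nothing on disk backs it."""
    for s in sections:
        end = s.virtual_address + max(s.virtual_size, s.raw_size)
        if s.virtual_address <= rva < end:
            delta = rva - s.virtual_address
            return s.raw_offset + delta if delta < s.raw_size else None
    return None


def indirect_jmp_target(code: bytes) -> Optional[int]:
    """Decode FF 25 imm32 (JMP DWORD PTR [imm32]); return imm32, else None."""
    if len(code) >= 6 and code[:2] == b"\xff\x25":
        return struct.unpack_from("<I", code, 2)[0]
    return None


def describe_entry(data: bytes) -> dict:
    image_base, entry_rva, iat_rva, iat_size, sections = parse_pe32(data)
    off = rva_to_offset(sections, entry_rva)
    target = indirect_jmp_target(data[off:off + 6]) if off is not None else None
    iat_lo, iat_hi = image_base + iat_rva, image_base + iat_rva + iat_size
    return {
        "entry_rva": entry_rva,
        "entry_offset": off,
        "jmp_target": target,
        # First instruction is a jump through the IAT: the CLR host stub.
        "dotnet_stub": target is not None and iat_lo <= target < iat_hi,
    }


def build_sample_image() -> bytes:
    """Constructed PE32 (not the analysed file): one .text section at RVA 0x2000
    holding an IAT slot at +0 and the FF 25 stub at +0x10 (entry RVA 0x2010)."""
    image_base, iat_rva, entry_rva = 0x400000, 0x2000, 0x2010
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 12 * 8, iat_rva, 8)       # IAT directory (size assumed)
    sec = b".text".ljust(8, b"\0") + struct.pack("<IIII", 0x100, 0x2000, 0x200, 0x200)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec.ljust(40, b"\0")
    text = bytearray(0x200)                                     # IAT slot at +0 is 0 on disk
    text[0x10:0x16] = b"\xff\x25" + struct.pack("<I", image_base + iat_rva)
    return headers.ljust(0x200, b"\0") + bytes(text)


# Section table as printed in the report above (name, VOffset, VSize, ROffset, RSize).
REPORT_SECTIONS = [
    Section(".text", 0x2000, 0x1DEC24, 0x200, 0x1DEE00),
    Section(".rsrc", 0x1E2000, 0x4B98, 0x1DF000, 0x4C00),
    Section(".reloc", 0x1E8000, 0xC, 0x1E3C00, 0x200),
]

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    print({k: hex(v) if isinstance(v, int) and not isinstance(v, bool) else v
           for k, v in describe_entry(blob).items()})
```

Run it with a path to reproduce the report's figures on the real sample; without arguments it parses the constructed image. rva_to_offset(REPORT_SECTIONS, 0x1E0C1E) returns 0x1DEE1E, the value the report prints, and the same function maps the resource DataRVA 1E2190 to FileOffset 1DF190.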

Signatures
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Compiler: Microsoft Visual .NET (managed code; recover the logic with a .NET decompiler rather than a native disassembler)
AnyCPU: True (the PE32 header says x86, but an AnyCPU .NET 4 executable is loaded as a 64-bit process on 64-bit Windows; relevant when judging which targets this injector can reach)
Version: v4.0
Detect It Easy (die)
PE: library: .NET(v4.0.30319)[-]
PE: linker: Microsoft Linker(8.0)[-]
Entropy: 7.24721

Suspicious Functions
Note: the PE import table of this file resolves only mscoree.dll!_CorExeMain (the Imphash above is the value shared by .NET executables with that sole import). The Win32 names below therefore come from P/Invoke declarations in the .NET metadata, not from the import table. Together they form the classic remote-thread injection chain: find the target with CreateToolhelp32Snapshot, put code into it with the VirtualAlloc family plus WriteProcessMemory, and start it with CreateRemoteThread, with GetModuleHandle/GetProcAddress resolving the address the remote thread begins at. Only the local VirtualAlloc is named here; a cross-process allocation needs VirtualAllocEx or an ntdll equivalent.
Library       Function                   Description
KERNEL32.DLL  VirtualAlloc               Reserves, commits, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL  GetModuleHandle            Retrieves a handle to the specified module.
KERNEL32.DLL  CreateToolhelp32Snapshot   Creates a snapshot of the specified processes, heaps, threads, and modules.
KERNEL32.DLL  CreateRemoteThread         Creates a thread in the address space of another process.
KERNEL32.DLL  WriteProcessMemory         Writes data to an area of memory in a specified process.
KERNEL32.DLL  ReadProcessMemory          Reads data from an area of memory in a specified process.
KERNEL32.DLL  GetProcAddress             Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
File Access
Extreme Injector.exe
mscoree.dll
shlwapi.dll
Kernel32.dll
shell32.dll
ntdll.dll
user32.dll
psapi.dll
advapi32.dll
Ionic.Zip
Temp

File Access (UNICODE)
Extreme Injector.exe

Words of Interest
Encrypt
Decrypt
exec
unescape
attrib
start
systeminfo
replace

URLs
http://www.w3.org/2001/XMLSchema-instance

IP Addresses
12.0.0.0 (dotted-quad pattern match only; the file shows no network-related imports and no URL beyond an XML namespace, so treat this as a version-like string rather than a network indicator unless dynamic analysis shows traffic)

Strings/Hex Code Found With The File Rules
Type  Encoding  Rule category (matched word)
Note: the "Anti-Analysis VM", "Stealth" and "Malicious rerouting" categories below fire on single tokens (GetVersion, CloseHandle, Redirect) that appear in most ordinary programs and carry little weight on their own. What characterises this file is the combination: GetThreadContext + SetThreadContext + ResumeThread (thread hijacking) alongside VirtualAlloc + WriteProcessMemory + CreateRemoteThread (remote-thread injection), plus Rijndael/DES helpers, Base64 and a DotfuscatorAttribute marking an obfuscated .NET assembly.
Text Ascii File (GetTempPath)
Text Ascii Encryption (CreateDecryptor)
Text Ascii Encryption (DESCryptoServiceProvider)
Text Ascii Encryption (DotfuscatorAttribute)
Text Ascii Encryption (FromBase64String)
Text Ascii Encryption (ICryptoTransform)
Text Ascii Encryption (RNGCryptoServiceProvider)
Text Ascii Encryption (Rijndael)
Text Ascii Encryption (RijndaelManaged)
Text Ascii Encryption (ToBase64String)
Text Ascii Anti-Analysis VM (GetVersion)
Text Ascii Anti-Analysis VM (CreateToolhelp32Snapshot)
Text Ascii Stealth (GetThreadContext)
Text Ascii Stealth (SetThreadContext)
Text Ascii Stealth (CloseHandle)
Text Ascii Stealth (VirtualAlloc)
Text Ascii Stealth (VirtualProtect)
Text Ascii Stealth (ReadProcessMemory)
Text Ascii Stealth (CreateRemoteThread)
Text Ascii Execution (ShellExecute)
Text Ascii Execution (ResumeThread)
Text Ascii Malware that injects malicious code into a process (Injector)
Text Unicode Malware that injects malicious code into a process (Injector)
Text Ascii Technique used to insert malicious code into legitimate processes (Inject)
Text Unicode Technique used to insert malicious code into legitimate processes (Inject)
Text Ascii Malicious rerouting of traffic to an attacker-controlled site (Redirect)
Entry Point Hex Pattern Microsoft Visual C / Basic .NET
Entry Point Hex Pattern Microsoft Visual C++ 8
Entry Point Hex Pattern Microsoft Visual C++ 8.0
Entry Point Hex Pattern Microsoft Visual C v7.0 / Basic .NET
Entry Point Hex Pattern Microsoft Visual Studio .NET
Entry Point Hex Pattern Microsoft Windows Enhanced Metafile
Entry Point Hex Pattern .NET executable
Note: all entry-point signatures above key on the same six-byte FF 25 stub followed by zero padding, so the Visual C++ 8 and Enhanced Metafile matches are signature-database collisions; ".NET executable" is the match that describes this file.
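The difference between the single-token rules in the table above and rules that require an API chain to co-occur, as an added example written for this page (not PESCAN.IO's rule set). It extracts ASCII and UTF-16LE strings the way the Ascii/Unicode columns above imply, tokenises them, and fires a capability only when every member of a chain is present. The rule names, API groupings and sample_blob() are this example's own constructions.

```python
# Added example (not PESCAN.IO code): capability tagging from extracted strings
# with co-occurrence rules instead of single-token matches. Rule names and the
# API groupings are this example's choices; sample_blob() is constructed input
# shaped like a .NET assembly's #Strings (ASCII) and #US (UTF-16LE) heaps.
import re
from typing import Dict, List, Set

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes) -> Set[str]:
    """Printable ASCII and UTF-16LE runs of four or more characters, as one set."""
    found = {m.group().decode("ascii") for m in ASCII_RE.finditer(data)}
    found |= {m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)}
    return found


def tokens(strings: Set[str]) -> Set[str]:
    """Split on non-identifier characters: 'mscoree.dll' -> {'mscoree', 'dll'}."""
    out: Set[str] = set()
    for s in strings:
        out.update(re.findall(r"[A-Za-z_][A-Za-z0-9_]+", s))
    return out


# Each rule: every name in 'all_of' must be present; 'any_of' needs one hit (or is empty).
RULES: Dict[str, Dict[str, List[str]]] = {
    "remote-thread injection": {
        "all_of": ["WriteProcessMemory", "CreateRemoteThread"],
        "any_of": ["VirtualAlloc", "VirtualAllocEx"],
    },
    "thread hijacking": {
        "all_of": ["GetThreadContext", "SetThreadContext", "ResumeThread"],
        "any_of": [],
    },
    "process enumeration": {
        "all_of": ["CreateToolhelp32Snapshot"],
        "any_of": ["Process32First", "Process32Next", "Module32First", "Module32Next"],
    },
    "embedded crypto (.NET)": {
        "all_of": ["ICryptoTransform"],
        "any_of": ["RijndaelManaged", "DESCryptoServiceProvider", "AesManaged"],
    },
}


def match_rules(toks: Set[str], rules: Dict[str, Dict[str, List[str]]] = RULES) -> Dict[str, List[str]]:
    """Return {rule name: sorted matched names} for every rule whose chain is complete."""
    hits: Dict[str, List[str]] = {}
    for name, rule in rules.items():
        need_all = all(a in toks for a in rule["all_of"])
        need_any = not rule["any_of"] or any(a in toks for a in rule["any_of"])
        if need_all and need_any:
            hits[name] = sorted(t for t in rule["all_of"] + rule["any_of"] if t in toks)
    return hits


def dotnet_pinvoke_caveat(toks: Set[str]) -> bool:
    """True when the CLR host import is present: Win32 names then come from
    P/Invoke metadata, not from the PE import table."""
    return "_CorExeMain" in toks and "mscoree" in toks


def sample_blob() -> bytes:
    """Constructed input (not the analysed file): NUL-separated ASCII metadata
    names followed by one UTF-16LE user string."""
    ascii_part = b"\x00".join([
        b"_CorExeMain", b"mscoree.dll", b"kernel32", b"VirtualAllocEx",
        b"WriteProcessMemory", b"CreateRemoteThread", b"CreateToolhelp32Snapshot",
        b"Process32Next", b"GetThreadContext", b"ICryptoTransform", b"RijndaelManaged",
    ])
    user_string = "Extreme Injector".encode("utf-16-le")
    return b"\x01\x02" + ascii_part + b"\x00\x03" + user_string + b"\x00\x00"


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_blob()
    toks = tokens(extract_strings(data))
    for rule, matched in match_rules(toks).items():
        print(f"{rule}: {', '.join(matched)}")
    if dotnet_pinvoke_caveat(toks):
        print("note: .NET assembly; API names above are P/Invoke declarations")
```

On the constructed input the injection, enumeration and crypto chains fire while "thread hijacking" stays silent because SetThreadContext and ResumeThread are absent, which is the behaviour a single-token rule cannot give you.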
Resources
Path                   DataRVA  Size  FileOffset  First bytes (hex)  |  text preview
\ICON\1\0              1E2190   25A8  1DF190      2800000030000000600000000100200000000000802500000000000000000000000000000000000000000000000000000000  |  (...0........ ......%............................
\ICON\2\0              1E4738   10A8  1E1738      2800000020000000400000000100200000000000801000000000000000000000000000000000000000000000000000000000  |  (... ...@..... ...................................
\ICON\3\0              1E57E0   468   1E27E0      2800000010000000200000000100200000000000400400000000000000000000000000000000000000000000000000000000  |  (....... ..... .....@.............................
\GROUP_ICON\32512\0    1E5C48   30    1E2C48      0000010003003030000001002000A825000001002020000001002000A810000002001010000001002000680400000300  |  ......00.... ..%.... .... ............. .h.....
\VERSION\1\0           1E5C78   37C   1E2C78      7C0334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000700  |  |.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\0 (RT_MANIFEST)  1E5FF4   B9F   1E2FF4      EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D227574662D38223F3E0D0A3C61736D76313A  |  ...<?xml version="1.0" encoding="utf-8"?>..<asmv1:
Intelligent String
• 3.7.2.0
• Extreme Injector.exe
• _CorExeMainmscoree.dll
• <asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

Flow Anomalies
Note: the scanner flags every FF 15 / FF 25 byte pair in the sections as an indirect CALL/JMP and prints its 32-bit operand in the column labelled RVA. The .text of a .NET assembly holds CIL and metadata, not x86 code, so nearly all of these operands (3320062B, 2000000, 2DFFF177, ...) lie outside the mapped image (ImageBase 400000 to 400000 + SizeOfImage 1EA000) and the same operand recurring at many offsets is data, not control flow. The one genuine branch is at offset 1DEE1E with operand 402000, the entry stub's jump through the IAT; the two .rsrc hits fall inside the \ICON\1\0 bitmap (file offsets 1DF190-1E1738).
Offset   Operand   Section   Description
8CD0 3320062B .text JMP [static] | Indirect jump to absolute memory address
AB4C 5020062B .text JMP [static] | Indirect jump to absolute memory address
16161 5020062B .text JMP [static] | Indirect jump to absolute memory address
17D8C 2000000 .text JMP [static] | Indirect jump to absolute memory address
21B18 2000000 .text CALL [static] | Indirect call to absolute memory address
24637 2000000 .text JMP [static] | Indirect jump to absolute memory address
27DA9 2000000 .text JMP [static] | Indirect jump to absolute memory address
2A29A 9B128 .text CALL [static] | Indirect call to absolute memory address
2D995 7B020613 .text CALL [static] | Indirect call to absolute memory address
2E12C F201113 .text CALL [static] | Indirect call to absolute memory address
2E1B8 22110F13 .text CALL [static] | Indirect call to absolute memory address
2E662 C201013 .text CALL [static] | Indirect call to absolute memory address
318CC C201013 .text JMP [static] | Indirect jump to absolute memory address
3479F 2120062B .text JMP [static] | Indirect jump to absolute memory address
361F7 110A136A .text CALL [static] | Indirect call to absolute memory address
40A37 C20062B .text JMP [static] | Indirect jump to absolute memory address
4147F C20062B .text JMP [static] | Indirect jump to absolute memory address
4FBDC 200B1126 .text JMP [static] | Indirect jump to absolute memory address
59F54 2000000 .text JMP [static] | Indirect jump to absolute memory address
5E3B4 200A112A .text CALL [static] | Indirect call to absolute memory address
5E427 200A112A .text CALL [static] | Indirect call to absolute memory address
5E4F8 3013002A .text CALL [static] | Indirect call to absolute memory address
60B36 2A6A .text CALL [static] | Indirect call to absolute memory address
682D2 200E112A .text CALL [static] | Indirect call to absolute memory address
68474 200E112A .text CALL [static] | Indirect call to absolute memory address
6850B 1B00002A .text CALL [static] | Indirect call to absolute memory address
6CFBE C13160D .text CALL [static] | Indirect call to absolute memory address
7956B 1300002A .text CALL [static] | Indirect call to absolute memory address
7CD87 1300002A .text CALL [static] | Indirect call to absolute memory address
7CE6F 1300002A .text CALL [static] | Indirect call to absolute memory address
860D7 4A20082A .text CALL [static] | Indirect call to absolute memory address
866E4 2020062B .text JMP [static] | Indirect jump to absolute memory address
8C407 200A112A .text CALL [static] | Indirect call to absolute memory address
8C4B3 200A112A .text JMP [static] | Indirect jump to absolute memory address
8C50C 3013002A .text CALL [static] | Indirect call to absolute memory address
92CEB 3013002A .text CALL [static] | Indirect call to absolute memory address
9A4B3 B110713 .text CALL [static] | Indirect call to absolute memory address
9B2E4 B110713 .text CALL [static] | Indirect call to absolute memory address
A98CE 2DFFF177 .text CALL [static] | Indirect call to absolute memory address
A990E 3FFEA68 .text CALL [static] | Indirect call to absolute memory address
AD5F6 2DFFF177 .text CALL [static] | Indirect call to absolute memory address
AD636 3FFEA68 .text CALL [static] | Indirect call to absolute memory address
B131E 2DFFF177 .text CALL [static] | Indirect call to absolute memory address
B135E 3FFEA68 .text CALL [static] | Indirect call to absolute memory address
B5046 2DFFF177 .text CALL [static] | Indirect call to absolute memory address
B5086 3FFEA68 .text CALL [static] | Indirect call to absolute memory address
B8D6E 2DFFF177 .text CALL [static] | Indirect call to absolute memory address
B8DAE 3FFEA68 .text CALL [static] | Indirect call to absolute memory address
BCA96 2DFFF177 .text CALL [static] | Indirect call to absolute memory address
BCAD6 3FFEA68 .text CALL [static] | Indirect call to absolute memory address
C07BE 2DFFF177 .text CALL [static] | Indirect call to absolute memory address
C07FE 3FFEA68 .text CALL [static] | Indirect call to absolute memory address
C8DEF 2113D66D .text CALL [static] | Indirect call to absolute memory address
CAD1C 2113D66D .text JMP [static] | Indirect jump to absolute memory address
E3881 2113D66D .text JMP [static] | Indirect jump to absolute memory address
E5B48 37526EE5 .text CALL [static] | Indirect call to absolute memory address
EDAE3 37526EE5 .text CALL [static] | Indirect call to absolute memory address
EFF15 37526EE5 .text CALL [static] | Indirect call to absolute memory address
F1C1C 37526EE5 .text JMP [static] | Indirect jump to absolute memory address
10613A 37526EE5 .text CALL [static] | Indirect call to absolute memory address
108A5C 37526EE5 .text JMP [static] | Indirect jump to absolute memory address
10B302 570B6047 .text JMP [static] | Indirect jump to absolute memory address
10B7C8 29CF1345 .text JMP [static] | Indirect jump to absolute memory address
129C05 2CDD53B6 .text JMP [static] | Indirect jump to absolute memory address
13504C 2CDD53B6 .text JMP [static] | Indirect jump to absolute memory address
1383B1 2CDD53B6 .text JMP [static] | Indirect jump to absolute memory address
13CF7E 4C733D6B .text CALL [static] | Indirect call to absolute memory address
143EF4 4C733D6B .text JMP [static] | Indirect jump to absolute memory address
153972 5DF56487 .text JMP [static] | Indirect jump to absolute memory address
1591C0 1838504F .text CALL [static] | Indirect call to absolute memory address
161D36 1838504F .text JMP [static] | Indirect jump to absolute memory address
1634F0 2983A62D .text CALL [static] | Indirect call to absolute memory address
165874 999FE97 .text CALL [static] | Indirect call to absolute memory address
1C6A07 999FE97 .text JMP [static] | Indirect jump to absolute memory address
1C7814 999FE97 .text JMP [static] | Indirect jump to absolute memory address
1CA0E1 999FE97 .text JMP [static] | Indirect jump to absolute memory address
1CCE75 2ABC156F .text JMP [static] | Indirect jump to absolute memory address
1DA3AE 32241DFC .text JMP [static] | Indirect jump to absolute memory address
1DEE1E 402000 .text JMP [static] | Indirect jump to absolute memory address
1DF58F 2DFFF177 .rsrc CALL [static] | Indirect call to absolute memory address
1DF5CF 3FFEA68 .rsrc CALL [static] | Indirect call to absolute memory address
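Filtering a list like the one above down to the branches that can actually exist in this image, as an added example written for this page (not PESCAN.IO code). ImageBase, SizeOfImage and the IAT RVA are taken from the Information block; the IAT size (8 bytes) is an assumption of the example, REPORT_HITS copies six rows from the table above, and sample_text_section() is constructed input, not bytes from the binary.

```python
# Added example (not PESCAN.IO code): triage "indirect jump/call to absolute
# address" hits. An FF 15 / FF 25 byte pair is a plausible branch only if its
# 32-bit operand lands inside the mapped image, and an import thunk only if it
# lands in the IAT; anything else is data that happens to contain those bytes,
# the normal case for CIL and metadata in a .NET assembly's .text section.
# IMAGE_BASE, SIZE_OF_IMAGE and the IAT RVA come from the report; IAT_SIZE and
# sample_text_section() are this example's assumption and constructed input.
import struct
from typing import Iterator, List, Tuple

IMAGE_BASE = 0x400000
SIZE_OF_IMAGE = 0x1EA000
IAT_VA = IMAGE_BASE + 0x2000     # "IAT: 2000" in the report
IAT_SIZE = 8                     # assumed: one thunk plus null terminator

Hit = Tuple[int, str, int]       # (file offset, mnemonic, operand)


def classify_target(va: int, image_base: int = IMAGE_BASE, size_of_image: int = SIZE_OF_IMAGE,
                    iat_va: int = IAT_VA, iat_size: int = IAT_SIZE) -> str:
    """'iat' for an import thunk, 'image' for any other mapped address, else 'noise'."""
    if iat_va <= va < iat_va + iat_size:
        return "iat"
    if image_base <= va < image_base + size_of_image:
        return "image"
    return "noise"


def find_indirect_branches(data: bytes, base_offset: int = 0) -> Iterator[Hit]:
    """Yield every FF 15 (CALL) / FF 25 (JMP) pair with its imm32 operand, the way
    a naive byte scanner does; base_offset is the section's file offset (ROffset)."""
    i = data.find(b"\xff")
    while i != -1 and i + 6 <= len(data):
        modrm = data[i + 1]
        if modrm in (0x15, 0x25):
            operand = struct.unpack_from("<I", data, i + 2)[0]
            yield base_offset + i, ("CALL" if modrm == 0x15 else "JMP"), operand
        i = data.find(b"\xff", i + 1)


def genuine(hits) -> List[Hit]:
    """Keep only hits whose operand could be a real memory operand in this image."""
    return [h for h in hits if classify_target(h[2]) != "noise"]


def triage(hits) -> List[dict]:
    return [{"offset": off, "insn": insn, "target": va, "verdict": classify_target(va)}
            for off, insn, va in hits]


# Six rows copied from the Flow Anomalies table above (offset, insn, operand).
REPORT_HITS: List[Hit] = [
    (0x8CD0, "JMP", 0x3320062B), (0x17D8C, "JMP", 0x02000000),
    (0x21B18, "CALL", 0x02000000), (0xA98CE, "CALL", 0x2DFFF177),
    (0x1DEE1E, "JMP", 0x00402000), (0x1DF58F, "CALL", 0x2DFFF177),
]


def sample_text_section() -> bytes:
    """Constructed bytes (not from the binary): IL-like filler that happens to
    contain FF 25 and FF 15, then the real CLR stub FF 25 <IAT_VA>."""
    filler = bytes.fromhex("2802000006FF250600062BFF15000002007BA0000004")
    stub = b"\xff\x25" + struct.pack("<I", IAT_VA)
    return filler + b"\x00" * 8 + stub + b"\x00" * 10


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        hits = list(find_indirect_branches(open(sys.argv[1], "rb").read()))
    else:
        hits = list(find_indirect_branches(sample_text_section()))
    for row in triage(hits):
        print(f"{row['offset']:08X}  {row['insn']:4}  {row['target']:08X}  {row['verdict']}")
```

Given a raw file the scanner reproduces a table like the one above; passing its output through genuine() leaves, for this binary's values, only the 1DEE1E -> 402000 entry stub. For a native PE the 'image' class would be populated too and the next check is whether each target falls inside the .idata/IAT range parsed from the headers rather than a fixed constant.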
Extra Analysis
Metric Value Percentage
Ascii Code 1200423 60,5677%
Null Byte Code 222305 11,2165%
© 2026 All rights reserved.