PESCAN.IO - Analysis Report

File Structure

Information

| Field | Value |
|---|---|
| Size | 11,50 KB |
| SHA-256 Hash | F5EC65B652A9B9D969996F05819EB6DF32BBFCBA437465E229FDBBDAD6AC621F |
| SHA-1 Hash | 544415A362CCC64A6B09EE3826610CAB9D09CC0B |
| MD5 Hash | C93B1A2F7690F2D7D5584FAC163515EA |
| Imphash | DAE02F32A21E03CE65412F6E56942DAA |
| MajorOSVersion | 4 |
| MinorOSVersion | 0 |
| CheckSum | 00000000 |
| EntryPoint (rva) | 452E |
| SizeOfHeaders | 200 |
| SizeOfImage | A000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ImportTable | 44E0 |
| IAT | 2000 |
| Characteristics | 2102 |
| TimeDateStamp | 0 |
| Date | 01/01/1970 |
| File Type | DLL |
| Number Of Sections | 3 |
| ASLR | Enabled |
| Section Names | .text, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows Console |
Sections Info
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 200 | 2600 | 2000 | 2534 | 5,2460 | 298194,53 |
| .rsrc | 40000040 (Initialized Data, Readable) | 2800 | 400 | 6000 | 2E8 | 2,3830 | 134352,00 |
| .reloc | 42000040 (Initialized Data, GP-Relative, Readable) | 2C00 | 200 | 8000 | C | 0,0815 | 128522,00 |
Description

| Field | Value |
|---|---|
| OriginalFilename | MyLibrary.dll |
| FileVersion | 0.0.0.0 |
| Language | Unknown (ID=0x7F) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |

Entry Point

Section 1 (.text) contains the entry point. EntryPoint (calculated): 272E

Code bytes at the entry point: FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Disassembly:
• JMP DWORD PTR [0X402000]
• ADD BYTE PTR [EAX], AL (the remaining bytes are zero padding; each pair of zero bytes decodes to this instruction)

The jump target 0x402000 is the IAT (RVA 2000 at ImageBase 400000), so the entry point is an indirect jump through the import table into mscoree.dll. This is the standard native loader stub of a .NET assembly and is consistent with the .NET v4.0 detection and the _CorDllMain/mscoree.dll string reported below.
Signatures
• Certificate - Digital Signature Not Found: the file is not signed

Packer/Compiler
• Compiler: Microsoft Visual .NET (a .NET decompiler can be used on this file)
• AnyCPU: True
• Version: v4.0

Detect It Easy (die)
• PE: library: .NET(v4.0.30319)[-]
• PE: linker: Microsoft Linker(8.0)[-]
• Entropy: 4.80049

Windows REG (UNICODE)
• SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
• SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall

File Access
• mscoree.dll
• MyLibrary.dll

File Access (UNICODE)
• MyLibrary.dll
• Temp

SQL Queries (WMI/WQL)
• SELECT * FROM Win32_OperatingSystem
• SELECT * FROM Win32_UserAccount WHERE Status='OK'
• SELECT HotFixID FROM Win32_QuickFixEngineering
• SELECT * FROM Win32_ComputerSystem
• SELECT * FROM Win32_BIOS
• SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled=true
• SELECT ExecutablePath, ProcessId, SessionId FROM Win32_Process
• SELECT Name, State FROM Win32_Service
Interesting Words
• exec
• attrib
• start
• replace

Interesting Words (UNICODE)
• exec
• start

URLs (UNICODE)
• https://ethereum.publicnode.com
• https://verysypname.com/auth
Strings/Hex Code Matched by File Rules
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Encryption (FromBase64String) |
| Text | Ascii | Execution (ShellExecute) |
| Entry Point | Hex Pattern | Microsoft Visual C / Basic .NET |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 |
| Entry Point | Hex Pattern | Microsoft Visual C v7.0 / Basic .NET |
| Entry Point | Hex Pattern | Microsoft Visual Studio .NET |
| Entry Point | Hex Pattern | .NET executable |
| Entry Point | Hex Pattern | TrueVision Targa Graphics format |
Resources
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \VERSION\1\0 | 6058 | 290 | 2858 | 900234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
Intelligent String
• https://ethereum.publicnode.com
• https://verysypname.com/auth
• _CorDllMainmscoree.dll
• 0.0.0.0
• MyLibrary.dll
Flow Anomalies

| Offset | RVA | Section | Instruction | Description |
|---|---|---|---|---|
| 272E | 402000 | .text | JMP [static] | Indirect jump to absolute memory address |
Extra Analysis

| Metric | Count (bytes) | Percentage |
|---|---|---|
| Ascii Code | 5710 | 48,4885% |
| Null Byte Code | 4920 | 41,7799% |
© 2025 All rights reserved.