PESCAN.IO - Analysis Report Basic

File Structure
[Chart image not included in this export.] Legend for the PE chart: executable header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red marks a malformed or corrupted header. For non-PE files the chart shows printable characters (blue) and non-printable characters (black).
Information
Size: 4,31 MB
SHA-256 Hash: 1A01F2419924E350BE3A61F5530DFB9B587B93DA199DA7E86A55DD7B0BBC126F
SHA-1 Hash: B730171060EF699098811FA2546C8A906803415E
MD5 Hash: CB530B87C1003C5C01839849856F0D2E
Imphash: 46CE5C12B293FEBBEB513B196AA7F843
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 00000000 (not computed; zero is usual for unsigned user-mode executables, the loader only enforces checksums for drivers and boot-time system images)
EntryPoint (rva): 369F
SizeOfHeaders: 400
SizeOfImage: 6C000
ImageBase: 400000
Architecture: x86
ImportTable: 84FC
IAT: 8000
Characteristics: 10F (IMAGE_FILE_RELOCS_STRIPPED | EXECUTABLE_IMAGE | LINE_NUMS_STRIPPED | LOCAL_SYMS_STRIPPED | 32BIT_MACHINE)
TimeDateStamp: 67CCCD30
Date: 08/03/2025 23:05:20 (DD/MM/YYYY, UTC; decoded from TimeDateStamp 67CCCD30)
File Type: EXE
Number Of Sections: 5
ASLR: Enabled (DYNAMIC_BASE flag reported; note that Characteristics 10F includes RELOCS_STRIPPED and the section list has no .reloc section, so the loader cannot rebase this image and the flag gives no address randomization in practice)
Section Names: .text, .rdata, .data, .ndata, .rsrc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info
(offsets and sizes in hexadecimal)
Section  Flags                                               ROffset  RSize   VOffset  VSize   Entropy    Chi2
.text    60000020 (Code, Executable, Readable)               400      6800    1000     6711    6,4543200  805,71
.rdata   40000040 (Initialized Data, Readable)               6C00     1400    8000     1358    5,0997139  135,80
.data    C0000040 (Initialized Data, Readable, Writeable)    8000     600     A000     1FB78   4,1230804  50,00
.ndata   C0000080 (Uninitialized Data, Readable, Writeable)  0        0       2A000    2E000   N/A        N/A
.rsrc    40000040 (Initialized Data, Readable)               8600     14000   58000    13E10   3,0586500  2357,13
The last file-backed byte of .rsrc is at 8600 + 14000 = 1C600, the offset at which the overlay listed under Flow Anomalies begins.
Description
LegalCopyright: Copyright 2025 Unknown
ProductName: Launcher
FileVersion: 0.3.2
FileDescription: Launcher
ProductVersion: 0.3.2
Language: English (United States) (ID=0x409)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Binder/Joiner/Crypter
Data appended after the last section (overlay at EOF) - 3,89 MB
The overlay starts at file offset 1C600 (end of .rsrc) with the NSIS firstheader magic shown in the *Overlay* row under Flow Anomalies, and Detect It Easy identifies it as NSIS data: it is the installer's LZMA-compressed payload. The tool flags any appended payload as dropper code, and every NSIS installer carries one, so this finding on its own does not indicate a binder or crypter.

Entry Point
The entry point (RVA 369F) lies in section 1 (.text)
Information -> EntryPoint (calculated file offset) - 2A9F (= 369F - 1000 + 400: RVA minus the section's VOffset plus its ROffset)
Code -> 81ECF80300005556576A205F33ED6801800000896C2420C744241830A24000896C2414FF159C8040008B35A08040008D4424
SUB ESP, 0X3F8
PUSH EBP
PUSH ESI
PUSH EDI
PUSH 0X20
POP EDI
XOR EBP, EBP
PUSH 0X8001
MOV DWORD PTR [ESP + 0X20], EBP
MOV DWORD PTR [ESP + 0X18], 0X40A230
MOV DWORD PTR [ESP + 0X14], EBP
CALL DWORD PTR [0X40809C]
MOV ESI, DWORD PTR [0X4080A0]
Both absolute addresses are IAT slots (IAT at RVA 8000, ImageBase 400000), and 0x40A230 is a pointer into .data. PUSH 0x8001 followed by the call is consistent with SetErrorMode(SEM_FAILCRITICALERRORS | SEM_NOOPENFILEERRORBOX), the first call in the NSIS stub's WinMain; the import names are not listed in this report, so treat that identification as an inference from the argument value.
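As an added worked example (not part of the PESCAN.IO report and not NSIS code), the address arithmetic behind the calculated entry point and the overlay location, using the section table and header fields from Sections Info and Information above. The function names are mine, and the byte strings fed to the entropy helper are constructed for illustration.

```python
# Added example (not part of the PESCAN.IO report or of NSIS): reproduce the
# report's address arithmetic in plain Python. Section values are copied from
# the Sections Info table; the entropy inputs at the bottom are constructed.
import math
from collections import Counter

IMAGE_BASE = 0x400000
SIZE_OF_HEADERS = 0x400
ENTRY_POINT_RVA = 0x369F

# (name, raw_offset, raw_size, virtual_address, virtual_size), hex as reported
SECTIONS = [
    (".text",  0x400,  0x6800,  0x1000,  0x6711),
    (".rdata", 0x6C00, 0x1400,  0x8000,  0x1358),
    (".data",  0x8000, 0x600,   0xA000,  0x1FB78),
    (".ndata", 0x0,    0x0,     0x2A000, 0x2E000),   # no raw bytes: BSS-style
    (".rsrc",  0x8600, 0x14000, 0x58000, 0x13E10),
]


def section_for_rva(rva, sections=SECTIONS):
    """Section whose virtual range contains rva, or None.

    A section occupies max(VirtualSize, SizeOfRawData) bytes of address
    space, so both values are considered when testing membership."""
    for sec in sections:
        _, roff, rsize, va, vsize = sec
        if va <= rva < va + max(vsize, rsize):
            return sec
    return None


def is_file_backed(rva, sections=SECTIONS):
    """True if rva maps to a byte that exists on disk (not BSS, not padding)."""
    if rva < SIZE_OF_HEADERS:
        return True
    sec = section_for_rva(rva, sections)
    return sec is not None and (rva - sec[3]) < sec[2]


def rva_to_file_offset(rva, sections=SECTIONS):
    """Map an RVA to a file offset, the way the report's 'EntryPoint
    (calculated)' value is derived: offset = RVA - VOffset + ROffset."""
    if rva < SIZE_OF_HEADERS:
        return rva                        # headers are mapped 1:1
    if not is_file_backed(rva, sections):
        raise ValueError(f"RVA {rva:#x} has no file-backed bytes")
    _, roff, _, va, _ = section_for_rva(rva, sections)
    return roff + (rva - va)


def va_to_file_offset(va, sections=SECTIONS):
    """Same mapping for an absolute virtual address (ImageBase + RVA)."""
    return rva_to_file_offset(va - IMAGE_BASE, sections)


def overlay_offset(sections=SECTIONS):
    """First byte after the last file-backed section: everything from here
    to EOF is overlay data that the PE loader never maps into memory."""
    return max(roff + rsize for _, roff, rsize, _, _ in sections)


def shannon_entropy(data):
    """Bits per byte, 0.0 .. 8.0; values near 8.0 mean compressed/encrypted."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


if __name__ == "__main__":
    ep_off = rva_to_file_offset(ENTRY_POINT_RVA)
    print(f"entry point RVA {ENTRY_POINT_RVA:#x} -> file offset {ep_off:#x} "
          f"in {section_for_rva(ENTRY_POINT_RVA)[0]}")
    print(f"overlay starts at file offset {overlay_offset():#x}")
    # constructed inputs: a zero-filled buffer vs. one holding every byte value
    print(f"entropy of zeros:  {shannon_entropy(bytes(100)):.3f}")
    print(f"entropy of 0..255: {shannon_entropy(bytes(range(256))):.3f}")
```

The same mapping reproduces the FileOffset column of the Resources table (DataRVA 58358 in .rsrc gives 8958) and the calculated overlay start of 1C600; an RVA inside .ndata raises, because that section has no bytes on disk.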

Signatures
Rich Signature Analyzer:
Code -> AD312081E9504ED2E9504ED2E9504ED22A5F11D2EB504ED2E9504FD24A504ED22A5F13D2E6504ED2BD737ED2E3504ED22E5648D2E8504ED252696368E9504ED2
Footprint md5 Hash -> 082F1D2C935AFD7F2772501AF0260BC8
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Compiler: Nullsoft Scriptable Install System (NSIS) - Version: v3.11
Detect It Easy (die)
PE: installer: Nullsoft Scriptable Install System(3.11)[lzma,solid]
PE: linker: Microsoft Linker(6.0*)[-]
PE: overlay: NSIS data(-)[-]
Entropy: 7.98705 (whole file; this value is dominated by the LZMA-compressed overlay, while the code section .text sits at 6,45, so it does not indicate that the stub itself is packed or encrypted)

Suspicious Functions
Library Function Description
KERNEL32.DLL GetModuleHandleA Retrieves a handle to the specified module.
KERNEL32.DLL CopyFileW Copies an existing file to a new file.
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
SHELL32.DLL ShellExecuteExW Performs an operation (such as open or runas) on a specified file; the API behind NSIS's ExecShell instruction.
Windows REG (UNICODE)
Software\Microsoft\Windows\CurrentVersion

File Access
Nullsoft.NSIS.exe
KERNEL32.dll
GDI32.dll
USER32.dll
COMCTL32.dll
ole32.dll
SHELL32.dll
ADVAPI32.dll
@.dat
Temp

File Access (UNICODE)
%s%S.dll
Temp

Words of Interest
exec
attrib
shutdown
expand

Words of Interest (UNICODE)
shutdown

URLs
http://schemas.microsoft.com/SMI/2005/WindowsSettings
http://schemas.microsoft.com/SMI/2016/WindowsSettings

URLs (UNICODE)
http://nsis.sf.net/NSIS_Error

Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii Registry (RegCreateKeyEx)
Text Ascii Registry (RegOpenKeyEx)
Text Ascii Registry (RegSetValueEx)
Text Ascii Registry (RegDeleteKeyEx)
Text Ascii File (GetTempPath)
Text Ascii File (CopyFile)
Text Ascii File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii File (ReadFile)
Text Ascii Anti-Analysis VM (GetVersion)
Text Ascii Reconnaissance (FindFirstFileW)
Text Ascii Reconnaissance (FindNextFileW)
Text Ascii Reconnaissance (FindClose)
Text Ascii Stealth (CloseHandle)
Text Ascii Execution (CreateProcessW)
Text Ascii Execution (ShellExecute)
Text Unicode Privileges (SeShutdownPrivilege)
Text Ascii Stealer malware focused on obtaining CVV codes to conduct unauthorized transactions (CVV)
Note: these rules are keyword matches on import names and strings. GetVersion, CloseHandle, the FindFirstFileW/FindNextFileW pair and the registry and file APIs are ordinary for any installer, and the CVV hit is a three-letter substring match with no other indicator on this page to support a stealer classification; treat each row as a pointer for review, not as a verdict.
Resources
Code shows the first 50 bytes of each resource in hex, followed by the same bytes rendered as printable text. FileOffset = DataRVA - 58000 + 8600 (the .rsrc mapping). Types: \ICON is RT_ICON (the first entry is a 128x128 32-bpp image: BITMAPINFOHEADER width 80, height 100 covering image plus mask), \DIALOG is RT_DIALOG (DIALOGEX templates, signature 0100FFFF, font MS Shell Dlg), \GROUP_ICON is RT_GROUP_ICON, \VERSION is RT_VERSION (the VS_VERSION_INFO block summarized under Description), and \24 is RT_MANIFEST (the XML manifest carrying the asInvoker execution level and the SMI schema URLs listed under URLs).
Path DataRVA Size FileOffset Code | Text
\ICON\1\1033 58358 10828 8958 2800000080000000000100000100200000000000000001000000000000000000000000000000000000000000000000000000 | (............. ...................................
\ICON\2\1033 68B80 EA8 19180 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | ..................................................
\ICON\3\1033 69A28 8A8 1A028 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | ..................................................
\ICON\4\1033 6A2D0 568 1A8D0 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | ..................................................
\ICON\5\1033 6A838 468 1AE38 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | ..................................................
\ICON\6\1033 6ACA0 2E8 1B2A0 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | ..................................................
\ICON\7\1033 6AF88 128 1B588 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | ..................................................
\DIALOG\103\1033 6B0B0 120 1B6B0 0100FFFF0000000000000000480400400700000000002C018C000000000000000800000000014D0053002000530068006500 | ............H..@......,...............M.S. .S.h.e.
\DIALOG\105\1033 6B1D0 202 1B7D0 0100FFFF00000000000000004808CA800E00000000004B01DE000000000000000800000000014D0053002000530068006500 | ............H.........K...............M.S. .S.h.e.
\DIALOG\106\1033 6B3D8 F8 1B9D8 0100FFFF0000000000000000480400400400000000002C018C000000000000000800000000014D0053002000530068006500 | ............H..@......,...............M.S. .S.h.e.
\DIALOG\107\1033 6B4D0 A0 1BAD0 0100FFFF0000000000000000480400400300000000002C018C000000000000000800000000014D0053002000530068006500 | ............H..@......,...............M.S. .S.h.e.
\DIALOG\111\1033 6B570 EE 1BB70 0100FFFF0000000000000000C8080080030000000000A7002B000000000000000800000000014D0053002000530068006500 | ........................+.............M.S. .S.h.e.
\GROUP_ICON\103\1033 6B660 68 1BC60 0000010001008080000001002000280801000100000000000000000000000000000000000000000000000000000000000000 | ............ .(...................................
\VERSION\1\1033 6B6C8 200 1BCC8 000234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000000000300 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\1033 6B8C8 548 1BEC8 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="UTF-8" standalone="y
Intelligent String
• COMCTL32.dll
• USER32.dll
• http://nsis.sf.net/NSIS_Error
• ~nsu%X.tmp
• .exe
• %s%S.dll

Flow Anomalies
Offset(file) TargetVA Section Description
Note: the second column is the absolute address each CALL reads its target from, not the instruction's RVA. All 100 call targets below lie between 408000 and 4082A0, inside the import address table (IAT RVA 8000 in .rdata, ImageBase 400000), so they are the ordinary "call dword ptr [IAT slot]" import calls the linker emits, not evidence of hooked or injected control flow. The final row is the overlay, not a call.
42C 40825C .text CALL [static] | Indirect call to absolute memory address
447 408260 .text CALL [static] | Indirect call to absolute memory address
45B 408264 .text CALL [static] | Indirect call to absolute memory address
4CF 408058 .text CALL [static] | Indirect call to absolute memory address
4E4 408268 .text CALL [static] | Indirect call to absolute memory address
505 40805C .text CALL [static] | Indirect call to absolute memory address
526 408060 .text CALL [static] | Indirect call to absolute memory address
530 408064 .text CALL [static] | Indirect call to absolute memory address
556 40826C .text CALL [static] | Indirect call to absolute memory address
56E 408270 .text CALL [static] | Indirect call to absolute memory address
7E4 408148 .text CALL [static] | Indirect call to absolute memory address
7F4 408258 .text CALL [static] | Indirect call to absolute memory address
8AD 408220 .text CALL [static] | Indirect call to absolute memory address
8EA 4080D4 .text CALL [static] | Indirect call to absolute memory address
8F8 408224 .text CALL [static] | Indirect call to absolute memory address
9D3 4080D8 .text CALL [static] | Indirect call to absolute memory address
A46 4080DC .text CALL [static] | Indirect call to absolute memory address
A79 4080E0 .text CALL [static] | Indirect call to absolute memory address
AC2 4080E4 .text CALL [static] | Indirect call to absolute memory address
B0E 4080E8 .text CALL [static] | Indirect call to absolute memory address
B56 4080EC .text CALL [static] | Indirect call to absolute memory address
B75 4080F0 .text CALL [static] | Indirect call to absolute memory address
C01 4080F4 .text CALL [static] | Indirect call to absolute memory address
CF6 4080F8 .text CALL [static] | Indirect call to absolute memory address
CFF 4080FC .text CALL [static] | Indirect call to absolute memory address
E42 408100 .text CALL [static] | Indirect call to absolute memory address
E54 408104 .text CALL [static] | Indirect call to absolute memory address
E6F 408108 .text CALL [static] | Indirect call to absolute memory address
E82 408104 .text CALL [static] | Indirect call to absolute memory address
FB9 40822C .text CALL [static] | Indirect call to absolute memory address
1037 40810C .text CALL [static] | Indirect call to absolute memory address
1049 408110 .text CALL [static] | Indirect call to absolute memory address
10DF 408230 .text CALL [static] | Indirect call to absolute memory address
10F7 408258 .text CALL [static] | Indirect call to absolute memory address
1129 408234 .text CALL [static] | Indirect call to absolute memory address
114E 408238 .text CALL [static] | Indirect call to absolute memory address
117E 40823C .text CALL [static] | Indirect call to absolute memory address
11A2 408240 .text CALL [static] | Indirect call to absolute memory address
11C6 40823C .text CALL [static] | Indirect call to absolute memory address
1211 408264 .text CALL [static] | Indirect call to absolute memory address
1241 408244 .text CALL [static] | Indirect call to absolute memory address
1255 408258 .text CALL [static] | Indirect call to absolute memory address
1265 408054 .text CALL [static] | Indirect call to absolute memory address
127D 408248 .text CALL [static] | Indirect call to absolute memory address
1297 408048 .text CALL [static] | Indirect call to absolute memory address
129F 408148 .text CALL [static] | Indirect call to absolute memory address
12B0 40824C .text CALL [static] | Indirect call to absolute memory address
12FF 40805C .text CALL [static] | Indirect call to absolute memory address
1328 408228 .text CALL [static] | Indirect call to absolute memory address
1333 408250 .text CALL [static] | Indirect call to absolute memory address
1417 4080FC .text CALL [static] | Indirect call to absolute memory address
148B 408110 .text CALL [static] | Indirect call to absolute memory address
152F 408114 .text CALL [static] | Indirect call to absolute memory address
1540 408118 .text CALL [static] | Indirect call to absolute memory address
15BD 40811C .text CALL [static] | Indirect call to absolute memory address
1655 408290 .text CALL [static] | Indirect call to absolute memory address
179F 408180 .text CALL [static] | Indirect call to absolute memory address
1815 408120 .text CALL [static] | Indirect call to absolute memory address
1851 408124 .text CALL [static] | Indirect call to absolute memory address
1882 408014 .text CALL [static] | Indirect call to absolute memory address
188B 408010 .text CALL [static] | Indirect call to absolute memory address
1941 40800C .text CALL [static] | Indirect call to absolute memory address
1987 408008 .text CALL [static] | Indirect call to absolute memory address
19FD 408004 .text CALL [static] | Indirect call to absolute memory address
1A10 408000 .text CALL [static] | Indirect call to absolute memory address
1A29 408010 .text CALL [static] | Indirect call to absolute memory address
1AC1 408128 .text CALL [static] | Indirect call to absolute memory address
1B84 408130 .text CALL [static] | Indirect call to absolute memory address
1BE2 408134 .text CALL [static] | Indirect call to absolute memory address
1CA4 408134 .text CALL [static] | Indirect call to absolute memory address
1CDB 408134 .text CALL [static] | Indirect call to absolute memory address
1CFF 408138 .text CALL [static] | Indirect call to absolute memory address
1D1E 40813C .text CALL [static] | Indirect call to absolute memory address
1D46 408140 .text CALL [static] | Indirect call to absolute memory address
1E32 40810C .text CALL [static] | Indirect call to absolute memory address
1E45 40810C .text CALL [static] | Indirect call to absolute memory address
1E61 4080FC .text CALL [static] | Indirect call to absolute memory address
1E74 408144 .text CALL [static] | Indirect call to absolute memory address
1FF0 40829C .text CALL [static] | Indirect call to absolute memory address
201A 4082A0 .text CALL [static] | Indirect call to absolute memory address
2040 408258 .text CALL [static] | Indirect call to absolute memory address
2050 408254 .text CALL [static] | Indirect call to absolute memory address
2329 408000 .text CALL [static] | Indirect call to absolute memory address
237E 408010 .text CALL [static] | Indirect call to absolute memory address
2395 408018 .text CALL [static] | Indirect call to absolute memory address
23A0 408010 .text CALL [static] | Indirect call to absolute memory address
23DD 408218 .text CALL [static] | Indirect call to absolute memory address
2411 40822C .text CALL [static] | Indirect call to absolute memory address
2421 40821C .text CALL [static] | Indirect call to absolute memory address
2453 408148 .text CALL [static] | Indirect call to absolute memory address
2475 408210 .text CALL [static] | Indirect call to absolute memory address
2493 4080D0 .text CALL [static] | Indirect call to absolute memory address
24C1 40822C .text CALL [static] | Indirect call to absolute memory address
24E5 408214 .text CALL [static] | Indirect call to absolute memory address
24F3 408228 .text CALL [static] | Indirect call to absolute memory address
2513 4080D0 .text CALL [static] | Indirect call to absolute memory address
252F 4080C0 .text CALL [static] | Indirect call to absolute memory address
253C 4080C4 .text CALL [static] | Indirect call to absolute memory address
255D 4080D4 .text CALL [static] | Indirect call to absolute memory address
259A 4080C8 .text CALL [static] | Indirect call to absolute memory address
1C600 N/A *Overlay* 00000000EFBEADDE4E756C6C736F6674496E7374 | ........NullsoftInst
The overlay opens with the NSIS firstheader: a flags word of 00000000, the signature DEADBEEF (stored little-endian as EF BE AD DE) and the magic string NullsoftInst. This confirms Detect It Easy's "overlay: NSIS data" result; a zero flags word means none of the firstheader options (uninstaller, silent, no-CRC, force-CRC) is set.
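Added example (not from the PESCAN.IO report or the NSIS project): a triage of rows shaped like the table above that tests whether each call target is an IAT slot, plus a decoder and scanner for the NSIS firstheader that starts the overlay (field layout as in NSIS's Source/exehead/fileform.h). It assumes the IAT ends where the ImportTable directory (RVA 84FC) begins, because the report gives no IAT size; the sample rows are a subset copied from the table, and the sample overlay is constructed from the 20 bytes shown plus two made-up length fields.

```python
# Added example (not part of the PESCAN.IO report or of NSIS). Header values
# come from the Information block; the IAT upper bound is an assumption.
import re
import struct

IMAGE_BASE = 0x400000
IAT_RVA = 0x8000
IMPORT_TABLE_RVA = 0x84FC          # assumption: directory right after the IAT
TEXT_RANGE = (0x1000, 0x1000 + 0x6800)

# Matches "<file offset> <target VA or N/A> <section> <description>"
ROW = re.compile(r"^([0-9A-F]+)\s+([0-9A-F]+|N/A)\s+(\S+)\s+(.*)$")

# A subset of rows copied from the Flow Anomalies table above.
SAMPLE_LINES = """\
42C 40825C .text CALL [static] | Indirect call to absolute memory address
4CF 408058 .text CALL [static] | Indirect call to absolute memory address
1A10 408000 .text CALL [static] | Indirect call to absolute memory address
201A 4082A0 .text CALL [static] | Indirect call to absolute memory address
259A 4080C8 .text CALL [static] | Indirect call to absolute memory address
""".splitlines()


def classify_target(va):
    """'iat' if the pointer the CALL dereferences sits in the import address
    table, 'code' if it points into .text, else 'other' (worth a closer look:
    a call through a pointer in .data or the overlay is what a hook or a
    runtime-resolved import looks like)."""
    rva = va - IMAGE_BASE
    if IAT_RVA <= rva < IMPORT_TABLE_RVA and rva % 4 == 0:
        return "iat"
    if TEXT_RANGE[0] <= rva < TEXT_RANGE[1]:
        return "code"
    return "other"


def triage_flow_rows(lines):
    """Parse rows shaped like the report's table and count target classes.
    Header lines and the overlay row (target N/A) are skipped."""
    counts = {"iat": 0, "code": 0, "other": 0}
    for line in lines:
        m = ROW.match(line.strip())
        if not m or m.group(2) == "N/A":
            continue
        counts[classify_target(int(m.group(2), 16))] += 1
    return counts


# NSIS firstheader, five little-endian int32 fields: flags, signature
# 0xDEADBEEF, "NullsoftInst" (3 ints), length_of_header,
# length_of_all_following_data.
FH_FMT = "<II12sII"
FH_SIG = 0xDEADBEEF
FH_MAGIC = b"NullsoftInst"
FH_FLAG_NAMES = {1: "UNINSTALL", 2: "SILENT", 4: "NO_CRC", 8: "FORCE_CRC"}

# Constructed: the 20 bytes shown in the *Overlay* row plus two made-up lengths.
SAMPLE_OVERLAY = (bytes.fromhex("00000000EFBEADDE4E756C6C736F6674496E7374")
                  + struct.pack("<II", 0x1234, 0x5678))


def parse_firstheader(blob, offset=0):
    """Decode the header that marks the start of the NSIS payload, or None."""
    if len(blob) - offset < struct.calcsize(FH_FMT):
        return None
    flags, sig, magic, hdr_len, data_len = struct.unpack_from(FH_FMT, blob, offset)
    if sig != FH_SIG or magic != FH_MAGIC:
        return None
    return {
        "flags": [name for bit, name in FH_FLAG_NAMES.items() if flags & bit],
        "length_of_header": hdr_len,
        "length_of_all_following_data": data_len,
    }


def find_firstheader(blob):
    """Offset of the first valid firstheader in blob, or -1. The installer
    stub locates its payload by scanning for this signature, which is why the
    data can sit anywhere after the last PE section."""
    pos = blob.find(FH_MAGIC)
    while pos != -1:
        start = pos - 8                   # flags and signature precede the magic
        if start >= 0 and parse_firstheader(blob, start) is not None:
            return start
        pos = blob.find(FH_MAGIC, pos + 1)
    return -1


if __name__ == "__main__":
    print("call target classes:", triage_flow_rows(SAMPLE_LINES))
    print("firstheader:", parse_firstheader(SAMPLE_OVERLAY))
```

Run against the full table, every row lands in the "iat" bucket; any "other" result would be the row to open in a disassembler first. The scanner reports where the NSIS payload begins even when the section table has been tampered with, because it does not rely on the computed overlay offset.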
Extra Analysis
Metric Value Percentage
Ascii Code 3077780 68,0828%
Null Byte Code 60381 1,3357%
These counts imply a total of about 4,52 million bytes (3077780 / 0,680828), i.e. 4,31 MiB, so the Size field under Information uses 1024-based units.