PESCAN.IO - Analysis Report

PESCAN.IO - Analysis Report Basic

File Structure

PE Chart Code

Header PE (light blue)

Executable sections (pink)

Non-executable sections (black)

External injected code (red)

File Structure in red = malformed or corrupted header

Chart Code For Other Files

Printable characters (blue)

Non-printable characters (black)

Information

Size: 148,50 KB
SHA-256 Hash: 8CECEEF8531EB89E4AEDDB1615CEB6A31FD7EE8630715A19C2D80B390C0F5955
SHA-1 Hash: D8B564F6350E42287F3DB62C976421DD816ED80D
MD5 Hash: CB950C9ABC76FAA1938B4FAD01C7F4F9
Imphash: DAE02F32A21E03CE65412F6E56942DAA
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (rva): 268D6
SizeOfHeaders: 200
SizeOfImage: 2C000
ImageBase: 10000000
Architecture: x86
ImportTable: 26882
IAT: 2000
Characteristics: 2022
TimeDateStamp: FA88488D
Date: 13/03/2103 13:24:29
File Type: DLL
Number Of Sections: 3
ASLR: Disabled
Section Names: .text, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows Console

Sections Info

Section Name	Flags	ROffset	RSize	VOffset	VSize	Entropy	Chi2
.text	0x60000020 Code Executable Readable	200	24A00	2000	248F8	6.1307	2037087.54
.rsrc	0x40000040 Initialized Data Readable	24C00	400	28000	3AC	3.0286	100668.5
.reloc	0x42000040 Initialized Data GP-Relative Readable	25000	200	2A000	C	0.1019	128015

Description

OriginalFilename: AimAssistPlugin.dll
CompanyName: AimAssistPlugin
ProductName: AimAssistPlugin
FileVersion: 1.0.0.0
FileDescription: AimAssistPlugin
ProductVersion: 1.0.0+a952e78753ac0726c6ac30b9838f741916cfa4de
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point

The section number (1) - (.text) have the Entry Point
Information -> EntryPoint (calculated) - 24AD6
Code -> FF250020001000000000010000000500000006000000070000000C0000000000000000000000000000000000000000000000

Assembler

|JMP DWORD PTR [0X10002000]

|ADD BYTE PTR [EAX], AL

|ADD DWORD PTR [EAX], EAX

|ADD BYTE PTR [EAX], AL

|ADD EAX, 0X6000000

|ADD BYTE PTR [EAX], AL

|ADD BYTE PTR [EDI], AL

|ADD BYTE PTR [EAX], AL

|ADD BYTE PTR [EAX + EAX], CL

|ADD BYTE PTR [EAX], AL

Signatures

Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler

Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
• AnyCPU: True
• Version: v4.0
Detect It Easy (die)
• PE: library: .NET(v4.0.30319)[-]
• PE: linker: Microsoft Linker(48.0)[-]
• Entropy: 6.09642

File Access

mscoree.dll
AimAssistPlugin.dll
user32.dll
OsuParsers.Dat
OsuParsers.Enums.Dat
System.IO.Compression.Zip
Temp

File Access (UNICODE)

AimAssistPlugin.dll
tosu.exe
tosu_latest.zip

Interest's Words

Interest's Words (UNICODE)

start

URLs (UNICODE)

http://localhost:24050/json/v2
http://localhost:24050/json/v2/precise
https://api.github.com/repos/tosuapp/tosu/releases/latest

IP Addresses

127.0.0.1

Strings/Hex Code Found With The File Rules

Rule Type	Encoding	Matched (Word)
Text	Ascii	File (GetTempPath)
Text	Ascii	File (ReadFile)
Text	Ascii	Keyboard Key (Scroll)
Entry Point	Hex Pattern	Microsoft Visual C++ 8
Entry Point	Hex Pattern	Microsoft Visual C++ 8.0
Entry Point	Hex Pattern	Microsoft Visual C++ 8.0 - Debug
Entry Point	Hex Pattern	Microsoft Visual C++ 8.0 (MFC)
Entry Point	Hex Pattern	TrueVision Targa Graphics format

Resources

Path	DataRVA	Size	FileOffset	Code	Text
\VERSION\1\0	28058	350	24C58	500334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000	P.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............

Intelligent String

• AimAssistPlugin.dll
• 1.0.0.0
• .zip
• https://api.github.com/repos/tosuapp/tosu/releases/latest
• tosu_latest.zip
• tosu.exe
• tosu.env
• http://localhost:24050/json/v2
• http://localhost:24050/json/v2/precise
• _CorDllMainmscoree.dll

Flow Anomalies

Offset	RVA	Section	Description
24AD6	10002000	.text	JMP [static] \| Indirect jump to absolute memory address

Extra Analysis

Metric	Value	Percentage
Ascii Code	92724	60,977%
Null Byte Code	34255	22,5267%

PESCAN.IO - Analysis Report Basic