PESCAN.IO - Analysis Report Basic

File Structure
Analysis Image
PE Chart Code
Executable header (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header

Chart Code For Other Files
Printable characters (blue)
Non-printable characters (black)
Information
Size: 1,64 MB
SHA-256 Hash: AF3137574DCAB29DD9AC9AE05DEB4EB4863816A0CA635DE21D89645B6DD0113F
SHA-1 Hash: F71E032A95F8DB9879DCC843111848F6FF64BD65
MD5 Hash: D14C9BE736E48475BEAD063E25480A27
Imphash: 8E73F0B1BA8E9EA271385585FB4D5C02
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 000677D8
EntryPoint (rva): 1CF10
SizeOfHeaders: 400
SizeOfImage: 79000
ImageBase: 0000000000400000
Architecture: x64
ImportTable: 55630
IAT: 43000
Characteristics: 23
TimeDateStamp: 5E7232A8
Date: 18/03/2020 14:39:36
File Type: EXE
Number Of Sections: 5
ASLR: Disabled
Section Names (Optional Header): .text, .rdata, .data, .pdata, .rsrc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: requireAdministrator

Sections Info
Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2
.text | 60000020 (Code, Executable, Readable) | 400 | 41A00 | 1000 | 418B8 | 6,390618448 | 54,00
.rdata | 40000040 (Initialized Data, Readable) | 41E00 | 13800 | 43000 | 137D4 | 6,363499200 | 6,14
.data | C0000040 (Initialized Data, Readable, Writeable) | 55600 | 2400 | 57000 | 12588 | 4,122578663 | 5,61
.pdata | 40000040 (Initialized Data, Readable) | 57A00 | 3200 | 6A000 | 306C | 5,589534342 | 3,68
.rsrc | 40000040 (Initialized Data, Readable) | 5AC00 | A400 | 6E000 | A2CD | 6,295784212 | 5,44
Description
CompanyName: SimpleHelp Ltd
LegalCopyright: Copyright (c) 2020
ProductName: Remote Access
FileVersion: 5.2.11.0
FileDescription: SimpleHelp Remote Access Client
ProductVersion: 5.2.11.0
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Binder/Joiner/Crypter
Dropper code detected (EOF) - 1,17 MB

Entry Point
Section number 1 (.text) contains the Entry Point
Information -> EntryPoint (calculated) - 1C310
Code -> 4883EC28E8B7BC00004883C428E93EFDFFFFCCCCCCCCCCCCCCCCCCCCCCCCCCCC4883EC28498B49384D8BD14C8BC28B01448B
SUB RSP, 0X28
CALL 0XCCC0
ADD RSP, 0X28
JMP 0XD50
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
SUB RSP, 0X28
MOV RCX, QWORD PTR [R9 + 0X38]
MOV R10, R9
MOV R8, RDX
MOV EAX, DWORD PTR [RCX]

Signatures
CheckSum Integrity Problem:
Header: 423896
Calculated: 1735765
Rich Signature Analyzer:
Code -> 0FB85B424BD935114BD935114BD935116C1F481140D935116C1F5B117AD93511D987311069D935116C1F581165D835116C1F4E1149D935113D444E1144D935114BD934118FD935116C1F47115BD935116C1F49114AD935116C1F4D114AD93511526963684BD93511
Footprint md5 Hash -> 0CF81D20EF22925A878C3C67540BE690
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is signed and the signature is correct

Packer/Compiler
Compiler: Microsoft Visual C++
Detect It Easy (die)
PE+(64): compiler: Microsoft Visual C/C++(2005)[-]
PE+(64): linker: Microsoft Linker(8.0 or 11.0)[-]
Entropy: 7.85063

Suspicious Functions
Library Function Description
KERNEL32.DLL CreateMutexA Creates a named or unnamed mutex object for controlling access to a shared resource.
KERNEL32.DLL GetModuleFileNameA Retrieves the fully qualified path for the executable file of a specified module.
KERNEL32.DLL GetModuleHandleA Retrieves a handle to the specified module.
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL LoadLibraryA Loads the specified module into the address space of the calling process.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL CreateFileA Creates or opens a file or I/O device.
KERNEL32.DLL DeleteFileA Deletes an existing file.
KERNEL32.DLL IsDebuggerPresent Determines if the calling process is being debugged by a user-mode debugger.
WININET.DLL InternetConnectA Opens a File Transfer Protocol (FTP) or HTTP session for a given site.
File Access
verpatch.exe
.exe
unpack200.exe
java.exe
javaw.exe
windowslauncher.exe
ADVAPI32.dll
USER32.dll
KERNEL32.dll
COMCTL32.dll
WINHTTP.dll
VERSION.dll
WININET.dll
WINMM.dll
jvm.dll
shell32.dll
mscoree.dll
gdiplus.dll
rt.jar
.bat
@.dat
%s-%03d.log
JWrapper-JWrapper-version.txt
-version.txt
HJ.XLS
Temp
ProgramFiles
AppData
UserProfile

Words of Interest
PassWord
exec
attrib
start
hostname
shutdown
ping

URLs
http://0.0.254.254
http://crl.globalsign.net/root.crl
http://tl.symcb.com/tl.crl
http://tl.symcd.com
http://tl.symcb.com/tl.crt
http://crl.globalsign.com/gs/gstimestampingg2.crl
http://secure.globalsign.com/cacert/gstimestampingg2.crt
http://144.172.107.27:8008/access
https://www.globalsign.com/repository/03
https://www.thawte.com/cps0/
https://www.thawte.com/repository0W
https://www.globalsign.com/repository/

IP Addresses
0.0.254.254
5.2.11.0
144.172.107.27

Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii WinAPI Sockets (connect)
Text Ascii File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii File (ReadFile)
Text Ascii Anti-Analysis VM (IsDebuggerPresent)
Text Ascii Anti-Analysis VM (GetVersion)
Text Ascii Reconnaissance (FindFirstFileA)
Text Ascii Reconnaissance (FindNextFileA)
Text Ascii Reconnaissance (FindClose)
Text Ascii Stealth (ExitThread)
Text Ascii Stealth (CloseHandle)
Text Ascii Execution (CreateProcessA)
Text Ascii Execution (CreateEventA)
Text Ascii Technique used to circumvent security measures (Bypass)
Entry Point Hex Pattern Microsoft Visual C++ 8.0 (DLL)
Entry Point Hex Pattern Microsoft Visual C++ 8.0
Resources
Path DataRVA Size FileOffset CodeText
\ICON\50\0 6E1F0 528 5ADF0 2800000010000000200000000100200000000000000500000000000000000000000000000000000000000000000000000000(....... ..... ...................................
\ICON\51\0 6E718 B68 5B318 2800000018000000300000000100200000000000400B00000000000000000000000000000000000000000000000000000000(.......0..... .....@.............................
\ICON\52\0 6F280 1428 5BE80 2800000020000000400000000100200000000000001400000000000000000000000000000000000000000000000000000000(... ...@..... ...................................
\ICON\53\0 706A8 2D28 5D2A8 2800000030000000600000000100200000000000002D00000000000000000000000000000000000000000000000000000000(...0........ ......-............................
\ICON\54\0 733D0 4890 5FFD0 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A866000048574944415478DAED7D075C5457DA.PNG........IHDR.............\r.f..HWIDATx..}.\TW.
\GROUP_ICON\1000\0 77C60 4C 64860 00000100050010100000010020002805000032001818000001002000680B0000330020200000010020002814000034003030000001002000282D000035000000000000000000904800003600............ .(...2....... .h...3. .... .(...4.00.... .(-..5..........H..6.
\VERSION\1\0 77CAC 49C 648AC 9C0434000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000200..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\1033 78148 185 64D48 3C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122<assembly xmlns="urn:schemas-microsoft-com:asm.v1"
Intelligent String
• c:\users\simplehelp\workspace\runner\native\libtom\libtomcrypt\src\hashes\sha2\sha224.cltc_mp.name != NULL
• mscoree.dll
• KERNEL32.DLL
• kernel32.dll
• .com
• .bat
• .cmd
• USER32.DLL
• windowslauncher.exebinjavaw.exe
• java.exe
• unpack200.exe
• .exe
• http://0.0.254.254
• -version.txt
• shell32.dll
• rt.jar
• nativesplash.png
• verpatch.exe
• -Xshare:dump
• runner.cfg
• [TestSplash] Configure splash to use sh_logo.png
• sh_logo.png
• C:\TEMPCould not open test.p2.l2
• C:\Users\simplehelp\AppData\Local\Temp
• deleteme.tmp
• WININET.dll
• COMCTL32.dll
• USER32.dll
• ADVAPI32.dll

Flow Anomalies
Offset RVA Section Description
65000 N/A *Overlay* 1D432A505B7A1F642347212417323C50216C0466 | .C*P[z.dG!$.2<P!l.f
Extra Analysis
Metric Value Percentage
Ascii Code 1147389 66,634%
Null Byte Code 76498 4,4426%