# PESCAN.IO - Analysis Report Basic

## File Structure

PE chart colour code (the chart image itself is not reproduced here):

- Executable header (light blue)
- Executable sections (pink)
- Non-executable sections (black)
- External injected code (red)
- File structure drawn in red = malformed or corrupted header

Chart colour code for other file types:

- Printable characters (blue)
- Non-printable characters (black)
## Information

| Field | Value |
|---|---|
| Size | 193,50 KB |
| SHA-256 Hash | 38D4A7D6E5B27327EA833CA54F125E0AFE86E2E1BFC47BFD0984049221F7258D |
| SHA-1 Hash | 5028EEC50A290557B64E94818AF272178F296EA4 |
| MD5 Hash | D4367E343E16C4C15040A62690FD14B6 |
| Imphash | F34D5F2D4577ED6D9CEEC516C1F5A744 |
| MajorOSVersion | 4 |
| MinorOSVersion | 0 |
| CheckSum | 00000000 |
| EntryPoint (rva) | 2DEBA |
| SizeOfHeaders | 200 |
| SizeOfImage | 36000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ImportTable | 2DE6C |
| IAT | 2DEC8 |
| Characteristics | 2 |
| TimeDateStamp | 5C0E0656 |
| Date | 10/12/2018 6:23:18 |
| File Type | DLL |
| Number Of Sections | 3 |
| ASLR | Enabled |
| Section Names | .text, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| UAC Execution Level Manifest | asInvoker |
## Sections Info
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 200 | 2C000 | 2000 | 2BF3D | 6,0545 | 2762864,08 |
| .rsrc | 40000040 (Initialized Data, Readable) | 2C200 | 4200 | 2E000 | 418E | 4,3547 | 615927,82 |
| .reloc | 42000040 (Initialized Data, GP-Relative, Readable) | 30400 | 200 | 34000 | C | 0,1019 | 128015,00 |
## Description

| Field | Value |
|---|---|
| OriginalFilename | KickassUndelete.exe |
| CompanyName | Joey Scarr |
| LegalCopyright | Copyright Joey Scarr 2018 |
| ProductName | KickassUndelete |
| FileVersion | 1.5.5.0 |
| FileDescription | KickassUndelete |
| ProductVersion | 1.5.5.0 |
| Language | Unknown (ID=0x0) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |
## Entry Point

Section 1 (.text) contains the entry point. EntryPoint (calculated, file offset): 2C0BA.

Bytes at the entry point: FF25C8DE420000000000000000009CDE0200000000000000000056060E5C000000000200000051000000ECDE0200ECC00200

Disassembly of those bytes:

- JMP DWORD PTR [0X42DEC8]
- ADD BYTE PTR [EAX], AL
- ADD BYTE PTR [EAX], AL
- ADD BYTE PTR [EAX], AL
- ADD BYTE PTR [EAX], AL
- PUSHFD
- FIADD WORD PTR [EDX]
- ADD BYTE PTR [EAX], AL
- ADD BYTE PTR [EAX], AL
- ADD BYTE PTR [EAX], AL
- ADD BYTE PTR [EAX], AL
- ADD BYTE PTR [ESI + 6], DL
- PUSH CS
- POP ESP
- ADD BYTE PTR [EAX], AL
- ADD BYTE PTR [EAX], AL
- ADD AL, BYTE PTR [EAX]
- ADD BYTE PTR [EAX], AL
- PUSH ECX
- ADD BYTE PTR [EAX], AL
- ADD AH, CH
- FIADD WORD PTR [EDX]
- ADD AH, CH
- ROL BYTE PTR [EDX], 0

Only the first instruction is real code: it is the standard 6-byte .NET loader stub that jumps through the IAT slot at 0x42DEC8 (IAT RVA 2DEC8 listed above) into mscoree.dll's _CorExeMain. The bytes after it belong to the import directory and IAT, which the linear disassembler has decoded as meaningless instructions.
## Signatures

- Certificate: digital signature not found (the file is not signed)
## Packer/Compiler

- Compiler: Microsoft Visual .NET (a .NET decompiler can be used for this)
  - AnyCPU: True
  - Version: v4.0
- Compiler: Microsoft Visual Studio
- Detect It Easy (die):
  - PE: library: .NET(v4.0.30319)[-]
  - PE: linker: Microsoft Linker(8.0)[-]
  - Entropy: 6.01722
## ET Functions (carving)
| pov pow |
## File Access

- KickassUndelete.exe
- mscoree.dll
- kernel32.dll
- shell32.dll
- KFS.Dat
- Temp
- RootDir
## File Access (UNICODE)

- KickassUndelete.exe
- explorer.exe
- Temp
## SQL Queries

- SELECT * FROM Win32_DiskPartition WHERE DiskIndex = {0} AND Index = {1}
- SELECT * FROM Win32_DiskDrive
- SELECT * FROM Win32_LogicalDisk
## Interest's Words

Encrypt, Encryption, exec, attrib, start, diskpart, systeminfo, diskperf, ping, dism, expand, replace
## Interest's Words (UNICODE)

PassWord, attrib, start, diskpart, ping
## IP Addresses

- 15.3.0.0
## Strings/Hex Code Found With The File Rules
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (send) |
| Text | Ascii | File (CopyFile) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Malicious rerouting of traffic to an attacker-controlled site (Redirect) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 |
## Resources
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\2\0 | 2E140 | 25A8 | 2C340 | 2800000030000000600000000100200000000000000000000000000000000000000000000000000000000000000000000000 | (...0........ ................................... |
| \ICON\3\0 | 306F8 | 10A8 | 2E8F8 | 2800000020000000400000000100200000000000000000000000000000000000000000000000000000000000000000000000 | (... ...@..... ................................... |
| \ICON\4\0 | 317B0 | 468 | 2F9B0 | 280000001000000020000000010020000000000000000000000000000000000000000000000000008BBCAC3F7EB1A07F7EB0 | (....... ..... ............................?~...~. |
| \GROUP_ICON\32512\0 | 31C28 | 30 | 2FE28 | 0000010003003030000001002000A825000002002020000001002000A810000003001010000001002000680400000400 | ......00.... ..%.... .... ............. .h..... |
| \VERSION\1\0 | 31C68 | 32C | 2FE68 | 2C0334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000500 | ,.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\0 | 31FA4 | 1EA | 301A4 | EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65 | ...<?xml version="1.0" encoding="UTF-8" standalone |
## Intelligent String

- 1.5.5.0
- KickassUndelete.exe
- .DLL
- .TMP
- .CAB
- .LNK
- .LOG
- .EXE
- .XML
- .INI
- explorer.exe
- -dumpfile <FS> <File>: Write the contents of file <File> on disk <FS> to stdout.
- -dumpfile
- runas
- .cat
- .mum
- _CorExeMainmscoree.dll
- F:\Projects\kickassundelete-git\temp\KickassUndelete.pdb
## Flow Anomalies

| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| ED2B | EFF1943 | .text | CALL [static] | Indirect call to absolute memory address |
| EF3F | 7DFF1B45 | .text | CALL [static] | Indirect call to absolute memory address |
| F70F | 21FF194A | .text | CALL [static] | Indirect call to absolute memory address |
| F75F | 21FF194A | .text | JMP [static] | Indirect jump to absolute memory address |
| F893 | 21FF194A | .text | CALL [static] | Indirect call to absolute memory address |
| 2C0BA | 42DEC8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2CF87 | 24FF295A | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| 2CFB3 | 19FF295A | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| 2D077 | 19FF295A | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 2D14F | 1BFF1548 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 2D1F3 | 1BFF1548 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 2D303 | 1BFF1548 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| 2F137 | EFF1943 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 2F34B | 7DFF1B45 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 2FB2B | 21FF194A | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 2FB7B | 21FF194A | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| 2FCAF | 21FF194A | .rsrc | CALL [static] | Indirect call to absolute memory address |
## Extra Analysis
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 110227 | 55,6297% |
| Null Byte Code | 48273 | 24,3626% |