PREMIUM PESCAN.IO - Analysis Report
| File Structure |
| (PE layout chart not reproduced here; legend only) |
PE Chart Code: • Executable header (light blue) • Executable sections (pink) • Non-executable sections (black) • External injected code (red) • File Structure in red = malformed or corrupted header
Chart Code For Other Files: • Printable characters (blue) • Non-printable characters (black)
| Information |
| Size: 356.07 KB (about 364,610 bytes, consistent with the byte counts under Extra Analysis) • File Type: DLL (see note below) • Architecture: x64 • Subsystem: Windows Console • Number Of Sections: 19 • Number Of Executable Sections: 1 |
| Hashes: SHA-256 48B9F78899B8A3DAAEB9CBF7245350A6222CBF0468CD5C2BAB954C8DBBCE3995 • SHA-1 A4A5AEDEC4E5C392D0C12CA774D92FC747187C5F • MD5 D4ED6ECED759BAD5757C5C0BDA13D878 • Imphash 64BE7641A660F28B6D53E98B0BB9A5E9 |
| Headers: MajorOSVersion: 4 • MinorOSVersion: 0 • CheckSum: 00063762 • EntryPoint (RVA): 13F0 • SizeOfHeaders: 600 • SizeOfImage: 50000 • ImageBase: 0000000140000000 • ImportTable: 1F000 • IAT: 1F370 • Characteristics: 26 • TimeDateStamp: 691C16F9 (2025-11-18 06:49:29 UTC) • ASLR: Disabled |
| Section Names (from the section table): .text, .data, .rdata, .pdata, .xdata, .bss, .idata, .CRT, .tls, .reloc, /4, /19, /31, /45, /57, /70, /81, /97, /113 |
| Note: Characteristics 0x26 decodes to IMAGE_FILE_EXECUTABLE_IMAGE (0x0002) + IMAGE_FILE_LINE_NUMS_STRIPPED (0x0004) + IMAGE_FILE_LARGE_ADDRESS_AWARE (0x0020). IMAGE_FILE_DLL (0x2000) is not set, so the "DLL" file-type label is not backed by the header flags; together with the Console subsystem, the header describes a console executable. Section names of the form /N are offsets into the COFF string table (used for names longer than 8 bytes), which is how GCC/MinGW-w64 builds carry their debug sections. "ASLR: Disabled" means IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE is clear even though a .reloc section is present: the image loads at 0x140000000 whenever that range is free, which makes addresses such as the TLS callback pointers below stable across runs. |
| Sections Info |
| Section Name | Flags | Raw Offset | Raw Size | RVA | Virtual Size | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000060 (Code, Initialized Data, Executable, Readable) | 600 | 15E00 | 1000 | 15C90 | 6.0279 | 1041112.23 |
| .data | C0000040 (Initialized Data, Readable, Writeable) | 16400 | 200 | 17000 | 1A0 | 1.2347 | 90812.00 |
| .rdata | 40000040 (Initialized Data, Readable) | 16600 | 3600 | 18000 | 3500 | 4.8454 | 498693.81 |
| .pdata | 40000040 (Initialized Data, Readable) | 19C00 | E00 | 1C000 | D44 | 4.7574 | 151953.71 |
| .xdata | 40000040 (Initialized Data, Readable) | 1AA00 | C00 | 1D000 | BDC | 4.1842 | 84494.33 |
| .bss | C0000080 (Uninitialized Data, Readable, Writeable) | 0 | 0 | 1E000 | BE0 | N/A | N/A |
| .idata | C0000040 (Initialized Data, Readable, Writeable) | 1B600 | E00 | 1F000 | D88 | 4.3506 | 166414.43 |
| .CRT | C0000040 (Initialized Data, Readable, Writeable) | 1C400 | 200 | 20000 | 60 | 0.2866 | 122518.00 |
| .tls | C0000040 (Initialized Data, Readable, Writeable) | 1C600 | 200 | 21000 | 10 | 0.0000 | 130560.00 |
| .reloc | 42000040 (Initialized Data, Discardable, Readable) | 1C800 | 400 | 22000 | 304 | 4.6384 | 25400.50 |
| /4 | 42000040 (Initialized Data, Discardable, Readable) | 1CC00 | 800 | 23000 | 6B0 | 1.6163 | 350612.50 |
| /19 | 42000040 (Initialized Data, Discardable, Readable) | 1D400 | 12C00 | 24000 | 12A69 | 5.8022 | 1375012.29 |
| /31 | 42000040 (Initialized Data, Discardable, Readable) | 30000 | 3600 | 37000 | 3551 | 4.8369 | 224059.59 |
| /45 | 42000040 (Initialized Data, Discardable, Readable) | 33600 | 7000 | 3B000 | 6FF2 | 5.0573 | 538614.11 |
| /57 | 42000040 (Initialized Data, Discardable, Readable) | 3A600 | 1800 | 42000 | 17C8 | 4.5651 | 200877.00 |
| /70 | 42000040 (Initialized Data, Discardable, Readable) | 3BE00 | 400 | 44000 | 3B6 | 4.6802 | 14096.00 |
| /81 | 42000040 (Initialized Data, Discardable, Readable) | 3C200 | 1A00 | 45000 | 1801 | 4.5861 | 83863.38 |
| /97 | 42000040 (Initialized Data, Discardable, Readable) | 3DC00 | 7C00 | 47000 | 7BE5 | 5.8332 | 526041.15 |
| /113 | 42000040 (Initialized Data, Discardable, Readable) | 45800 | 600 | 4F000 | 554 | 5.4363 | 33168.67 |
| Note: all values are hexadecimal. Bit 0x02000000 in 0x42000040 is IMAGE_SCN_MEM_DISCARDABLE; the original report labelled it "GP-Relative", which is a different bit (IMAGE_SCN_GPREL, 0x00008000). Read-only, discardable sections with /N string-table names are the usual appearance of compiler debug sections in an unstripped GCC/MinGW-w64 image, and they hold most of this file's non-code bytes (/19 alone is 0x12C00 bytes). Only .text is executable; the writable sections are .data, .bss, .idata, .CRT and .tls, and .CRT (VSize 0x60) is where the TLS callback pointers listed under Flow Anomalies live. |
| Binder/Joiner/Crypter |
| Dropper code detected (EOF) - 36.07 KB |
| Caveat: this is the tool's heuristic for data appended after the last section (an overlay). The first bytes of that overlay, shown under Flow Anomalies at offset 45E00 (2E66696C65... = ".file"), decode as a COFF symbol-table record: name ".file", storage class 0x67 (IMAGE_SYM_CLASS_FILE), section number 0xFFFE (IMAGE_SYM_DEBUG), one auxiliary record holding a source-file name. That is what an unstripped GNU ld build leaves after the sections, not an embedded payload. The size does not reconcile either: the last section (/113) ends at file offset 0x45800 + 0x600 = 0x45E00 (286,208 bytes), and the reported file size of 356.07 KB (about 364,610 bytes, see Extra Analysis) implies an overlay of roughly 78 KB, not 36.07 KB. To confirm, read PointerToSymbolTable and NumberOfSymbols from the COFF file header: if PointerToSymbolTable is 0x45E00, the overlay is the symbol table followed by its string table, and the "dropper" label can be discounted. |
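The overlay bytes the report prints at offset 45E00 (under Flow Anomalies below) can be decoded rather than trusted to a heuristic. The following is an added Python example, not PEScan.io output, that parses them as an IMAGE_SYMBOL record using the 18-byte layout from winnt.h (8-byte name, DWORD value, SHORT section number, WORD type, BYTE storage class, BYTE auxiliary count). The "MZ" counter-example and the long-name record are constructed for the check; reading the trailing "cr" as the start of a file name in the auxiliary record is an assumption, since the report truncates the bytes there.

```python
"""Decode the start of the overlay shown in this report as a COFF symbol-table record."""
import struct

# Copied from the *Overlay* row of the Flow Anomalies table: an 18-byte symbol plus the
# first 2 bytes of the auxiliary record that follows it (start of a file name, cut off
# by the report; that it is a file name is an assumption).
OVERLAY_HEAD = bytes.fromhex("2E66696C6500000061000000FEFF000067016372")

IMAGE_SYM_CLASS_FILE = 0x67   # storage class 103: a source-file name record
IMAGE_SYM_DEBUG = -2          # section number -2: debug symbol, belongs to no section
SYMBOL_SIZE = 18              # sizeof(IMAGE_SYMBOL); aux records are the same size


def coff_name(raw: bytes) -> str:
    """8-byte COFF name: inline if it fits, otherwise 4 zero bytes followed by a
    string-table offset, conventionally printed as "/N" (same rule the section
    table above uses for /4 ... /113)."""
    if raw[:4] == b"\0\0\0\0":
        return "/%d" % struct.unpack_from("<I", raw, 4)[0]
    return raw.rstrip(b"\0").decode("ascii", "replace")


def parse_coff_symbol(blob: bytes, pos: int = 0) -> dict:
    """Unpack one IMAGE_SYMBOL at blob[pos]; raises struct.error if too short."""
    name, value, section, sym_type, storage_class, n_aux = struct.unpack_from(
        "<8sIhHBB", blob, pos)
    return {
        "name": coff_name(name),
        "value": value,                   # for .file symbols: index of the next .file symbol
        "section": section,
        "type": sym_type,
        "storage_class": storage_class,
        "n_aux": n_aux,
        "aux_start": blob[pos + SYMBOL_SIZE: pos + SYMBOL_SIZE + SYMBOL_SIZE],
    }


def looks_like_coff_symbol_table(blob: bytes) -> bool:
    """True when the blob opens with a well-formed .file symbol, which is how the
    symbol table of an unstripped GNU ld image begins."""
    if len(blob) < SYMBOL_SIZE:
        return False
    sym = parse_coff_symbol(blob)
    return (sym["name"] == ".file"
            and sym["storage_class"] == IMAGE_SYM_CLASS_FILE
            and sym["section"] == IMAGE_SYM_DEBUG
            and sym["n_aux"] >= 1)


# Constructed counter-example: a DOS header is not a symbol record.
NOT_A_SYMBOL = b"MZ\x90\x00" + b"\x00" * 16

# Constructed long-name symbol: zero name, string-table offset 4 -> "/4", static class (3).
LONG_NAME_SYMBOL = b"\0\0\0\0\x04\0\0\0" + struct.pack("<IhHBB", 0, 1, 0, 3, 0)


if __name__ == "__main__":
    print(parse_coff_symbol(OVERLAY_HEAD))
    print("symbol table at overlay start:", looks_like_coff_symbol_table(OVERLAY_HEAD))
```

To apply this to the real file, seek to PointerToSymbolTable from the COFF file header and run `looks_like_coff_symbol_table` on the bytes there; if that offset equals the overlay start (0x45E00), the "dropper" finding is the linker's symbol table.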
| Entry Point |
| Section 1 (.text) contains the entry point. EntryPoint RVA 0x13F0 maps to file offset 0x9F0 (0x13F0 - .text RVA 0x1000 + .text raw offset 0x600); the report's "calculated" value is this file offset. |
| Bytes at the entry point: 4883EC28 488B0525920100 C70000000000 E87AFDFFFF 9090 4883C428 C3 0F1F00 4883EC28 E86F330100 4883F801 19C0 4883C4 |
| • SUB RSP, 0x28 • MOV RAX, QWORD PTR [RIP + 0x19225] • MOV DWORD PTR [RAX], 0 • CALL 0xD90 • NOP • NOP • ADD RSP, 0x28 • RET • NOP DWORD PTR [RAX] • SUB RSP, 0x28 • CALL 0x14398 • CMP RAX, 1 • SBB EAX, EAX • (the trailing 4883C4 is an ADD RSP, imm8 cut off by the dump) |
| Reading: the RIP-relative load resolves to RVA 0x13FB + 0x19225 = 0x1A620, inside .rdata, so the stub fetches a pointer from read-only data, stores 0 through it, calls one function and returns. That is the shape of the MinGW-w64 mainCRTStartup stub (a store to __mingw_app_type through a .refptr entry, then the CRT initialisation call) rather than an MSVC entry point, which fits the GCC-style section layout (.bss, .CRT, .tls, /N debug sections) and an unstripped symbol table; weigh the "Microsoft Visual C++ 8.0 (DLL)" hex-pattern match under Strings/Hex Code accordingly. The CALL targets printed by the report (0xD90, 0x14398) are relative to an assumed base of 0x1000, not to the RVA or file offset of the stub: add 0x3F0 to get the real RVAs, 0x1180 and 0x14788, both in .text. |
| Signatures |
| CheckSum Integrity Problem: • Header: 407394 (0x63762, matching the CheckSum field in the headers above) • Calculated: 419353 (0x66619). A stale or zero checksum is common in unsigned user-mode binaries, because the user-mode loader does not verify it (only drivers and certain system images are checked), so on its own this is a weak indicator; it does confirm the file was not re-checksummed after its last modification. |
| Certificate - Digital Signature Not Found: • The file is not signed (no Authenticode signature directory), so there is no publisher identity to pivot on. |
| Packer/Compiler |
| Detect It Easy (die): no packer or compiler signature reported for this sample • Entropy: 5.91699 (whole file; scale 0 to 8). A value just under 6 is what plain native code plus debug data produces; packed or encrypted content usually pushes a section above 7, and none of the sections above reaches that, so the sample does not look packed. |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | CreateToolhelp32Snapshot | Creates a snapshot of the specified processes, heaps, threads, and modules. |
| KERNEL32.DLL | CreateRemoteThread | Creates a thread in the address space of another process. |
| KERNEL32.DLL | WriteProcessMemory | Writes data to an area of memory in a specified process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
| SHELL32.DLL | ShellExecuteA | Performs an operation (for example "open") on a specified file. |
| WININET.DLL | InternetConnectA | Opens an FTP or HTTP session for a given site. |
| Note: CreateToolhelp32Snapshot, WriteProcessMemory and CreateRemoteThread together form the standard remote-thread injection sequence (enumerate processes to find a target, write into it, start a thread there). With the process names under File Access (msedge.exe, notepad.exe, explorer.exe) and the VirtualAlloc/VirtualProtect string hits below, the import set is consistent with injecting a downloaded stage into another process. OpenProcess and VirtualAllocEx are absent from the listed imports, so they may be resolved at run time through the imported GetProcAddress; the imphash above will not reflect such late-bound imports. |
| File Access |
| • msedge.exe • notepad.exe • explorer.exe • WININET.dll • USER32.dll • SHELL32.dll • msvcrt.dll • KERNEL32.dll • .dat • %sdocument_%04d%02d%02d_%02d%02d%02d.pdf • Temp |
| Note: the .pdf string is a printf-style format producing a file name with a YYYYMMDD_HHMMSS timestamp; given the GetTempPath hit below and the "Temp" string, the %s prefix is likely the temp directory, and with ShellExecuteA imported the file is plausibly a decoy document opened for the user. That is a reading of the strings, not something the report states. |
| File Access (UNICODE) |
| msvcrt.dll |
| Interest's Words |
| • exec • start • ping |
| IP Addresses |
| • 46.149.71.230 • 105.0.0.0 (dotted-quad pattern match; a value of this shape is as likely a version string as a network address, and only 46.149.71.230 recurs under Intelligent String) |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (accept) |
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Anti-Analysis VM (CreateToolhelp32Snapshot) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Stealth (CreateRemoteThread) |
| Text | Ascii | Execution (ShellExecute) |
| Text | Ascii | Small piece of code used as the payload in an exploit (Shellcode) |
| Text | Ascii | Technique used to insert malicious code into legitimate processes (Inject) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 (DLL) |
| Intelligent String |
| • .bss • msvcrt.dll • .tls • @.bss • .CRT • 46.149.71.230 • %sdocument_%04d%02d%02d_%02d%02d%02d.pdf • open • /fontawesome.woff • explorer.exe • notepad.exe • msedge.exe • KERNEL32.dll • USER32.dll • WININET.dll • stager_pdf.cpp |
| Note: the report ran several adjacent strings together ("...pdfopen/fontawesome.woffexplorer.exe..."); the split shown here is a reading of that run, not the tool's output. "open" matches the ShellExecuteA verb, "/fontawesome.woff" is a URL path shape that fits the InternetConnectA import. stager_pdf.cpp is a source-file name of the kind compilers embed in debug and symbol information, consistent with an unstripped build. |
| Flow Anomalies |
| Offset | RVA | Section | Description |
|---|---|---|---|
| 82F | N/A | .text | CALL QWORD PTR [RIP+0x1E20B] |
| 1500 | N/A | .text | JMP QWORD PTR [RIP+0x1D752] |
| 1508 | N/A | .text | JMP QWORD PTR [RIP+0x1D742] |
| 1510 | N/A | .text | JMP QWORD PTR [RIP+0x1D732] |
| 1518 | N/A | .text | JMP QWORD PTR [RIP+0x1D722] |
| 1520 | N/A | .text | JMP QWORD PTR [RIP+0x1D712] |
| 1528 | N/A | .text | JMP QWORD PTR [RIP+0x1D702] |
| CF1B | N/A | .text | CALL QWORD PTR [RIP+0x11B67] |
| CF7E | N/A | .text | CALL QWORD PTR [RIP+0x11AFC] |
| CF88 | N/A | .text | CALL QWORD PTR [RIP+0x11A1A] |
| D564 | N/A | .text | CALL QWORD PTR [RIP+0x1142E] |
| D5BA | N/A | .text | JMP QWORD PTR [RIP+0x11428] |
| D607 | N/A | .text | CALL QWORD PTR [RIP+0x1138B] |
| D622 | N/A | .text | CALL QWORD PTR [RIP+0x113C0] |
| D65A | N/A | .text | CALL QWORD PTR [RIP+0x11338] |
| D696 | N/A | .text | CALL QWORD PTR [RIP+0x1134C] |
| D775 | N/A | .text | CALL QWORD PTR [RIP+0x11215] |
| D7A7 | N/A | .text | CALL QWORD PTR [RIP+0x1122B] |
| DC04 | N/A | .text | CALL QWORD PTR [RIP+0x10D66] |
| DC56 | N/A | .text | CALL QWORD PTR [RIP+0x10DEC] |
| DCEC | N/A | .text | CALL QWORD PTR [RIP+0x10D5E] |
| DD17 | N/A | .text | JMP QWORD PTR [RIP+0x10C8B] |
| DD24 | N/A | .text | CALL QWORD PTR [RIP+0x10D2E] |
| DD3D | N/A | .text | JMP QWORD PTR [RIP+0x10C65] |
| DD58 | N/A | .text | CALL QWORD PTR [RIP+0x10C4A] |
| DD62 | N/A | .text | CALL QWORD PTR [RIP+0x10CF8] |
| DD6D | N/A | .text | CALL QWORD PTR [RIP+0x10CC5] |
| DD84 | N/A | .text | CALL QWORD PTR [RIP+0x10CDE] |
| DD9D | N/A | .text | JMP QWORD PTR [RIP+0x10C05] |
| DDB1 | N/A | .text | JMP QWORD PTR [RIP+0x10C21] |
| DDC1 | N/A | .text | JMP QWORD PTR [RIP+0x10BC9] |
| DDD4 | N/A | .text | CALL QWORD PTR [RIP+0x10BBE] |
| DDF8 | N/A | .text | CALL QWORD PTR [RIP+0x10C72] |
| DE13 | N/A | .text | CALL QWORD PTR [RIP+0x10BCF] |
| DE34 | N/A | .text | CALL QWORD PTR [RIP+0x10BAE] |
| DE54 | N/A | .text | CALL QWORD PTR [RIP+0x10C16] |
| DE8B | N/A | .text | CALL QWORD PTR [RIP+0x10B7F] |
| DF6C | N/A | .text | CALL QWORD PTR [RIP+0x10AAE] |
| E085 | N/A | .text | CALL QWORD PTR [RIP+0x10985] |
| E1A1 | N/A | .text | CALL QWORD PTR [RIP+0x10881] |
| E1C7 | N/A | .text | CALL QWORD PTR [RIP+0x1085B] |
| E20B | N/A | .text | CALL QWORD PTR [RIP+0x107FF] |
| E2B2 | N/A | .text | CALL QWORD PTR [RIP+0x10760] |
| E2EF | N/A | .text | CALL QWORD PTR [RIP+0x10733] |
| E332 | N/A | .text | CALL QWORD PTR [RIP+0x106D8] |
| E41F | N/A | .text | CALL QWORD PTR [RIP+0x105F3] |
| E685 | N/A | .text | CALL QWORD PTR [RIP+0x103D5] |
| E690 | N/A | .text | CALL QWORD PTR [RIP+0x103A2] |
| E703 | N/A | .text | CALL QWORD PTR [RIP+0x1028F] |
| E727 | N/A | .text | CALL QWORD PTR [RIP+0x102BB] |
| E764 | N/A | .text | CALL QWORD PTR [RIP+0x102FE] |
| E7D0 | N/A | .text | CALL QWORD PTR [RIP+0x10202] |
| E7D6 | N/A | .text | CALL QWORD PTR [RIP+0x10274] |
| E86C | N/A | .text | CALL QWORD PTR [RIP+0x10136] |
| 11369 | N/A | .text | JMP QWORD PTR [RIP+0xFFFFF] |
| 12B5A | N/A | .text | JMP QWORD PTR [RIP+0xBE38] |
| 12C23 | N/A | .text | CALL QWORD PTR [RIP+0xBDBF] |
| 12D2D | N/A | .text | JMP QWORD PTR [RIP+0xBCB5] |
| 12E9C | N/A | .text | CALL QWORD PTR [RIP+0xBB46] |
| 130C2 | N/A | .text | CALL QWORD PTR [RIP+0xB920] |
| 1314A | N/A | .text | CALL QWORD PTR [RIP+0xB898] |
| 13882 | N/A | .text | CALL QWORD PTR [RIP+0xB210] |
| 13A4A | N/A | .text | CALL QWORD PTR [RIP+0xAF90] |
| 13A8A | N/A | .text | CALL QWORD PTR [RIP+0xAF60] |
| 13B22 | N/A | .text | CALL QWORD PTR [RIP+0xAEC8] |
| 13D30 | N/A | .text | JMP QWORD PTR [RIP+0xAD8A] |
| 13D38 | N/A | .text | JMP QWORD PTR [RIP+0xAD8A] |
| 13D40 | N/A | .text | JMP QWORD PTR [RIP+0xAD8A] |
| 13D48 | N/A | .text | JMP QWORD PTR [RIP+0xAD8A] |
| 13D50 | N/A | .text | JMP QWORD PTR [RIP+0xAD92] |
| 13D58 | N/A | .text | JMP QWORD PTR [RIP+0xAD92] |
| 13D60 | N/A | .text | JMP QWORD PTR [RIP+0xAD92] |
| 13D68 | N/A | .text | JMP QWORD PTR [RIP+0xAD92] |
| 13D70 | N/A | .text | JMP QWORD PTR [RIP+0xAD92] |
| 13D78 | N/A | .text | JMP QWORD PTR [RIP+0xAD9A] |
| 13D80 | N/A | .text | JMP QWORD PTR [RIP+0xADA2] |
| 13D88 | N/A | .text | JMP QWORD PTR [RIP+0xADA2] |
| 13D90 | N/A | .text | JMP QWORD PTR [RIP+0xADB2] |
| 13D98 | N/A | .text | JMP QWORD PTR [RIP+0xADB2] |
| 13DA0 | N/A | .text | JMP QWORD PTR [RIP+0xADB2] |
| 13DA8 | N/A | .text | JMP QWORD PTR [RIP+0xADB2] |
| 13DB0 | N/A | .text | JMP QWORD PTR [RIP+0xADB2] |
| 13DB8 | N/A | .text | JMP QWORD PTR [RIP+0xADB2] |
| 13DC0 | N/A | .text | JMP QWORD PTR [RIP+0xADB2] |
| 13DC8 | N/A | .text | JMP QWORD PTR [RIP+0xADB2] |
| 13DD0 | N/A | .text | JMP QWORD PTR [RIP+0xADB2] |
| 13DD8 | N/A | .text | JMP QWORD PTR [RIP+0xADB2] |
| 13DE0 | N/A | .text | JMP QWORD PTR [RIP+0xADB2] |
| 13DE8 | N/A | .text | JMP QWORD PTR [RIP+0xADB2] |
| 13DF0 | N/A | .text | JMP QWORD PTR [RIP+0xADB2] |
| 13DF8 | N/A | .text | JMP QWORD PTR [RIP+0xADB2] |
| 13E00 | N/A | .text | JMP QWORD PTR [RIP+0xADB2] |
| 13E08 | N/A | .text | JMP QWORD PTR [RIP+0xADB2] |
| 13E10 | N/A | .text | JMP QWORD PTR [RIP+0xADB2] |
| 13E18 | N/A | .text | JMP QWORD PTR [RIP+0xADB2] |
| 13E20 | N/A | .text | JMP QWORD PTR [RIP+0xADB2] |
| 13E28 | N/A | .text | JMP QWORD PTR [RIP+0xADB2] |
| 13E30 | N/A | .text | JMP QWORD PTR [RIP+0xADB2] |
| 13E38 | N/A | .text | JMP QWORD PTR [RIP+0xADB2] |
| 13E40 | N/A | .text | JMP QWORD PTR [RIP+0xADB2] |
| 45E00 | N/A | *Overlay* | First bytes after the last section: 2E66696C6500000061000000FEFF000067016372 (".file...a.......g.cr"), a COFF .file symbol record (storage class 0x67, section number 0xFFFE, one aux record) |
| 1C438 | D650 | .CRT | TLS Callback: pointer 0x14000D650 -> RVA 0xD650 -> file offset 0xCC50 (.text) |
| 1C440 | D620 | .CRT | TLS Callback: pointer 0x14000D620 -> RVA 0xD620 -> file offset 0xCC20 (.text) |
| Note: TLS callbacks run when the image is mapped, before the entry point, so a debugger that only breaks at 0x13F0 misses them. Two callbacks stored in .CRT with targets in .text is also what the MinGW-w64 runtime registers by default for its TLS support, so inspect the code at 0xCC50 and 0xCC20 before treating them as anti-debugging. |
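Most rows in this table are CALL/JMP QWORD PTR [RIP+disp], which is simply how x64 code reaches imported functions through the IAT; the rows at 13D30 to 13E40 are the linker's import thunk block. The useful check is whether each displacement resolves into .idata at or after the IAT (ordinary import call) or somewhere else. The following is an added Python example, not PEScan.io output, that reproduces the report's address arithmetic from the section table above: entry point RVA 0x13F0 to file offset 0x9F0, the TLS callback pointers to their .text offsets, and the flow-anomaly targets. It assumes the 6-byte FF 15 / FF 25 + disp32 encodings, takes the displacements as printed (non-negative), and checks the IAT range only against its start (0x1F370) because the report does not give its size; the section flag names are the IMAGE_SCN_* bits from winnt.h.

```python
"""RVA / VA / file-offset mapping and indirect-branch resolution for the PE in this
report, using the section table copied from Sections Info (all values hexadecimal)."""
from typing import Dict, List, Optional, Tuple

IMAGE_BASE = 0x140000000      # ImageBase from the Information block
SIZE_OF_IMAGE = 0x50000       # SizeOfImage
IAT_RVA = 0x1F370             # IAT start; its size is not in the report

# (name, PointerToRawData, SizeOfRawData, VirtualAddress, VirtualSize)
SECTIONS: List[Tuple[str, int, int, int, int]] = [
    (".text",  0x00600, 0x15E00, 0x01000, 0x15C90),
    (".data",  0x16400, 0x00200, 0x17000, 0x001A0),
    (".rdata", 0x16600, 0x03600, 0x18000, 0x03500),
    (".pdata", 0x19C00, 0x00E00, 0x1C000, 0x00D44),
    (".xdata", 0x1AA00, 0x00C00, 0x1D000, 0x00BDC),
    (".bss",   0x00000, 0x00000, 0x1E000, 0x00BE0),
    (".idata", 0x1B600, 0x00E00, 0x1F000, 0x00D88),
    (".CRT",   0x1C400, 0x00200, 0x20000, 0x00060),
    (".tls",   0x1C600, 0x00200, 0x21000, 0x00010),
    (".reloc", 0x1C800, 0x00400, 0x22000, 0x00304),
    ("/4",     0x1CC00, 0x00800, 0x23000, 0x006B0),
    ("/19",    0x1D400, 0x12C00, 0x24000, 0x12A69),
    ("/31",    0x30000, 0x03600, 0x37000, 0x03551),
    ("/45",    0x33600, 0x07000, 0x3B000, 0x06FF2),
    ("/57",    0x3A600, 0x01800, 0x42000, 0x017C8),
    ("/70",    0x3BE00, 0x00400, 0x44000, 0x003B6),
    ("/81",    0x3C200, 0x01A00, 0x45000, 0x01801),
    ("/97",    0x3DC00, 0x07C00, 0x47000, 0x07BE5),
    ("/113",   0x45800, 0x00600, 0x4F000, 0x00554),
]

# IMAGE_SCN_* bits from winnt.h: 0x02000000 is MEM_DISCARDABLE, GPREL is 0x00008000.
SECTION_FLAGS = {
    0x00000020: "CNT_CODE",
    0x00000040: "CNT_INITIALIZED_DATA",
    0x00000080: "CNT_UNINITIALIZED_DATA",
    0x00008000: "GPREL",
    0x02000000: "MEM_DISCARDABLE",
    0x20000000: "MEM_EXECUTE",
    0x40000000: "MEM_READ",
    0x80000000: "MEM_WRITE",
}


def decode_section_flags(flags: int) -> List[str]:
    return [name for bit, name in sorted(SECTION_FLAGS.items()) if flags & bit]


def section_for_rva(rva: int) -> Optional[str]:
    for name, _, rsize, vofs, vsize in SECTIONS:
        if vofs <= rva < vofs + max(vsize, rsize):
            return name
    return None


def rva_to_offset(rva: int) -> Optional[int]:
    """RVA -> file offset; None when no file bytes back it (.bss, or outside the image)."""
    for _, rofs, rsize, vofs, vsize in SECTIONS:
        if vofs <= rva < vofs + max(vsize, rsize):
            delta = rva - vofs
            return rofs + delta if delta < rsize else None
    return None


def offset_to_rva(offset: int) -> Optional[int]:
    for _, rofs, rsize, vofs, _ in SECTIONS:
        if rsize and rofs <= offset < rofs + rsize:
            return vofs + (offset - rofs)
    return None


def va_to_rva(va: int) -> Optional[int]:
    rva = va - IMAGE_BASE
    return rva if 0 <= rva < SIZE_OF_IMAGE else None


def indirect_target(file_offset: int, disp: int, insn_len: int = 6) -> Tuple[Optional[int], Optional[str]]:
    """Target of CALL/JMP QWORD PTR [RIP+disp] located at a file offset -> (target RVA, section).
    RIP is the address of the next instruction; FF 15 / FF 25 + disp32 is 6 bytes."""
    rva = offset_to_rva(file_offset)
    if rva is None:
        return None, None
    target = rva + insn_len + disp
    return target, section_for_rva(target)


def is_iat_slot(file_offset: int, disp: int) -> bool:
    """True when the indirect branch reads its pointer from the import address table."""
    target, sect = indirect_target(file_offset, disp)
    return sect == ".idata" and target is not None and target >= IAT_RVA


# Rows taken from the Flow Anomalies table: (file offset, displacement). The 11369 row
# resolves far outside the image as printed, which is worth rechecking against the bytes.
FLOW_ROWS = [(0x82F, 0x1E20B), (0x1500, 0x1D752), (0x13D30, 0xAD8A), (0x11369, 0xFFFFF)]


def summarize() -> Dict[str, object]:
    tls = [va_to_rva(va) for va in (0x14000D650, 0x14000D620)]   # TLS callback pointers
    return {
        "entry_point_offset": rva_to_offset(0x13F0),
        "tls_callback_offsets": [rva_to_offset(r) for r in tls if r is not None],
        "iat_slots": {hex(off): is_iat_slot(off, disp) for off, disp in FLOW_ROWS},
    }


if __name__ == "__main__":
    print(summarize())
```

Running it reproduces the report's figures (entry at 0x9F0, callbacks at 0xCC50 and 0xCC20) and shows the three sampled IAT rows landing in .idata above 0x1F370, while the 0x11369 row with displacement 0xFFFFF lands outside every section as printed. Feed the same function the rest of the table to separate ordinary import calls from anything that actually deserves the "anomaly" label.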
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 187134 | 51.3243% |
| Null Byte Code | 100153 | 27.4685% |
| NOP Cave Found (0x9090909090) | Block Count: 165 | 0.1131% |
© 2026 All rights reserved.