PESCAN.IO - Analysis Report Basic

| File Structure |
PE chart (image not included) legend: executable header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); file structure drawn in red = malformed or corrupted header.
Chart legend for other file types: printable characters (blue), non-printable characters (black).
| Information |
Size: 5,73 MB
SHA-256 Hash: A1A6F390BC0E89C78D6FD9FE7561C18F9EC94A586997C73F85FB674F0886AA9D
SHA-1 Hash: CC3FFAA9F43287811932BC3B3275963830F7EB9C
MD5 Hash: DCB5B75DE7E7C8596011FEB01358FDD6
Imphash: 7D03A66A3630475A0F63630FA4E99A1C
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 0002579A
EntryPoint (rva): 14F0
SizeOfHeaders: 400
SizeOfImage: 30000
ImageBase: 400000
Architecture: x86
ImportTable: 1E000
IAT: 1E208
Characteristics: 32F
TimeDateStamp: 62206E6F
Date: 03/03/2022 7:29:51
File Type: EXE
Number Of Sections: 8
ASLR: Disabled
Section Names: .text, .data, .rdata, .bss, .idata, .CRT, .tls, .rsrc
Number Of Executable Sections: 1
Subsystem: Windows Console
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60500020 (Code, Executable, Readable) | 400 | 9A00 | 1000 | 9960 | 6,1182 | 366043,09 |
| .data | C0300040 (Initialized Data, Readable, Writeable) | 9E00 | 200 | B000 | 38 | 0,6651 | 109711,00 |
| .rdata | 40700040 (Initialized Data, Readable) | A000 | 5000 | C000 | 4FC8 | 7,0195 | 72779,73 |
| .bss | C0700080 (Uninitialized Data, Readable, Writeable) | 0 | 0 | 11000 | C698 | N/A | N/A |
| .idata | C0300040 (Initialized Data, Readable, Writeable) | F000 | C00 | 1E000 | B90 | 5,0938 | 61545,67 |
| .CRT | C0300040 (Initialized Data, Readable, Writeable) | FC00 | 200 | 1F000 | 34 | 0,2748 | 123012,00 |
| .tls | C0300040 (Initialized Data, Readable, Writeable) | FE00 | 200 | 20000 | 20 | 0,1755 | 125999,00 |
| .rsrc | C0300040 (Initialized Data, Readable, Writeable) | 10000 | EC00 | 21000 | EA34 | 7,2971 | 322279,33 |
| Binder/Joiner/Crypter |
| Dropper code detected (EOF) - 5,54 MB |
| Entry Point |
Section number 1 (.text) holds the Entry Point. EntryPoint (calculated file offset): 8F0
Code bytes at the Entry Point: 83EC0CC705D8D2410000000000E87E89000083C40CE976FCFFFF9090909090905383EC18A1B4E241008B5C24208B00894424
Disassembly:
• SUB ESP, 0XC
• MOV DWORD PTR [0X41D2D8], 0
• CALL 0X9990
• ADD ESP, 0XC
• JMP 0XC90
• NOP
• NOP
• NOP
• NOP
• NOP
• NOP
• PUSH EBX
• SUB ESP, 0X18
• MOV EAX, DWORD PTR [0X41E2B4]
• MOV EBX, DWORD PTR [ESP + 0X20]
• MOV EAX, DWORD PTR [EAX]
| Signatures |
CheckSum Integrity Problem:
• Header: 153498
• Calculated: 6024138
Certificate - Digital Signature Not Found:
• The file is not signed
| Packer/Compiler |
Detect It Easy (die):
• PE: compiler: MinGW(GCC: (x86_64-posix-sjlj-rev0, Built by MinGW-W64 project) 4.8.3)[-]
• PE: linker: GNU linker ld (GNU Binutils)(2.24)[-]
• PE: overlay: zlib archive(-)[-]
• Entropy: 7.99739
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| File Access |
| bExport_FileHistory.exe %s%s%s.exe python35.dll bsqlite3.dll bpython35.dll bmsvcr120.dll blibesedb.dll bVCRUNTIME140.dll WS2_32.dll msvcrt.dll KERNEL32.dll python%02d.dll .dat enum\doc\enum.pdf xbase_library.zip .zip Temp |
| Words of Interest |
| exec start ping expand |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Execution (CreateProcessW) |
| Text | Ascii | Stealer malware focused on obtaining CVV codes to conduct unauthorized transactions (CVV) |
| Entry Point | Hex Pattern | Win.Trojan.Peed-422 |
| Entry Point | Hex Pattern | Win.Trojan.Peed-423 |
| Entry Point | Hex Pattern | Win.Trojan.Peed-426 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | VC8 - Microsoft Corporation |
| Entry Point | Hex Pattern | Windows or OS/2 Graphics format |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\0 | 211C0 | EA8 | 101C0 | 28000000300000006000000001000800000000000000000000000000000000000000000000000000000000000B0702000005 | (...0............................................ |
| \ICON\2\0 | 22068 | 8A8 | 11068 | 2800000020000000400000000100080000000000000000000000000000000000000000000000000000000000050302000606 | (... ...@......................................... |
| \ICON\3\0 | 22910 | 568 | 11910 | 2800000010000000200000000100080000000000000000000000000000000000000000000000000000000000080400000C08 | (....... ......................................... |
| \ICON\4\0 | 22E78 | 909B | 11E78 | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A866000090624944415478DAEC5D07601CC5D5 | .PNG........IHDR.............\r.f...bIDATx..].... |
| \ICON\5\0 | 2BF14 | 25A8 | 1AF14 | 2800000030000000600000000100200000000000000000000000000000000000000000000000000000000000000000000000 | (...0........ ................................... |
| \ICON\6\0 | 2E4BC | 10A8 | 1D4BC | 2800000020000000400000000100200000000000000000000000000000000000000000000000000000000000000000000000 | (... ...@..... ................................... |
| \ICON\7\0 | 2F564 | 468 | 1E564 | 28000000100000002000000001002000000000000000000000000000000000000000000000000000000000000F0800175838 | (....... ..... .................................X8 |
| \GROUP_ICON\101\0 | 2F9CC | 68 | 1E9CC | 0000010007003030000001000800A80E000001002020000001000800A8080000020010100000010008006805000003000000 | ......00............ ....................h....... |
| Intelligent String |
• @p@.bss
• .CRT
• .tls
• :\..%s%s%s%s%s%s%s%s%s%s.pkg%s%s%s.exe%s%s%sArchive not found: %s
• KERNEL32.dll
• msvcrt.dll
• WS2_32.dll
• .Clf
• YN.kLu
• V.AwL
• )sqlite3.dump)r
• b_bz2.cp35-win32.pyd
• b_ctypes.cp35-win32.pyd
• b_hashlib.cp35-win32.pyd
• b_lzma.cp35-win32.pyd
• b_socket.cp35-win32.pyd
• b_sqlite3.cp35-win32.pyd
• b_ssl.cp35-win32.pyd
• blibesedb.dll
• bmsvcr120.dll
• bpyesedb.cp35-win32.pyd
• bpyexpat.cp35-win32.pyd
• bpython35.dll
• bselect.cp35-win32.pyd
• bsqlite3.dll
• bunicodedata.cp35-win32.pyd
• xbase_library.zip
• python35.dll
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 692 | 41E278 | .text | CALL [static] | Indirect call to absolute memory address |
| 88A | 41E248 | .text | CALL [static] | Indirect call to absolute memory address |
| 9E2 | 41E3B8 | .text | CALL [static] | Indirect call to absolute memory address |
| C97 | 41E3B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 10FD | 41E3B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 112D | 41E3B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 17A5 | 411078 | .text | CALL [static] | Indirect call to absolute memory address |
| 1840 | 411050 | .text | CALL [static] | Indirect call to absolute memory address |
| 185F | 411058 | .text | CALL [static] | Indirect call to absolute memory address |
| 186C | 4110B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1875 | 411054 | .text | CALL [static] | Indirect call to absolute memory address |
| 1890 | 411034 | .text | CALL [static] | Indirect call to absolute memory address |
| 18ED | 411078 | .text | CALL [static] | Indirect call to absolute memory address |
| 18FE | 411060 | .text | CALL [static] | Indirect call to absolute memory address |
| 190F | 411094 | .text | CALL [static] | Indirect call to absolute memory address |
| 192A | 41105C | .text | CALL [static] | Indirect call to absolute memory address |
| 193A | 411090 | .text | CALL [static] | Indirect call to absolute memory address |
| 1948 | 411064 | .text | CALL [static] | Indirect call to absolute memory address |
| 1954 | 41108C | .text | CALL [static] | Indirect call to absolute memory address |
| 1961 | 4110B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 196A | 4110B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1970 | 411088 | .text | CALL [static] | Indirect call to absolute memory address |
| 1976 | 411090 | .text | CALL [static] | Indirect call to absolute memory address |
| 198A | 4110B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1993 | 4110B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1999 | 411090 | .text | CALL [static] | Indirect call to absolute memory address |
| 1BD2 | 41E270 | .text | CALL [static] | Indirect call to absolute memory address |
| 1D8D | 41E270 | .text | CALL [static] | Indirect call to absolute memory address |
| 1FDA | 41E2DC | .text | CALL [static] | Indirect call to absolute memory address |
| 2027 | 41E320 | .text | CALL [static] | Indirect call to absolute memory address |
| 2174 | 41E238 | .text | CALL [static] | Indirect call to absolute memory address |
| 227D | 41E31C | .text | CALL [static] | Indirect call to absolute memory address |
| 2ED7 | 41104C | .text | CALL [static] | Indirect call to absolute memory address |
| 2F1C | 41E3B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 2F87 | 41E234 | .text | CALL [static] | Indirect call to absolute memory address |
| 2FCC | 41E3B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 2FF2 | 41E23C | .text | CALL [static] | Indirect call to absolute memory address |
| 30D5 | 411030 | .text | CALL [static] | Indirect call to absolute memory address |
| 31FE | 41109C | .text | CALL [static] | Indirect call to absolute memory address |
| 3266 | 4110A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 32FC | 41108C | .text | CALL [static] | Indirect call to absolute memory address |
| 33E4 | 4110A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 341E | 411098 | .text | CALL [static] | Indirect call to absolute memory address |
| 3454 | 411048 | .text | CALL [static] | Indirect call to absolute memory address |
| 3477 | 41103C | .text | CALL [static] | Indirect call to absolute memory address |
| 3570 | 411050 | .text | CALL [static] | Indirect call to absolute memory address |
| 35A7 | 411020 | .text | CALL [static] | Indirect call to absolute memory address |
| 35C2 | 411040 | .text | CALL [static] | Indirect call to absolute memory address |
| 35CF | 411070 | .text | CALL [static] | Indirect call to absolute memory address |
| 35D8 | 411060 | .text | CALL [static] | Indirect call to absolute memory address |
| 35E9 | 411094 | .text | CALL [static] | Indirect call to absolute memory address |
| 368A | 411074 | .text | CALL [static] | Indirect call to absolute memory address |
| 3694 | 41108C | .text | CALL [static] | Indirect call to absolute memory address |
| 369E | 411088 | .text | CALL [static] | Indirect call to absolute memory address |
| 36A4 | 411090 | .text | CALL [static] | Indirect call to absolute memory address |
| 36C0 | 41E3B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 375A | 41E3B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 379F | 41102C | .text | CALL [static] | Indirect call to absolute memory address |
| 37D4 | 411020 | .text | CALL [static] | Indirect call to absolute memory address |
| 37EB | 411028 | .text | CALL [static] | Indirect call to absolute memory address |
| 37F6 | 4110B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 3803 | 411044 | .text | CALL [static] | Indirect call to absolute memory address |
| 3814 | 41106C | .text | CALL [static] | Indirect call to absolute memory address |
| 386B | 4110B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 38FD | 41E27C | .text | CALL [static] | Indirect call to absolute memory address |
| 395F | 41E22C | .text | CALL [static] | Indirect call to absolute memory address |
| 3996 | 41E214 | .text | CALL [static] | Indirect call to absolute memory address |
| 3A19 | 41E274 | .text | CALL [static] | Indirect call to absolute memory address |
| 3A6E | 41E274 | .text | CALL [static] | Indirect call to absolute memory address |
| 3AB6 | 41E250 | .text | CALL [static] | Indirect call to absolute memory address |
| 3AFC | 41E30C | .text | CALL [static] | Indirect call to absolute memory address |
| 3C29 | 41E2CC | .text | CALL [static] | Indirect call to absolute memory address |
| 3C87 | 41E2D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 3C9B | 41E2C8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4006 | 41E264 | .text | CALL [static] | Indirect call to absolute memory address |
| 40E8 | 41E248 | .text | CALL [static] | Indirect call to absolute memory address |
| 4178 | 41E21C | .text | CALL [static] | Indirect call to absolute memory address |
| 41C1 | 41E208 | .text | CALL [static] | Indirect call to absolute memory address |
| 41FF | 41E294 | .text | CALL [static] | Indirect call to absolute memory address |
| 4217 | 41E230 | .text | CALL [static] | Indirect call to absolute memory address |
| 4233 | 41E234 | .text | CALL [static] | Indirect call to absolute memory address |
| 4274 | 41E218 | .text | CALL [static] | Indirect call to absolute memory address |
| 4469 | 41E298 | .text | CALL [static] | Indirect call to absolute memory address |
| 44BB | 41E298 | .text | CALL [static] | Indirect call to absolute memory address |
| 45F9 | 41E268 | .text | CALL [static] | Indirect call to absolute memory address |
| 463B | 41E268 | .text | CALL [static] | Indirect call to absolute memory address |
| 46CC | 41E260 | .text | CALL [static] | Indirect call to absolute memory address |
| 8B37 | 41E2F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 8E7A | 41E290 | .text | CALL [static] | Indirect call to absolute memory address |
| 8ED0 | 41E28C | .text | CALL [static] | Indirect call to absolute memory address |
| 8EDD | 41E234 | .text | CALL [static] | Indirect call to absolute memory address |
| 90B7 | 41E290 | .text | CALL [static] | Indirect call to absolute memory address |
| 90E8 | 41E28C | .text | CALL [static] | Indirect call to absolute memory address |
| 92B8 | 41E24C | .text | CALL [static] | Indirect call to absolute memory address |
| 92C9 | 41E224 | .text | CALL [static] | Indirect call to absolute memory address |
| 92D1 | 41E228 | .text | CALL [static] | Indirect call to absolute memory address |
| 92DA | 41E254 | .text | CALL [static] | Indirect call to absolute memory address |
| 92E9 | 41E26C | .text | CALL [static] | Indirect call to absolute memory address |
| 937F | 41E278 | .text | CALL [static] | Indirect call to absolute memory address |
| 938F | 41E288 | .text | CALL [static] | Indirect call to absolute memory address |
| 166E8A-166EB7 | N/A | *padding* | Jump sequence | Potential obfuscated jump sequence detected, count: 23 |
| 1AA36F-1AA3A2 | N/A | *padding* | Jump sequence | Potential obfuscated jump sequence detected, count: 26 |
| 1B6F8B-1B6FEC | N/A | *padding* | Jump sequence | Potential obfuscated jump sequence detected, count: 49 |
| 32886D-3288AB | N/A | *padding* | Jump sequence | Potential obfuscated jump sequence detected, count: 30 |
| 351C79-351CB0 | N/A | *padding* | Jump sequence | Potential obfuscated jump sequence detected, count: 28 |
| 425291-4252A1 | N/A | *padding* | Jump sequence | Potential obfuscated jump sequence detected, count: 7 |
| FC20 | 95D0 | .CRT | TLS Callback | Pointer to 4095D0 - 0x89D0 .text |
| FC24 | 9580 | .CRT | TLS Callback | Pointer to 409580 - 0x8980 .text |
| 1EC00 | N/A | *Overlay* | Overlay bytes | 78DA4D90CF4AC43010C6274D77B77FB6EC9EC4E3 (x.M..J.0..'Mw.......) |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 4108336 | 68,3573% |
| Null Byte Code | 40805 | 0,6789% |
| NOP Cave Found (0x9090909090) | Block Count: 63 | Total: 0,0026% |
© 2026 All rights reserved.