PESCAN.IO - Analysis Report Basic

| File Structure |
PE chart legend (chart image not included in this extract): PE header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red indicates a malformed or corrupted header. Chart legend for other file types: printable characters (blue), non-printable characters (black).
| Information |
Size: 57,50 KB
SHA-256 Hash: D276524D5272EDED185B322B171BBDC2EC2BEFC5F975B3A4DE2F0933F8D3DFC7
SHA-1 Hash: 7380CFA98AEBDEF0D5776874AF8BCEB601230E26
MD5 Hash: E27E504B151750BE2122A6E44B9872C7
Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (rva): BDEE
SizeOfHeaders: 200
SizeOfImage: 14000
ImageBase: 400000
Architecture: x86
ImportTable: BDA0
IAT: 2000
Characteristics: 102
TimeDateStamp: 6227456F
Date: 08/03/2022 12:00:47
File Type: EXE
Number Of Sections: 3
ASLR: Enabled
Section Names: .text, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker
[Incomplete Binary or Compressor Packer - 22,50 KB Missing]
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 200 | 9E00 | 2000 | 9DF4 | | |
| .rsrc | 0x40000040 Initialized Data Readable | A000 | 4400 | C000 | 4358 | | |
| .reloc | 0x42000040 Initialized Data GP-Relative Readable | E400 | 200 | 12000 | C | | |

(Entropy and Chi2 values for the sections are not present in this extract.)
| Description |
OriginalFilename: GS_Sinc_Recursos_compartidos_Azure_con_Autopilot_Gasib.exe
LegalCopyright: Aplicacion desarrollada por Gunther Saldivia para Imagar Solutions Company
ProductName: Sinc
FileVersion: 2.0
FileDescription: Sinc
ProductVersion: 2.0
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)
| Entry Point |
Section number 1 (.text) holds the Entry Point.

EntryPoint (calculated file offset): 9FEE

Code (bytes at the entry point): FF25002040000000000000000000000000000000000000000000000000000000040003000000300000800E00000048000080

Assembler:
JMP DWORD PTR [0X402000]
ADD BYTE PTR [EAX], AL (repeated 13 times; the zero bytes following the jump stub decode as this instruction)
ADD AL, 0
ADD EAX, DWORD PTR [EAX]
ADD BYTE PTR [EAX], AL
XOR BYTE PTR [EAX], AL
ADD BYTE PTR [EAX + 0XE], AL
DEC EAX
ADD BYTE PTR [EAX], AL

The only meaningful instruction is the initial JMP DWORD PTR [0x402000], the standard .NET native stub that jumps through the IAT to _CorExeMain in mscoree.dll; the bytes after it are data, not code.
| Signatures |
| Certificate - Digital Signature Not Found: • The file is not signed |
| Packer/Compiler |
| Compiler: Microsoft Visual .NET - (You can use a decompiler for this...) • AnyCPU: True • Version: v4.0 Detect It Easy (die) • PE: library: .NET(v4.0.30319)[-] • PE: linker: Microsoft Linker(11.0)[-] • Entropy: 6.45331 |
| File Access |
| mscoree.dll Kernel32.dll user32.dll Temp |
| Interest's Words |
| PassWord <main exec powershell attrib start replace |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (send) |
| Text | Ascii | Encryption (FromBase64String) |
| Text | Ascii | Keyboard Key (Scroll) |
| Text | Ascii | Information used for user authentication (Credential) |
| Text | Ascii | Malicious rerouting of traffic to an attacker-controlled site (Redirect) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | TrueVision Targa Graphics format |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\2\0 | C4F0 | 3C60 | A4F0 | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A86600003C274944415478DAEDDD777C1475FE | .PNG........IHDR.............\r.f..<'IDATx...w|.u. |
| \GROUP_ICON\32512\0 | 10150 | 14 | E150 | 0000010001000000000001002000603C00000200 | ............ .<.... |
| \VERSION\1\0 | C130 | 3BC | A130 | BC0334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\0 | 10168 | 1EA | E168 | EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65 | ...<?xml version="1.0" encoding="UTF-8" standalone |
| Intelligent String |
• GS_Sinc_Recursos_compartidos_Azure_con_Autopilot_Gasib.exe
• _CorExeMainmscoree.dll
• 2.0.0.0
| Flow Anomalies |
| Offset | RVA | Section | Instruction | Description |
|---|---|---|---|---|
| 9FEE | 402000 | .text | JMP [static] | Indirect jump to absolute memory address |
| B8F9 | 402000 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| BBDD | 402000 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 36021 | 61,177% |
| Null Byte Code | 14038 | 23,8417% |
© 2026 All rights reserved.