PESCAN.IO - Analysis Report Basic

File Structure

PE Chart Code (legend for the file-structure chart):
Executable header (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header

Chart Code For Other Files:
Printable characters (blue)
Non-printable characters (black)
Information

Size: 367,10 KB
SHA-256 Hash: F83B9D7945BFE1D4494280BB8A26A04875E79DBE9B61B8A8219E52EF7E892282
SHA-1 Hash: B01D16BBB0F1EBF90A2D9F9B94EDFE8A81465313
MD5 Hash: E2FC0AF7D39C68F5AFDDB054E0ECCF4D
Imphash: 09D0478591D4F788CB3E5EA416C25237
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 0005E4BD
EntryPoint (rva): 1284
SizeOfHeaders: 200
SizeOfImage: E3000
ImageBase: 400000
Architecture: x86
ImportTable: E14D4
Characteristics: 30F
TimeDateStamp: 534A53FE
Date: 13/04/2014 9:08:14
File Type: EXE
Number Of Sections: 2
ASLR: Disabled
Section Names: .text, .rsrc
Number Of Executable Sections: 2
Subsystem: Windows GUI
Note: [Incomplete Binary or Compressor Packer - 540,90 KB Missing]

Sections Info
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | E0300060 (Code, Initialized Data, Executable, Readable, Writeable) | 200 | 20800 | 1000 | A6000 | 7,9982 | 338,05 |
| .rsrc | E0000020 (Code, Executable, Readable, Writeable) | 20A00 | 3B267 | A7000 | 3C000 | 5,4680 | 8155032,67 |
Entry Point

Section 1 (.text) contains the Entry Point.
EntryPoint (calculated): 484
Code: B878214E005064FF35000000006489250000000033C089085045436F6D706163743200BF4BC5238C2C3993BF68A408F16DC4
Disassembly of the bytes at the entry point (the tool keeps decoding past the end of the real stub, so the instructions after PUSH EAX are the embedded "PECompact2" string bytes interpreted as code):
• MOV EAX, 0X4E2178
• PUSH EAX
• PUSH DWORD PTR FS:[0]
• MOV DWORD PTR FS:[0], ESP
• XOR EAX, EAX
• MOV DWORD PTR [EAX], ECX
• PUSH EAX
• INC EBP
• INC EBX
• OUTSD DX, DWORD PTR [ESI]
• INSD DWORD PTR ES:[EDI], DX
• JO 0X1080
• ARPL WORD PTR [EDX + ESI], SI
• MOV EDI, 0X8C23C54B
• SUB AL, 0X39
• XCHG EAX, EBX
• MOV EDI, 0XF108A468
• INSD DWORD PTR ES:[EDI], DX
Signatures

Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler

Detect It Easy (die):
• PE: packer: PECompact(3.02.2)[-]
• PE: compiler: MinGW(-)[-]
• PE: linker: GNU linker ld (GNU Binutils)(2.21)[-]
• Entropy: 6.62401

Suspicious Functions
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
File Access

kernel32.dll

Strings/Hex Code Found With The File Rules
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Stealth (VirtualAlloc) |
| Entry Point | Hex Pattern | PECompact 2.0x Heuristic Mode - Jeremy Collake |
| Entry Point | Hex Pattern | PeCompact 2.53 DLL - BitSum Technologies |
| Entry Point | Hex Pattern | PECompact 2.x - Jeremy Collake |
| Entry Point | Hex Pattern | PECompact v2.0 |
Resources
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\1033 | A7328 | 5D2A | 20D28 | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A866000000097048597300000EC300000EC301 | .PNG........IHDR.............\r.f....pHYs......... |
| \ICON\2\1033 | AD058 | 8271 | 26A58 | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A866000000097048597300000EC300000EC301 | .PNG........IHDR.............\r.f....pHYs......... |
| \ICON\3\1033 | B52D0 | EA8 | 2ECD0 | 28000000300000006000000001000800000000000009000000000000000000000001000000010000000000002E2D2B003030 | (...0.......................................-+.00 |
| \ICON\4\1033 | B6178 | 8A8 | 2FB78 | 2800000020000000400000000100080000000000000400000000000000000000000100000001000000000000302F2F003230 | (... ...@...................................0//.20 |
| \ICON\5\1033 | B6A20 | 6C8 | 30420 | 2800000018000000300000000100080000000000400200000000000000000000000100000001000000000000333332003433 | (.......0...........@.......................332.43 |
| \ICON\6\1033 | B70E8 | 568 | 30AE8 | 2800000010000000200000000100080000000000000100000000000000000000000100000001000000000000323232003433 | (....... ...................................222.43 |
| \ICON\7\1033 | B7650 | 10828 | 31050 | 2800000080000000000100000100200000000000000801000000000000000000000000000000000000000000000000000000 | (............. ................................... |
| \ICON\8\1033 | C7E78 | 94A8 | 41878 | 2800000060000000C00000000100200000000000809400000000000000000000000000000000000000000000000000000000 | (............ ................................... |
| \ICON\9\1033 | D1320 | 67E8 | 4AD20 | 2800000050000000A00000000100200000000000C06700000000000000000000000000000000000000000000000000000000 | (...P......... ......g............................ |
| \ICON\10\1033 | D7B08 | 5488 | 51508 | 2800000048000000900000000100200000000000605400000000000000000000000000000000000000000000000000000000 | (...H......... .....T............................ |
| \ICON\11\1033 | DCF90 | 25A8 | 56990 | 2800000030000000600000000100200000000000802500000000000000000000000000000000000000000000000000000000 | (...0........ ......%............................ |
| \ICON\12\1033 | DF538 | 10A8 | 58F38 | 2800000020000000400000000100200000000000801000000000000000000000000000000000000000000000000000000000 | (... ...@..... ................................... |
| \ICON\13\1033 | E05E0 | 988 | 59FE0 | 280000001800000030000000010020000000000060090000000000000000000000000000000000000000000000000000100C | (.......0..... .................................. |
| \ICON\14\1033 | E0F68 | 468 | 5A968 | 28000000100000002000000001002000000000004004000000000000000000000000000000000000000000000D0A0103221A | (....... ..... .....@...........................". |
| \GROUP_ICON\IDI_ICON\1033 | E13D0 | CA | 5ADD0 | 000001000E0000001000010004002A5D0000010000000000010008007182000002003030000001000800A80E000003002020 | ..............*]............q.....00............ |
Intelligent String

• kernel32.dll

Flow Anomalies

| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 8539 | E13D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1EDA7 | E13D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 22050 | E13D0 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 22460 | 2CFE53E0 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 27E07 | 2CFE53E0 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| 2E1DF | 2CFE53E0 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 20A00-5BC66 | A7000 | .rsrc | Executable section anomaly | First bytes: 00000000FD534A53 |
Extra Analysis
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 193954 | 51,5957% |
| Null Byte Code | 86496 | 23,0097% |
© 2026 All rights reserved.