PREMIUM PESCAN.IO - Analysis Report

| File Structure |
[PE structure chart not included in this export. Chart legend: PE header (light blue), executable sections (pink), non-executable sections (black), externally injected code (red); a red file-structure bar marks a malformed or corrupted header. For non-PE files the chart shows printable characters (blue) and non-printable characters (black).]
| Information |
- Size: 11.00 KB
- SHA-256: 00AD2D7A4E9BEC38AC628326A53C196C7F8D396588A1235D9D5C3921C6D9ECFE
- SHA-1: 66862757FE6C0BC55FFB8F2A98356A709C118649
- MD5: E58A4A8BED24DF371F7BC7F4267CE687
- Imphash: 42CF01D41EF6DC0627982490AFC9CDDD
- MajorOSVersion / MinorOSVersion: 5 / 0
- CheckSum: 0x00009FD7
- EntryPoint (RVA): 0x1875
- SizeOfHeaders: 0x400
- SizeOfImage: 0x6000
- ImageBase: 0x400000
- Architecture: x86
- ImportTable (RVA): 0x256C
- IAT (RVA): 0x2000
- Characteristics: 0x102 (IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
- TimeDateStamp: 0x69E7E1B9 (21/04/2026 20:44:41 UTC)
- File Type: EXE
- Number Of Sections: 5
- ASLR: Enabled
- Section Names: .text, .rdata, .data, .rsrc, .reloc
- Number Of Executable Sections: 1
- Subsystem: Windows GUI
- UAC Execution Level Manifest: asInvoker
| Sections Info |
All offsets and sizes are hexadecimal. Per-section entropy and chi-square values were not populated in this export; the only entropy figure available is the whole-file value of 5.4494 reported by Detect It Easy below.

| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 400 | E00 | 1000 | DDA | n/a | n/a |
| .rdata | 0x40000040 Initialized Data Readable | 1200 | C00 | 2000 | B84 | n/a | n/a |
| .data | 0xC0000040 Initialized Data Readable Writeable | 1E00 | 600 | 3000 | 94C | n/a | n/a |
| .rsrc | 0x40000040 Initialized Data Readable | 2400 | 400 | 4000 | 2B0 | n/a | n/a |
| .reloc | 0x42000040 Initialized Data Discardable Readable | 2800 | 400 | 5000 | 222 | n/a | n/a |

The 0x02000000 bit in the .reloc flags is IMAGE_SCN_MEM_DISCARDABLE (the original output mislabelled it as GP-relative, which is 0x00008000); a discardable relocation section is the normal layout for an ASLR-enabled Visual C++ executable. The layout is unremarkable: a single executable section, raw and virtual sizes in agreement, and no section whose raw size is zero or far smaller than its virtual size, which is one of the first signs of a packed image.
| Entry Point |
The entry point lies in section 1 (.text). EntryPoint RVA 0x1875 maps to file offset 0xC75 (0x1875 - VOffset 0x1000 + ROffset 0x400).

Code -> E87E030000E937FDFFFF8BFF558BEC8B45088B00813863736DE0752A8378100375248B40143D2005931974153D2105931974

Assembler:
CALL 0x1383
JMP 0xD41
MOV EDI, EDI
PUSH EBP
MOV EBP, ESP
MOV EAX, DWORD PTR [EBP + 8]
MOV EAX, DWORD PTR [EAX]
CMP DWORD PTR [EAX], 0xE06D7363
JNE 0x1046
CMP DWORD PTR [EAX + 0x10], 3
JNE 0x1046
MOV EAX, DWORD PTR [EAX + 0x14]
CMP EAX, 0x19930520
JE 0x1041
CMP EAX, 0x19930521

Note on the branch targets: they were computed as if the code started at RVA 0x1000 rather than at the real entry RVA 0x1875 (0x1000 + 5 + 0x37E = 0x1383; 0x100A - 0x2C9 = 0xD41). Add 0x875 to obtain actual RVAs: the first CALL goes to 0x1BF8 and the JMP to 0x15B6. The two-instruction stub (a CALL immediately followed by a JMP) is the Visual C++ 2005/2008 CRT entry pattern, which initialises the security cookie and then jumps into the CRT startup routine; the function that follows it compares an EXCEPTION_RECORD against the C++ exception code 0xE06D7363 and the 0x19930520/0x19930521 exception-handling magic values, i.e. CRT exception-handling support. Nothing at the entry point is sample-specific; the program logic begins in wWinMain (see Packer/Compiler below).
| Signatures |
- Rich Signature Analyzer: Code -> 194464015D250A525D250A525D250A527AE3715251250A52545D99525E250A525D250B5260250A52545D9F525F250A52545D895248250A52545D8E525E250A52545D9B525C250A52526963685D250A52; Footprint MD5 -> 7FDE775A6CA57A24AB5C19F650D533F8. The Rich header appears not to have been modified.
- Certificate / Digital Signature: not found. The file is not signed.
| Packer/Compiler |
Detect It Easy (die):
- PE: compiler: EP: Microsoft Visual C/C++ (2008-2010) [EXE32]
- PE: compiler: Microsoft Visual C/C++ (2008 SP1) [msvcrt, wWinMain]
- PE: linker: Microsoft Linker (9.0) [-]
- Entropy: 5.4494

No packer is detected, and the whole-file entropy of 5.4494 is consistent with plain compiled code rather than compressed or encrypted data. The toolchain (VS2008 SP1, linker 9.0, MSVCR90.dll in the import list) is old for a 2026 TimeDateStamp; either the sample was linked recently with an old toolchain or the timestamp was altered, which is trivial to do at link time, so the date should not be relied on by itself.
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| URLMON.DLL | URLDownloadToFileW | Download a file from the internet and save it to a local file. |
| SHELL32.DLL | ShellExecuteW | Performs a run operation on a specific file. |
| File Access |
Imported libraries (ASCII strings): SHELL32.dll, USER32.dll, KERNEL32.dll, urlmon.dll, SHLWAPI.dll, WININET.dll, MSVCR90.dll. Other file-like string: @.dat
| File Access (UNICODE) |
- 109/peinf.exe
- 109/xmr.exe
- 109/xmrget.exe
- 109/grab.exe
- 109/grabb.exe
- %s\%d%d.exe
- ntdll.dll
- 758585585788585785.txt
- d3333333333333333333.txt
- Temp
- AppData

The "109/..." entries are the tails of the download URLs listed below. The format string %s\%d%d.exe indicates that downloaded payloads are written under a directory chosen at run time with a name built from two integers; the Temp and AppData strings nearby are the obvious candidates for that directory, though the exact path is not recoverable from strings alone.

| Words of Interest |
PADDINGX, exec, start, expand

PADDINGX is the padding pattern the Microsoft linker writes into unused space and is not meaningful on its own; exec, start and expand are worth checking in the disassembly for the verbs passed to ShellExecuteW.
| URLs (UNICODE) |
- http://178.16.54.109/grabb.exe
- http://178.16.54.109/grab.exe
- http://178.16.54.109/xmrget.exe
- http://178.16.54.109/xmr.exe
- http://178.16.54.109/peinf.exe

| IP Addresses |
- 128.0.0.0
- 178.16.54.109

All five payload URLs use plain HTTP to the same host, 178.16.54.109, which together with the URLDownloadToFileW and ShellExecuteW imports gives a straightforward downloader-and-launcher profile. 128.0.0.0 is most likely a false positive from a 4-byte constant (0x80000000) rather than a real address.
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Execution (CreateProcessW) |
| Text | Ascii | Execution (ShellExecute) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ v7.0 |
| Entry Point | Hex Pattern | PE-Exe Executable Image |
| Entry Point | Hex Pattern | VC8 - Microsoft Corporation |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \24\1\1033 | 4058 | 256 | 2458 | 3C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122 | <assembly xmlns="urn:schemas-microsoft-com:asm.v1" |
| Intelligent String |
- %s\%d%d.exe
- d3333333333333333333.txt
- 758585585788585785.txt
- ntdll.dll
- http://178.16.54.109/grabb.exe
- http://178.16.54.109/grab.exe
- http://178.16.54.109/xmrget.exe
- http://178.16.54.109/xmr.exe
- http://178.16.54.109/peinf.exe
- urlmon.dll
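The strings above are the sample's usable indicators. The following script is an added example, not part of the PESCAN.IO report: it collects the URLs, the host and the marker file names exactly as listed, derives a regular expression from the %s\%d%d.exe format string (my reading of that string, tied to the Temp and AppData directories as an assumption), and runs the set over a few constructed proxy and Sysmon file-create lines to show which ones would be flagged.

```python
import re

# Indicators copied from the report's URL, IP and string sections.
URLS = [
    "http://178.16.54.109/grabb.exe",
    "http://178.16.54.109/grab.exe",
    "http://178.16.54.109/xmrget.exe",
    "http://178.16.54.109/xmr.exe",
    "http://178.16.54.109/peinf.exe",
]
C2_IP = "178.16.54.109"   # 128.0.0.0 is left out: almost certainly a 0x80000000 constant, not an address
MARKER_FILES = ["758585585788585785.txt", "d3333333333333333333.txt"]

# "%s\%d%d.exe" becomes <dir>\<digits>.exe.  Restricting <dir> to a path under
# Temp or AppData is an assumption based on those two strings being present.
DROP_RE = re.compile(r'\\(?:Temp|AppData)\\(?:[^\\"\s]+\\)*\d+\.exe\b', re.IGNORECASE)


def match_line(line):
    """Return [(kind, indicator), ...] for every indicator found in one log line."""
    hits = []
    for url in URLS:
        if url in line:
            hits.append(("url", url))
    if C2_IP in line:
        hits.append(("ip", C2_IP))
    for name in MARKER_FILES:
        if name in line:
            hits.append(("marker_file", name))
    m = DROP_RE.search(line)
    if m:
        hits.append(("dropped_exe", m.group(0)))
    return hits


def hunt(lines):
    """(line index, hits) for every line carrying at least one indicator."""
    return [(i, h) for i, h in enumerate(map(match_line, lines)) if h]


# Constructed sample records (not from the report): two proxy lines and three
# Sysmon EventID 11 (FileCreate) lines.  Only lines 0, 2 and 4 should match.
SAMPLE_LOGS = [
    "proxy 2026-04-21T20:50:01Z src=10.0.0.15 GET http://178.16.54.109/xmr.exe 200 1048576",
    "proxy 2026-04-21T20:50:03Z src=10.0.0.15 GET http://updates.example.invalid/check 200 512",
    "sysmon EventID=11 Image=C:\\Users\\bob\\Downloads\\invoice.exe TargetFilename=C:\\Users\\bob\\AppData\\Local\\Temp\\4817235.exe",
    "sysmon EventID=11 Image=C:\\Windows\\explorer.exe TargetFilename=C:\\Users\\bob\\Documents\\notes.txt",
    "sysmon EventID=11 Image=C:\\Users\\bob\\Downloads\\invoice.exe TargetFilename=C:\\Users\\bob\\AppData\\Roaming\\758585585788585785.txt",
]

if __name__ == "__main__":
    for index, hits in hunt(SAMPLE_LOGS):
        print(index, hits)
```

The exact-string matches are the high-confidence part; the dropped-file regex will also fire on legitimate installers that use numeric temp names, so treat a dropped_exe hit as a pivot (check the creating Image and any preceding proxy hit from the same host) rather than an alert on its own.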
| Flow Anomalies |
Each row is a CALL or JMP through an absolute memory operand (FF 15 disp32 / FF 25 disp32). The second column is that operand, an absolute address (ImageBase 0x400000 plus RVA), not an RVA as the original column header said. Every operand but one falls in 0x402000-0x402108, the import address table at RVA 0x2000 inside .rdata, which is simply how a Visual C++ binary calls imported functions; the exception is 0x403948 (file offset 0xAAA), a pointer in the writable .data section, consistent with a function pointer filled in at run time (for example through GetProcAddress, which the sample imports) rather than by the loader. Resolving each IAT slot against the import directory at RVA 0x256C turns this list into the sequence of Win32 APIs the sample calls.

| Offset | Operand (VA) | Section | Instruction | Description |
|---|---|---|---|---|
| 455 | 402024 | .text | CALL [static] | Indirect call to absolute memory address |
| 465 | 402028 | .text | CALL [static] | Indirect call to absolute memory address |
| 48B | 4020D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 49B | 402028 | .text | CALL [static] | Indirect call to absolute memory address |
| 4B8 | 402010 | .text | CALL [static] | Indirect call to absolute memory address |
| 4DC | 402014 | .text | CALL [static] | Indirect call to absolute memory address |
| 532 | 4020F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 54B | 402100 | .text | CALL [static] | Indirect call to absolute memory address |
| 56E | 402018 | .text | CALL [static] | Indirect call to absolute memory address |
| 599 | 40201C | .text | CALL [static] | Indirect call to absolute memory address |
| 5B2 | 4020F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 5BF | 40202C | .text | CALL [static] | Indirect call to absolute memory address |
| 5F1 | 402020 | .text | CALL [static] | Indirect call to absolute memory address |
| 5FC | 402028 | .text | CALL [static] | Indirect call to absolute memory address |
| 61A | 4020FC | .text | CALL [static] | Indirect call to absolute memory address |
| 623 | 4020FC | .text | CALL [static] | Indirect call to absolute memory address |
| 62E | 402028 | .text | CALL [static] | Indirect call to absolute memory address |
| 64E | 402028 | .text | CALL [static] | Indirect call to absolute memory address |
| 6D8 | 402020 | .text | CALL [static] | Indirect call to absolute memory address |
| 6E3 | 402028 | .text | CALL [static] | Indirect call to absolute memory address |
| 715 | 402014 | .text | CALL [static] | Indirect call to absolute memory address |
| 730 | 4020E0 | .text | CALL [static] | Indirect call to absolute memory address |
| 73D | 4020E4 | .text | CALL [static] | Indirect call to absolute memory address |
| 75A | 402018 | .text | CALL [static] | Indirect call to absolute memory address |
| 766 | 40202C | .text | CALL [static] | Indirect call to absolute memory address |
| 78A | 402014 | .text | CALL [static] | Indirect call to absolute memory address |
| 7A5 | 4020E0 | .text | CALL [static] | Indirect call to absolute memory address |
| 7B2 | 4020E4 | .text | CALL [static] | Indirect call to absolute memory address |
| 7CF | 402018 | .text | CALL [static] | Indirect call to absolute memory address |
| 7DB | 40202C | .text | CALL [static] | Indirect call to absolute memory address |
| 7FF | 402014 | .text | CALL [static] | Indirect call to absolute memory address |
| 818 | 4020EC | .text | CALL [static] | Indirect call to absolute memory address |
| 828 | 4020E4 | .text | CALL [static] | Indirect call to absolute memory address |
| 844 | 402008 | .text | CALL [static] | Indirect call to absolute memory address |
| 854 | 40200C | .text | CALL [static] | Indirect call to absolute memory address |
| 8B8 | 402028 | .text | CALL [static] | Indirect call to absolute memory address |
| 920 | 4020D0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 926 | 4020C8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 92C | 4020C4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 932 | 4020C0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 99B | 4020B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 9CE | 402048 | .text | CALL [static] | Indirect call to absolute memory address |
| 9F6 | 402054 | .text | CALL [static] | Indirect call to absolute memory address |
| A11 | 402028 | .text | CALL [static] | Indirect call to absolute memory address |
| A89 | 402004 | .text | CALL [static] | Indirect call to absolute memory address |
| AAA | 403948 | .text | CALL [static] | Indirect call to absolute memory address |
| B14 | 4020A8 | .text | CALL [static] | Indirect call to absolute memory address |
| B59 | 4020B0 | .text | CALL [static] | Indirect call to absolute memory address |
| B67 | 4020B4 | .text | CALL [static] | Indirect call to absolute memory address |
| BFA | 402080 | .text | CALL [static] | Indirect call to absolute memory address |
| C02 | 402084 | .text | CALL [static] | Indirect call to absolute memory address |
| C14 | 402088 | .text | CALL [static] | Indirect call to absolute memory address |
| C22 | 40208C | .text | CALL [static] | Indirect call to absolute memory address |
| C54 | 402094 | .text | CALL [static] | Indirect call to absolute memory address |
| C6B | 402098 | .text | CALL [static] | Indirect call to absolute memory address |
| CC6 | 402050 | .text | CALL [static] | Indirect call to absolute memory address |
| CD0 | 4020BC | .text | JMP [static] | Indirect jump to absolute memory address |
| CFC | 402064 | .text | CALL [static] | Indirect call to absolute memory address |
| DDE | 4020AC | .text | JMP [static] | Indirect jump to absolute memory address |
| F3E | 4020A0 | .text | JMP [static] | Indirect jump to absolute memory address |
| F44 | 40209C | .text | JMP [static] | Indirect jump to absolute memory address |
| 102F | 402038 | .text | CALL [static] | Indirect call to absolute memory address |
| 103B | 402034 | .text | CALL [static] | Indirect call to absolute memory address |
| 1043 | 402030 | .text | CALL [static] | Indirect call to absolute memory address |
| 104B | 402010 | .text | CALL [static] | Indirect call to absolute memory address |
| 1057 | 402000 | .text | CALL [static] | Indirect call to absolute memory address |
| 108E | 40207C | .text | JMP [static] | Indirect jump to absolute memory address |
| 1094 | 402068 | .text | JMP [static] | Indirect jump to absolute memory address |
| 109A | 40205C | .text | JMP [static] | Indirect jump to absolute memory address |
| 10A0 | 402060 | .text | JMP [static] | Indirect jump to absolute memory address |
| 10B6 | 40206C | .text | JMP [static] | Indirect jump to absolute memory address |
| 10BC | 402070 | .text | JMP [static] | Indirect jump to absolute memory address |
| 10C2 | 402074 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1183 | 40204C | .text | CALL [static] | Indirect call to absolute memory address |
| 1198 | 402050 | .text | CALL [static] | Indirect call to absolute memory address |
| 11A3 | 402044 | .text | CALL [static] | Indirect call to absolute memory address |
| 11BF | 402040 | .text | CALL [static] | Indirect call to absolute memory address |
| 11C6 | 40203C | .text | CALL [static] | Indirect call to absolute memory address |
| 11CE | 402078 | .text | JMP [static] | Indirect jump to absolute memory address |
| 11D4 | 402108 | .text | JMP [static] | Indirect jump to absolute memory address |
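The entry-point and flow-anomaly sections above both depend on the same address arithmetic: RVA to file offset through the section table, rel32 branch decoding, and placing an absolute operand in a section. The script below is an added example (not PESCAN.IO code) that does those three things with the section table and entry-point bytes copied from this report. It reproduces the reported file offset 0xC75, shows that the listed CALL/JMP targets 0x1383 and 0xD41 come from assuming a base of 0x1000 and what they become at the real base 0x1875, and buckets a constructed subset of the flow-anomaly operands by section.

```python
import struct
from collections import namedtuple

Section = namedtuple("Section", "name raw_off raw_size virt_addr virt_size")

IMAGE_BASE = 0x400000   # ImageBase from the report
ENTRY_RVA = 0x1875      # EntryPoint (RVA) from the report

# Section table as printed under "Sections Info" (ROffset, RSize, VOffset, VSize).
SECTIONS = [
    Section(".text",  0x400,  0xE00, 0x1000, 0xDDA),
    Section(".rdata", 0x1200, 0xC00, 0x2000, 0xB84),
    Section(".data",  0x1E00, 0x600, 0x3000, 0x94C),
    Section(".rsrc",  0x2400, 0x400, 0x4000, 0x2B0),
    Section(".reloc", 0x2800, 0x400, 0x5000, 0x222),
]

# First ten bytes at the entry point, copied from the "Entry Point" block.
EP_BYTES = bytes.fromhex("E87E030000E937FDFFFF")

# Constructed subset of the "Flow Anomalies" operand column (the full table has 80 rows).
FLOW_TARGETS = [0x402024, 0x402028, 0x4020D8, 0x402010, 0x403948, 0x4020D0, 0x402108]


def section_for_rva(rva):
    """Section whose in-memory range contains rva, else None.
    The loader maps max(VSize, RSize) bytes, so use that as the extent."""
    for s in SECTIONS:
        if s.virt_addr <= rva < s.virt_addr + max(s.virt_size, s.raw_size):
            return s
    return None


def rva_to_offset(rva):
    """RVA -> file offset: ROffset + (rva - VOffset).  Only valid while the delta
    stays inside the raw data; beyond RSize the bytes exist only in memory."""
    s = section_for_rva(rva)
    if s is None or rva - s.virt_addr >= s.raw_size:
        return None
    return s.raw_off + (rva - s.virt_addr)


def decode_branches(code, base_rva):
    """Decode the leading run of E8 (call rel32) / E9 (jmp rel32) instructions.
    Target = RVA of the next instruction + signed rel32, so the result depends
    entirely on the base the disassembler assumed for the first byte."""
    out, pos = [], 0
    while pos + 5 <= len(code) and code[pos] in (0xE8, 0xE9):
        rel = struct.unpack_from("<i", code, pos + 1)[0]
        out.append(("call" if code[pos] == 0xE8 else "jmp", base_rva + pos + 5 + rel))
        pos += 5
    return out


def classify_targets(vas):
    """Bucket absolute CALL/JMP operands by the section holding the pointer.
    IAT slots land in .rdata; anything in .data is a run-time-filled pointer."""
    buckets = {}
    for va in vas:
        s = section_for_rva(va - IMAGE_BASE)
        buckets.setdefault(s.name if s else "unmapped", []).append(va)
    return buckets


if __name__ == "__main__":
    print(f"entry RVA 0x{ENTRY_RVA:X} -> file offset 0x{rva_to_offset(ENTRY_RVA):X}")
    print("targets as reported (base 0x1000):", [(m, hex(t)) for m, t in decode_branches(EP_BYTES, 0x1000)])
    print("targets at real entry base:       ", [(m, hex(t)) for m, t in decode_branches(EP_BYTES, ENTRY_RVA)])
    for name, vas in classify_targets(FLOW_TARGETS).items():
        print(name, [hex(v) for v in vas])
```

The same three helpers are what you would feed a real parser's section headers into (pefile exposes them as `VirtualAddress`, `PointerToRawData`, `SizeOfRawData`, `Misc_VirtualSize`) before trusting any offset a report prints; a sample with a section whose raw size is zero, or with overlapping virtual ranges, will silently break the naive arithmetic, which is why rva_to_offset returns None instead of a guess.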
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 6841 | 60,7333% |
| Null Byte Code | 3299 | 29,288% |
© 2026 All rights reserved.