PESCAN.IO - Analysis Report Basic

Information
Size: 65,50 KB
SHA-256 Hash: 8C10609AD89999CAF0B90A7B3072AD6A9ECE2C9DDEB4E1DD748466F04B2729F6
SHA-1 Hash: 8B7B8B01F8C28A14993EC4CCDC9588389CF3E156
MD5 Hash: E82008555E6C163A1B4B354EBB1D0940
Imphash: D41D8CD98F00B204E9800998ECF8427E
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 0001C652
EntryPoint (rva): 0
SizeOfHeaders: 200
SizeOfImage: 14000
ImageBase: 0000000000400000
Architecture: x64
Characteristics: 22
TimeDateStamp: 971C44D0
Date: 03/05/2050 17:37:20
File Type: EXE
Number Of Sections: 2
ASLR: Disabled
Section Names (Optional Header): .text, .rsrc
Number Of Executable Sections: 1
Subsystem: Windows Console

Sections Info
Section Name  Flags                                  ROffset  RSize  VOffset  VSize  Entropy  Chi2
.text         60000020 (Code, Executable, Readable)  200      EE00   2000     EDF4   5,4806   1571621,59
.rsrc         40000040 (Initialized Data, Readable)  F000     1600   12000    14B0   6,0626   104292,91

Description
OriginalFilename: Hotmail.exe
LegalCopyright: Copyright 2023
ProductName: Hotmail
FileVersion: 1.0.0.0
FileDescription: Hotmail
ProductVersion: 1.0.0.0
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Signatures
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
AnyCPU: False
Version: v4.0
Detect It Easy (die)
PE+(64): library: .NET(v4.0.30319)[-]
PE+(64): linker: Microsoft Linker(48.0)[-]
PE+(64): archive: Resources(-)[-]
Entropy: 5.62207

File Access
Hotmail.exe
rpcrt4.dll

File Access (UNICODE)
Hotmail.exe
keywords.txt
Temp

Interest's Words
Decrypt
exec
unescape
attrib
start
cipher
replace

Interest's Words (UNICODE)
outlook
Encrypt
PassWord
<form
<input
start

URLs (UNICODE)
https://outlook.live.com/owa/
https://login.live.com/
https://outlook.live.com/owa/?nlp=1
https://login.live.com
https://account.live.com/ResetPassword.aspx
https://outlook.live.com/owa
https://privacynotice.account.microsoft.com/notice
https://account.live.com/proofs/Add
https://account.live.com/proofs/Verify
https://account.live.com/proofs/remind
https://privacynotice.account.microsoft.com/notice?ru=
https://privacynotice.account.microsoft.com/
https://account.live.com/identity/confirm
https://account.live.com/recover
https://account.live.com/ar/cancel
https://account.live.com/RecoverAccount
https://account.live.com/Abuse
https://outlook.live.com/owa/0/service.svc?action=GetAccessTokenforResource&UA=0&app=Mail&n=12
https://outlook.live.com/search/api/v1/query
https://login.live.com/GetCredentialType.srf
https://account.live.com/Email/Confirm
https://account.live.com/profile/accrue
https://account.live.com/Agreement
https://outlook.live.com/owa/?nlp=1&RpsCsrfState
https://outlook.live.com/owa/auth/dt.aspxaccess_token=
https://substrate.office.com/profileb2/v2.0/me/V1Profile

Emails
no-reply@coinbase.com

IP Addresses
114.0.0.0

Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Unicode WinAPI Sockets (accept)
Text Ascii WinAPI Sockets (send)
Text Ascii Encryption (Base64Decode)
Text Ascii Encryption (Base64Encode)
Text Ascii Encryption (CipherMode)
Text Ascii Encryption (CreateDecryptor)
Text Ascii Encryption (FromBase64String)
Text Ascii Encryption (ICryptoTransform)
Text Ascii Encryption (Rijndael)
Text Ascii Encryption (RijndaelManaged)
Text Ascii Encryption (ToBase64String)
Text Ascii Encryption (base64EncodedData)
Text Unicode Information used to authenticate a user's identity (Credential)
Text Unicode Information used for user authentication (Credential)
Text Ascii Malicious rerouting of traffic to an attacker-controlled site (Redirect)

Resources
Path                 DataRVA  Size  FileOffset  Code                                                                                                  Text
\ICON\1\0            120E8    10A8  F0E8        280000002000000040000000010020000000000000100000251600002516000000000000000000007E7B75FF51493EFF2820  (... ...@..... .........%...%...........~{u.QI>.(
\GROUP_ICON\32512\0  13190    14    10190       0000010001002020000001002000A81000000100                                                              ...... .... .......
\VERSION\1\0         131A4    30C   101A4       0C0334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000  ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............

Intelligent String
• 1.0.0.0
• Hotmail.exe
• https://account.live.com/Abuse
• https://account.live.com/RecoverAccount
• https://account.live.com/ar/cancel
• https://account.live.com/recover
• https://outlook.live.com/owa/?nlp=1
• https://login.live.com
• W","isOtherIdpSupported":true,"checkPhones":false,"isRemoteNGCSupported":true,"isCookieBannerShown":false,"isFidoSupported":true,"forceotclogin":false,"otclogindisallowed":false,"isExternalFederationDisallowed":false,"isRemoteConnectSupported":false,"federationFlags":3,"isSignup":false,"flowToken":"
• https://account.live.com/ResetPassword.aspx
• https://outlook.live.com/owa
• https://privacynotice.account.microsoft.com/notice
• https://account.live.com/proofs/Add
• https://account.live.com/proofs/Verify
• https://account.live.com/proofs/remind
• https://account.live.com/identity/confirm
• BAD_IP_LOGIN
• https://outlook.live.com/owa/0/service.svc?action=GetAccessTokenforResource&UA=0&app=Mail&n=12
• keywords.txt
• https://outlook.live.com/search/api/v1/query
• https://login.live.com/GetCredentialType.srf
• https://account.live.com/Email/Confirm
• https://account.live.com/profile/accrue
• https://account.live.com/Agreement
• https://outlook.live.com/owa/?nlp=1&RpsCsrfState
• https://login.live.com/oauth20_authorize.srf?response_type=token&prompt=none&redirect_uri=https%3A%2F%2Foutlook.live.com%2Fowa%2Fauth%2Fdt.aspx&scope=https%3A%2F%2Foutlook.office.com%2FM365.Access&client_id=292841
• https://substrate.office.com/profileb2/v2.0/me/V1Profile
• .txt
• \proxies.txt

Flow Anomalies
Offset RVA Section Description
F99F N/A .rsrc JMP QWORD PTR [RIP+0x69FF171D]
F9F3 N/A .rsrc JMP QWORD PTR [RIP+0x67FF111C]
FBAF N/A .rsrc JMP QWORD PTR [RIP+0x2BFF151D]

Extra Analysis
Metric Value Percentage
Ascii Code 37964 56,6019%
Null Byte Code 20433 30,4643%