PESCAN.IO - Analysis Report Basic

File Structure

[PE layout chart not included in this extraction; the legend below is the chart's colour key.]
Header PE (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header
Chart key for other (non-PE) files: printable characters (blue), non-printable characters (black)
Information

| Field | Value |
|---|---|
| Size | 2,24 MB |
| SHA-256 Hash | B59A08D26DCF05DEC4FC5AAB69DA4F8F8C3D9F53A8942C5B4C0EF9999BC90211 |
| SHA-1 Hash | 921EB4B6CA6147D57B6443171AC7DCB5DBCE31D1 |
| MD5 Hash | F83C51F3E6538A13DEF50E5F20985D29 |
| Imphash | B34F154EC913D2D2C435CBD644E91687 |
| MajorOSVersion | 4 |
| MinorOSVersion | 0 |
| CheckSum | 0023F45F |
| EntryPoint (rva) | 338F |
| SizeOfHeaders | 400 |
| SizeOfImage | AA000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ImportTable | 8608 |
| IAT | 8000 |
| Characteristics | 10F |
| TimeDateStamp | 5A6FED3C |
| Date | 30/01/2018 3:57:48 |
| File Type | EXE |
| Number Of Sections | 5 |
| ASLR | Enabled |
| Section Names | .text, .rdata, .data, .ndata, .rsrc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| UAC Execution Level Manifest | requireAdministrator |
Sections Info

| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 400 | 6800 | 1000 | 6627 | | |
| .rdata | 0x40000040 Initialized Data Readable | 6C00 | 1600 | 8000 | 149A | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | 8200 | 600 | A000 | 2AFF8 | | |
| .ndata | 0xC0000080 Uninitialized Data Readable Writeable | 0 | 0 | 35000 | 10000 | | |
| .rsrc | 0x40000040 Initialized Data Readable | 8800 | 65000 | 45000 | 64F48 | | |
Binder/Joiner/Crypter

Dropper code detected (EOF) - 1,57 MB
Entry Point

Section number 1 (.text) contains the Entry Point. EntryPoint (calculated): 278F

Code: 81ECD40200005356576A205F33DB6801800000895C2414C7442410E0A24000895C241CFF15A8804000FF15A480400025FFFF

Assembler:
SUB ESP, 0X2D4
PUSH EBX
PUSH ESI
PUSH EDI
PUSH 0X20
POP EDI
XOR EBX, EBX
PUSH 0X8001
MOV DWORD PTR [ESP + 0X14], EBX
MOV DWORD PTR [ESP + 0X10], 0X40A2E0
MOV DWORD PTR [ESP + 0X1C], EBX
CALL DWORD PTR [0X4080A8]
CALL DWORD PTR [0X4080A4]
Signatures

Rich Signature Analyzer
Code -> AD310881E95066D2E95066D2E95066D22A5F39D2EB5066D2E95067D24C5066D22A5F3BD2E65066D2BD7356D2E35066D22E5660D2E85066D252696368E95066D2
Footprint md5 Hash -> 8D248B46736E162BA0D0DEE443AD4BB3
• The Rich header apparently has not been modified

Certificate - Digital Signature
• The file is signed and the signature is correct
Packer/Compiler

Compiler: Nullsoft Install System - Version: v3.03
Detect It Easy (die)
• PE: installer: Nullsoft Scriptable Install System(3.03)[zlib]
• PE: linker: Microsoft Linker(6.0*)[-]
• PE: overlay: NSIS data(-)[-]
• Entropy: 7.80825
Suspicious Functions

| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | CopyFileW | Copies an existing file to a new file. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| SHELL32.DLL | ShellExecuteExW | Performs a run operation on a specific file. |
Windows REG (UNICODE)

Software\Microsoft\Windows\CurrentVersion

File Access

Nullsoft.NSIS.exe ole32.dll COMCTL32.dll ADVAPI32.dll SHELL32.dll GDI32.dll USER32.dll KERNEL32.dll @.dat Temp

File Access (UNICODE)

%s%S.dll Temp

Words of Interest

exec attrib shutdown ping expand

Words of Interest (UNICODE)

shutdown

URLs

http://ocsp.digicert.com
http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
http://crl3.digicert.com/DigiCertTrustedRootG4.crl
http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
http://www.digicert.com/CPS0
http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl

URLs (UNICODE)

http://nsis.sf.net/NSIS_Error
Strings/Hex Code Found With The File Rules

| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Registry (RegCreateKeyEx) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | Registry (RegSetValueEx) |
| Text | Ascii | Registry (RegDeleteKeyEx) |
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | File (CopyFile) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Reconnaissance (FindFirstFileW) |
| Text | Ascii | Reconnaissance (FindNextFileW) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Execution (CreateProcessW) |
| Text | Ascii | Execution (ShellExecute) |
| Text | Unicode | Privileges (SeShutdownPrivilege) |
| Entry Point | Hex Pattern | fasm - Tomasz Grysztar |
Resources

| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\1033 | 453A0 | 278F8 | 8BA0 | 28000000B4000000680100000100200000000000D07802000000000000000000000000000000000000000000000000000000 | (.......h..... ......x............................ |
| \ICON\2\1033 | 6CC98 | 14028 | 30498 | 2800000080000000000100000100200000000000004001000000000000000000000000000000000000000000000000000000 | (............. ......@............................ |
| \ICON\3\1033 | 80CC0 | B428 | 444C0 | 2800000060000000C0000000010020000000000000B400000000000000000000000000000000000000000000000000000000 | (............ ................................... |
| \ICON\4\1033 | 8C0E8 | A90D | 4F8E8 | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A866000000017352474200AECE1CE900000038 | .PNG........IHDR.............\r.f....sRGB........8 |
| \ICON\5\1033 | 969F8 | 6568 | 5A1F8 | 2800000048000000900000000100200000000000406500000000000000000000000000000000000000000000000000000000 | (...H......... .....@e............................ |
| \ICON\6\1033 | 9CF60 | 5028 | 60760 | 2800000040000000800000000100200000000000005000000000000000000000000000000000000000000000000000000000 | (...@......... ......P............................ |
| \ICON\7\1033 | A1F88 | 2D28 | 65788 | 2800000030000000600000000100200000000000002D00000000000000000000000000000000000000000000000000000000 | (...0........ ......-............................ |
| \ICON\8\1033 | A4CB0 | 1F68 | 684B0 | 2800000028000000500000000100200000000000401F00000000000000000000000000000000000000000000000000000000 | (...(...P..... .....@............................. |
| \ICON\9\1033 | A6C18 | 1428 | 6A418 | 2800000020000000400000000100200000000000001400000000000000000000000000000000000000000000000000000000 | (... ...@..... ................................... |
| \ICON\10\1033 | A8040 | B68 | 6B840 | 2800000018000000300000000100200000000000400B0000000000000000000000000000000000000000000000000000D43F | (.......0..... .....@............................? |
| \ICON\11\1033 | A8BA8 | 7F8 | 6C3A8 | 2800000014000000280000000100200000000000D0070000000000000000000000000000000000000000000000000000CE48 | (.......(..... ..................................H |
| \ICON\12\1033 | A93A0 | 528 | 6CBA0 | 2800000010000000200000000100200000000000000500000000000000000000000000000000000000000000CC44220FD547 | (....... ..... ..............................D"..G |
| \DIALOG\105\1033 | A98C8 | 100 | 6D0C8 | 0100FFFF00000000000000004808CA800600000000001801A2000000000000000800000000014D0053002000530068006500 | ............H.........................M.S. .S.h.e. |
| \DIALOG\106\1033 | A99C8 | 11C | 6D1C8 | 0100FFFF0000000000000000480400400500000000000A0182000000000000000800000000014D0053002000530068006500 | ............H..@......................M.S. .S.h.e. |
| \DIALOG\111\1033 | A9AE8 | 60 | 6D2E8 | 0100FFFF0000000000000000C8080080010000000000A20016000000000000000800000000014D00530020005300680065006C006C00200044006C0067000000000000000000000001000250070007009400080006040000FFFF820000000000 | ......................................M.S. .S.h.e.l.l. .D.l.g..............P.................... |
| \GROUP_ICON\103\1033 | A9B48 | AE | 6D348 | 000001000C001010000001002000280500000C001414000001002000F80700000B001818000001002000680B00000A002020 | ............ .(........... ............. .h..... |
| \24\1\1033 | A9BF8 | 349 | 6D3F8 | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="UTF-8" standalone="y |
Intelligent String

• USER32.dll
• COMCTL32.dll
• http://nsis.sf.net/NSIS_Error
• .tmp
• .exe
• %s%S.dll
• :060U00Uq]dL.g?O0U0E1-Q!m0U0y+m0k0$+0http://ocsp.digicert.com0C+07http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0EU>0<0:864http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0U
Flow Anomalies

| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 42C | 40821C | .text | CALL [static] | Indirect call to absolute memory address |
| 447 | 408220 | .text | CALL [static] | Indirect call to absolute memory address |
| 45B | 408224 | .text | CALL [static] | Indirect call to absolute memory address |
| 4CF | 408064 | .text | CALL [static] | Indirect call to absolute memory address |
| 4E4 | 408228 | .text | CALL [static] | Indirect call to absolute memory address |
| 505 | 408054 | .text | CALL [static] | Indirect call to absolute memory address |
| 526 | 408050 | .text | CALL [static] | Indirect call to absolute memory address |
| 530 | 408058 | .text | CALL [static] | Indirect call to absolute memory address |
| 556 | 40822C | .text | CALL [static] | Indirect call to absolute memory address |
| 56E | 408284 | .text | CALL [static] | Indirect call to absolute memory address |
| 7E4 | 408154 | .text | CALL [static] | Indirect call to absolute memory address |
| 7F4 | 408218 | .text | CALL [static] | Indirect call to absolute memory address |
| 8AD | 408294 | .text | CALL [static] | Indirect call to absolute memory address |
| 8EA | 408078 | .text | CALL [static] | Indirect call to absolute memory address |
| 8F8 | 408264 | .text | CALL [static] | Indirect call to absolute memory address |
| 9AE | 408074 | .text | CALL [static] | Indirect call to absolute memory address |
| A1A | 408094 | .text | CALL [static] | Indirect call to absolute memory address |
| A4D | 408090 | .text | CALL [static] | Indirect call to absolute memory address |
| A96 | 408108 | .text | CALL [static] | Indirect call to absolute memory address |
| AE2 | 40810C | .text | CALL [static] | Indirect call to absolute memory address |
| B2A | 4080BC | .text | CALL [static] | Indirect call to absolute memory address |
| B49 | 408114 | .text | CALL [static] | Indirect call to absolute memory address |
| BD5 | 408118 | .text | CALL [static] | Indirect call to absolute memory address |
| CCA | 408110 | .text | CALL [static] | Indirect call to absolute memory address |
| CD3 | 408120 | .text | CALL [static] | Indirect call to absolute memory address |
| E16 | 408104 | .text | CALL [static] | Indirect call to absolute memory address |
| E28 | 40811C | .text | CALL [static] | Indirect call to absolute memory address |
| E43 | 408124 | .text | CALL [static] | Indirect call to absolute memory address |
| E56 | 40811C | .text | CALL [static] | Indirect call to absolute memory address |
| F69 | 408290 | .text | CALL [static] | Indirect call to absolute memory address |
| FE7 | 408128 | .text | CALL [static] | Indirect call to absolute memory address |
| FF9 | 408134 | .text | CALL [static] | Indirect call to absolute memory address |
| 108F | 40828C | .text | CALL [static] | Indirect call to absolute memory address |
| 10A7 | 408218 | .text | CALL [static] | Indirect call to absolute memory address |
| 10D9 | 408274 | .text | CALL [static] | Indirect call to absolute memory address |
| 10FE | 40826C | .text | CALL [static] | Indirect call to absolute memory address |
| 112E | 4081E4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1152 | 408270 | .text | CALL [static] | Indirect call to absolute memory address |
| 1163 | 4081E4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1170 | 408224 | .text | CALL [static] | Indirect call to absolute memory address |
| 1191 | 408260 | .text | CALL [static] | Indirect call to absolute memory address |
| 119F | 408218 | .text | CALL [static] | Indirect call to absolute memory address |
| 11AE | 40805C | .text | CALL [static] | Indirect call to absolute memory address |
| 11BC | 408254 | .text | CALL [static] | Indirect call to absolute memory address |
| 11D6 | 408060 | .text | CALL [static] | Indirect call to absolute memory address |
| 11DE | 408154 | .text | CALL [static] | Indirect call to absolute memory address |
| 11EF | 40820C | .text | CALL [static] | Indirect call to absolute memory address |
| 123E | 408054 | .text | CALL [static] | Indirect call to absolute memory address |
| 1267 | 408268 | .text | CALL [static] | Indirect call to absolute memory address |
| 1272 | 408210 | .text | CALL [static] | Indirect call to absolute memory address |
| 134D | 408120 | .text | CALL [static] | Indirect call to absolute memory address |
| 13C1 | 408134 | .text | CALL [static] | Indirect call to absolute memory address |
| 145D | 408170 | .text | CALL [static] | Indirect call to absolute memory address |
| 146E | 40816C | .text | CALL [static] | Indirect call to absolute memory address |
| 14EB | 408168 | .text | CALL [static] | Indirect call to absolute memory address |
| 1583 | 4082A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 16CD | 40818C | .text | CALL [static] | Indirect call to absolute memory address |
| 1743 | 408164 | .text | CALL [static] | Indirect call to absolute memory address |
| 177F | 408160 | .text | CALL [static] | Indirect call to absolute memory address |
| 17B0 | 408020 | .text | CALL [static] | Indirect call to absolute memory address |
| 17B9 | 408024 | .text | CALL [static] | Indirect call to absolute memory address |
| 186F | 408028 | .text | CALL [static] | Indirect call to absolute memory address |
| 18B5 | 40802C | .text | CALL [static] | Indirect call to absolute memory address |
| 192B | 408030 | .text | CALL [static] | Indirect call to absolute memory address |
| 193E | 408018 | .text | CALL [static] | Indirect call to absolute memory address |
| 1957 | 408024 | .text | CALL [static] | Indirect call to absolute memory address |
| 19E8 | 40815C | .text | CALL [static] | Indirect call to absolute memory address |
| 19F3 | 408150 | .text | CALL [static] | Indirect call to absolute memory address |
| 1AB6 | 408148 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B14 | 408144 | .text | CALL [static] | Indirect call to absolute memory address |
| 1BD6 | 408144 | .text | CALL [static] | Indirect call to absolute memory address |
| 1C0D | 408144 | .text | CALL [static] | Indirect call to absolute memory address |
| 1C30 | 40814C | .text | CALL [static] | Indirect call to absolute memory address |
| 1C4F | 40813C | .text | CALL [static] | Indirect call to absolute memory address |
| 1C77 | 408138 | .text | CALL [static] | Indirect call to absolute memory address |
| 1D56 | 408128 | .text | CALL [static] | Indirect call to absolute memory address |
| 1D69 | 408128 | .text | CALL [static] | Indirect call to absolute memory address |
| 1D81 | 408120 | .text | CALL [static] | Indirect call to absolute memory address |
| 1D95 | 408140 | .text | CALL [static] | Indirect call to absolute memory address |
| 1EAF | 408218 | .text | CALL [static] | Indirect call to absolute memory address |
| 1EBF | 408214 | .text | CALL [static] | Indirect call to absolute memory address |
| 21B2 | 408024 | .text | CALL [static] | Indirect call to absolute memory address |
| 21D3 | 408024 | .text | CALL [static] | Indirect call to absolute memory address |
| 21E6 | 40801C | .text | CALL [static] | Indirect call to absolute memory address |
| 2211 | 408258 | .text | CALL [static] | Indirect call to absolute memory address |
| 223C | 408154 | .text | CALL [static] | Indirect call to absolute memory address |
| 224C | 408290 | .text | CALL [static] | Indirect call to absolute memory address |
| 225C | 40825C | .text | CALL [static] | Indirect call to absolute memory address |
| 228C | 408250 | .text | CALL [static] | Indirect call to absolute memory address |
| 22AA | 40807C | .text | CALL [static] | Indirect call to absolute memory address |
| 22C7 | 408288 | .text | CALL [static] | Indirect call to absolute memory address |
| 22D5 | 408268 | .text | CALL [static] | Indirect call to absolute memory address |
| 22EE | 40807C | .text | CALL [static] | Indirect call to absolute memory address |
| 230A | 408084 | .text | CALL [static] | Indirect call to absolute memory address |
| 2356 | 408080 | .text | CALL [static] | Indirect call to absolute memory address |
| 248E | 408134 | .text | CALL [static] | Indirect call to absolute memory address |
| 24F4 | 408144 | .text | CALL [static] | Indirect call to absolute memory address |
| 2650 | 408154 | .text | CALL [static] | Indirect call to absolute memory address |
| 2663 | 408290 | .text | CALL [static] | Indirect call to absolute memory address |
| 2755 | 408144 | .text | CALL [static] | Indirect call to absolute memory address |
| 6D800 | N/A | *Overlay* | 06000000EFBEADDE4E756C6C736F6674496E7374 | ........NullsoftInst |
Extra Analysis

| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 1500847 | 64,0079% |
| Null Byte Code | 97624 | 4,1635% |