PESCAN.IO - Analysis Report Basic

**File Structure**

[PE structure chart not reproduced; legend only]

- PE chart: executable header (light blue), executable sections (pink), non-executable sections (black), external injected code (red). A file structure drawn in red indicates a malformed or corrupted header.
- Chart for other file types: printable characters (blue), non-printable characters (black).
**Information**

| Field | Value |
|---|---|
| Size | 4,00 MB |
| SHA-256 Hash | C9C51610BC565DDF19CB306AF51A5D8DD7E81647972C82B82AE75BCB294704EC |
| SHA-1 Hash | 3BF41F7308506FCEF70ADBC4C02B29DA3A78CD6F |
| MD5 Hash | F8F4627656BCDD5EEF301934BCB21603 |
| Imphash | 61F7454037465DD136BB9B8B990650CF |
| MajorOSVersion | 5 |
| MinorOSVersion | 0 |
| CheckSum | 0003CF12 |
| EntryPoint (RVA) | 164D0 |
| SizeOfHeaders | 400 |
| SizeOfImage | 39000 |
| ImageBase | 0000000180000000 |
| Architecture | x64 |
| ExportTable | 2B1F0 |
| ImportTable | 2B228 |
| IAT | 23000 |
| Characteristics | 2022 |
| TimeDateStamp | 67531862 |
| Date | 06/12/2024 15:29:38 |
| File Type | DLL |
| Number Of Sections | 5 |
| ASLR | Disabled |
| Section Names (Optional Header) | .text, .rdata, .data, .pdata, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
**Sections Info**

| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 400 | 22000 | 1000 | 21F87 | 6,4238 | 877365,88 |
| .rdata | 40000040 (Initialized Data, Readable) | 22400 | 9600 | 23000 | 95B8 | 4,5594 | 2076978,84 |
| .data | C0000040 (Initialized Data, Readable, Writeable) | 2BA00 | 3C00 | 2D000 | 8A60 | 2,5067 | 2192257,03 |
| .pdata | 40000040 (Initialized Data, Readable) | 2F600 | 1A00 | 36000 | 19B0 | 5,3017 | 224518,77 |
| .reloc | 42000040 (Initialized Data, GP-Relative, Readable) | 31000 | 800 | 38000 | 6A4 | 5,0043 | 29782,50 |
**Binder/Joiner/Crypter**

Dropper code detected (EOF): 3,78 MB of data appended after the last section (overlay).
**Entry Point**

Section 1 (.text) contains the entry point. EntryPoint (calculated): 158D0. Code bytes at the entry point: `48895C24084889742410574883EC20498BF88BDA488BF183FA017505E8274B00004C8BC78BD3488BCE488B5C2430488B7424`, which disassemble to:

- MOV QWORD PTR [RSP + 8], RBX
- MOV QWORD PTR [RSP + 0X10], RSI
- PUSH RDI
- SUB RSP, 0X20
- MOV RDI, R8
- MOV EBX, EDX
- MOV RSI, RCX
- CMP EDX, 1
- JNE 0X1021
- CALL 0X5B48
- MOV R8, RDI
- MOV EDX, EBX
- MOV RCX, RSI
- MOV RBX, QWORD PTR [RSP + 0X30]
**Signatures**

- CheckSum integrity problem: header 249618, calculated 4230711.
- Rich Signature Analyzer: code `8F554A59CB34240ACB34240ACB34240A8D65C50AEF34240A8D65C40AB034240A8D65FB0AC134240AC24CA30ACA34240AC24CB70ADA34240ACB34250A0F34240AB64DC40AD734240AB64DFB0ACA34240AB64DF80ACA34240AB64DFA0ACA34240A52696368CB34240A`; footprint MD5 hash 29BE454AFA907BA2FF23E59B884E64FF. The Rich header apparently has not been modified.
- Certificate / Digital Signature: not found. The file is not signed.
**Packer/Compiler**

- Compiler: Microsoft Visual C++
- Detect It Easy (DIE): PE+(64) compiler: Microsoft Visual C/C++(2013)[-]; PE+(64) linker: Microsoft Linker(12.0*)[-]; entropy: 0.486335
**Suspicious Functions**

| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | CreateMutexW | Create a named or unnamed mutex object for controlling access to a shared resource. |
| KERNEL32.DLL | GetModuleFileNameA | Retrieve the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | CreateToolhelp32Snapshot | Creates a snapshot of the specified processes, heaps, threads, and modules. |
| KERNEL32.DLL | CreateRemoteThread | Creates a thread in the address space of another process. |
| KERNEL32.DLL | WriteProcessMemory | Writes data to an area of memory in a specified process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| ADVAPI32.DLL | CryptEncrypt | Performs a cryptographic operation on data in a data block. |
| ADVAPI32.DLL | CryptDecrypt | Performs a cryptographic operation on data in a data block. |
**File Access**

ole32.dll, ADVAPI32.dll, USER32.dll, KERNEL32.dll, WINHTTP.dll, WININET.dll, CRYPT32.dll, WS2_32.dll, server.dll, ntdll.dll, @.dat

**File Access (Unicode)**

USER32.DLL, kernel32.dll, mscoree.dll, Temp

**Words of Interest**

Encrypt, Decrypt, attrib, start

**URLs (Unicode)**

https://100.68.20.103:443/BVPdzYtqp_gCfwN9ZZNm_ge5GXsglcVL0mfGMyAcp9zY5WHmdEKqx6_FffVM-gmr9xzcmSEuu7mmrXqpzPfYkOeK9LxNRvae8UNhu6nXHL_-gYa6DUqInD_L8t1/

**IP Addresses**

100.68.20.103
**Strings/Hex Code Found With The File Rules**

| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Hex | Hex Pattern | SYSCALL (SYSCALL - 4C8BD1B8) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Unicode | Encryption (Microsoft Enhanced Cryptographic Provider v1.0) |
| Text | Unicode | Encryption (Microsoft Enhanced RSA and AES Cryptographic Provider) |
| Text | Ascii | Encryption API (CryptAcquireContext) |
| Text | Ascii | Encryption API (CryptDecrypt) |
| Text | Ascii | Encryption API (CryptReleaseContext) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Anti-Analysis VM (CreateToolhelp32Snapshot) |
| Text | Ascii | Stealth (ExitThread) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Stealth (CreateRemoteThread) |
| Text | Ascii | Execution (ResumeThread) |
| Text | Ascii | Execution (CreateEventW) |
| Text | Unicode | Privileges (SeDebugPrivilege) |
| Text | Unicode | Privileges (SeSecurityPrivilege) |
| Hex | Hex Pattern | Metasploit (Header PE MZARUH - 4D5A4152554889E54883EC204883E4F0E8) |
| Entry Point | Hex Pattern | MEW 10 packer v1.0 - Northfox |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 (DLL) |
**Intelligent Strings**

- kernel32.dll
- advapi32.dll
- ntdll.dll
- mscoree.dll
- USER32.DLL
- server.dll
- WS2_32.dll
- KERNEL32.dll
**Flow Anomalies**

| Offset | RVA | Section | Description |
|---|---|---|---|
| 8FB | N/A | .text | CALL QWORD PTR [RIP+0x21B8F] |
| 140A | N/A | .text | CALL QWORD PTR [RIP+0x21178] |
| 141A | N/A | .text | CALL QWORD PTR [RIP+0x21068] |
| 1444 | N/A | .text | CALL QWORD PTR [RIP+0x2102E] |
| 1465 | N/A | .text | CALL QWORD PTR [RIP+0x21015] |
| 146F | N/A | .text | CALL QWORD PTR [RIP+0x2112B] |
| 1482 | N/A | .text | CALL QWORD PTR [RIP+0x210F8] |
| 1490 | N/A | .text | CALL QWORD PTR [RIP+0x210FA] |
| 14F0 | N/A | .text | CALL QWORD PTR [RIP+0x210BA] |
| 14FE | N/A | .text | CALL QWORD PTR [RIP+0x21084] |
| 1525 | N/A | .text | CALL QWORD PTR [RIP+0x2107D] |
| 1556 | N/A | .text | CALL QWORD PTR [RIP+0x2101C] |
| 158F | N/A | .text | CALL QWORD PTR [RIP+0x21003] |
| 15B3 | N/A | .text | CALL QWORD PTR [RIP+0x20FDF] |
| 15D9 | N/A | .text | CALL QWORD PTR [RIP+0x20FB9] |
| 1602 | N/A | .text | CALL QWORD PTR [RIP+0x20F90] |
| 16AC | N/A | .text | CALL QWORD PTR [RIP+0x20EDE] |
| 16E8 | N/A | .text | CALL QWORD PTR [RIP+0x20EB2] |
| 16F6 | N/A | .text | CALL QWORD PTR [RIP+0x20EA4] |
| 21AE | N/A | .text | CALL QWORD PTR [RIP+0x2045C] |
| 21CE | N/A | .text | CALL QWORD PTR [RIP+0x203EC] |
| 2224 | N/A | .text | CALL QWORD PTR [RIP+0x2034E] |
| 2232 | N/A | .text | CALL QWORD PTR [RIP+0x20358] |
| 2261 | N/A | .text | CALL QWORD PTR [RIP+0x20331] |
| 226B | N/A | .text | CALL QWORD PTR [RIP+0x2031F] |
| 228D | N/A | .text | CALL QWORD PTR [RIP+0x20305] |
| 22AE | N/A | .text | CALL QWORD PTR [RIP+0x2032C] |
| 22BF | N/A | .text | CALL QWORD PTR [RIP+0x2032B] |
| 22F5 | N/A | .text | CALL QWORD PTR [RIP+0x202A5] |
| 231E | N/A | .text | CALL QWORD PTR [RIP+0x202C4] |
| 2324 | N/A | .text | CALL QWORD PTR [RIP+0x20266] |
| 235D | N/A | .text | CALL QWORD PTR [RIP+0x202A5] |
| 2368 | N/A | .text | CALL QWORD PTR [RIP+0x2028A] |
| 2371 | N/A | .text | CALL QWORD PTR [RIP+0x20229] |
| 2397 | N/A | .text | CALL QWORD PTR [RIP+0x20203] |
| 23A5 | N/A | .text | CALL QWORD PTR [RIP+0x2020D] |
| 23AD | N/A | .text | CALL QWORD PTR [RIP+0x20235] |
| 2422 | N/A | .text | CALL QWORD PTR [RIP+0x20168] |
| 2458 | N/A | .text | CALL QWORD PTR [RIP+0x201AA] |
| 2461 | N/A | .text | CALL QWORD PTR [RIP+0x20191] |
| 246C | N/A | .text | CALL QWORD PTR [RIP+0x2011E] |
| 2477 | N/A | .text | CALL QWORD PTR [RIP+0x20123] |
| 247F | N/A | .text | CALL QWORD PTR [RIP+0x20163] |
| 24F2 | N/A | .text | CALL QWORD PTR [RIP+0x200E0] |
| 2537 | N/A | .text | CALL QWORD PTR [RIP+0x20073] |
| 2546 | N/A | .text | CALL QWORD PTR [RIP+0x20044] |
| 2553 | N/A | .text | CALL QWORD PTR [RIP+0x2002F] |
| 2574 | N/A | .text | CALL QWORD PTR [RIP+0x2002E] |
| 2597 | N/A | .text | CALL QWORD PTR [RIP+0x1FFDB] |
| 25BD | N/A | .text | CALL QWORD PTR [RIP+0x1FFD5] |
| 25E4 | N/A | .text | CALL QWORD PTR [RIP+0x1FFAE] |
| 266E | N/A | .text | CALL QWORD PTR [RIP+0x1FF94] |
| 2678 | N/A | .text | CALL QWORD PTR [RIP+0x1FF82] |
| 2680 | N/A | .text | CALL QWORD PTR [RIP+0x1FF62] |
| 268A | N/A | .text | CALL QWORD PTR [RIP+0x1FF10] |
| 270C | N/A | .text | CALL QWORD PTR [RIP+0x1FF06] |
| 2716 | N/A | .text | CALL QWORD PTR [RIP+0x1FE74] |
| 2736 | N/A | .text | CALL QWORD PTR [RIP+0x1FEAC] |
| 2753 | N/A | .text | CALL QWORD PTR [RIP+0x1FE6F] |
| 276E | N/A | .text | CALL QWORD PTR [RIP+0x1FE54] |
| 277C | N/A | .text | CALL QWORD PTR [RIP+0x1FE0E] |
| 27D4 | N/A | .text | CALL QWORD PTR [RIP+0x1FE0E] |
| 27FA | N/A | .text | CALL QWORD PTR [RIP+0x1FDD0] |
| 280D | N/A | .text | CALL QWORD PTR [RIP+0x1FDBD] |
| 28B8 | N/A | .text | CALL QWORD PTR [RIP+0x1FCC2] |
| 28C6 | N/A | .text | CALL QWORD PTR [RIP+0x1FCC4] |
| 2903 | N/A | .text | CALL QWORD PTR [RIP+0x1FC6F] |
| 2911 | N/A | .text | CALL QWORD PTR [RIP+0x1FC79] |
| 2930 | N/A | .text | CALL QWORD PTR [RIP+0x1FC62] |
| 2958 | N/A | .text | CALL QWORD PTR [RIP+0x1FC1A] |
| 297F | N/A | .text | CALL QWORD PTR [RIP+0x1FC13] |
| 2A0F | N/A | .text | CALL QWORD PTR [RIP+0x1FB8B] |
| 2D70 | N/A | .text | CALL QWORD PTR [RIP+0x1FBCA] |
| 3723 | N/A | .text | CALL QWORD PTR [RIP+0x1F20F] |
| 37CC | N/A | .text | CALL QWORD PTR [RIP+0x1F16E] |
| 37D7 | N/A | .text | CALL QWORD PTR [RIP+0x1F163] |
| 3AFF | N/A | .text | CALL QWORD PTR [RIP+0x1EE3B] |
| 3B50 | N/A | .text | CALL QWORD PTR [RIP+0x1EDE2] |
| 3B5C | N/A | .text | CALL QWORD PTR [RIP+0x1EDD6] |
| 3C2C | N/A | .text | CALL QWORD PTR [RIP+0x1ED0E] |
| 3C3A | N/A | .text | CALL QWORD PTR [RIP+0x1ED00] |
| 3D7C | N/A | .text | CALL QWORD PTR [RIP+0x1EBBE] |
| 3D8B | N/A | .text | CALL QWORD PTR [RIP+0x1EBAF] |
| 3DB0 | N/A | .text | CALL QWORD PTR [RIP+0x1EB82] |
| 3DBA | N/A | .text | CALL QWORD PTR [RIP+0x1EB80] |
| 3E1C | N/A | .text | JMP QWORD PTR [RIP+0x1EB16] |
| 3EF1 | N/A | .text | CALL QWORD PTR [RIP+0x1EA41] |
| 4067 | N/A | .text | CALL QWORD PTR [RIP+0x1E8CB] |
| 4076 | N/A | .text | CALL QWORD PTR [RIP+0x1E8BC] |
| 40EA | N/A | .text | CALL QWORD PTR [RIP+0x1E850] |
| 4277 | N/A | .text | CALL QWORD PTR [RIP+0x1E36B] |
| 427D | N/A | .text | CALL QWORD PTR [RIP+0x1E30D] |
| 45A6 | N/A | .text | CALL QWORD PTR [RIP+0x1DFF4] |
| 46F3 | N/A | .text | CALL QWORD PTR [RIP+0x1E23F] |
| 46FE | N/A | .text | CALL QWORD PTR [RIP+0x1E234] |
| 4747 | N/A | .text | CALL QWORD PTR [RIP+0x1E1EB] |
| 4753 | N/A | .text | CALL QWORD PTR [RIP+0x1E1DF] |
| 4795 | N/A | .text | CALL QWORD PTR [RIP+0x1E19D] |
| 493C | N/A | .text | CALL QWORD PTR [RIP+0x1DFFE] |
| 494B | N/A | .text | CALL QWORD PTR [RIP+0x1DFEF] |
| 31800 | N/A | *Overlay* | F0FA8783E3000000F0B5A256803A09000553DDCD (ASCII: `...........V.:...S..`) |
**Extra Analysis**

| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 113419 | 2,7041% |
| Null Byte Code | 4038296 | 96,2805% |
© 2026 All rights reserved.