PESCAN.IO - Analysis Report Valid Code

File Structure: (analysis image not reproduced)
Information:
Icon: (image)
Size: 590,77 KB
SHA-256 Hash: 089E6ADC54E2946D88FDC9297DCE09E7B9D53AE9ED4A7BD7D940068DD6DFC92A
SHA-1 Hash: B9C8C65BEAD513E4C83CE7C3CF293A9B439E18C4
MD5 Hash: A0CA814730B7E9135683C8D6154B90DD
Imphash: 214DFB115B7E6022DD305EE96A6B0623
MajorOSVersion: 4
CheckSum: 00000000
EntryPoint (rva): 6FAD0
SizeOfHeaders: 1000
SizeOfImage: 94000
ImageBase: 400000
Architecture: x86
ImportTable: 8D000
Characteristics: 10E
TimeDateStamp: 5D1E21DD
Date: 04/07/2019 15:57:17
File Type: EXE
Number Of Sections: 5
ASLR: Disabled
Section Names: .bss, .data, .idata, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI

Sections Info:
Section  Flags                              ROffset  RSize  VOffset  VSize
.bss     C0000080 (Writeable)               0        0      1000     19A8
.data    E0000040 (Executable) (Writeable)  1000     8A000  3000     89670
.idata   C0000040 (Writeable)               8B000    1000   8D000    85B
.rsrc    40000040                           8C000    4000   8E000    341C
.reloc   42000040                           90000    2000   92000    125C

Description:
InternalName: Server.exe
OriginalFilename: Server.exe
CompanyName: Labeter 2005-2017
LegalCopyright: Proteug (C) OYu@bgCg)R0>
ProductName: TODO: <NTT>
FileVersion: 7, 10, 33, 380
Language: Chinese (People's Republic of China) (ID=0x804)
CodePage: Unknown (0x3A8)

Entry Point:
Section 2 (.data) contains the Entry Point
Information -> EntryPoint (calculated) - 6DAD0
Code -> 558BEC6AFF6868B84600684C51470064A100000000506489250000000083C4A45356578965E8FF15E8D14800A33C104000A1
PUSH EBP
MOV EBP, ESP
PUSH -1
PUSH 0X46B868
PUSH 0X47514C
MOV EAX, DWORD PTR FS:[0]
PUSH EAX
MOV DWORD PTR FS:[0], ESP
ADD ESP, -0X5C
PUSH EBX
PUSH ESI
PUSH EDI
MOV DWORD PTR [EBP - 0X18], ESP
CALL DWORD PTR [0X48D1E8]
MOV DWORD PTR [0X40103C], EAX
EP changed to another address -> (Address Of EntryPoint > Base Of Data)

Signatures:
Rich Signature Analyzer:
Code -> D613511A92723F4992723F4992723F49FD6D3B4990723F49E96E334993723F49A454344991723F49116E31499C723F49A4543549AA723F49517D624991723F4992723E49AA723F497A6D344991723F495574394993723F495269636892723F49
Footprint md5 Hash -> BE5AF8A304423ABD4169773F1825C312
• The Rich header apparently has not been modified
Certificate - Digital Signature:
• The file is signed but has been modified

Packer/Compiler:
Compiler: Microsoft Visual C++
Detect It Easy (die)
PE: compiler: EP:Microsoft Visual C/C++(5.0-6.0 (1720-9049))[EXE32]
PE: compiler: Microsoft Visual C/C++(6.0)[libcd]
PE: linker: Microsoft Linker(6.0*)[EXE32,signed]
PE: overlay: PDB 2.0 file link(-)[-]
Entropy: 6.37427

Suspicious Functions:
Library       Function            Description
KERNEL32.DLL  GetModuleFileNameA  Retrieves the fully qualified path for the executable file of a specified module.
KERNEL32.DLL  VirtualAlloc        Reserves, commits, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL  GetModuleHandleA    Retrieves a handle to the specified module.
KERNEL32.DLL  WriteFile           Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL  LoadLibraryA        Loads the specified module into the address space of the calling process.
KERNEL32.DLL  GetProcAddress      Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).

File Access:
MSVCRT.dll
KERNEL32.dll
user32.dll

File Access (UNICODE):
Server.exe

Words of Interest:
start
ping

URLs:
http://www.usertrust.com10
http://crl.usertrust.com/UTN-USERFirst-Object.crl
http://ocsp.usertrust.com
http://crl.verisign.com/pca3.crl
http://logo.verisign.com/vslogo.gif04
http://ocsp.verisign.com
http://csc3-2010-crl.verisign.com/CSC3-2010.crl
http://csc3-2010-aia.verisign.com/CSC3-2010.cer
http://crl.verisign.com/pca3-g5.crl
http://www.360.cn
https://www.verisign.com/cps0
https://www.verisign.com/rpa
https://www.verisign.com/rpa0
https://www.verisign.com/cps0*
https://www.verisign.com/rpa0

Strings/Hex Code Found With The File Rules:
Rule Text (Ascii): File (WriteFile)
Rule Text (Ascii): Anti-Analysis VM (GetVersion)
Rule Text (Ascii): Stealth (VirtualAlloc)
Rule Text (Ascii): Stealth (VirtualProtect)
EP Rules: Microsoft Visual C++ 5.0
EP Rules: Microsoft Visual C++

Resources:
Path DataRVA Size FileOffset CodeText
\ICON\1\2052 8E240 25A8 8C240 2800000030000000600000000100200000000000000000000000000000000000000000000000000000000000000000000000(...0........ ...................................
\GROUP_ICON\IDI_SERVER\2052 907E8 14 8E7E8 0000010001003030000001002000A82500000100......00.... ..%....
\VERSION\1\2052 90800 2F8 8E800 F80234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000A00..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............

Intelligent Strings:
• Server.exe
• .bss
• Object dump complete.
• File Error(%d) : Dumping objects ->
• dbgdel.cpp
• user32.dll
• KERNEL32.dll
• MSVCRT.dll

Flow Anomalies:
Offset RVA Section Description
1005-102C ?? .data Potential obfuscated jump sequence detected, count: 8
102D-1057 ?? .data Unusual BP Cave, count: 43
6A601-6A69F ?? .data Unusual BP Cave, count: 159
6A7CC-6A81F ?? .data Unusual BP Cave, count: 84
6A9AE-6AA1F ?? .data Unusual BP Cave, count: 114
6AB0D-6AB4F ?? .data Unusual BP Cave, count: 67
6AD44-6ADCF ?? .data Unusual BP Cave, count: 140
6AEE9-6AF2F ?? .data Unusual BP Cave, count: 71
6B051-6B09F ?? .data Unusual BP Cave, count: 79
6B12F-6B15F ?? .data Unusual BP Cave, count: 49
6B268-6B2AF ?? .data Unusual BP Cave, count: 72
6B3A9-6B3EF ?? .data Unusual BP Cave, count: 71
6B497-6B4BF ?? .data Unusual BP Cave, count: 41
6B623-6B67B ?? .data Unusual BP Cave, count: 89
77E1E-7A66F ?? .data Unusual BP Cave, count: 10322
92000 ?? *Overlay* 4E423130000000000C8A175D0E000000443A5CB4 | NB10.......]....D:\.

Extra 4n4lysis:
Metric Value Percentage
Ascii Code 296238 48,9695%
Null Byte Code 184250 30,4574%