PESCAN.IO - Analysis Report

PESCAN.IO - Analysis Report Valid Code

File Structure:
PE chart code: - The executable header is displayed in light blue. - The executable sections are pink. - Non-executable sections are black. - Code added to executables externally to a compiler appears in red. Chart code for other files: - Printable characters are blue. - Non-printable characters (Null Bytes) are black.

Information:

Icon:

Size: 1,68 MB
SHA-256 Hash: A2706B773B93AEF6FED4F0937F9B2D790C17575779DF7DC5221322FB8979E2FB
SHA-1 Hash: 98E33DFAA9F6CB93168E665076491131717261D8
MD5 Hash: A16940D8C3A85D6583AA5428B3210852
Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744
MajorOSVersion: 4
CheckSum: 00000000
EntryPoint (rva): 16D22E
SizeOfHeaders: 200
SizeOfImage: 1B4000
ImageBase: 400000
Architecture: x86
ImportTable: 16D1E0
Characteristics: 10E
TimeDateStamp: 67C05859
Date: 27/02/2025 12:19:37
File Type: EXE
Number Of Sections: 3
ASLR: Disabled
Section Names: .text, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info:

Section Name	Flags	ROffset	RSize	VOffset	VSize
.text	60000020 (Executable)	200	16B400	2000	16B234
.rsrc	C0000040 (Writeable)	16B600	43000	16E000	42E78
.reloc	42000040	1AE600	200	1B2000	C

Description:

InternalName: palm pc.exe
OriginalFilename: palm pc.exe
LegalCopyright: Copyright 2025
ProductName: palm pc
FileVersion: 1.0.0.0

Entry Point:

The section number (1) - (.text) have the Entry Point
Information -> EntryPoint (calculated) - 16B42E
Code -> FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
• JMP DWORD PTR [0X402000]
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL

Signatures:

Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:

Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
• AnyCPU: False
• Version: v2.0
--------> Agile .NET Obfuscator
Compiler: Microsoft Visual Studio
Detect It Easy (die)
• PE: Protector: Eziriz .NET Reactor(6.x.x.x)[By Dr.FarFar]
• PE: library: .NET(v2.0.50727)[-]
• PE: compiler: VB.NET(-)[-]
• PE: linker: Microsoft Linker(6.0)[EXE32]
• Entropy: 7.81077

Suspicious Functions:

Library	Function	Description
KERNEL32.DLL	GetProcAddress	Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).

File Access:

palm pc.exe
mscoree.dll
OUWnblDhZm8JYpFuEf.vbs
Temp

File Access (UNICODE):

32.dll
palm pc.exe
KOUWnblDhZm8JYpFuEf.vbs

Interest's Words:

Encrypt
Decrypt
exec
attrib
start
cipher
replace

IP Addresses:

10.0.0.0
10.0.0.0

Strings/Hex Code Found With The File Rules:

• Rule Text (Unicode): Encryption (AesCryptoServiceProvider)
• Rule Text (Ascii): Encryption (CipherMode)
• Rule Text (Ascii): Encryption (CreateDecryptor)
• Rule Text (Ascii): Encryption (CryptoStream)
• Rule Text (Ascii): Encryption (CryptoStreamMode)
• Rule Text (Ascii): Encryption (FromBase64String)
• Rule Text (Ascii): Encryption (ICryptoTransform)
• Rule Text (Ascii): Encryption (MD5CryptoServiceProvider)
• Rule Text (Ascii): Encryption (Rijndael)
• Rule Text (Ascii): Encryption (RijndaelManaged)
• Rule Text (Ascii): Encryption (ToBase64String)
• Rule Text (Ascii): Keyboard Key (Scroll)
• Rule Text (Ascii): Technique used to make malicious code harder to analyze (Obfuscation)
• Rule Text (Ascii): Malware that monitors and collects user data (Spy)
• EP Rules: Microsoft Visual C / Basic .NET
• EP Rules: Microsoft Visual C++ 8
• EP Rules: Microsoft Visual C++ 8.0
• EP Rules: Microsoft Visual C v7.0 / Basic .NET
• EP Rules: Microsoft Visual Studio .NET
• EP Rules: .NET executable
• EP Rules: TrueVision Targa Graphics format

Resources:

Path	DataRVA	Size	FileOffset	Code	Text
\ICON\2\0	16E2B0	1AEF6	16B8B0	89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A866000000097048597300000EC300000EC301	.PNG........IHDR.............\r.f....pHYs.........
\ICON\3\0	1891A8	10828	1867A8	2800000080000000000100000100200000000000000001000000000000000000000000000000000000000000000000000000	(............. ...................................
\ICON\4\0	1999D0	94A8	196FD0	2800000060000000C00000000100200000000000009000000000000000000000000000000000000000000000000000000000	(............ ...................................
\ICON\5\0	1A2E78	5488	1A0478	2800000048000000900000000100200000000000605400000000000000000000000000000000000000000000000000000000	(...H......... .....T............................
\ICON\6\0	1A8300	4228	1A5900	2800000040000000800000000100200000000000004000000000000000000000000000000000000000000000000000000000	(...@......... ......@............................
\ICON\7\0	1AC528	25A8	1A9B28	2800000030000000600000000100200000000000002400000000000000000000000000000000000000000000000000000000	(...0........ ......$............................
\ICON\8\0	1AEAD0	10A8	1AC0D0	2800000020000000400000000100200000000000001000000000000000000000000000000000000000000000000000000000	(... ...@..... ...................................
\ICON\9\0	1AFB78	988	1AD178	2800000018000000300000000100200000000000600900000000000000000000000000000000000000000000000000000000	(.......0..... ..................................
\ICON\10\0	1B0500	468	1ADB00	2800000010000000200000000100200000000000000400000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\GROUP_ICON\32512\0	1B0968	84	1ADF68	0000010009000000000001002000F6AE0100020080800000010020002808010003006060000001002000A894000004004848	............ ............. .(......... .......HH
\VERSION\1\0	1B09EC	2A0	1ADFEC	A00234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000	..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\0	1B0C8C	1EA	1AE28C	EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65	...<?xml version="1.0" encoding="UTF-8" standalone

Intelligent String:

• 1.0.0.0
• palm pc.exe
• 32.dll
• $.Uly
• palm pc.pdb
• _CorExeMainmscoree.dll

Extra 4n4lysis:

Metric	Value	Percentage
Ascii Code	1140943	64,704%
Null Byte Code	95372	5,4086%

PESCAN.IO - Analysis Report Valid Code