PREMIUM PESCAN.IO - Analysis Report

Information
Size: 1,68 MB
SHA-256 Hash: A2706B773B93AEF6FED4F0937F9B2D790C17575779DF7DC5221322FB8979E2FB
SHA-1 Hash: 98E33DFAA9F6CB93168E665076491131717261D8
MD5 Hash: A16940D8C3A85D6583AA5428B3210852
Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744
MajorOSVersion: 4
CheckSum: 00000000
EntryPoint (rva): 16D22E
SizeOfHeaders: 200
SizeOfImage: 1B4000
ImageBase: 400000
Architecture: x86
ImportTable: 16D1E0
Characteristics: 10E
TimeDateStamp: 67C05859
Date: 27/02/2025 12:19:37
File Type: EXE
Number Of Sections: 3
ASLR: Disabled
Section Names: .text, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info
Section Name  Flags                  ROffset  RSize   VOffset  VSize
.text         60000020 (Executable)  200      16B400  2000     16B234
.rsrc         C0000040 (Writeable)   16B600   43000   16E000   42E78
.reloc        42000040               1AE600   200     1B2000   C

Description
InternalName: palm pc.exe
OriginalFilename: palm pc.exe
LegalCopyright: Copyright 2025
ProductName: palm pc
FileVersion: 1.0.0.0

Entry Point
Section number 1 (.text) contains the Entry Point
Information -> EntryPoint (calculated) - 16B42E
Code -> FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
JMP DWORD PTR [0X402000]
ADD BYTE PTR [EAX], AL (repeated 22 times)

Signatures
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
AnyCPU: False
Version: v2.0
--------> Agile .NET Obfuscator
Compiler: Microsoft Visual Studio
Detect It Easy (die)
PE: Protector: Eziriz .NET Reactor(6.x.x.x)[By Dr.FarFar]
PE: library: .NET(v2.0.50727)[-]
PE: compiler: VB.NET(-)[-]
PE: linker: Microsoft Linker(6.0)[EXE32]
Entropy: 7.81077

Suspicious Functions
Library       Function        Description
KERNEL32.DLL  GetProcAddress  Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).

File Access
palm pc.exe
mscoree.dll
OUWnblDhZm8JYpFuEf.vbs
Temp

File Access (UNICODE)
32.dll
palm pc.exe
KOUWnblDhZm8JYpFuEf.vbs

Words of Interest
Encrypt
Decrypt
exec
attrib
start
cipher
replace

IP Addresses
10.0.0.0

Strings/Hex Code Found With The File Rules
Rule Type    Encoding     Matched (Word)
Text         Unicode      Encryption (AesCryptoServiceProvider)
Text         Ascii        Encryption (CipherMode)
Text         Ascii        Encryption (CreateDecryptor)
Text         Ascii        Encryption (CryptoStream)
Text         Ascii        Encryption (CryptoStreamMode)
Text         Ascii        Encryption (FromBase64String)
Text         Ascii        Encryption (ICryptoTransform)
Text         Ascii        Encryption (MD5CryptoServiceProvider)
Text         Ascii        Encryption (Rijndael)
Text         Ascii        Encryption (RijndaelManaged)
Text         Ascii        Encryption (ToBase64String)
Text         Ascii        Keyboard Key (Scroll)
Text         Ascii        Technique used to make malicious code harder to analyze (Obfuscation)
Text         Ascii        Malware that monitors and collects user data (Spy)
Entry Point  Hex Pattern  Microsoft Visual C / Basic .NET
Entry Point  Hex Pattern  Microsoft Visual C++ 8
Entry Point  Hex Pattern  Microsoft Visual C++ 8.0
Entry Point  Hex Pattern  Microsoft Visual C v7.0 / Basic .NET
Entry Point  Hex Pattern  Microsoft Visual Studio .NET
Entry Point  Hex Pattern  .NET executable
Entry Point  Hex Pattern  TrueVision Targa Graphics format

Resources
Path                 DataRVA  Size   FileOffset
\ICON\2\0            16E2B0   1AEF6  16B8B0
\ICON\3\0            1891A8   10828  1867A8
\ICON\4\0            1999D0   94A8   196FD0
\ICON\5\0            1A2E78   5488   1A0478
\ICON\6\0            1A8300   4228   1A5900
\ICON\7\0            1AC528   25A8   1A9B28
\ICON\8\0            1AEAD0   10A8   1AC0D0
\ICON\9\0            1AFB78   988    1AD178
\ICON\10\0           1B0500   468    1ADB00
\GROUP_ICON\32512\0  1B0968   84     1ADF68
\VERSION\1\0         1B09EC   2A0    1ADFEC
\24\1\0              1B0C8C   1EA    1AE28C

Intelligent String
• 1.0.0.0
• palm pc.exe
• 32.dll
• $.Uly
• palm pc.pdb
• _CorExeMainmscoree.dll

Extra Analysis
Metric Value Percentage
Ascii Code 1140943 64,704%
Null Byte Code 95372 5,4086%