PESCAN.IO - Analysis Report Valid Code

Information:
Size: 1,68 MB
SHA-256 Hash: A2706B773B93AEF6FED4F0937F9B2D790C17575779DF7DC5221322FB8979E2FB
SHA-1 Hash: 98E33DFAA9F6CB93168E665076491131717261D8
MD5 Hash: A16940D8C3A85D6583AA5428B3210852
Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744
MajorOSVersion: 4
CheckSum: 00000000
EntryPoint (rva): 16D22E
SizeOfHeaders: 200
SizeOfImage: 1B4000
ImageBase: 400000
Architecture: x86
ImportTable: 16D1E0
Characteristics: 10E
TimeDateStamp: 67C05859
Date: 27/02/2025 12:19:37
File Type: EXE
Number Of Sections: 3
ASLR: Disabled
Section Names: .text, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info:
Section Name  Flags                  ROffset  RSize   VOffset  VSize
.text         60000020 (Executable)  200      16B400  2000     16B234
.rsrc         C0000040 (Writeable)   16B600   43000   16E000   42E78
.reloc        42000040               1AE600   200     1B2000   C

Description:
InternalName: palm pc.exe
OriginalFilename: palm pc.exe
LegalCopyright: Copyright 2025
ProductName: palm pc
FileVersion: 1.0.0.0

Entry Point:
Section number 1 (.text) contains the Entry Point
Information -> EntryPoint (calculated) - 16B42E
Code -> FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
JMP DWORD PTR [0X402000]
ADD BYTE PTR [EAX], AL (repeated 22 times)

Signatures:
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:
Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
AnyCPU: False
Version: v2.0
--------> Agile .NET Obfuscator
Compiler: Microsoft Visual Studio
Detect It Easy (die)
PE: Protector: Eziriz .NET Reactor(6.x.x.x)[By Dr.FarFar]
PE: library: .NET(v2.0.50727)[-]
PE: compiler: VB.NET(-)[-]
PE: linker: Microsoft Linker(6.0)[EXE32]
Entropy: 7.81077

Suspicious Functions:
Library       Function        Description
KERNEL32.DLL  GetProcAddress  Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).

File Access:
palm pc.exe
mscoree.dll
OUWnblDhZm8JYpFuEf.vbs
Temp

File Access (UNICODE):
32.dll
palm pc.exe
KOUWnblDhZm8JYpFuEf.vbs

Interesting Words:
Encrypt
Decrypt
exec
attrib
start
cipher
replace

IP Addresses:
10.0.0.0
10.0.0.0

Strings/Hex Code Found With The File Rules:
Rule Text (Unicode): Encryption (AesCryptoServiceProvider)
Rule Text (Ascii): Encryption (CipherMode)
Rule Text (Ascii): Encryption (CreateDecryptor)
Rule Text (Ascii): Encryption (CryptoStream)
Rule Text (Ascii): Encryption (CryptoStreamMode)
Rule Text (Ascii): Encryption (FromBase64String)
Rule Text (Ascii): Encryption (ICryptoTransform)
Rule Text (Ascii): Encryption (MD5CryptoServiceProvider)
Rule Text (Ascii): Encryption (Rijndael)
Rule Text (Ascii): Encryption (RijndaelManaged)
Rule Text (Ascii): Encryption (ToBase64String)
Rule Text (Ascii): Keyboard Key (Scroll)
Rule Text (Ascii): Technique used to make malicious code harder to analyze (Obfuscation)
Rule Text (Ascii): Malware that monitors and collects user data (Spy)
EP Rules: Microsoft Visual C / Basic .NET
EP Rules: Microsoft Visual C++ 8
EP Rules: Microsoft Visual C++ 8.0
EP Rules: Microsoft Visual C v7.0 / Basic .NET
EP Rules: Microsoft Visual Studio .NET
EP Rules: .NET executable
EP Rules: TrueVision Targa Graphics format

Resources:
Path                 DataRVA  Size   FileOffset
\ICON\2\0            16E2B0   1AEF6  16B8B0
\ICON\3\0            1891A8   10828  1867A8
\ICON\4\0            1999D0   94A8   196FD0
\ICON\5\0            1A2E78   5488   1A0478
\ICON\6\0            1A8300   4228   1A5900
\ICON\7\0            1AC528   25A8   1A9B28
\ICON\8\0            1AEAD0   10A8   1AC0D0
\ICON\9\0            1AFB78   988    1AD178
\ICON\10\0           1B0500   468    1ADB00
\GROUP_ICON\32512\0  1B0968   84     1ADF68
\VERSION\1\0         1B09EC   2A0    1ADFEC
\24\1\0              1B0C8C   1EA    1AE28C

Intelligent String:
• 1.0.0.0
• palm pc.exe
• 32.dll
• $.Uly
• palm pc.pdb
• _CorExeMainmscoree.dll

Extra Analysis:
Metric          Value    Percentage
Ascii Code      1140943  64,704%
Null Byte Code  95372    5,4086%