PESCAN.IO - Analysis Report

Information:
Size: 4,24 MB
SHA-256 Hash: 25BD97305446A8F0EAA101753F7F9A812E04D5C6C76B8069033CB95611A73E66
SHA-1 Hash: B5B857F9E5086A0B79A891484CE46BFF31B58366
MD5 Hash: A684DFAD74D1920B65EB2AA3D74A0C1F
Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744
MajorOSVersion: 4
CheckSum: 00000000
EntryPoint (rva): 44200A
SizeOfHeaders: 400
SizeOfImage: 446000
ImageBase: 400000
Architecture: x86
ImportTable: 3FC2F8
Characteristics: 22
TimeDateStamp: A83E5124
Date: 12/06/2059 15:11:32
File Type: EXE
Number Of Sections: 5
ASLR: Disabled
Section Names (Optional Header): \>{58]d, .text, .rsrc, , .reloc
Number Of Executable Sections: 2
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info:
Section Name  Flags                              ROffset  RSize   VOffset  VSize
\>{58]d       E0000040 (Executable) (Writeable)  400      3F7800  2000     3F7640
.text         60000020 (Executable)              3F7C00   44A00   3FA000   448BC
.rsrc         40000040                           43C600   1E00    440000   1C0A
(empty)       60000020 (Executable)              43E400   200     442000   10
.reloc        42000040                           43E600   200     444000   C

Description:
InternalName: Combo Editor DarkChiper.exe
OriginalFilename: Combo Editor DarkChiper.exe
LegalCopyright: Copyright 2025
ProductName: Combo Editor DarkChiper
FileVersion: 1.0.0.0

Entry Point:
Section number 4 contains the Entry Point
Information -> EntryPoint (calculated) - 43E40A
Code -> FF25002084000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
JMP DWORD PTR [0X842000]
ADD BYTE PTR [EAX], AL
EP changed to another address -> (Address Of EntryPoint > Base Of Data)

Signatures:
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:
Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
AnyCPU: False
Version: v4.0
Detect It Easy (die)
PE: protector: Confuser(1.X)[-]
PE: library: .NET(v4.0.30319)[-]
PE: linker: Microsoft Linker(48.0)[EXE32]
Entropy: 7.94932

File Access:
Combo Editor DarkChiper.exe
kernel32.dll
mscoree.dll

File Access (UNICODE):
Combo Editor DarkChiper.exe

Interesting Words:
exec
attrib
start
setx

IP Addresses:
17.0.0.0
11.0.0.0

Strings/Hex Code Found With The File Rules:
Rule Text (Ascii): WinAPI Sockets (send)
Rule Text (Ascii): Stealth (VirtualProtect)
Rule Text (Ascii): Execution (ShellExecute)
EP Rules: Microsoft Visual C / Basic .NET
EP Rules: Microsoft Visual C++ 8
EP Rules: Microsoft Visual C++ 8.0

Resources:
Path DataRVA Size FileOffset CodeText
\ICON\1\0 440160 468 43C760 2800000010000000200000000100200000000000300400000000000000000000000000000000000000000000000000000000(....... ..... .....0.............................
\ICON\2\0 4405C8 10A8 43CBC8 2800000020000000400000000100200000000000801000000000000000000000000000000000000000000000000000000000(... ...@..... ...................................
\GROUP_ICON\32512\0 441670 22 43DC70 00000100020010100000010020006804000001002020000001002000A8100000020000008C0334000000560053005F005600............ .h..... .... ...........4...V.S._.V.
\VERSION\1\0 441694 38C 43DC94 8C0334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\0 441A20 1EA 43E020 EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65...<?xml version="1.0" encoding="UTF-8" standalone

Intelligent String:
• 1.0.0.0
• Combo Editor DarkChiper.exe
• _CorExeMainmscoree.dll

Extra Analysis:
Metric          Value    Percentage
Ascii Code      3025772  67,9902%
Null Byte Code  40139    0,9019%