PESCAN.IO - Analysis Report Valid Code

File Structure:
Information:
Size: 529,00 KB
SHA-256 Hash: A9B045BBFAAA6D86731E1A38306F5731DC684994DB789F89D524F18540333478
SHA-1 Hash: F5EA316A450C8E73EE8236BC81E44A944279932E
MD5 Hash: A74EB163AD5ADE1D1CC23C1D2C27FCF6
Imphash: 295AB1F69E6BF3827F008B4BAEB119DE
MajorOSVersion: 4
CheckSum: 0008E0D8
EntryPoint (rva): 84000
SizeOfHeaders: 310
SizeOfImage: 89E90
ImageBase: 400000
Architecture: x86
ImportTable: 85000
Characteristics: 10F
TimeDateStamp: 56D4A437
Date: 29/02/2016 20:04:07
File Type: EXE
Number Of Sections: 7
ASLR: Disabled
Section Names: .text, .rdata, .data, .rsrc, .text, .idata, .rsrc
Number Of Executable Sections: 2
Subsystem: Windows GUI

Sections Info:
Section  Flags                               ROffset  RSize  VOffset  VSize
.text    60000020 (Executable)               400      5C000  1000     5BF81
.rdata   40000040                            5C400    1E000  5D000    1D47A
.data    C0000040 (Writeable)                7A400    2000   7B000    5944
.rsrc    40000040                            7C400    3000   81000    2EC0
.text    E0000020 (Executable) (Writeable)   7F400    400    84000    204
.idata   C2000040 (Writeable)                7F800    1C00   85000    1B5B
.rsrc    40000040                            81400    3000   87000    2E90

Description:
OriginalFilename: PuTTY
CompanyName: Simon Tatham
LegalCopyright: Copyright 1997-2016 Simon Tatham.
ProductName: PuTTY suite
FileVersion: Release 0.67
FileDescription: SSH, Telnet and Rlogin client
ProductVersion: Release 0.67
Language: English (United Kingdom) (ID=0x809)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point:
Section number 5 (.text) contains the Entry Point
Information -> EntryPoint (calculated) - 7F400
Code -> 606831404800FF1584D24500683A40480050FF15E4D245008D15474048006A006A006A00526A006A00FFD061E9BF10FDFF6B
PUSHAD
PUSH 0X484031
CALL DWORD PTR [0X45D284]
PUSH 0X48403A
PUSH EAX
CALL DWORD PTR [0X45D2E4]
LEA EDX, [0X484047]
PUSH 0
PUSH 0
PUSH 0
PUSH EDX
PUSH 0
PUSH 0
CALL EAX
POPAL
JMP 0XFFFD20F0
EP changed to another address -> (Address Of EntryPoint > Base Of Data)

Signatures:
CheckSum Integrity Problem:
Header: 581848
Calculated: 582088
Rich Signature Analyzer:
Code -> EDAFDDB3A9CEB3E0A9CEB3E0A9CEB3E0BAC6DAE0ABCEB3E0ACC2D3E0ABCEB3E0ACC2BCE0B2CEB3E0BAC6EEE0ABCEB3E053EDAAE0ADCEB3E02AC6EEE0B8CEB3E0A9CEB2E097CFB3E0ACC2ECE06FCEB3E045C5EDE0A8CEB3E0ACC2E9E0A8CEB3E052696368A9CEB3E0
Footprint md5 Hash -> F2F03AE079DC98074A9DB3DB07624C54
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Duplicate Sections:
Section .text appears 2 times
Section .rsrc appears 2 times

Packer/Compiler:
Compiler: Microsoft Visual C++
Compiler: Microsoft Visual C++ 6-8
Compiler: Microsoft Visual C++ 6 DLL
Detect It Easy (die)
PE: linker: Microsoft Linker(7.10)[EXE32]
Entropy: 6.6633

Suspicious Functions:
Library       Function          Description
KERNEL32.DLL  CreateMutexA      Creates a named or unnamed mutex object for controlling access to a shared resource.
KERNEL32.DLL  GetModuleFileNameA  Retrieves the fully qualified path for the executable file of a specified module.
KERNEL32.DLL  VirtualAlloc      Reserves, commits, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL  GetModuleHandleA  Retrieves a handle to the specified module.
KERNEL32.DLL  WriteFile         Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL  LoadLibraryA      Loads the specified module into the address space of the calling process.
KERNEL32.DLL  GetProcAddress    Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL  CreateFileA       Creates or opens a file or I/O device.
KERNEL32.DLL  DeleteFileA       Deletes an existing file.
Ws2_32.DLL    socket            Creates a communication endpoint for networking applications.
Ws2_32.DLL    connect           Establishes a connection to a specified socket.
ADVAPI32.DLL  RegCreateKeyExA   Creates a new registry key or opens an existing one.
ADVAPI32.DLL  RegDeleteKeyA     Deletes a subkey and its values from the Windows registry.
ADVAPI32.DLL  RegSetValueExA    Sets the data and type of a specified value under a registry key.
ADVAPI32.DLL  RegDeleteValueA   Removes a named value from the specified registry key. Note that value names are not case sensitive.
SHELL32.DLL   ShellExecuteA     Performs a run operation on a specific file.
Windows REG:
SOFTWARE\MIT\Kerberos
Software\SimonTatham\PuTTY\Sessions
Software\SimonTatham\PuTTY\Jumplist
Software\SimonTatham\PuTTY\SshHostKeys
Software\SimonTatham\PuTTY
Software\SimonTatham

File Access:
PuTTYgen.exe
Pageant.exe
KERNEL32.dll
WINMM.dll
USER32.dll
SHELL32.dll
ole32.dll
IMM32.dll
GDI32.dll
comdlg32.dll
COMCTL32.dll
ADVAPI32.dll
mscoree.dll
ws2_32.dll
wsock32.dll
wship6.dll
\bin\gssapi32.dll
Using GSSAPI from GSSAPI32.DLL
secur32.dll
Using SSPI from SECUR32.DLL
MIT Kerberos GSSAPI32.DLL
Microsoft SSPI SECUR32.DLL
crypt32.dll
*.dll
Dynamic Library Files (*.dll
window.scr
colours.sys
Temp

SQL Queries:
Select a colour from the list, and then click the Modify button to change its appearance.

Words of Interest:
Encrypt
Decrypt
Encryption
PassWord
exec
attrib
start
cipher
hostname
sdelete
shutdown
systeminfo
ping
route

URLs:
http://www.chiark.greenend.org.uk/~sgtatham/putty/
http://schemas.microsoft.com/SMI/2005/WindowsSettings

Payloads:
Possible Metasploit Payload - MSFPayload Generate (Detection with heuristic methods)

Emails:
enabledauth-agent@openssh.com
auth-agent-req@openssh.com
winadj@putty.projects.tartarus.org
simple@putty.projects.tartarus.org
des-cbc@ssh.comsingle-DES
zlib@openssh.com
putty@projects.tartarus.org

Strings/Hex Code Found With The File Rules:
Rule Text (Ascii): WinAPI Sockets (WSACleanup)
Rule Text (Ascii): WinAPI Sockets (bind)
Rule Text (Ascii): WinAPI Sockets (listen)
Rule Text (Ascii): WinAPI Sockets (accept)
Rule Text (Ascii): WinAPI Sockets (connect)
Rule Text (Ascii): WinAPI Sockets (recv)
Rule Text (Ascii): WinAPI Sockets (send)
Rule Text (Ascii): Registry (RegCreateKeyEx)
Rule Text (Ascii): Registry (RegSetValueEx)
Rule Text (Ascii): File (CreateFile)
Rule Text (Ascii): File (WriteFile)
Rule Text (Ascii): File (ReadFile)
Rule Text (Ascii): Encryption (Blowfish)
Rule Text (Ascii): Encryption API (CryptAcquireContext)
Rule Text (Ascii): Encryption API (CryptReleaseContext)
Rule Text (Ascii): Anti-Analysis VM (GetSystemInfo)
Rule Text (Ascii): Anti-Analysis VM (GetVersion)
Rule Text (Ascii): Stealth (VirtualAlloc)
Rule Text (Ascii): Stealth (VirtualProtect)
Rule Text (Ascii): Execution (CreateProcessA)
Rule Text (Ascii): Execution (ShellExecute)
Rule Text (Ascii): Antivirus Software (gdata)
Rule Text (Ascii): Keyboard Key (Alt+)
Rule Text (Ascii): Keyboard Key (Scroll)
Rule Text (Ascii): Keyboard Key (CapsLock)
Rule Text (Ascii): Keyboard Key (Backspace)
Rule Text (Ascii): Information used to authenticate a user's identity (Credential)
Rule Text (Ascii): Information used for user authentication (Credential)
Rule Text (Ascii): Technique used to circumvent security measures (Bypass)
EP Rules: Microsoft Visual C++ 8
EP Rules: Microsoft Visual C++ 8.0

Resources:
Path DataRVA Size FileOffset CodeText
\ICON\1\1033 87448 128 81848 2800000010000000200000000100040000000000800000000000000000000000000000000000000000000000000080000080(....... .........................................
\ICON\2\1033 87570 2E8 81970 2800000020000000400000000100040000000000000200000000000000000000000000000000000000000000000080000080(... ...@.........................................
\ICON\3\1033 87858 668 81C58 2800000030000000600000000100040000000000800400000000000000000000000000000000000000000000000080000080(...0............................................
\ICON\4\1033 87EC0 B0 822C0 2800000010000000200000000100010000000000400000000000000000000000000000000000000000000000FFFFFF000000(....... ...........@.............................
\ICON\5\1033 87F70 130 82370 2800000020000000400000000100010000000000800000000000000000000000000000000000000000000000FFFFFF000000(... ...@.........................................
\ICON\6\1033 880A0 330 824A0 2800000030000000600000000100010000000000800100000000000000000000000000000000000000000000FFFFFF000000(...0............................................
\ICON\7\1033 883D0 128 827D0 2800000010000000200000000100040000000000800000000000000000000000000000000000000000000000000080000080(....... .........................................
\ICON\8\1033 884F8 2E8 828F8 2800000020000000400000000100040000000000000200000000000000000000000000000000000000000000000080000080(... ...@.........................................
\ICON\9\1033 887E0 668 82BE0 2800000030000000600000000100040000000000800400000000000000000000000000000000000000000000000080000080(...0............................................
\ICON\10\1033 88E48 B0 83248 2800000010000000200000000100010000000000400000000000000000000000000000000000000000000000FFFFFF000000(....... ...........@.............................
\ICON\11\1033 88EF8 130 832F8 2800000020000000400000000100010000000000800000000000000000000000000000000000000000000000FFFFFF000000(... ...@.........................................
\ICON\12\1033 89028 330 83428 2800000030000000600000000100010000000000800100000000000000000000000000000000000000000000FFFFFF000000(...0............................................
\DIALOG\102\1033 89358 76 83758 C000C880000000000000000000002C01FC0000005000750054005400590043006F006E0066006900670042006F0078000000..............,.....P.u.T.T.Y.C.o.n.f.i.g.B.o.x...
\DIALOG\110\1033 893CE BA 837CE C000C880000000000300640014002C017700000000005000750054005400590020004500760065006E00740020004C006F00..........d...,.w.....P.u.T.T.Y. .E.v.e.n.t. .L.o.
\DIALOG\111\1033 89488 FA 83888 C000C8800000000004008C002800D6004A0000000000410062006F0075007400200050007500540054005900000008004D00............(...J.....A.b.o.u.t. .P.u.T.T.Y.....M.
\DIALOG\113\1033 89582 8A 83982 C000C880000000000200320032004601E700000000005000750054005400590020004C006900630065006E00630065000000..........2.2.F.......P.u.T.T.Y. .L.i.c.e.n.c.e...
\GROUP_ICON\200\1033 8960C 5A 83A0C 00000100060010101000010004002801000001002020100001000400E8020000020030301000010004006806000003001010020001000100B0000000040020200200010001003001000005003030020001000100300300000600..............(..... ............00......h................... ......0.....00......0.....
\GROUP_ICON\201\1033 89666 5A 83A66 00000100060010101000010004002801000007002020100001000400E8020000080030301000010004006806000009001010020001000100B00000000A002020020001000100300100000B003030020001000100300300000C00..............(..... ............00......h................... ......0.....00......0.....
\VERSION\1\1033 896C0 2FC 83AC0 FC0234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001004300..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............C.
\24\1\1033 899BC 4D4 83DBC 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279<?xml version="1.0" encoding="UTF-8" standalone="y
Intelligent String:
• xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
• SSH, Telnet and Rlogin client
• -rlogin-telnet-ssh
• Options controlling SSH connectionsLocal username:rlogin.localuser:config-rlogin-localuser
• Connection/Rlogin
• Options controlling Rlogin connections
• Auto-login usernameconnection.username:config-usernamelogin
• Login details
• Rlogin
• (IPv6) (IPv4)rlogin
• rlogin username:
• Rlogin login name
• ScrollbarOnLeftLoginShell
• SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ
• Agent forwarding is not enabledauth-agent@openssh.com
• auth-agent-req@openssh.com
• Key refusedlogin as:
• SSH login name
• winadj@putty.projects.tartarus.org
• (core dumped)
• simple@putty.projects.tartarus.org
• zlib@openssh.com
• Courier Newputty.log
• user32.dll
• HL.FIG
• \bin\gssapi32.dll
• hhctrl.ocx
• putty.chm
• putty.cnt
• putty.hlp
• Pageant.exePuTTYgen.exe
• wship6.dll
• wsock32.dll
• ws2_32.dll
• advapi32.dll
• strncmp(pipename, "\\\\.\\pipe\\", 9) == 0
• \\.\pipe\putty-connshare
• \PUTTY.RND
• COMCTL32.dll
• comdlg32.dll
• WINSPOOL.DRV
• KERNEL32.dll
• ADVAPI32.dll

Flow Anomalies:
Offset RVA Section Description
D1B6 ?? .text CALL DWORD PTR [ECX -17h] | Displacement form
Extra Analysis:
Metric          Value   Percentage
Ascii Code      334709  61,7891%
Null Byte Code  86850   16,033%