PESCAN.IO - Analysis Report Valid Code

File Structure:
(file-structure image not reproduced)
Information:
Size: 1,03 MB
SHA-256 Hash: FE9CE5213926FE31B6D7F6F9411ECBAD6E088F122B2D33D4CEB54410CCF8182F
SHA-1 Hash: 40EAEAD549DD070BEB25E79206F1D5252A481A58
MD5 Hash: A97BD3C5D045B8EDC01415E6024ED47D
Imphash: F89D971F855E5743DD4D1E73A5DA5699
MajorOSVersion: 6
CheckSum: 00000000
EntryPoint (rva): 8DD38
SizeOfHeaders: 400
SizeOfImage: 110000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: F6584
Characteristics: 22
TimeDateStamp: 67DB048D
Date: 19/03/2025 17:53:17
File Type: EXE
Number Of Sections: 7
ASLR: Disabled
Section Names (Optional Header): .text, .rdata, .data, .pdata, _RDATA, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info:
Section Name Flags ROffset RSize VOffset VSize
.text 60000020 (Executable) 400 CC800 1000 CC64E
.rdata 40000040 CCC00 29800 CE000 29742
.data C0000040 (Writeable) F6400 8400 F8000 A20C
.pdata 40000040 FE800 8200 103000 8058
_RDATA 40000040 106A00 200 10C000 15C
.rsrc 40000040 106C00 200 10D000 1E0
.reloc 42000040 106E00 1400 10E000 138C
Entry Point:
Section 1 (.text) contains the entry point.
Information -> EntryPoint file offset (calculated from RVA 8DD38 using the .text section: 8DD38 - 1000 + 400) - 8D138
Code -> 4883EC28E81B0800004883C428E97AFEFFFFCCCC4883EC284D8B4138488BCA498BD1E80D000000B8010000004883C428C3CC
SUB RSP, 0X28
CALL 0X1824
ADD RSP, 0X28
JMP 0XE8C
INT3
INT3
SUB RSP, 0X28
MOV R8, QWORD PTR [R9 + 0X38]
MOV RCX, RDX
MOV RDX, R9
CALL 0X1034
MOV EAX, 1
ADD RSP, 0X28
RET
INT3
Note: the disassembler decoded this code at a nominal base of 0x1000, so the CALL 0x1824 and JMP 0xE8C operands are relative to that base, not to the real entry RVA 8DD38; rebased onto the RVA, the call lands at 8E55C and the jump at 8DBC4. The first four instructions (SUB RSP,0x28 / CALL / ADD RSP,0x28 / JMP) are the stock MSVC x64 CRT entry stub (__security_init_cookie followed by a tail jump to __scrt_common_main_seh), which agrees with the Microsoft Linker result below; the sample's own code is reached through that JMP, not at the entry point itself.
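As an added worked example (not part of the PESCAN.IO report), the RVA-to-file-offset arithmetic behind the "calculated" entry point, using the section table above. The section values, entry RVA and import-table RVA are transcribed from the report; the helper names and the checks are illustration only.

```python
# Added example, not part of the PESCAN.IO report: reproduce the report's
# entry-point file offset (8D138) from the entry-point RVA (8DD38) and the
# section table, and check which section the entry point lands in.
from dataclasses import dataclass
from typing import List, Optional

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass(frozen=True)
class Section:
    name: str
    flags: int          # Characteristics
    raw_offset: int     # PointerToRawData ("ROffset" in the report)
    raw_size: int       # SizeOfRawData    ("RSize")
    virtual_addr: int   # VirtualAddress   ("VOffset", an RVA)
    virtual_size: int   # Misc.VirtualSize ("VSize")


# Section table transcribed from the report (all values are hex there).
SECTIONS: List[Section] = [
    Section(".text",  0x60000020, 0x000400, 0xCC800, 0x001000, 0xCC64E),
    Section(".rdata", 0x40000040, 0x0CCC00, 0x29800, 0x0CE000, 0x29742),
    Section(".data",  0xC0000040, 0x0F6400, 0x08400, 0x0F8000, 0x0A20C),
    Section(".pdata", 0x40000040, 0x0FE800, 0x08200, 0x103000, 0x08058),
    Section("_RDATA", 0x40000040, 0x106A00, 0x00200, 0x10C000, 0x0015C),
    Section(".rsrc",  0x40000040, 0x106C00, 0x00200, 0x10D000, 0x001E0),
    Section(".reloc", 0x42000040, 0x106E00, 0x01400, 0x10E000, 0x0138C),
]

ENTRY_POINT_RVA = 0x8DD38   # "EntryPoint (rva)" in the report
IMPORT_TABLE_RVA = 0xF6584  # "ImportTable" in the report (also an RVA)


def section_for_rva(rva: int, sections: List[Section] = SECTIONS) -> Optional[Section]:
    """Return the section whose mapped range covers `rva`, or None."""
    for s in sections:
        # The loader maps max(VirtualSize, SizeOfRawData) bytes per section
        # (rounded up to SectionAlignment, which is ignored here).
        span = max(s.virtual_size, s.raw_size)
        if s.virtual_addr <= rva < s.virtual_addr + span:
            return s
    return None


def rva_to_file_offset(rva: int, sections: List[Section] = SECTIONS) -> Optional[int]:
    """offset = PointerToRawData + (rva - VirtualAddress), if file bytes back it."""
    s = section_for_rva(rva, sections)
    if s is None:
        return None
    delta = rva - s.virtual_addr
    if delta >= s.raw_size:
        return None  # zero-filled tail: mapped in memory, not present in the file
    return s.raw_offset + delta


def executable_sections(sections: List[Section] = SECTIONS) -> List[Section]:
    return [s for s in sections if s.flags & IMAGE_SCN_MEM_EXECUTE]


def entry_point_report(rva: int = ENTRY_POINT_RVA, sections: List[Section] = SECTIONS) -> dict:
    """The checks a triage script makes on the entry point."""
    s = section_for_rva(rva, sections)
    return {
        "section": s.name if s else None,
        "file_offset": rva_to_file_offset(rva, sections),
        "in_executable_section": bool(s and s.flags & IMAGE_SCN_MEM_EXECUTE),
        # An entry point in a writable section or outside .text is a packer
        # tell; this sample shows neither.
        "in_writable_section": bool(s and s.flags & IMAGE_SCN_MEM_WRITE),
    }


if __name__ == "__main__":
    rep = entry_point_report()
    print(f"entry RVA {ENTRY_POINT_RVA:X} -> {rep['section']} @ file offset {rep['file_offset']:X}")
    imp = section_for_rva(IMPORT_TABLE_RVA)
    print(f"import table RVA {IMPORT_TABLE_RVA:X} -> {imp.name} @ file offset {rva_to_file_offset(IMPORT_TABLE_RVA):X}")
    print("executable sections:", [s.name for s in executable_sections()])
```

The import-table RVA F6584 is easy to misread next to the .data ROffset F6400; it is an RVA and resolves into .rdata (file offset F5184), which is where the MSVC linker normally places the import directory.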

Signatures:
Rich Signature Analyzer:
Code -> 0256FFA5463791F6463791F6463791F6525C92F7403791F6525C95F7553791F6525C94F7F33791F6525C97F7473791F6534895F7563791F6534892F74C3791F670B794F7453791F670B795F7513791F6534894F7223791F6525C90F7553791F6463790F6883791F670B798F74F3791F670B76EF6473791F670B793F7473791F652696368463791F6
Footprint md5 Hash -> E96D94C781840B2EA3AFDABF0992C081
• The Rich header apparently has not been modified
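As an added example (not PESCAN.IO code), a decoder for the Rich header bytes printed above. The hex dump is copied from the report; the layout it relies on is the documented one (a "DanS" marker and three zero pads, then comp.id/count pairs, all XORed with the key that follows the clear-text "Rich" marker). Entry names and the build summary are illustration.

```python
# Added example, not part of the PESCAN.IO report: decode the raw Rich header
# bytes the report prints. All dwords are little-endian and XORed with the key
# stored after the clear-text "Rich" marker.
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Hex dump copied from the "Rich Signature Analyzer" section above.
RICH_HEADER_HEX = (
    "0256FFA5463791F6463791F6463791F6525C92F7403791F6525C95F7553791F6"
    "525C94F7F33791F6525C97F7473791F6534895F7563791F6534892F74C3791F6"
    "70B794F7453791F670B795F7513791F6534894F7223791F6525C90F7553791F6"
    "463790F6883791F670B798F74F3791F670B76EF6473791F670B793F7473791F6"
    "52696368463791F6"
)

DANS = 0x536E6144  # b"DanS" read as a little-endian dword
RICH = 0x68636952  # b"Rich"


@dataclass(frozen=True)
class RichEntry:
    prod_id: int  # high 16 bits of comp.id: which tool (compiler, linker, masm, import lib, ...)
    build: int    # low 16 bits of comp.id: toolchain build number
    count: int    # how many objects that tool contributed


def decode_rich_header(blob: bytes) -> Tuple[int, List[RichEntry]]:
    """Validate the markers and return (xor_key, entries)."""
    if len(blob) % 4 or len(blob) < 6 * 4:
        raise ValueError("need whole dwords: DanS, 3 pads, Rich, key at minimum")
    dwords = list(struct.unpack("<%dI" % (len(blob) // 4), blob))
    if dwords[-2] != RICH:
        raise ValueError("missing clear-text 'Rich' marker")
    key = dwords[-1]
    body = [d ^ key for d in dwords[:-2]]
    if body[0] != DANS:
        raise ValueError("'DanS' does not decode with the stored key")
    if body[1:4] != [0, 0, 0]:
        raise ValueError("padding dwords are not zero after decoding")
    pairs = body[4:]
    if len(pairs) % 2:
        raise ValueError("comp.id/count dwords do not pair up")
    entries = [
        RichEntry(prod_id=cid >> 16, build=cid & 0xFFFF, count=cnt)
        for cid, cnt in zip(pairs[0::2], pairs[1::2])
    ]
    return key, entries


def toolchain_builds(entries: List[RichEntry]) -> List[int]:
    """Distinct non-zero build numbers (build 0 is the generic import-library entry)."""
    return sorted({e.build for e in entries if e.build})


if __name__ == "__main__":
    key, entries = decode_rich_header(bytes.fromhex(RICH_HEADER_HEX))
    print(f"xor key {key:08X}, {len(entries)} entries, builds {toolchain_builds(entries)}")
    for e in entries:
        print(f"  prod_id 0x{e.prod_id:04X} build {e.build:5d} count {e.count}")
```

On this dump the key decodes to F6913746 and the 14 entries span builds 27412, 32533 and 32822; the 32822 entries (including the linker entry, prod_id 0x0102, count 1) belong to the 19.37/14.37 toolset, which matches the Microsoft Linker 14.37 result DIE reports below, and older builds in the list are normal for statically linked runtime objects. Note the caveat: the key doubles as a checksum over the DOS header and the comp.ids, and that is what a "not modified" verdict rests on; the DOS header bytes are not in the report, so this block can only check markers and padding, not the checksum.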
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:
Detect It Easy (die)
PE+(64): compiler: Microsoft Visual C/C++(-)[-]
PE+(64): linker: Microsoft Linker(14.37**)[EXE64]
Entropy: 6.4406

Suspicious Functions:
Library Function Description
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL IsDebuggerPresent Determines if the calling process is being debugged by a user-mode debugger.
KERNEL32.DLL SleepEx Pauses the execution of the current thread, optionally allowing the thread to be awakened by a kernel object or upon expiration of a timeout.
Ws2_32.DLL socket Creates a socket (communication endpoint) for network I/O.
SHELL32.DLL ShellExecuteW Performs an operation (such as open or runas) on a specified file, i.e. launches a program or document.
File Access:
powershell.exe
RstrtMgr.DLL
WTSAPI32.dll
MPR.dll
SHLWAPI.dll
WS2_32.dll
OLEAUT32.dll
ole32.dll
SHELL32.dll
KERNEL32.dll
asio.sys
akira_readme.txt
?.txt
Temp

File Access (UNICODE):
kernel32.dll
mscoree.dll
wininit.exe
conhost.exe
smss.exe
csrss.exe
services.exe
winlogon.exe
LogonUI.exe
dwm.exe
lsass.exe
SearchUI.exe
sihost.exe
explorer.exe
cmd.exe
fontdrvhost.exe
spoolsv.exe
powershell.exe
Exec - powershell.exe
Temp

Words of Interest:
shadowcopy
Encrypt
Decrypt
Encryption
exec
powershell
attrib
start
cipher
shutdown
systeminfo
expand

Words of Interest (UNICODE):
Encrypt
Encryption
powershell
start

URLs:
https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion/d/8034649433-LMUXK

Strings/Hex Code Matched By File Rules:
Rule Text (Ascii): WinAPI Sockets (connect)
Rule Text (Ascii): File (GetTempPath)
Rule Text (Ascii): File (CreateFile)
Rule Text (Ascii): File (WriteFile)
Rule Text (Ascii): File (ReadFile)
Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent)
Rule Text (Ascii): Anti-Analysis VM (GetSystemInfo)
Rule Text (Ascii): Stealth (QueueUserAPC)
Rule Text (Ascii): Execution (ShellExecute)
Rule Text (Unicode): WMI execution (ROOT\CIMV2)
EP Rules: Microsoft Visual C++ 8.0 (DLL)
(This generic entry-point byte-pattern rule is the weakest signal in the report: the file is an EXE, not a DLL, and DIE identifies a Microsoft Linker 14.37 build. The MSVC CRT entry stub has looked the same across many compiler versions, so treat this as a false match on the shared prologue and rely on the DIE and Rich header results for the toolchain.)

Resources:
Path DataRVA Size FileOffset CodeText
\24\1\1033 10D060 17D 106C60 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779<?xml version='1.0' encoding='UTF-8' standalone='y
(Resource type 24 is RT_MANIFEST and language 1033 is en-US: this is the application manifest carrying the asInvoker requestedExecutionLevel reported above. The dump is truncated in the report.)
Intelligent String:
• .kdb
• kernel32.dll
• mscoree.dll
• powershell.exe
• $Recycle.Bin
• $RECYCLE.BIN
• .dll
• .lnk
• .exe
• need filter file error:.sys
• .msi
• spoolsv.exe
• fontdrvhost.exe
• cmd.exe
• explorer.exe
• sihost.exe
• SearchUI.exe
• lsass.exe
• dwm.exe
• LogonUI.exe
• winlogon.exe
• services.exe
• csrss.exe
• smss.exe
• conhost.exe
• wininit.exe
• powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
• .adb
• .arc
• .adp
• .adf
• .ade
• .btr
• .ask
• .alf
• .ora
• .ckp
• .cdb
• .cat
• .bdf
• .dad
• .cpd
• .cma
• .dbf
• .dbc
• .dbx
• .dbv
• .dbt
• .dbs
• .ddl
• .dcx
• .dct
• .dcb
• .dsk
• .dqy
• .eco
• .dxl
• .dsn
• .exb
• .edb
• .ecx
• .fmp
• .fic
• .fdb
• .fcd
• .fol
• .fpt
• .gwi
• .gdb
• .frm
• .idb
• .his
• .hdb
• .jet
• .itw
• .ihx
• .jtx
• .maf
• .lwx
• .lgc
• .mav
• .mas
• .mar
• .maq
• .mrg
• .mpd
• .mdf
• .mdb
• .ndf
• .myd
• .mwb
• .mud
• .nnt
• .nsf
• .oqy
• .odb
• .nyf
• .owc
• .orx
• .pnz
• .pdm
• .pdb
• .pan
• .rbf
• .qvd
• .qry
• .rsd
• .rpd
• .rod
• .sdb
• .scx
• .sbf
• .spq
• .sis
• .sdf
• .sdc
• .sql
• .tps
• .tmd
• .udl
• .udb
• .trm
• .trc
• .vpd
• .vis
• .usr
• .wrk
• .wdb
• .vvv
• .xld
• .xdb
• .adn
• .abx
• .abs
• .icg
• .hjt
• .maw
• .lut
• .icr
• .vhd
• .vdi
• .mdt
• .mdn
• .pvm
• .raw
• .vmx
• .vsv
• .bin
• .iso
• .tls
• .bss
• WS2_32.dll
• WTSAPI32.dll
• akira_readme.txt
• 2. Paste this link - https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion/d/8034649433-LMUXK .
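As an added example (not part of the PESCAN.IO report), detection logic for the shadow-copy deletion command recovered from the sample's strings (powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"), which also explains the "WMI execution (ROOT\CIMV2)" rule hit and the "Exec - powershell.exe" entry above. The events it runs over are constructed here for illustration; the process paths and parent names are assumptions, not artefacts from the report. It generalises beyond the exact string to the CIM cmdlet equivalents and the .Delete() method form.

```python
# Added example, not part of the PESCAN.IO report: flag shadow-copy deletion
# through WMI/CIM in process-creation events (Sysmon Event ID 1 / Security
# 4688 style), starting from the command line found in the sample.
import re
from dataclasses import dataclass
from typing import Dict, List

# Verbatim from the report's strings.
AKIRA_VSS_COMMAND = 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'


@dataclass(frozen=True)
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str


# Constructed events; paths and parent names are assumptions for illustration.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 AKIRA_VSS_COMMAND, r"C:\Users\Public\sample.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Select-Object ID,InstallDate"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe  -nop -c "gwmi  win32_shadowcopy | % { $_.Delete() }"',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c systeminfo",
                 r"C:\Windows\explorer.exe"),
]

# The WMI class the sample targets, the cmdlets (and their default aliases)
# that read it, and the ways an instance gets deleted. The CIM forms and the
# .Delete() method call go beyond the exact string in the report.
WMI_SHADOWCOPY = re.compile(r"win32_shadowcopy", re.I)
WMI_READ = re.compile(r"\b(get-wmiobject|gwmi|get-ciminstance|gcim)\b", re.I)
WMI_DELETE = re.compile(r"\b(remove-wmiobject|rwmi|remove-ciminstance|rcim)\b|\.delete\s*\(", re.I)


def normalize(command_line: str) -> str:
    """Collapse whitespace so padding does not break the word-boundary matches."""
    return re.sub(r"\s+", " ", command_line).strip()


def classify_shadowcopy_activity(ev: ProcessEvent) -> str:
    """'delete', 'enumerate' or 'none' for one process-creation event."""
    cmd = normalize(ev.command_line)
    if not WMI_SHADOWCOPY.search(cmd):
        return "none"
    if WMI_DELETE.search(cmd):
        return "delete"
    if WMI_READ.search(cmd):
        return "enumerate"
    return "none"


def detect_shadowcopy_deletion(events: List[ProcessEvent]) -> List[Dict[str, str]]:
    """One finding per event that deletes shadow copies through WMI/CIM."""
    findings = []
    for ev in events:
        if classify_shadowcopy_activity(ev) == "delete":
            findings.append({
                "parent": ev.parent_image,  # the process that launched the deletion
                "image": ev.image,
                "command_line": normalize(ev.command_line),
            })
    return findings


if __name__ == "__main__":
    for f in detect_shadowcopy_deletion(SAMPLE_EVENTS):
        print(f"[shadow copy deletion] parent={f['parent']} cmd={f['command_line']}")
```

Listing shadow copies alone is classified as "enumerate" rather than alerted on, because backup and monitoring tooling does that legitimately; the parent image is kept in each finding because the launching process (here, an unsigned executable outside the Windows directory) is what separates ransomware from an administrator cleaning up snapshots.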

Extra 4n4lysis:
Metric Value Percentage
Ascii Code 651619 60,2316%
Null Byte Code 176549 16,3191%