PREMIUM PESCAN.IO - Analysis Report

| File Structure |
(PE layout chart not included in this extraction. Chart legend: PE header in light blue, executable sections in pink, non-executable sections in black, external injected code in red; a file structure drawn in red indicates a malformed or corrupted header. For non-PE files: printable characters in blue, non-printable characters in black.)
| Information |
| Field | Value |
|---|---|
| Size | 135,98 KB |
| SHA-256 Hash | 3036746D9E62F29EC5A6CE8B44BB6BAC183ED8126FDAE3B64C01D86D2A27D428 |
| SHA-1 Hash | C64242F9CC1EA7AD03DA46B9F7E70437D8D5CBBB |
| MD5 Hash | AC433C7A0FEAFBF08AFEE01CF212EEA5 |
| Imphash | 4B776BD26F313F172A18C5EB16A5CD4D |
| MajorOSVersion | 4 |
| CheckSum | 000229EA |
| EntryPoint (RVA) | 13E0 |
| SizeOfHeaders | 600 |
| SizeOfImage | 26000 |
| ImageBase | 0000000140000000 |
| Architecture | x64 |
| ImportTable | 8000 |
| Characteristics | 26 |
| TimeDateStamp | 67D067A3 |
| Date | 11/03/2025 16:41:07 |
| File Type | DLL |
| Number Of Sections | 20 |
| ASLR | Disabled |
| Section Names (Optional Header) | .text, .data, .rdata, .pdata, .xdata, .bss, .idata, .CRT, .tls, .rsrc, .reloc, /4, /19, /31, /45, /57, /70, /81, /97, /113 |
| Number Of Executable Sections | 1 |
| Subsystem | Windows Console |
| UAC Execution Level Manifest | asInvoker |
| Sections Info |
| Section Name | Flags | ROffset (hex) | RSize (hex) | VOffset (hex) | VSize (hex) |
|---|---|---|---|---|---|
| .text | 0x60000060 Executable | 600 | 1C00 | 1000 | 1BA8 |
| .data | 0xC0000040 Writeable | 2200 | 200 | 3000 | A0 |
| .rdata | 0x40000040 | 2400 | C00 | 4000 | B90 |
| .pdata | 0x40000040 | 3000 | 400 | 5000 | 234 |
| .xdata | 0x40000040 | 3400 | 200 | 6000 | 1B8 |
| .bss | 0xC0000080 Writeable | 0 | 0 | 7000 | 180 |
| .idata | 0xC0000040 Writeable | 3600 | C00 | 8000 | A08 |
| .CRT | 0xC0000040 Writeable | 4200 | 200 | 9000 | 60 |
| .tls | 0xC0000040 Writeable | 4400 | 200 | A000 | 10 |
| .rsrc | 0x40000040 | 4600 | 600 | B000 | 4E8 |
| .reloc | 0x42000040 | 4C00 | 200 | C000 | 78 |
| /4 | 0x42000040 | 4E00 | 600 | D000 | 490 |
| /19 | 0x42000040 | 5400 | B400 | E000 | B224 |
| /31 | 0x42000040 | 10800 | 2200 | 1A000 | 2106 |
| /45 | 0x42000040 | 12A00 | 1E00 | 1D000 | 1DF3 |
| /57 | 0x42000040 | 14800 | A00 | 1F000 | 8F8 |
| /70 | 0x42000040 | 15200 | 400 | 20000 | 2D2 |
| /81 | 0x42000040 | 15600 | 1A00 | 21000 | 1815 |
| /97 | 0x42000040 | 17000 | 1400 | 23000 | 12F1 |
| /113 | 0x42000040 | 18400 | 200 | 25000 | 16E |
| Entry Point |
Section number 1 (.text) holds the entry point. EntryPoint (calculated): 9E0
Code: 4883EC28488B05C5300000C70000000000E88AFDFFFF90904883C428C30F1F00E92B1600009090909090909090909090488D
Assembler:
• SUB RSP, 0X28
• MOV RAX, QWORD PTR [RIP + 0X30C5]
• MOV DWORD PTR [RAX], 0
• CALL 0XDA0
• NOP
• NOP
• ADD RSP, 0X28
• RET
• NOP DWORD PTR [RAX]
• JMP 0X2650
• NOP (x11)
| Signatures |
| Certificate - Digital Signature Not Found: • The file is not signed |
| Packer/Compiler |
| Detect It Easy (die) • Entropy: 5.32056 |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
| SHELL32.DLL | ShellExecuteA | Performs a run operation on a specific file. |
| Windows REG |
| Rebuilt string - SOFTWARE\Policies\Microsoft\Windows\System |
| File Access |
• \Windows\System32\cmd.exe
• cmd.exe /c start Proxima.exe
• WININET.dll
• SHELL32.dll
• api-ms-win-crt-string-l1-1-0.dll
• api-ms-win-crt-stdio-l1-1-0.dll
• api-ms-win-crt-runtime-l1-1-0.dll
• api-ms-win-crt-private-l1-1-0.dll
• api-ms-win-crt-math-l1-1-0.dll
• api-ms-win-crt-heap-l1-1-0.dll
• api-ms-win-crt-filesystem-l1-1-0.dll
• api-ms-win-crt-environment-l1-1-0.dll
• KERNEL32.dll
• \$S1llyOwO\calc.bat
| Words of Interest |
• BotNet
• exec
• attrib
• start
• expand
| URLs |
| https://anonymfile.com/f/d1fa9be9-2399-4594-ba6e-44efd3609476 |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Execution (CreateProcessA) |
| Text | Ascii | Execution (ShellExecute) |
| Text | Ascii | Malicious code executed after exploiting a vulnerability (Payload) |
| Text | Ascii | Network of compromised computers controlled by an attacker (Botnet) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 (DLL) |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \24\1\0 | B058 | 48F | 4658 | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="UTF-8" standalone="y |
| Intelligent String |
• .bss
• .tls
• @.bss
• .CRT
• https://anonymfile.com/f/d1fa9be9-2399-4594-ba6e-44efd3609476
• C:\$S1llyOwO\calc.bat
• /c start Proxima.exe
• cmd.exe
• runas
• C:\$S1llyOwO
• /c "C:\$S1llyOwO\calc.bat"
• C:\Windows\System32\cmd.exe
• KERNEL32.dll
• api-ms-win-crt-environment-l1-1-0.dll
• api-ms-win-crt-filesystem-l1-1-0.dll
• api-ms-win-crt-heap-l1-1-0.dll
• api-ms-win-crt-math-l1-1-0.dll
• api-ms-win-crt-private-l1-1-0.dll
• api-ms-win-crt-runtime-l1-1-0.dll
• api-ms-win-crt-string-l1-1-0.dll
• WININET.dll
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 70912 | 50,9272% |
| Null Byte Code | 48200 | 34,616% |
| NOP Cave Found | 0x9090909090 (Block Count: 30) | 0,0539% |
© 2026 All rights reserved.