PESCAN.IO - Analysis Report

| File Structure |
| Information |
| Field | Value |
|---|---|
| Size | 135,98 KB |
| SHA-256 Hash | 3036746D9E62F29EC5A6CE8B44BB6BAC183ED8126FDAE3B64C01D86D2A27D428 |
| SHA-1 Hash | C64242F9CC1EA7AD03DA46B9F7E70437D8D5CBBB |
| MD5 Hash | AC433C7A0FEAFBF08AFEE01CF212EEA5 |
| Imphash | 4B776BD26F313F172A18C5EB16A5CD4D |
| MajorOSVersion | 4 |
| CheckSum | 000229EA |
| EntryPoint (rva) | 13E0 |
| SizeOfHeaders | 600 |
| SizeOfImage | 26000 |
| ImageBase | 0000000140000000 |
| Architecture | x64 |
| ImportTable | 8000 |
| Characteristics | 26 |
| TimeDateStamp | 67D067A3 |
| Date | 11/03/2025 16:41:07 |
| File Type | DLL |
| Number Of Sections | 20 |
| ASLR | Disabled |
| Section Names (Optional Header) | .text, .data, .rdata, .pdata, .xdata, .bss, .idata, .CRT, .tls, .rsrc, .reloc, /4, /19, /31, /45, /57, /70, /81, /97, /113 |
| Number Of Executable Sections | 1 |
| Subsystem | Windows Console |
| UAC Execution Level Manifest | asInvoker |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize |
|---|---|---|---|---|---|
| .text | 60000060 (Executable) | 600 | 1C00 | 1000 | 1BA8 |
| .data | C0000040 (Writeable) | 2200 | 200 | 3000 | A0 |
| .rdata | 40000040 | 2400 | C00 | 4000 | B90 |
| .pdata | 40000040 | 3000 | 400 | 5000 | 234 |
| .xdata | 40000040 | 3400 | 200 | 6000 | 1B8 |
| .bss | C0000080 (Writeable) | 0 | 0 | 7000 | 180 |
| .idata | C0000040 (Writeable) | 3600 | C00 | 8000 | A08 |
| .CRT | C0000040 (Writeable) | 4200 | 200 | 9000 | 60 |
| .tls | C0000040 (Writeable) | 4400 | 200 | A000 | 10 |
| .rsrc | 40000040 | 4600 | 600 | B000 | 4E8 |
| .reloc | 42000040 | 4C00 | 200 | C000 | 78 |
| /4 | 42000040 | 4E00 | 600 | D000 | 490 |
| /19 | 42000040 | 5400 | B400 | E000 | B224 |
| /31 | 42000040 | 10800 | 2200 | 1A000 | 2106 |
| /45 | 42000040 | 12A00 | 1E00 | 1D000 | 1DF3 |
| /57 | 42000040 | 14800 | A00 | 1F000 | 8F8 |
| /70 | 42000040 | 15200 | 400 | 20000 | 2D2 |
| /81 | 42000040 | 15600 | 1A00 | 21000 | 1815 |
| /97 | 42000040 | 17000 | 1400 | 23000 | 12F1 |
| /113 | 42000040 | 18400 | 200 | 25000 | 16E |
| Entry Point |
| Section 1 (.text) contains the entry point. EntryPoint (calculated): 9E0. Code: 4883EC28488B05C5300000C70000000000E88AFDFFFF90904883C428C30F1F00E92B1600009090909090909090909090488D |
| Bytes | Instruction |
|---|---|
| 4883EC28 | SUB RSP, 0X28 |
| 488B05C5300000 | MOV RAX, QWORD PTR [RIP + 0X30C5] |
| C70000000000 | MOV DWORD PTR [RAX], 0 |
| E88AFDFFFF | CALL 0XDA0 |
| 90 | NOP |
| 90 | NOP |
| 4883C428 | ADD RSP, 0X28 |
| C3 | RET |
| 0F1F00 | NOP DWORD PTR [RAX] |
| E92B160000 | JMP 0X2650 |
| 90 (x11) | NOP (x11) |
| 488D | (instruction truncated in the captured bytes) |
| Signatures |
| Certificate - Digital Signature Not Found: • The file is not signed |
| Packer/Compiler |
| Detect It Easy (die) • Entropy: 5.32056 |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
| SHELL32.DLL | ShellExecuteA | Performs a run operation on a specific file. |
| Windows REG |
| Rebuilt string - SOFTWARE\Policies\Microsoft\Windows\System |
| File Access |
| • \Windows\System32\cmd.exe • cmd.exe /c start Proxima.exe • WININET.dll • SHELL32.dll • api-ms-win-crt-string-l1-1-0.dll • api-ms-win-crt-stdio-l1-1-0.dll • api-ms-win-crt-runtime-l1-1-0.dll • api-ms-win-crt-private-l1-1-0.dll • api-ms-win-crt-math-l1-1-0.dll • api-ms-win-crt-heap-l1-1-0.dll • api-ms-win-crt-filesystem-l1-1-0.dll • api-ms-win-crt-environment-l1-1-0.dll • KERNEL32.dll • \$S1llyOwO\calc.bat |
| Interest's Words |
| BotNet exec attrib start expand |
| URLs |
| https://anonymfile.com/f/d1fa9be9-2399-4594-ba6e-44efd3609476 |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Execution (CreateProcessA) |
| Text | Ascii | Execution (ShellExecute) |
| Text | Ascii | Malicious code executed after exploiting a vulnerability (Payload) |
| Text | Ascii | Network of compromised computers controlled by an attacker (Botnet) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 (DLL) |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \24\1\0 | B058 | 48F | 4658 | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="UTF-8" standalone="y |
| Intelligent String |
| • .bss • .tls • @.bss • .CRT • https://anonymfile.com/f/d1fa9be9-2399-4594-ba6e-44efd3609476 • C:\$S1llyOwO\calc.bat • /c start Proxima.exe • cmd.exe • runas • C:\$S1llyOwO • /c "C:\$S1llyOwO\calc.bat" • C:\Windows\System32\cmd.exe • KERNEL32.dll • api-ms-win-crt-environment-l1-1-0.dll • api-ms-win-crt-filesystem-l1-1-0.dll • api-ms-win-crt-heap-l1-1-0.dll • api-ms-win-crt-math-l1-1-0.dll • api-ms-win-crt-private-l1-1-0.dll • api-ms-win-crt-runtime-l1-1-0.dll • api-ms-win-crt-string-l1-1-0.dll • WININET.dll |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 70912 | 50,9272% |
| Null Byte Code | 48200 | 34,616% |
| NOP Cave Found | 0x9090909090 (Block Count: 30) | 0,0539% |
© 2025 All rights reserved.