PESCAN.IO - Analysis Report

File Structure: [Analysis Image]
Information:
Size: 272,00 KB
SHA-256 Hash: 21B0089AB1C3581247B32060A3F129BFF3A97F15EB749883CD2B654B64A5A10F
SHA-1 Hash: 542728E600CD856EE9F1C186DEFF1F3D95300401
MD5 Hash: B6129700128E27EB7B235710CC4B2492
Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744
MajorOSVersion: 4
CheckSum: 00000000
EntryPoint (rva): 3DA6E
SizeOfHeaders: 1000
SizeOfImage: 46000
ImageBase: 11000000
Architecture: x86
ImportTable: 3DA20
Characteristics: 102
TimeDateStamp: 4C7BADEC
Date: 30/08/2010 13:11:08
File Type: EXE
Number Of Sections: 3
ASLR: Enabled
Section Names: .text, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info:
Section Name  Flags                  ROffset  RSize  VOffset  VSize
.text         60000020 (Executable)  1000     3C000  2000     3BA74
.rsrc         40000040               3D000    6000   3E000    5EA8
.reloc        42000040               43000    1000   44000    C
Description:
InternalName: RM.exe
OriginalFilename: RM.exe
CompanyName: www.moofdev.net
ProductName: RatioMaster
FileVersion: 1.9.1.0

Entry Point:
Section 1 (.text) contains the Entry Point
Information -> EntryPoint (calculated) - 3CA6E
Code -> FF25002000110000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
JMP DWORD PTR [0X11002000]

Signatures:
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:
Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
AnyCPU: True
Version: v2.0
Detect It Easy (die)
PE: Protector: Eziriz .NET Reactor(6.x.x.x)[By Dr.FarFar]
PE: library: .NET(v2.0.50727)[-]
PE: linker: Microsoft Linker(8.0)[EXE32]
Entropy: 5.05846

Suspicious Functions:
Library Function Description
KERNEL32.DLL ReadProcessMemory Reads data from an area of memory in a specified process.
Windows REG (UNICODE):
Software\JavaSoft\Java Runtime Environment

File Access:
RM.exe
mscoree.dll
KERNEL32.DLL
Temp

File Access (UNICODE):
RM.exe
Temp

Words of Interest:
PassWord
exec
attrib
start
hostname
systeminfo
ping
replace

Words of Interest (UNICODE):
PassWord
exec
start
ping

URLs (UNICODE):
http://www.moofdev.net/vercheck.php
http://www.moofdev.net/updates
http://www.moofdev.net/forums/
http://www.moofdev.net/
http://www.moofdev.net?
http://www.moofdev.net/RatioMaster/downloads
http://?Waiting for tracker response...
http://www.moofdev.net/ratiomaster/proxy-helpballonUploaded

Known IP/Domains (UNICODE):
yahoo.com

Strings/Hex Code Found With The File Rules:
Rule Text (Ascii): WinAPI Sockets (bind)
Rule Text (Unicode): WinAPI Sockets (listen)
Rule Text (Unicode): WinAPI Sockets (accept)
Rule Text (Unicode): WinAPI Sockets (connect)
Rule Text (Ascii): WinAPI Sockets (send)
Rule Text (Unicode): WinAPI Sockets (send)
Rule Text (Ascii): Encryption (MD5CryptoServiceProvider)
Rule Text (Ascii): Encryption (SHA1CryptoServiceProvider)
Rule Text (Ascii): Stealth (ReadProcessMemory)
Rule Text (Ascii): Keyboard Key (Scroll)
Rule Text (Ascii): Process of gathering information about network resources (Enumeration)
Rule Text (Unicode): Unauthorized movement of funds or data (Transfer)
Rule Text (Ascii): Malicious rerouting of traffic to an attacker-controlled site (Redirect)
EP Rules: Microsoft Visual C / Basic .NET
EP Rules: Microsoft Visual C++ 8
EP Rules: Microsoft Visual C++ 8.0

Resources:
Path                 DataRVA  Size  FileOffset  CodeText
\ICON\2\0            3E4E8    EA8   3D4E8
\ICON\3\0            3F390    8A8   3E390
\ICON\4\0            3FC38    568   3EC38
\ICON\5\0            401A0    25A8  3F1A0
\ICON\6\0            42748    10A8  41748
\ICON\7\0            437F0    468   427F0
\GROUP_ICON\32512\0  43C58    5A    42C58
\VERSION\1\0         3E220    2C4   3D220       VS_VERSION_INFO
\24\1\0              43CB8    1EA   42CB8       <?xml version="1.0" encoding="UTF-8" standalone
Intelligent String:
• 1.9.1.0
• RM.exe
• www.moofdev.net
• r).poQ
• ry.poQ
• .poQ
• http://www.moofdev.net/vercheck.php
• .txt
• rm_updates.xml
• http://www.moofdev.net/updates
• 1ratiomaster_06@yahoo.com
• http://www.moofdev.net/RatioMaster/downloads
• http://www.moofdev.net/ratiomaster/proxy-help
• ratiomaster.log
• www.google.com
• *.lng
• _CorExeMainmscoree.dll

Extra 4n4lysis:
Metric Value Percentage
Ascii Code 123097 44,1956%
Null Byte Code 83605 30,0167%