PESCAN.IO - Analysis Report

File Structure: (analysis image not reproduced)
Information:
Size: 411.00 KB
SHA-256 Hash: 025134D77DCD4AB189301ED58A5C6F5046AC71E2FC3C017FCE4122529FC0D7E8
SHA-1 Hash: 7F004012C05FCA17A746629179463F6274C48055
MD5 Hash: BE36675F14FB0099896527084200CC80
Imphash: 67900E6C89DA1700AD08C2A651600941
MajorOSVersion: 6
CheckSum: 00000000
EntryPoint (rva): 40770
SizeOfHeaders: 400
SizeOfImage: 6B000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: 62B74
Characteristics: 22
TimeDateStamp: 6764EDBC
Date: 20/12/2024 4:08:28
File Type: EXE
Number Of Sections: 7
ASLR: Disabled
Section Names (Optional Header): .text, .rdata, .data, .pdata, .padding, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI

Sections Info:
Section   Flags                  ROffset  RSize  VOffset  VSize
.text     60000020 (Executable)  400      46800  1000     46780
.rdata    40000040               46C00    1BC00  48000    1BBB2
.data     C0000040 (Writeable)   62800    200    64000    AC0
.pdata    40000040               62A00    2C00   65000    2B74
.padding  40000040               65600    C00    68000    BBB
.rsrc     40000040               66200    200    69000    1F8
.reloc    42000040               66400    800    6A000    728
Description:
ProductName: data
FileVersion: 0.1.0

Entry Point:
Section number 1 (.text) contains the Entry Point
Information -> EntryPoint (calculated file offset) - 3FB70
Code -> 4883EC28E8E30200004883C428E972FEFFFFCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC66660F1F8400000000004883
SUB RSP, 0X28
CALL 0X12EC
ADD RSP, 0X28
JMP 0XE84
INT3 (repeated 20 times)
NOP WORD PTR [RAX + RAX]

Signatures:
Rich Signature Analyzer:
Code -> 19B3616A5DD20F395DD20F395DD20F3954AA9C3953D20F394C540C3854D20F394C540B3851D20F394C540A3875D20F399AA70E384DD20F395DD20E3997D20F395DD20F3965D20F39DC54F0395CD20F39DC540D385CD20F39526963685DD20F39
Footprint md5 Hash -> 66F5C73302E86FF78D94F21CCF20FB64
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:
Compiler: Microsoft Visual Studio
Detect It Easy (die)
PE+(64): compiler: Microsoft Visual C/C++(-)[-]
PE+(64): compiler: Rust(x86_64-pc-windows-msvc)[-]
PE+(64): linker: Microsoft Linker(14.42**)[EXE64]
Entropy: 6.30918

Suspicious Functions:
Library       Function           Description
KERNEL32.DLL  CreateMutexA       Creates a named or unnamed mutex object for controlling access to a shared resource.
KERNEL32.DLL  GetModuleHandleA   Retrieves a handle to the specified module.
KERNEL32.DLL  WriteFile          Writes data to the specified file or input/output (I/O) device.
KERNEL32.DLL  LoadLibraryA       Loads the specified module into the address space of the calling process.
KERNEL32.DLL  GetProcAddress     Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL  IsDebuggerPresent  Determines whether the calling process is being debugged by a user-mode debugger.
KERNEL32.DLL  SleepEx            Pauses the execution of the current thread, optionally allowing the thread to be awakened by a kernel object or upon expiration of a timeout.
File Access:
exe\\.\NUL\cmd.exe
.exe
?@\_cmd.exe
\windows\sysnative\drivers\xenvbd.sysvmtoolsd.exevmwaretray.exevmwareuser.exevmacthlp.exevmware-vmx.exevmware-authd.exevboxservice.exevboxtray.exevboxcontrol.exevboxheadless.exeqemu-ga.exe
api-ms-win-crt-heap-l1-1-0.dll
api-ms-win-crt-locale-l1-1-0.dll
api-ms-win-crt-stdio-l1-1-0.dll
api-ms-win-crt-math-l1-1-0.dll
api-ms-win-crt-runtime-l1-1-0.dll
api-ms-win-crt-string-l1-1-0.dll
ntdll.dll
advapi32.dll
bcrypt.dll
kernel32.dll
bcryptprimitives.dll
api-ms-win-core-synch-l1-2-0.dll
dbghelp.dll
\windows\sysnative\vboxmrxnp.dll
\windows\sysnative\vboxhook.dll
\windows\sysnative\vboxdisp.dll
sbiedll.dllsf2.dllsnxhk.dllcmdvrt32.dllcmdvrt64.dllcyberghostvpn.dllvboxmrxnp.dllvmsrvc.dllvmhgfs.dllvm3dgl.dllvmrig.dllvmusb.dllvboxhook.dllvboxdisp.dllvboxservice.dlldbghelp.dllapi_log.dll
\windows\sysnative\drivers\xenvbd.sys
\windows\sysnative\drivers\xensvc.sys
\windows\sysnative\drivers\xennet.sys
\windows\sysnative\drivers\prlvideo.sys
\windows\sysnative\drivers\prlmouse.sys
\windows\sysnative\drivers\prlfs.sys
\windows\sysnative\drivers\prleth.sys
\windows\sysnative\drivers\qemupciserial.sys
\windows\sysnative\drivers\qemufwcfg.sys
\windows\sysnative\drivers\qemu-ga.sys
\windows\sysnative\drivers\VBoxVideo.sys
\windows\sysnative\drivers\VBoxSF.sys
\windows\sysnative\drivers\VBoxGuest.sys
\windows\sysnative\drivers\VBoxMouse.sys
\windows\sysnative\drivers\vmnet.sys
\windows\sysnative\drivers\vmx86.sys
\windows\sysnative\drivers\vmmemctl.sys
\windows\sysnative\drivers\vmrawdsk.sys
\windows\sysnative\drivers\vmusbmouse.sys
\windows\sysnative\drivers\vmhgfs.sys
\windows\sysnative\drivers\vmmouse.sys
System information saved to system_info.txt
system_info.txt
Temp

Words of Interest:
Virus
exec
tasklist
attrib
start
wmic
systeminfo
expand
getmac
sc.exe

Anti-VM/Sandbox/Debug Tricks:
VMWare - vmmouse.sys
SandBoxie Library - SbieDll.dll
VirtualBox Service - VBoxService.exe
OllyDbg Library - dbghelp.dll
OllyDbg EXE - ollydbg.exe
VirtualBox Library - vboxmrxnp.dll
LabTools - wireshark
LabTools - procexp
LabTools - procmon
LabTools - regmon
LabTools - petools

URLs:
https://docs.rs/getrandomnodejs-es-module-support

Payloads:
Unusual BP Cave > 15 Bytes - (0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...)
Possible Metasploit Payload - MSFPayload Generate (Detection with heuristic methods)

AV Services:
Antivirus name extract - (SecurityCenter2)

Strings/Hex Code Found With The File Rules:
Rule Text (Ascii): WinAPI Sockets (connect)
Rule Text (Ascii): WinAPI Sockets (send)
Rule Text (Ascii): File (CreateFile)
Rule Text (Ascii): File (WriteFile)
Rule Text (Ascii): File (ReadFile)
Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent)
Rule Text (Ascii): Execution (CreateProcessW)
Rule Text (Ascii): Antivirus Software (avast)
Rule Text (Ascii): Antivirus Software (panda)
Rule Text (Ascii): Antivirus Software (sophos)
Rule Text (Ascii): Antivirus Software (defender)
EP Rules: Microsoft Visual C++ 8.0 (DLL)
EP Rules: Microsoft Visual C++ 8.0
EP Rules: PE-Exe Executable Image

Intelligent String:
• sbiedll.dll
• sf2.dll
• snxhk.dll
• cmdvrt32.dll
• cmdvrt64.dll
• cyberghostvpn.dll
• vboxmrxnp.dll
• vmsrvc.dll
• vmhgfs.dll
• vm3dgl.dll
• vmrig.dll
• vmusb.dll
• vboxhook.dll
• vboxdisp.dll
• vboxservice.dll
• dbghelp.dll
• api_log.dll
• dir_watch.dll
• wpespy.dll
• cigdll.dll
• pstorec.dll
• vmcheck.dll
• allerror.dll
• sample.dll
• sandbox.dll
• agent.dll
• dbgcore.dll
• avghook.dll
• avghooka.dll
• log_api.dll
• api_hook.dll
• apimon.dll
• apispy.dll
• regmon.dll
• filemon.dll
• procmon.dll
• sysmon.dll
• syscall.dll
• hooks.dll
• monitor.dll
• defense.dll
• protect.dll
• analyzer.dll
• trace.dll
• qemu-ga.dll
• parallels.dll
• prl_tools.dll
• vpcmap.dll
• vmusbmouse.dll
• vmtray.dll
• wireshark.dll
• windbg.dll
• ollydbg.dll
• immunity.dll
• ghidra.dll
• ida.dll
• x64dbg.dll
• e:\\root\SecurityCenter2pathAntivirusProductdisplayName@
• -.log
• C:\Users\acana\.cargo\registry\src\index.crates.io-6f17d22bba15001f\chrono-0.4.39\src\format\formatting.rs
• C:\Users\acana\.cargo\registry\src\index.crates.io-6f17d22bba15001f\rand-0.8.5\src\rngs\thread.rs
• C:\Users\acana\.cargo\registry\src\index.crates.io-6f17d22bba15001f\rand_chacha-0.3.1\src\guts.rs
• m: this target is not supportederrno: did not return a positive valueunexpected situationSecRandomCopyBytes: iOS Security framework failureRtlGenRandom: Windows system function failureRDRAND: failed multiple times: CPU issue likelyRDRAND: instruction not supportedWeb Crypto API is unavailableCalling Web API crypto.getRandomValues failedrandSecure: VxWorks RNG module is not initializedNode.js crypto CommonJS module is unavailableCalling Node.js API crypto.randomFillSync failedNode.js ES modules are not directly supported, see https://docs.rs/getrandomnodejs-es-module-support
• C:\Users\acana\.cargo\registry\src\index.crates.io-6f17d22bba15001f\chrono-0.4.39\src\offset\local\mod.rs
• C:\Users\acana\.cargo\registry\src\index.crates.io-6f17d22bba15001f\chrono-0.4.39\src/lib.rs
• NotFoundPermissionDeniedConnectionRefusedConnectionResetHostUnreachableNetworkUnreachableConnectionAbortedNotConnectedAddrInUseAddrNotAvailableNetworkDownBrokenPipeAlreadyExistsWouldBlockNotADirectoryIsADirectoryDirectoryNotEmptyReadOnlyFilesystemFilesystemLoopStaleNetworkFileHandleInvalidInputInvalidDataTimedOutWriteZeroStorageFullNotSeekableFilesystemQuotaExceededFileTooLargeResourceBusyExecutableFileBusyDeadlockCrossesDevicesTooManyLinksInvalidFilenameArgumentListTooLongInterruptedUnsupportedUnexpectedEofOutOfMemoryOtherUncategorizedlibrary\std\src\sys\pal\windows\args.rs$*+-./:?@\_cmd.exe /e:ON /v:OFF /d /c "batch file arguments are invalid
• NTDLL.DLL
• \\.\pipe\__rust_anonymous_pipe1__.
• data.pdb
• .tls
• .bss
• ProcessPrngapi-ms-win-core-synch-l1-2-0.dll
• bcryptprimitives.dll
• kernel32.dll
• bcrypt.dll
• advapi32.dll
• wcsncmpapi-ms-win-crt-string-l1-1-0.dll
• api-ms-win-crt-runtime-l1-1-0.dll
• api-ms-win-crt-math-l1-1-0.dll
• api-ms-win-crt-stdio-l1-1-0.dll
• api-ms-win-crt-locale-l1-1-0.dll
• api-ms-win-crt-heap-l1-1-0.dll

Extra Analysis:
Metric          Value   Percentage
Ascii Code      239071  56.8048%
Null Byte Code  88094   20.9317%