PESCAN.IO - Analysis Report

PESCAN.IO - Analysis Report Valid Code

File Structure:
PE chart code: - The executable header is displayed in light blue. - The executable sections are pink. - Non-executable sections are black. - Code added to executables externally to a compiler appears in red. Chart code for other files: - Printable characters are blue. - Non-printable characters (Null Bytes) are black.

Information:

Size: 17,82 KB
SHA-256 Hash: 837F0C9D7069281230ED067D68E2A79DB3323659D4EC7BF7ED7B47CE5E3E2EE7
SHA-1 Hash: E07F44ED0A137AE6787784686B2F418EA7E4E957
MD5 Hash: BE64A61B3E16EF4FFA669D5455A76EA6
Imphash: 616463A21585E6E3BC2864678A78CD5C
MajorOSVersion: 4
CheckSum: 00000000
EntryPoint (rva): 3730
SizeOfHeaders: 400
SizeOfImage: A000
ImageBase: 400000
Architecture: x86
ExportTable: 7000
ImportTable: 6000
Characteristics: A18E
TimeDateStamp: 2A425E19
Date: 19/06/1992 22:22:17
File Type: DLL
Number Of Sections: 7
ASLR: Disabled
Section Names: CODE, DATA, BSS, .idata, .edata, .reloc, .rsrc
Number Of Executable Sections: 1
Subsystem: Windows GUI

Sections Info:

Section Name	Flags	ROffset	RSize	VOffset	VSize
CODE	60000020 (Executable)	400	2800	1000	2748
DATA	C0000040 (Writeable)	2C00	200	4000	B0
BSS	C0000000 (Writeable)	2E00	0	5000	685
.idata	C0000040 (Writeable)	2E00	600	6000	43C
.edata	50000040	3400	200	7000	55
.reloc	50000040	3600	400	8000	358
.rsrc	50000040	3A00	200	9000	200

Entry Point:

The section number (1) - (CODE) have the Entry Point
Information -> EntryPoint (calculated) - 2B30
Code -> 558BEC83C4C4B8F8364000E898FCFFFFE83FF7FFFF8D40000000000000000000000000000000000000000000000000000000
• PUSH EBP
• MOV EBP, ESP
• ADD ESP, -0X3C
• MOV EAX, 0X4036F8
• CALL 0XCA8
• CALL 0X754
• LEA EAX, [EAX]
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL

Signatures:

Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:

Compiler: Borland Delphi 7
Detect It Easy (die)
• PE: compiler: Borland Delphi(6-7 or 2005)[-]
• PE: linker: Turbo Linker(2.25*,Delphi)[DLL32]
• Entropy: 5.95968

Suspicious Functions:

Library	Function	Description
KERNEL32.DLL	VirtualAlloc	Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL	WriteFile	Writes data to a specified file or input/output (I/O) device.

ET Functions (carving):

Original Name -> KBHks.dll
HookOff
HookOn

Windows REG:

SOFTWARE\Borland\Delphi\RTL

File Access:

KBHks.dll
user32.dll
kernel32.dll
advapi32.dll

Interest's Words:

smtp
Encrypt
start
ping

Strings/Hex Code Found With The File Rules:

• Rule Text (Ascii): Registry (RegOpenKeyEx)
• Rule Text (Ascii): File (WriteFile)
• Rule Text (Ascii): Anti-Analysis VM (GetVersion)
• Rule Text (Ascii): Stealth (VirtualAlloc)
• Rule Text (Ascii): Software that records user activity (Logger)
• Rule Text (Ascii): Technique used to capture communications between systems (Intercept)
• EP Rules: Borland Delphi 4.0
• EP Rules: Borland Delphi v3.0
• EP Rules: Borland Delphi v3.0
• EP Rules: Borland Delphi v6.0 - v7.0
• EP Rules: Microsoft Visual C++ 8
• EP Rules: Microsoft Visual C++ 8.0
• EP Rules: Stranik 1.3 Modula/C/Pascal

Resources:

Path	DataRVA	Size	FileOffset	Code	Text
\RCDATA\DVCLAL\0	90B0	10	3AB0	263D4F38C28237B8F3244203179B3A83	&=O8..7..$B...:.
\RCDATA\PACKAGEINFO\0	90C0	44	3AC0	0100008C0000000006000000013D4B42486B7300105554797065730000C753797374656D000081537973496E6974000C334D65737361676573000C4B57696E646F777300	.............=KBHks..UTypes...System...SysInit..3Messages..KWindows.

Intelligent String:

• kernel32.dll
• user32.dll
• MessageBoxAadvapi32.dll
• RegCloseKeykernel32.dll
• CloseHandleuser32.dll

Extra 4n4lysis:

Metric	Value	Percentage
Ascii Code	9838	53,9039%
Null Byte Code	5049	27,6642%

PESCAN.IO - Analysis Report Valid Code