PESCAN.IO - Analysis Report

File Structure:
Information:
Size: 201,00 KB
SHA-256 Hash: 93255A9121AC58B18C4AA2749FB5C908E178CC026C34035C6B049D272F7E1D92
SHA-1 Hash: D123DD6168AA3B2E47B75B8A5EDC14A0B196E19F
MD5 Hash: BF23318BB24B73E807AF865FA072B910
Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744
MajorOSVersion: 4
CheckSum: 00000000
EntryPoint (rva): 277D6
SizeOfHeaders: 200
SizeOfImage: 38000
ImageBase: 400000
Architecture: x86
ImportTable: 27784
Characteristics: 22
TimeDateStamp: 58094FFB
Date: 20/10/2016 23:15:07
File Type: EXE
Number Of Sections: 3
ASLR: Enabled
Section Names: .text, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info:
Section Name  Flags                  ROffset  RSize  VOffset  VSize
.text         60000020 (Executable)  200      25800  2000     257DC
.rsrc         40000040               25A00    C800   28000    C624
.reloc        42000040               32200    200    36000    C
Description:
LegalCopyright: Copyright 2016
FileVersion: 1.0.0.0
ProductVersion: 1.0.0.0
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)
Unusual Chars Found In Description File - (Polymorphic Patterns)

Entry Point:
Section number (1) - (.text) contains the Entry Point
Information -> EntryPoint (calculated) - 259D6
Code -> FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
JMP DWORD PTR [0X402000]
ADD BYTE PTR [EAX], AL   (repeated 22 times: disassembly of the zero padding that follows the JMP stub)

Signatures:
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:
Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
AnyCPU: True
Version: v4.0
--------> Agile .NET Obfuscator
Detect It Easy (die)
PE: protector: Yano(1.X)[-]
PE: library: .NET(v4.0.30319)[-]
PE: compiler: VB.NET(-)[-]
PE: linker: Microsoft Linker(11.0)[EXE32]
Entropy: 7.50625

File Access:
.exe
mscoree.dll

Words of Interest:
Decrypt
exec
attrib
start
shutdown

IP Addresses:
1.0.15.0

Strings/Hex Code Found With The File Rules:
Rule Text (Ascii): Encryption (CreateDecryptor)
Rule Text (Ascii): Encryption (CryptoStream)
Rule Text (Ascii): Encryption (CryptoStreamMode)
Rule Text (Ascii): Encryption (DESCryptoServiceProvider)
Rule Text (Ascii): Encryption (FromBase64String)
Rule Text (Ascii): Encryption (ICryptoTransform)
Rule Text (Ascii): Technique used to make malicious code harder to analyze (Obfuscation)
Rule Text (Ascii): Stealer malware focused on obtaining CVV codes to conduct unauthorized transactions (CVV)
EP Rules: Microsoft Visual C / Basic .NET
EP Rules: Microsoft Visual C v7.0 / Basic .NET
EP Rules: Microsoft Visual Studio .NET
EP Rules: .NET executable
EP Rules: PNG Graphics format

Resources:
Path DataRVA Size FileOffset CodeText
\ICON\2\0 28260 E2B 25C60 89504E470D0A1A0A0000000D4948445200000100000001000403000000AE5CB55500000030504C5445000000000000373737.PNG........IHDR..............\.U...0PLTE......777
\ICON\3\0 2909C 1C52 26A9C 89504E470D0A1A0A0000000D49484452000001000000010008030000006BAC585400000300504C5445000000000000FEFEFE.PNG........IHDR.............k.XT....PLTE.........
\ICON\4\0 2AD00 2FBB 28700 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A8660000200049444154789CED9D79745455B6.PNG........IHDR.............\r.f.. .IDATx...ytTU.
\ICON\5\0 2DCCC 128 2B6CC 280000001000000020000000010004000000000080000000000000000000000000000000000000000000000000000000A8A8(....... .........................................
\ICON\6\0 2DE04 2E8 2B804 2800000020000000400000000100040000000000000200000000000000000000000000000000000000000000000000002A2A(... ...@.......................................**
\ICON\7\0 2E0FC 668 2BAFC 280000003000000060000000010004000000000080040000000000000000000000000000000000000000000000000000F8F8(...0............................................
\ICON\8\0 2E774 568 2C174 2800000010000000200000000100080000000000000100000000000000000000000000000000000000000000000000009999(....... .........................................
\ICON\9\0 2ECEC 8A8 2C6EC 280000002000000040000000010008000000000000040000000000000000000000000000000000000000000000000000F9F9(... ...@.........................................
\ICON\10\0 2F5A4 EA8 2CFA4 2800000030000000600000000100080000000000000900000000000000000000000000000000000000000000000000000101(...0............................................
\ICON\11\0 3045C 468 2DE5C 28000000100000002000000001002000000000004004000000000000000000000000000000000000000000FF000000FF0000(....... ..... .....@.............................
\ICON\12\0 308D4 10A8 2E2D4 28000000200000004000000001002000000000008010000000000000000000000000000000000000000000FF000000FF0000(... ...@..... ...................................
\ICON\13\0 3198C 25A8 2F38C 28000000300000006000000001002000000000008025000000000000000000000000000000000000000000FF000000FF0000(...0........ ......%............................
\GROUP_ICON\32512\0 33F44 AE 31944 000001000C0000001000010004002B0E000002000000000001000800521C000003000000000001002000BB2F000004001010..............+.............R........... ../......
\VERSION\1\0 34004 420 31A04 200434000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\0 34434 1EA 31E34 EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65...<?xml version="1.0" encoding="UTF-8" standalone
Intelligent String:
• 1.0.0.0
• rt"v1x
• _CorExeMainmscoree.dll

Extra 4n4lysis:
Metric          Value   Percentage
Ascii Code      127115  61,7591%
Null Byte Code  21032   10,2184%