PESCAN.IO - Analysis Report
File Structure

Information

| Field | Value |
|---|---|
| Size | 52,50 KB |
| SHA-256 Hash | D93EE2700767B89273521287AB9E0AFB05C03E5E6D78D52A5254A84B0F2BA7F4 |
| SHA-1 Hash | 1BDBCF0277F40DE13FCA29621FA2113347A4E703 |
| MD5 Hash | C02A45C075CB87557F1F114B0D19B2C9 |
| Imphash | F34D5F2D4577ED6D9CEEC516C1F5A744 |
| MajorOSVersion | 4 |
| CheckSum | 00000000 |
| EntryPoint (rva) | E516 |
| SizeOfHeaders | 200 |
| SizeOfImage | 14000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ImportTable | E4C4 |
| Characteristics | 102 |
| TimeDateStamp | 67AAE013 |
| Date | 11/02/2025 5:28:51 |
| File Type | EXE |
| Number Of Sections | 3 |
| ASLR | Disabled |
| Section Names | .text, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| UAC Execution Level Manifest | asInvoker |
| Note | Incomplete Binary or Compressor Packer - 27,50 KB Missing |
Sections Info
| Section Name | Flags | ROffset | RSize | VOffset | VSize |
|---|---|---|---|---|---|
| .text | 60000020 (Executable) | 200 | C600 | 2000 | C530 |
| .rsrc | 40000040 | C800 | 800 | 10000 | 61C |
| .reloc | 42000040 | D000 | 200 | 12000 | C |
Description

| Field | Value |
|---|---|
| InternalName | SystemHelper.exe |
| OriginalFilename | SystemHelper.exe |
| CompanyName | Oracle |
| LegalCopyright | Copyright Oracle 2024 |
| LegalTrademarks | Copyright Oracle 2024 |
| ProductName | Oracle |
| FileVersion | 1.0.0.8 |
Entry Point

Section number 1 (.text) contains the entry point. EntryPoint (calculated): C716.

Code: FF250020400000000000000009000A000D000B00C200A0000000000000000000000000000000000000000000000000000000

Disassembly at the entry point:
• JMP DWORD PTR [0X402000]
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• OR DWORD PTR [EAX], EAX
• OR AL, BYTE PTR [EAX]
• OR EAX, 0XC2000B00
• ADD BYTE PTR [EAX], AH
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
Signatures

Certificate - Digital Signature Not Found:
• The file is not signed
Packer/Compiler

• Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
  • AnyCPU: False
  • Version: v4.0
• Compiler: Microsoft Visual Studio
• Detect It Easy (die):
  • PE: library: .NET(v4.0.30319)[-]
  • PE: linker: Microsoft Linker(48.0)[EXE32]
• Entropy: 5.09523
Suspicious Functions
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
Windows REG (UNICODE)

• Software\Microsoft\Windows\CurrentVersion\Run
• Software\Microsoft\Windows\CurrentVersion\RunOnce
• Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
• Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Run

File Access

• SystemHelper.exe
• mscoree.dll
• kernel32.dll
• RootDir

File Access (UNICODE)

• SystemHelper.exe
• *.exe
• wscript.exe
• cmd.exe
• powershell.exe
• autorun.vbs
SQL Queries

• Select * FROM AntivirusProduct
• displayName
• Error retrieving antivirus information:
• Select * FROM Win32_VideoController
• Error retrieving GPU information:
• Select * FROM Win32_Processor
• {0} - {1} Cores, {2} Threads
• NumberOfCores
• NumberOfLogicalProcessors
• Error retrieving CPU information:
Words of Interest

• Virus
• Encrypt
• Decrypt
• <script
• <main
• exec
• powershell
• attrib
• start
• cipher
• wmic
• systeminfo
• replace

Words of Interest (UNICODE)

• Virus
• Encrypt
• Decrypt
• Encryption
• wscript
• exec
• createobject
• powershell
• ping
URLs (UNICODE)

• http://41.216.188.198/Panel/page.php

AV Services (UNICODE)

• Antivirus name extract - (SecurityCenter2)

IP Addresses

• 41.216.188.198

Known IP/Domains (UNICODE)

• Cloudflare DNS - 1.1.1.1
Strings/Hex Code Matching File Rules

• Rule Text (Ascii): Encryption (CipherMode)
• Rule Text (Ascii): Encryption (CreateDecryptor)
• Rule Text (Ascii): Encryption (CryptoStream)
• Rule Text (Ascii): Encryption (CryptoStreamMode)
• Rule Text (Ascii): Encryption (FromBase64String)
• Rule Text (Ascii): Encryption (ICryptoTransform)
• Rule Text (Ascii): Encryption (RNGCryptoServiceProvider)
• Rule Text (Ascii): Encryption (Rijndael)
• Rule Text (Ascii): Encryption (RijndaelManaged)
• Rule Text (Ascii): Encryption (ToBase64String)
• Rule Text (Ascii): Stealth (VirtualAlloc)
• Rule Text (Ascii): Execution (ShellExecute)
• Rule Text (Ascii): Malicious rerouting of traffic to an attacker-controlled site (Redirect)
• Rule Text (Unicode): Technique used to circumvent security measures (Bypass)
• EP Rules: Lotus Graphics format
• EP Rules: Microsoft Visual C++ 8
• EP Rules: Microsoft Visual C++ 8.0
Resources
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \VERSION\1\0 | 10090 | 38C | C890 | 8C0334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\0 | 1042C | 1EA | CC2C | EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65 | ...<?xml version="1.0" encoding="UTF-8" standalone |
Intelligent Strings

• 1.0.0.8
• SystemHelper.exe
• powershell.exe
• .zip
• .exe
• .bat
• .cmd
• .ps1
• .vbs
• cmd.exe
• wscript.exe
• /C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del "
• http://41.216.188.198/Panel/page.php
• autorun.vbs
• *.exe
• C:\Users\Badus\OneDrive\Desktop\Bot1.0.8\Bot\LiteHTTP\obj\x86\Debug\SystemHelper.pdb
• _CorExeMain
• mscoree.dll
Extra Analysis
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 29400 | 54,6875% |
| Null Byte Code | 20058 | 37,3103% |