PESCAN.IO - Analysis Report Valid Code

File Structure: [analysis image not included]
Information:
Size: 52,50 KB
SHA-256 Hash: D93EE2700767B89273521287AB9E0AFB05C03E5E6D78D52A5254A84B0F2BA7F4
SHA-1 Hash: 1BDBCF0277F40DE13FCA29621FA2113347A4E703
MD5 Hash: C02A45C075CB87557F1F114B0D19B2C9
Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744
MajorOSVersion: 4
CheckSum: 00000000
EntryPoint (rva): E516
SizeOfHeaders: 200
SizeOfImage: 14000
ImageBase: 400000
Architecture: x86
ImportTable: E4C4
Characteristics: 102
TimeDateStamp: 67AAE013
Date: 11/02/2025 5:28:51
File Type: EXE
Number Of Sections: 3
ASLR: Disabled
Section Names: .text, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker
[Incomplete Binary or Compressor Packer - 27,50 KB Missing]

Sections Info:
Section Name  Flags                  ROffset  RSize  VOffset  VSize
.text         60000020 (Executable)  200      C600   2000     C530
.rsrc         40000040               C800     800    10000    61C
.reloc        42000040               D000     200    12000    C

Description:
InternalName: SystemHelper.exe
OriginalFilename: SystemHelper.exe
CompanyName: Oracle
LegalCopyright: Copyright Oracle 2024
LegalTrademarks: Copyright Oracle 2024
ProductName: Oracle
FileVersion: 1.0.0.8

Entry Point:
Section 1 (.text) contains the Entry Point
Information -> EntryPoint (calculated) - C716
Code -> FF250020400000000000000009000A000D000B00C200A0000000000000000000000000000000000000000000000000000000
JMP DWORD PTR [0X402000]
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
OR DWORD PTR [EAX], EAX
OR AL, BYTE PTR [EAX]
OR EAX, 0XC2000B00
ADD BYTE PTR [EAX], AH
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL

Signatures:
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:
Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
AnyCPU: False
Version: v4.0
Compiler: Microsoft Visual Studio
Detect It Easy (die)
PE: library: .NET(v4.0.30319)[-]
PE: linker: Microsoft Linker(48.0)[EXE32]
Entropy: 5.09523

Suspicious Functions:
Library       Function      Description
KERNEL32.DLL  VirtualAlloc  Reserve, commit, or both, a region of memory within the virtual address space of a process.

Windows REG (UNICODE):
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Run

File Access:
SystemHelper.exe
mscoree.dll
kernel32.dll
RootDir

File Access (UNICODE):
SystemHelper.exe
*.exe
wscript.exe
cmd.exe
powershell.exe
autorun.vbs

SQL Queries:
Select * FROM AntivirusProduct  (adjacent strings: "displayName", "Error retrieving antivirus information:")
Select * FROM Win32_VideoController  (adjacent string: "Error retrieving GPU information:")
Select * FROM Win32_Processor  (adjacent strings: "{0} - {1} Cores, {2} Threads", "NumberOfCores", "NumberOfLogicalProcessors", "Error retrieving CPU information:")

Words of Interest:
Virus
Encrypt
Decrypt
<script
<main
exec
powershell
attrib
start
cipher
wmic
systeminfo
replace

Words of Interest (UNICODE):
Virus
Encrypt
Decrypt
Encryption
wscript
exec
createobject
powershell
ping

URLs (UNICODE):
http://41.216.188.198/Panel/page.php

AV Services (UNICODE):
Antivirus name extract - (SecurityCenter2)

IP Addresses:
41.216.188.198

Known IP/Domains (UNICODE):
Cloudflare DNS - 1.1.1.1

Strings/Hex Code Found With The File Rules:
Rule Text (Ascii): Encryption (CipherMode)
Rule Text (Ascii): Encryption (CreateDecryptor)
Rule Text (Ascii): Encryption (CryptoStream)
Rule Text (Ascii): Encryption (CryptoStreamMode)
Rule Text (Ascii): Encryption (FromBase64String)
Rule Text (Ascii): Encryption (ICryptoTransform)
Rule Text (Ascii): Encryption (RNGCryptoServiceProvider)
Rule Text (Ascii): Encryption (Rijndael)
Rule Text (Ascii): Encryption (RijndaelManaged)
Rule Text (Ascii): Encryption (ToBase64String)
Rule Text (Ascii): Stealth (VirtualAlloc)
Rule Text (Ascii): Execution (ShellExecute)
Rule Text (Ascii): Malicious rerouting of traffic to an attacker-controlled site (Redirect)
Rule Text (Unicode): Technique used to circumvent security measures (Bypass)
EP Rules: Lotus Graphics format
EP Rules: Microsoft Visual C++ 8
EP Rules: Microsoft Visual C++ 8.0

Resources:
Path: \VERSION\1\0  DataRVA: 10090  Size: 38C  FileOffset: C890
CodeText: 8C0334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
Path: \24\1\0  DataRVA: 1042C  Size: 1EA  FileOffset: CC2C
CodeText: EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65...<?xml version="1.0" encoding="UTF-8" standalone

Intelligent String:
• 1.0.0.8
• SystemHelper.exe
• powershell.exe
• .zip
• .exe
• .bat
• .cmd
• .ps1
• .vbs
• .pdf
• cmd.exe
• wscript.exe
• U/C ping 1.1.1.1 -n 1 -w 4000 > Nul & Del "
• http://41.216.188.198/Panel/page.php
• autorun.vbs
• *.exe
• C:\Users\Badus\OneDrive\Desktop\Bot1.0.8\Bot\LiteHTTP\obj\x86\Debug\SystemHelper.pdb
• _CorExeMainmscoree.dll

Extra 4n4lysis:
Metric          Value  Percentage
Ascii Code      29400  54,6875%
Null Byte Code  20058  37,3103%