PESCAN.IO - Analysis Report

Information:
Size: 1,63 MB
SHA-256 Hash: F650D6BC321BCDA3FC3AC3DEC3AC4E473FB0B7B68B6C948581BCFC54653E6768
SHA-1 Hash: 5BE6736B645ED12E97B9462B77E5A43482673D90
MD5 Hash: C0B23815701DBAE2A359CB8ADB9AE730
Imphash: 7B2018981C1C048BA26AEE4764DAEADF
MajorOSVersion: 6
CheckSum: 001A62D4
EntryPoint (rva): 146830
SizeOfHeaders: 400
SizeOfImage: 1A4000
ImageBase: 0000000180000000
Architecture: x64
ExportTable: 187000
ImportTable: 18CFC8
Characteristics: 2022
TimeDateStamp: 5C12D592
Date: 13/12/2018 21:56:34
File Type: DLL
Number Of Sections: 6
ASLR: Disabled
Section Names (Optional Header): .text, .rdata, .data, .pdata, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI

Sections Info:
Section Name  Flags                  ROffset  RSize   VOffset  VSize
.text         60000020 (Executable)  400      146400  1000     1462F3
.rdata        40000040               146800   46C00   148000   46BB6
.data         C0000040 (Writeable)   18D400   400     18F000   2290
.pdata        40000040               18D800   F000    192000   EED4
.rsrc         40000040               19C800   400     1A1000   330
.reloc        42000040               19CC00   1E00    1A2000   1CDC
Description:
OriginalFilename: tcl86.dll
CompanyName: ActiveState Corporation
LegalCopyright: Copyright 2001 by ActiveState Corporation, et al
ProductName: Tcl 8.6 for Windows
FileVersion: 8.6.9

Entry Point:
Section number 1 contains the entry point.
Information -> EntryPoint (calculated) - 145C30
Code -> 48895C24084889742410574883EC20498BF88BDA488BF183FA017505E81F0000004C8BC78BD3488BCE488B5C2430488B7424
MOV QWORD PTR [RSP + 8], RBX
MOV QWORD PTR [RSP + 0X10], RSI
PUSH RDI
SUB RSP, 0X20
MOV RDI, R8
MOV EBX, EDX
MOV RSI, RCX
CMP EDX, 1
JNE 0X1021
CALL 0X1040
MOV R8, RDI
MOV EDX, EBX
MOV RCX, RSI
MOV RBX, QWORD PTR [RSP + 0X30]

Signatures:
Rich Signature Analyzer:
Code -> E36B2917A70A4744A70A4744A70A4744F5624645A50A474439AA8044A30A4744F5624445A40A4744F5624245AB0A4744F5624345AF0A4744AE72D444B50A4744856A4145A60A4744856A4645AA0A4744A70A4644BF0B4744CB624F45080A4744CB624745A60A4744CB62B844A60A4744CB624545A60A474452696368A70A4744
Footprint md5 Hash -> BEFEFC2F3EE3C90C2E79B93552C88888
• The Rich header apparently has not been modified
Certificate - Digital Signature:
• The file is signed and the signature is correct

Packer/Compiler:
Compiler: Pure Basic 4.x
Detect It Easy (die)
PE+(64): compiler: Microsoft Visual C/C++(2017 v.15.8)[-]
PE+(64): linker: Microsoft Linker(14.15, Visual Studio 2017 15.8*)[DLL64,signed]
PE+(64): Sign tool: Windows Authenticode(2.0)[PKCS 7]
Entropy: 6.49651

Suspicious Functions:
Library       Function            Description
KERNEL32.DLL  GetModuleFileNameA  Retrieves the fully qualified path for the executable file of a specified module.
KERNEL32.DLL  CopyFileW           Copies an existing file to a new file.
KERNEL32.DLL  WriteFile           Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL  GetProcAddress      Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL  CreateFileA         Creates or opens a file or I/O device.
KERNEL32.DLL  IsDebuggerPresent   Determines whether the calling process is being debugged by a user-mode debugger.
KERNEL32.DLL  SleepEx             Pauses the execution of the current thread, optionally allowing the thread to be awakened by a kernel object or upon expiration of a timeout.
Ws2_32.DLL    socket              Creates a communication endpoint for networking applications.
Export Functions (carving):
TclAddLiteralObj
TclAllocateFreeObjects
TclBNInitBignumFromLong
TclBNInitBignumFromWideInt
TclBNInitBignumFromWideUInt
TclBN_epoch
TclBN_fast_s_mp_mul_digs
TclBN_fast_s_mp_sqr
TclBN_mp_add
TclBN_mp_add_d
TclBN_mp_and
TclBN_mp_clamp
TclBN_mp_clear
TclBN_mp_clear_multi
TclBN_mp_cmp
TclBN_mp_cmp_d
TclBN_mp_cmp_mag
TclBN_mp_cnt_lsb
TclBN_mp_copy
TclBN_mp_count_bits
TclBN_mp_div
TclBN_mp_div_2
TclBN_mp_div_2d
TclBN_mp_div_3
TclBN_mp_div_d
TclBN_mp_exch
TclBN_mp_expt_d
TclBN_mp_grow
TclBN_mp_init
TclBN_mp_init_copy
TclBN_mp_init_multi
TclBN_mp_init_set
TclBN_mp_init_set_int
TclBN_mp_init_size
TclBN_mp_karatsuba_mul
TclBN_mp_karatsuba_sqr
TclBN_mp_lshd
TclBN_mp_mod
TclBN_mp_mod_2d
TclBN_mp_mul
TclBN_mp_mul_2
TclBN_mp_mul_2d
TclBN_mp_mul_d
TclBN_mp_neg
TclBN_mp_or
TclBN_mp_radix_size
TclBN_mp_read_radix
TclBN_mp_rshd
TclBN_mp_set
TclBN_mp_set_int
TclBN_mp_shrink
TclBN_mp_sqr
TclBN_mp_sqrt
TclBN_mp_sub
TclBN_mp_sub_d
TclBN_mp_to_unsigned_bin
TclBN_mp_to_unsigned_bin_n
TclBN_mp_toom_mul
TclBN_mp_toom_sqr
TclBN_mp_toradix_n
TclBN_mp_unsigned_bin_size
TclBN_mp_xor
TclBN_mp_zero
TclBN_reverse
TclBN_revision
TclBN_s_mp_add
TclBN_s_mp_mul_digs
TclBN_s_mp_sqr
TclBN_s_mp_sub
TclCallVarTraces
TclChannelEventScriptInvoker
TclChannelTransform
TclCheckExecutionTraces
TclCheckInterpTraces
TclCleanupChildren
TclCleanupCommand
TclCleanupVar
TclCopyAndCollapse
TclCopyChannel
TclCopyChannelOld
TclCreatePipeline
TclCreateProc
TclDbDumpActiveObjects
TclDeleteCompiledLocalVars
TclDeleteVars
TclDoubleDigits
TclDumpMemoryInfo
TclEvalObjEx
TclExpandCodeArray
TclExprFloatError
TclFindElement
TclFindProc
TclFormatInt
TclFreeObj
TclFreePackageInfo
TclGetAndDetachPids
TclGetAuxDataType
TclGetEnv
TclGetExtension
TclGetFrame
TclGetInstructionTable
TclGetIntForIndex
TclGetLibraryPath
TclGetLoadedPackages
TclGetNamespaceChildTable
TclGetNamespaceCommandTable
TclGetNamespaceForQualName
TclGetNamespaceFromObj
TclGetObjInterpProc
TclGetObjNameOfExecutable
TclGetOpenMode
TclGetOriginalCommand
TclGetPlatform
TclGetSrcInfoForPc
TclGuessPackageName
TclHandleCreate
TclHandleFree
TclHandlePreserve
TclHandleRelease
TclHideLiteral
TclHideUnsafeCommands
TclInExit
TclInThreadExit
TclInitCompiledLocals
TclInitRewriteEnsemble
TclInitVarHashTable
TclInterpInit
TclInvokeObjectCommand
TclInvokeStringCommand
TclIsProc
TclListObjSetElement
TclLookupVar
TclNREvalObjEx
TclNREvalObjv
TclNRInterpProc
TclNRInterpProcCore
TclNRRunCallbacks
TclNeedSpace
TclNewProcBodyObj
TclObjBeingDeleted
TclObjCommandComplete
TclObjGetFrame
TclObjInterpProc
TclObjInvoke
TclObjLookupVar
TclPopStackFrame
TclPrecTraceProc
TclPreventAliasLoop
TclProcCleanupProc
TclProcCompileProc
TclProcDeleteProc
TclPtrGetVar
TclPtrIncrObjVar
TclPtrMakeUpvar
TclPtrObjMakeUpvar
TclPtrSetVar
TclPtrUnsetVar
TclPushStackFrame
TclRegAbout
TclRegError
TclRegExpRangeUniChar
TclRegisterLiteral
TclRenameCommand
TclResetCancellation
TclResetRewriteEnsemble
TclResetShadowedCmdRefs
TclServiceIdle
TclSetByteCodeFromAny
TclSetLibraryPath
TclSetNsPath
TclSetObjNameOfExecutable
TclSetPreInitScript
TclSetSlaveCancelFlags
TclSetupEnv
TclSockGetPort
TclSockMinimumBuffers
TclStackAlloc
TclStackFree
TclTeardownNamespace
TclTraceDictPath
TclUniCharMatch
TclUpdateReturnInfo
TclVarErrMsg
TclVarHashCreateVar
TclVarTraceExists
TclWinAddProcess
TclWinCPUID
TclWinConvertError
TclWinFlushDirtyChannels
TclWinGetPlatformId
TclWinGetServByName
TclWinGetSockOpt
TclWinGetTclInstance
TclWinNoBackslash
TclWinResetInterfaces
TclWinSetInterfaces
TclWinSetSockOpt
Tcl_Access
Tcl_AddErrorInfo
Tcl_AddInterpResolvers
Tcl_AddObjErrorInfo
Tcl_AlertNotifier
Tcl_Alloc
Tcl_AllocStatBuf
Tcl_AllowExceptions
Tcl_AppendAllObjTypes
Tcl_AppendElement
Tcl_AppendExportList
Tcl_AppendFormatToObj
Tcl_AppendLimitedToObj
Tcl_AppendObjToErrorInfo
Tcl_AppendObjToObj
Tcl_AppendPrintfToObj
Tcl_AppendResult
Tcl_AppendResultVA
Tcl_AppendStringsToObj
Tcl_AppendStringsToObjVA
Tcl_AppendToObj
Tcl_AppendUnicodeToObj
Tcl_AsyncCreate
Tcl_AsyncDelete
Tcl_AsyncInvoke
Tcl_AsyncMark
Tcl_AsyncReady
Tcl_AttemptAlloc
Tcl_AttemptDbCkalloc
Tcl_AttemptDbCkrealloc
Tcl_AttemptRealloc
Tcl_AttemptSetObjLength
Tcl_BackgroundError
Tcl_BackgroundException
Tcl_Backslash
Tcl_BadChannelOption
Tcl_CallWhenDeleted
Tcl_CancelEval
Tcl_CancelIdleCall
Tcl_Canceled
Tcl_ChannelBlockModeProc
Tcl_ChannelBuffered
Tcl_ChannelClose2Proc
Tcl_ChannelCloseProc
Tcl_ChannelFlushProc
Tcl_ChannelGetHandleProc
Tcl_ChannelGetOptionProc
Tcl_ChannelHandlerProc
Tcl_ChannelInputProc
Tcl_ChannelName
Tcl_ChannelOutputProc
Tcl_ChannelSeekProc
Tcl_ChannelSetOptionProc
Tcl_ChannelThreadActionProc
Tcl_ChannelTruncateProc
Tcl_ChannelVersion
Tcl_ChannelWatchProc
Tcl_ChannelWideSeekProc
Tcl_Chdir
Tcl_ClearChannelHandlers
Tcl_Close
Tcl_CloseEx
Tcl_CommandComplete
Tcl_CommandTraceInfo
Tcl_Concat
Tcl_ConcatObj
Tcl_ConditionFinalize
Tcl_ConditionNotify
Tcl_ConditionWait
Tcl_ConvertCountedElement
Tcl_ConvertElement
Tcl_ConvertToType
Tcl_CreateAlias
Tcl_CreateAliasObj
Tcl_CreateChannel
Tcl_CreateChannelHandler
Tcl_CreateCloseHandler
Tcl_CreateCommand
Tcl_CreateEncoding
Tcl_CreateEnsemble
Tcl_CreateEventSource
Tcl_CreateExitHandler
Tcl_CreateHashEntry
Tcl_CreateInterp
Tcl_CreateMathFunc
Tcl_CreateNamespace
Tcl_CreateObjCommand
Tcl_CreateObjTrace
Tcl_CreatePipe
Tcl_CreateSlave
Tcl_CreateThread
Tcl_CreateThreadExitHandler
Tcl_CreateTimerHandler
Tcl_CreateTrace
Tcl_CutChannel
Tcl_DStringAppend
Tcl_DStringAppendElement
Tcl_DStringEndSublist
Tcl_DStringFree
Tcl_DStringGetResult
Tcl_DStringInit
Tcl_DStringResult
Tcl_DStringSetLength
Tcl_DStringStartSublist
Tcl_DbCkalloc
Tcl_DbCkfree
Tcl_DbCkrealloc
Tcl_DbDecrRefCount
Tcl_DbIncrRefCount
Tcl_DbIsShared
Tcl_DbNewBignumObj
Tcl_DbNewBooleanObj
Tcl_DbNewByteArrayObj
Tcl_DbNewDictObj
Tcl_DbNewDoubleObj
Tcl_DbNewListObj
Tcl_DbNewLongObj
Tcl_DbNewObj
Tcl_DbNewStringObj
Tcl_DbNewWideIntObj
Tcl_DeleteAssocData
Tcl_DeleteChannelHandler
Tcl_DeleteCloseHandler
Tcl_DeleteCommand
Tcl_DeleteCommandFromToken
Tcl_DeleteEventSource
Tcl_DeleteEvents
Tcl_DeleteExitHandler
Tcl_DeleteHashEntry
Tcl_DeleteHashTable
Tcl_DeleteInterp
Tcl_DeleteNamespace
Tcl_DeleteThreadExitHandler
Tcl_DeleteTimerHandler
Tcl_DeleteTrace
Tcl_DetachChannel
Tcl_DetachPids
Tcl_DictObjDone
Tcl_DictObjFirst
Tcl_DictObjGet
Tcl_DictObjNext
Tcl_DictObjPut
Tcl_DictObjPutKeyList
Tcl_DictObjRemove
Tcl_DictObjRemoveKeyList
Tcl_DictObjSize
Tcl_DiscardInterpState
Tcl_DiscardResult
Tcl_DoOneEvent
Tcl_DoWhenIdle
Tcl_DontCallWhenDeleted
Tcl_DumpActiveMemory
Tcl_DuplicateObj
Tcl_Eof
Tcl_ErrnoId
Tcl_ErrnoMsg
Tcl_Eval
Tcl_EvalEx
Tcl_EvalFile
Tcl_EvalObj
Tcl_EvalObjEx
Tcl_EvalObjv
Tcl_EvalTokens
Tcl_EvalTokensStandard
Tcl_EventuallyFree
Tcl_Exit
Tcl_ExitThread
Tcl_Export
Tcl_ExposeCommand
Tcl_ExprBoolean
Tcl_ExprBooleanObj
Tcl_ExprDouble
Tcl_ExprDoubleObj
Tcl_ExprLong
Tcl_ExprLongObj
Tcl_ExprObj
Tcl_ExprString
Tcl_ExternalToUtf
Tcl_ExternalToUtfDString
Tcl_FSAccess
Tcl_FSChdir
Tcl_FSConvertToPathType
Tcl_FSCopyDirectory
Tcl_FSCopyFile
Tcl_FSCreateDirectory
Tcl_FSData
Tcl_FSDeleteFile
Tcl_FSEqualPaths
Tcl_FSEvalFile
Tcl_FSEvalFileEx
Tcl_FSFileAttrStrings
Tcl_FSFileAttrsGet
Tcl_FSFileAttrsSet
Tcl_FSFileSystemInfo
Tcl_FSGetCwd
Tcl_FSGetFileSystemForPath
Tcl_FSGetInternalRep
Tcl_FSGetNativePath
Tcl_FSGetNormalizedPath
Tcl_FSGetPathType
Tcl_FSGetTranslatedPath
Tcl_FSGetTranslatedStringPath
Tcl_FSJoinPath
Tcl_FSJoinToPath
• EXPORT FUNCTIONS > 400

File Access:
cmd.exe
.exe
VCRUNTIME140.dll
api-ms-win-crt-heap-l1-1-0.dll
api-ms-win-crt-time-l1-1-0.dll
api-ms-win-crt-environment-l1-1-0.dll
api-ms-win-crt-runtime-l1-1-0.dll
api-ms-win-crt-math-l1-1-0.dll
api-ms-win-crt-convert-l1-1-0.dll
api-ms-win-crt-string-l1-1-0.dll
api-ms-win-crt-utility-l1-1-0.dll
api-ms-win-crt-stdio-l1-1-0.dll
WS2_32.dll
USERENV.dll
USER32.dll
NETAPI32.dll
ADVAPI32.dll
KERNEL32.dll
tcl86t.dll
.dll
.bat
system.ini
Temp

File Access (UNICODE):
tcl86.dll

SQL Queries:
Select an element from any list

Interest's Words:
PassWord
exec
attrib
start
hostname
sdelete
shutdown
systeminfo
ping
expand
replace

URLs:
http://ocsp.thawte.com
http://crl.thawte.com/ThawteTimestampingCA.crl
http://ts-ocsp.ws.symantec.com
http://ts-aia.ws.symantec.com/tss-ca-g2.cer
http://ts-crl.ws.symantec.com/tss-ca-g2.crl
http://crl.startssl.com/sfsca.crl
http://ocsp.startssl.com
http://aia.startssl.com/certs/ca.crt
http://www.startssl.com/policy0
http://aia.startssl.com/certs/sca.code3.crt
http://crl.startssl.com/sca-code3.crl
http://www.startssl.com/0P

Payloads:
Unusual BP Cave > 15 Bytes - (0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...)

Strings/Hex Code Found With The File Rules:
Rule Text (Ascii): WinAPI Sockets (bind)
Rule Text (Ascii): WinAPI Sockets (accept)
Rule Text (Ascii): WinAPI Sockets (connect)
Rule Text (Ascii): WinAPI Sockets (send)
Rule Text (Ascii): File (GetTempPath)
Rule Text (Ascii): File (CopyFile)
Rule Text (Ascii): File (CreateFile)
Rule Text (Ascii): File (WriteFile)
Rule Text (Ascii): File (ReadFile)
Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent)
Rule Text (Ascii): Anti-Analysis VM (GetSystemInfo)
Rule Text (Ascii): Anti-Analysis VM (GetVersion)
Rule Text (Ascii): Execution (CreateProcessW)
Rule Text (Ascii): Antivirus Software (Symantec)
Rule Text (Ascii): Unauthorized movement of funds or data (Transfer)
Rule Text (Ascii): Technique used to circumvent security measures (Bypass)
EP Rules: Microsoft Visual C++ 8.0 (DLL)

Resources:
Path             DataRVA  Size  FileOffset  CodeText
\VERSION\1\1033  1A1060   2D0   19C860      D00234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000600..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
Intelligent String:
• .com.exe.bat.cmd
• ::set cmd [::namespace tail $cmd]
• .dll
• TclInitByteCodeObj() called on uninitialized CompileEnvEnterCmdStartData: bad command index %dEnterCmdStartData: cmd map not sorted by code offset
• next cmd at pc %u
• .%d.end
• *.enc
• .enc
• DeleteImportedCmd: did not find cmd in real cmd's list of import references
• C:\_work\11\b\tcltk-8.6.9.0\amd64\lib
• C:\_work\11\b\tcltk-8.6.9.0\amd64\bin
• C:\_work\11\b\tcltk-8.6.9.0\amd64\lib\tcl8.6
• C:\_work\11\b\tcltk-8.6.9.0\amd64\include
• C:\_work\11\b\tcltk-8.6.9.0\amd64\doc
• prnnulauxsystem.ini
• cmd.exe /c
• CONOUT$.cmd
• .bat
• .com
• ?channelId?%d.TMP
• .bss
• ADVAPI32.dll
• NETAPI32.dll
• WS2_32.dll
• _gmtime64api-ms-win-crt-stdio-l1-1-0.dll
• api-ms-win-crt-utility-l1-1-0.dll
• api-ms-win-crt-string-l1-1-0.dll
• api-ms-win-crt-convert-l1-1-0.dll
• api-ms-win-crt-math-l1-1-0.dll
• api-ms-win-crt-runtime-l1-1-0.dll
• api-ms-win-crt-environment-l1-1-0.dll
• api-ms-win-crt-time-l1-1-0.dll
• api-ms-win-crt-heap-l1-1-0.dll
• VCRUNTIME140.dll
• tcl86.dll

Extra 4n4lysis:
Metric          Value    Percentage
Ascii Code      1056146  61,9397%
Null Byte Code  248291   14,5615%