PESCAN.IO - Analysis Report Valid Code

File Structure: (analysis image)
Information:
Size: 2,09 MB
SHA-256 Hash: 9861B4A602EEE6742BFCB24F2D262A67F0DC768826E1BE1ACC3BA84C4A15D0F5
SHA-1 Hash: A24C29B88AB0CFCAA4B5B0185120E179756A3938
MD5 Hash: C5DEA5538D2E0AAA5F3242FE638DC3EB
Imphash: 81B21463D07FCCAE3334DDDE819E1970
MajorOSVersion: 6
CheckSum: 0018B04D
EntryPoint (rva): C94FF
SizeOfHeaders: 400
SizeOfImage: 222000
ImageBase: 400000
Architecture: x86
ImportTable: 17625C
Characteristics: 103
TimeDateStamp: 6798E3AF
Date: 28/01/2025 14:03:27
File Type: EXE
Number Of Sections: 8
ASLR: Disabled
Section Names: .text, .rdata, .data, .rsrc, .itext, xldpmez, mvr, gn
Number Of Executable Sections: 2
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info:
Section   Flags                   ROffset  RSize   VOffset  VSize
.text     60000020 (Executable)   400      125C00  1000     125AC8
.rdata    40000040                126000   50600   127000   505AE
.data     C0000040 (Writeable)    176600   3C00    178000   52F4
.rsrc     40000040                17A200   C600    17E000   C488
.itext    60000020 (Executable)   186800   90C00   18B000   90A09
xldpmez   42000040                217400   200     21C000   1044
mvr       C0000040 (Writeable)    217600   200     21E000   10AD
gn        40000040                217800   200     220000   10B0
Description:
InternalName: SteganosBrowserMonitor.exe
OriginalFilename: SteganosBrowserMonitor.exe
CompanyName: Steganos Software GmbH
LegalCopyright: Copyright (c) 2018 Steganos Software GmbH
LegalTrademarks: Steganos Safe is a trademark of Steganos Software GmbH
ProductName: Steganos Safe
FileVersion: 22.5.4.14015

Entry Point:
Section 1 (.text) contains the Entry Point
Information -> EntryPoint (calculated) - C88FF
Code -> E8280B0000E97AFEFFFF8B4DF464890D00000000595F5F5E5B8BE55D51C38B4DF033CDE87FFCFFFFE9DDFFFFFF5064FF3500
CALL 0X1B2D
JMP 0XE84
MOV ECX, DWORD PTR [EBP - 0XC]
MOV DWORD PTR FS:[0], ECX
POP ECX
POP EDI
POP EDI
POP ESI
POP EBX
MOV ESP, EBP
POP EBP
PUSH ECX
RET
MOV ECX, DWORD PTR [EBP - 0X10]
XOR ECX, EBP
CALL 0XCA7
JMP 0X100A
PUSH EAX

Signatures:
CheckSum Integrity Problem:
Header: 1617997
Calculated: 2215697
Rich Signature Analyzer:
Code -> 5674D4FE1215BAAD1215BAAD1215BAADC167B9AC0015BAADC167BFACF215BAADB66BBEAC0115BAADB66BB9AC0815BAAD056ABEAC1A15BAAD766FBFAC4215BAAD766FBEAC1115BAADB66BBFAC4A15BAADC167BEAC0A15BAADC167BCAC1315BAADC167BBAC1D15BAAD1215BBAD1E14BAAD056ABFAC1015BAAD056A45AD1315BAAD12152DAD1015BAAD056AB8AC1315BAAD526963681215BAAD
Footprint md5 Hash -> DC215454799C9EE192A5CDF14F90EB2C
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:
Detect It Easy (die)
PE: compiler: EP:Microsoft Visual C/C++(2017 v.15.5-6)[EXE32]
PE: compiler: Microsoft Visual C/C++(-)[-]
PE: linker: Microsoft Linker(14.36**)[EXE32]
Entropy: 7.014

Suspicious Functions:
Library Function Description
KERNEL32.DLL CopyFileW Copies an existing file to a new file.
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL LoadLibraryW Loads the specified module into the address space of the calling process.
KERNEL32.DLL CreateToolhelp32Snapshot Creates a snapshot of the specified processes, heaps, threads, and modules.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL IsDebuggerPresent Determines if the calling process is being debugged by a user-mode debugger.
SHELL32.DLL ShellExecuteW Performs a run operation on a specific file.
Windows REG (UNICODE):
Software\Steganos\SOS
Software\Microsoft\Windows\CurrentVersion\
Software\Steganos\
SYSTEM\CurrentControlSet\Control\Session Manager\Environment

File Access:
browsermonitor.exe
ole32.dll
SHELL32.dll
ADVAPI32.dll
USER32.dll
KERNEL32.dll
.dll
wx.sys
Temp

File Access (UNICODE):
kernel32.dll
ntdll.dll
\wxWidgets-3.2.0\src\msw\stdpaths.cppFailed to load %s.dll
dbghelp.dll
Please update your dbghelp.dll
Please install dbghelp.dll
Latest dbghelp.dll
api-ms-win-core-synch-l1-2-0.dll
mscoree.dll
PasswordManager.exe
Suite.exe
Safe.exe
iexplore.exe
OnlineShieldClient.exe
SteganosBrowserMonitor.exe
TraceDestructor.exe
opera.exe
chrome.exe
MicrosoftEdge.exe
firefox.exe
OkayFreedomClient.exe
about this certificate.txt
Temp
ProgramFiles
AppData
UserProfile

Words of Interest:
exec
attrib
start
xcopy
expand
replace

Words of Interest (UNICODE):
PassWord
exec
start
shutdown
expand
replace

Anti-VM/Sandbox/Debug Tricks (UNICODE):
OllyDbg Library - dbghelp.dll

URLs:
http://www.winimage.com/zLibDll
http://www.w3.org/XML/1998/namespace
http://www.w3.org/2000/xmlns/
http://schemas.microsoft.com/SMI/2005/WindowsSettings
http://schemas.microsoft.com/SMI/2016/WindowsSettings

URLs (UNICODE):
http://www.microsoft.com/whdc/ddk/debugging/

Payloads:
Unusual BP Cave > 15 Bytes - (0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...)

Strings/Hex Code Found With The File Rules:
Rule Text (Ascii): WinAPI Sockets (connect)
Rule Text (Unicode): WinAPI Sockets (connect)
Rule Text (Ascii): WinAPI Sockets (send)
Rule Text (Ascii): Registry (RegCreateKeyEx)
Rule Text (Ascii): Registry (RegOpenKeyEx)
Rule Text (Ascii): Registry (RegSetValueEx)
Rule Text (Ascii): Registry (RegDeleteKeyEx)
Rule Text (Ascii): File (GetTempPath)
Rule Text (Unicode): File (GetTempPath)
Rule Text (Ascii): File (CopyFile)
Rule Text (Ascii): File (CreateFile)
Rule Text (Ascii): File (WriteFile)
Rule Text (Ascii): File (ReadFile)
Rule Text (Ascii): Encryption (Base64Decode)
Rule Text (Ascii): Encryption (Base64Encode)
Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent)
Rule Text (Ascii): Anti-Analysis VM (GetVersion)
Rule Text (Ascii): Anti-Analysis VM (CreateToolhelp32Snapshot)
Rule Text (Ascii): Execution (ShellExecute)
Rule Text (Ascii): Malicious code executed after exploiting a vulnerability (Payload)
Rule Text (Ascii): Software that records user activity (Logger)
EP Rules: Microsoft Visual C++ 8
EP Rules: Microsoft Visual C++ 8
EP Rules: VC8 -> Microsoft Corporation

Resources:
Path                      DataRVA  Size  FileOffset
\ICON\1\1033              17E380   668   17A580
\ICON\2\1033              17E9E8   2E8   17ABE8
\ICON\3\1033              17ECD0   1E8   17AED0
\ICON\4\1033              17EEB8   128   17B0B8
\ICON\5\1033              17EFE0   EA8   17B1E0
\ICON\6\1033              17FE88   8A8   17C088
\ICON\7\1033              180730   6C8   17C930
\ICON\8\1033              180DF8   568   17CFF8
\ICON\9\1033              181360   3E0D  17D560
\ICON\10\1033             185170   25A8  181370
\ICON\11\1033             187718   10A8  183918
\ICON\12\1033             1887C0   988   1849C0
\ICON\13\1033             189148   468   185348
\GROUP_ICON\WXICON\1033   1895B0   BC    1857B0
\VERSION\1\1033           18A028   45C   186228
\24\1\1033                189670   9B3   185870
Intelligent String:
• SteganosBrowserMonitor.exe
• http://www.w3.org/XML/1998/namespace
• .exe
• res/XMLPRODUCT/PRODUCT_%S.sxp
• %S.res
• kernel32.dll
• iexplore.exe
• .log
• OnlineShieldClient.exe
• Safe.exe
• Suite.exe
• PasswordManager.exe
• OkayFreedomClient.exe
• steganosproductsv3.crt
• about this certificate.txt
• ntdll.dll
• .npf
• browsermonitor.exe
• firefox.exe
• MicrosoftEdge.exe
• chrome.exe
• opera.exe
• TraceDestructor.exe
• D:\wxWidgets-3.2.0\include\wx\strvararg.h
• D:\wxWidgets-3.2.0\include\wx\string.h
• D:\wxWidgets-3.2.0\src\xml\xml.cpp
• unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
• D:\wxWidgets-3.2.0\src\common\string.cpp
• D:\wxWidgets-3.2.0\include\wx\vector.h
• D:\wxWidgets-3.2.0\include\wx\buffer.h
• D:\wxWidgets-3.2.0\include\wx\unichar.h
• D:\wxWidgets-3.2.0\src\common\strconv.cpp
• g::ItemD:\wxWidgets-3.2.0\include\wx\arrstr.h
• g::BinarySearchD:\wxWidgets-3.2.0\src\common\arrstr.cpp
• D:\wxWidgets-3.2.0\include\wx\longlong.h
• D:\wxWidgets-3.2.0\include\wx\log.h
• D:\wxWidgets-3.2.0\include\wx\datetime.h
• D:\wxWidgets-3.2.0\src\common\filefn.cpp
• D:\wxWidgets-3.2.0\include\wx\scopedptr.h
• D:\wxWidgets-3.2.0\src\common\sstream.cpp
• D:\wxWidgets-3.2.0\src\common\stdpbase.cpp
• >::wxArgNormalizerNarrowCharwxOleInitializeD:\wxWidgets-3.2.0\include\wx\msw\ole\oleutils.h
• D:\wxWidgets-3.2.0\src\common\filename.cpp
• D:\wxWidgets-3.2.0\include\wx\msw\private\comptr.h
• D:\wxWidgets-3.2.0\src\common\config.cpp
• D:\wxWidgets-3.2.0\src\msw\regconf.cpp
• D:\wxWidgets-3.2.0\src\common\object.cpp
• d::~wxRecursionGuardD:\wxWidgets-3.2.0\include\wx\recguard.h
• D:\wxWidgets-3.2.0\src\common\appbase.cpp
• D:\wxWidgets-3.2.0\include\wx\dynarray.h
• D:\wxWidgets-3.2.0\src\common\unichar.cpp
• D:\wxWidgets-3.2.0\src\common\strvararg.cppunreachable code
• >::wxPrintfConvSpecParserD:\wxWidgets-3.2.0\include\wx\private\wxprintf.h
• 2::GetNextPrimeD:\wxWidgets-3.2.0\src\common\hashmap.cpp
• D:\wxWidgets-3.2.0\src\msw\thread.cpp
• D:\wxWidgets-3.2.0\src\common\log.cpp
• D:\wxWidgets-3.2.0\include\wx\translation.hwxPluralFormsCalculatorPtr::operator ->D:\wxWidgets-3.2.0\src\common\translation.cpp
• D:\wxWidgets-3.2.0\src\common\textbuf.cpp
• D:\wxWidgets-3.2.0\src\common\intl.cpp
• D:\wxWidgets-3.2.0\src\common\encconv.cpp
• D:\wxWidgets-3.2.0\src\common\fmapbase.cpp
• D:\wxWidgets-3.2.0\include\wx\msw\private.hGetModuleFileName
• D:\wxWidgets-3.2.0\src\msw\utils.cpp
• D:\wxWidgets-3.2.0\src\common\tokenzr.cpp
• D:\wxWidgets-3.2.0\src\common\file.cpp
• '::FreeFindDataD:\wxWidgets-3.2.0\src\msw\dir.cpp
• D:\wxWidgets-3.2.0\src\common\datetime.cpp
• D:\wxWidgets-3.2.0\src\msw\stdpaths.cppFailed to load %s.dll
• D:\wxWidgets-3.2.0\src\common\ffile.cppwxFFile::Close
• D:\wxWidgets-3.2.0\src\msw\registry.cppinvalid key prefix in wxRegKey::ExtractKeyName.
• D:\wxWidgets-3.2.0\src\common\hash.cpp
• D:\wxWidgets-3.2.0\include\wx\list.h
• D:\wxWidgets-3.2.0\src\common\list.cpp
• I@8V
• D:\wxWidgets-3.2.0\src\common\event.cppNULL event can't be posted
• D:\wxWidgets-3.2.0\src\common\evtloopcmn.cpp
• r::WalkFromD:\wxWidgets-3.2.0\src\msw\stackwalk.cpp
• D:\wxWidgets-3.2.0\src\common\dynlib.cpp
• .dll
• D:\wxWidgets-3.2.0\src\msw\dlmsw.cpp
• D:\wxWidgets-3.2.0\src\common\datetimefmt.cpp
• D:\wxWidgets-3.2.0\src\msw\uilocale.cppGetLocaleInfoExGetUserDefaultLocaleName
• QuechuaRunasimi
• Runasimi (Bolivia)
• Runasimi (Ecuador)
• D:\wxWidgets-3.2.0\src\common\convauto.cpp
• D:\wxWidgets-3.2.0\src\common\fileconf.cpp
• D:\wxWidgets-3.2.0\include\wx\msw\private\event.h
• EB 5KwxExecuteModule::OnExitFailed to set shutdown event in wxExecuteModule
• D:\wxWidgets-3.2.0\src\common\txtstrm.cpp
• mKyes
• D:\wxWidgets-3.2.0\src\msw\evtloopconsole.cpp
• D:\wxWidgets-3.2.0\src\common\timerimpl.cppwxTimerHiddenWindowModule
• D:\wxWidgets-3.2.0\src\msw\timer.cpp
• MiniDumpWriteDump
• Function MiniDumpWriteDump() not found.
• dbghelp.dll
• D:\wxWidgets-3.2.0\src\common\textfile.cpp
• D:\wxWidgets-3.2.0\src\common\base64.cpp
• EB LFailed to initialize DDE
• D:\wxWidgets-3.2.0\src\msw\dde.cpp
• D:\wxWidgets-3.2.0\src\common\variant.cpp
• D:\wxWidgets-3.2.0\src\common\ipcbase.cpp
• api-ms-win-core-synch-l1-2-0.dll
• .cmd
• .bat
• .com
• mscoree.dll
• .tls
• .bss
• ADVAPI32.dll
• <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true/PM</dpiAware>
• <dpiAwareness xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">PerMonitorV2, PerMonitor</dpiAwareness>

Extra Analysis:
Metric           Value     Percentage
Ascii Code       1285238   58,5818%
Null Byte Code   295540    13,4709%