PESCAN.IO - Analysis Report

Information:
Size: 3,00 MB
SHA-256 Hash: 77A5E50EF090CCF5D2E83D089A75388F63F47148DD79F5F220FCFBE01FAE8CAF
SHA-1 Hash: 5533AFBA0BFCED82B4F7B938372BC74C3345497B
MD5 Hash: C81871143A798146C6C75AC96C8BACE5
Imphash: 9ACCC748A9D89A334D2FC419EC39655A
MajorOSVersion: 5
CheckSum: 00000000
EntryPoint (rva): 113BC
SizeOfHeaders: 400
SizeOfImage: 2C000
ImageBase: 400000
Architecture: x86
ImportTable: 19000
Characteristics: 818F
TimeDateStamp: 53BCF615
Date: 09/07/2014 7:58:13
File Type: EXE
Number Of Sections: 8
ASLR: Disabled
Section Names: .text, .itext, .data, .bss, .idata, .tls, .rdata, .rsrc
Number Of Executable Sections: 2
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info:
Section Name  Flags                  ROffset  RSize  VOffset  VSize
.text         60000020 (Executable)  400      F200   1000     F12C
.itext        60000020 (Executable)  F600     C00    11000    B44
.data         C0000040 (Writeable)   10200    E00    12000    C88
.bss          C0000000 (Writeable)   11000    0      13000    56B4
.idata        C0000040 (Writeable)   11000    E00    19000    DD0
.tls          C0000000 (Writeable)   11E00    0      1A000    8
.rdata        40000040               11E00    200    1B000    18
.rsrc         40000040               12000    F800   1C000    F604
Description:
CompanyName: Decompiler-vb.net
LegalCopyright: Copyright Decompiler-VB.net - Sylvain Bruyere, Inc.
ProductName: VBReFormer 2015 Professional

Binder/Joiner/Crypter:
Dropper code detected (EOF) - 2,82 MB

Entry Point:
Section number 2 (.itext) contains the Entry Point
Information -> EntryPoint (calculated) - F9BC
Code -> 558BEC83C4A453565733C08945C48945C08945A48945D08945C88945CC8945D48945D88945ECB82C004100E8E851FFFF33C0
PUSH EBP
MOV EBP, ESP
ADD ESP, -0X5C
PUSH EBX
PUSH ESI
PUSH EDI
XOR EAX, EAX
MOV DWORD PTR [EBP - 0X3C], EAX
MOV DWORD PTR [EBP - 0X40], EAX
MOV DWORD PTR [EBP - 0X5C], EAX
MOV DWORD PTR [EBP - 0X30], EAX
MOV DWORD PTR [EBP - 0X38], EAX
MOV DWORD PTR [EBP - 0X34], EAX
MOV DWORD PTR [EBP - 0X2C], EAX
MOV DWORD PTR [EBP - 0X28], EAX
MOV DWORD PTR [EBP - 0X14], EAX
MOV EAX, 0X41002C
CALL 0XFFFF6218
XOR EAX, EAX

Signatures:
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:
Compiler: Borland Delphi 7
Detect It Easy (die)
PE: installer: Inno Setup Module(5.5.0)[unicode]
PE: compiler: Embarcadero Delphi(2009-2010)[-]
PE: linker: Turbo Linker(2.25*,Delphi)[EXE32]
PE: overlay: Inno Setup Installer data(-)[-]
Entropy: 7.98023

Suspicious Functions:
Library Function Description
KERNEL32.DLL VirtualAlloc Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL LoadLibraryW Loads the specified module into the address space of the calling process.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
Windows REG (UNICODE):
SOFTWARE\Borland\Delphi\RTL
Software\CodeGear\Locales
Software\Borland\Locales
Software\Borland\Delphi\Locales

File Access:
advapi32.dll
kernel32.dll
comctl32.dll
user32.dll
oleaut32.dll

File Access (UNICODE):
kernel32.dll
shell32.dll
Temp
UserProfile

Words of Interest:
PADDINGX
exec
attrib
start
systeminfo

Words of Interest (UNICODE):
PassWord
start
shutdown

URLs:
http://schemas.microsoft.com/SMI/2005/WindowsSettings

URLs (UNICODE):
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline

Strings/Hex Code Found With The File Rules:
Rule Text (Unicode): WinAPI Sockets (accept)
Rule Text (Ascii): Registry (RegOpenKeyEx)
Rule Text (Ascii): File (CreateFile)
Rule Text (Ascii): File (WriteFile)
Rule Text (Ascii): File (ReadFile)
Rule Text (Ascii): Anti-Analysis VM (GetSystemInfo)
Rule Text (Ascii): Anti-Analysis VM (GetVersion)
Rule Text (Ascii): Stealth (VirtualAlloc)
Rule Text (Ascii): Stealth (VirtualProtect)
Rule Text (Ascii): Execution (CreateProcessW)
Rule Text (Unicode): Privileges (SeShutdownPrivilege)
Rule Text (Unicode): Malicious rerouting of traffic to an attacker-controlled site (Redirect)
EP Rules: Borland Delphi 4.0
EP Rules: fasm -> Tomasz Grysztar
EP Rules: Stranik 1.3 Modula/C/Pascal

Resources:
Path                       DataRVA  Size  FileOffset
\ICON\1\1033               1C47C    EA8   1247C
\ICON\2\1033               1D324    8A8   13324
\ICON\3\1033               1DBCC    568   13BCC
\ICON\4\1033               1E134    25A8  14134
\ICON\5\1033               206DC    10A8  166DC
\ICON\6\1033               21784    468   17784
\STRING\4091\0             21BEC    68    17BEC
\STRING\4092\0             21C54    D4    17C54
\STRING\4093\0             21D28    A4    17D28
\STRING\4094\0             21DCC    2AC   17DCC
\STRING\4095\0             22078    34C   18078
\STRING\4096\0             223C4    294   183C4
\RCDATA\CHARTABLE\1033     22658    82E8  18658
\RCDATA\DVCLAL\0           2A940    10    20940
\RCDATA\PACKAGEINFO\0      2A950    150   20950
\RCDATA\11111\0            2AAA0    2C    20AA0
\GROUP_ICON\MAINICON\1033  2AACC    5A    20ACC
\VERSION\1\1033            2AB28    4F4   20B28
\24\1\1033                 2B01C    5E8   2101C
Intelligent String:
• kernel32.dll
• .tmp
• .bss
• .tls
• x:\dirname"
• For more detailed information, please visit http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
• shell32.dll
• oleaut32.dll
• RegCloseKeyuser32.dll
• CharNextWkernel32.dll
• CloseHandlekernel32.dll
• user32.dll
• CloseHandleadvapi32.dll
• Sleepadvapi32.dll
• <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>

Extra 4n4lysis:
Metric          Value    Percentage
Ascii Code      2133695  67,9056%
Null Byte Code  51375    1,635%
© 2025 All rights reserved.