PESCAN.IO - Analysis Report Valid Code
Information:
• Size: 1,54 MB
• SHA-256 Hash: 0CEFD7307E7D43B0A13DA9E04EB89C7160D856E8335E96498F5F98A8F020E87B
• SHA-1 Hash: 99FA1129D0003FF1322AA3CF18C0431B79B65EA9
• MD5 Hash: CD25DDB526539CC211CA2F7356855231
• Imphash: C85E887BDB558C29A9964A7332B7D28A
• MajorOSVersion: 5
• CheckSum: 001962D5
• EntryPoint (rva): F68B6
• SizeOfHeaders: 400
• SizeOfImage: 196000
• ImageBase: 10000000
• Architecture: x86
• ExportTable: 15BA60
• ImportTable: 1589F0
• Characteristics: 2102
• TimeDateStamp: 6832C8E8
• Date: 25/05/2025 7:38:16
• File Type: DLL
• Number Of Sections: 5
• ASLR: Enabled
• Section Names: .text, .rdata, .data, .rsrc, .reloc
• Number Of Executable Sections: 1
• Subsystem: Windows GUI
• UAC Execution Level Manifest: asInvoker
Sections Info:
Section Name | Flags | ROffset | RSize | VOffset | VSize |
---|---|---|---|---|---|
.text | 60000020 (Executable) | 400 | 118200 | 1000 | 11818B |
.rdata | 40000040 | 118600 | 41E00 | 11A000 | 41C29 |
.data | C0000040 (Writeable) | 15A400 | 5E00 | 15C000 | D2BC |
.rsrc | 40000040 | 160200 | 3000 | 16A000 | 2EF8 |
.reloc | 42000040 | 163200 | 28200 | 16D000 | 28140 |
Entry Point:
Section number (1) - (.text) holds the Entry Point. EntryPoint (calculated) - F5CB6
Code -> 8BFF558BEC837D0C017505E8DF700000FF75088B4D108B550CE8ECFEFFFF595DC20C008BFF558BEC538B5D0883FBE0776F56
• MOV EDI, EDI
• PUSH EBP
• MOV EBP, ESP
• CMP DWORD PTR [EBP + 0XC], 1
• JNE 0X1010
• CALL 0X80EF
• PUSH DWORD PTR [EBP + 8]
• MOV ECX, DWORD PTR [EBP + 0X10]
• MOV EDX, DWORD PTR [EBP + 0XC]
• CALL 0XF0A
• POP ECX
• POP EBP
• RET 0XC
• MOV EDI, EDI
• PUSH EBP
• MOV EBP, ESP
• PUSH EBX
• MOV EBX, DWORD PTR [EBP + 8]
• CMP EBX, -0X20
• JA 0X10A0
• PUSH ESI
Signatures:
Rich Signature Analyzer: Code -> A6EC006ED07100526963686FD071 Footprint md5 Hash -> 65FEFF32335CDB31543884C2376B3EE2
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed
Packer/Compiler:
Detect It Easy (die)
• PE: library: MFC(-)[static]
• PE: compiler: EP:Microsoft Visual C/C++(2008-2010)[DLL32]
• PE: compiler: Microsoft Visual C++(2010)[libcmt]
• PE: linker: Microsoft Linker(10.0)[DLL32]
• Entropy: 6.46485
Suspicious Functions:
Library | Function | Description |
---|---|---|
KERNEL32.DLL | GetModuleFileNameA | Retrieve the fully qualified path for the executable file of a specified module. |
KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
KERNEL32.DLL | CopyFileW | Copies an existing file to a new file. |
KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
USER32.DLL | GetAsyncKeyState | Retrieves the status of a virtual key asynchronously. |
SHELL32.DLL | ShellExecuteW | Performs a run operation on a specific file. |
ET Functions (carving):
Original Name -> DQ.dll
• arkHTTPCancelRequest
• arkHTTPClose
• arkHTTPGetDownloadDirectory
• arkHTTPOpen
• arkHTTPQueryInfo
• arkHTTPSendRequest
• arkHTTPSetConfig
• arkHTTPSetDefaultProxy
• arkHTTPSetDownloadDirectory
• arkHTTPSetLogCallback
• arkHTTPSetOption
• arkHTTPSetUseThirdLSP
• arkHTTPShutdown
• arkHTTPStartup
Windows REG (UNICODE):
• Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
• Software\Microsoft\Windows\CurrentVersion\Policies\Network
• Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
• Software\Classes\
• Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer - NoRun
File Access:
DQ.dll WINMM.dll IMM32.dll OLEACC.dll gdiplus.dll OLEAUT32.dll ole32.dll SHLWAPI.dll COMCTL32.dll SHELL32.dll ADVAPI32.dll COMDLG32.dll MSIMG32.dll GDI32.dll USER32.dll KERNEL32.dll Temp
File Access (UNICODE):
%s%s.dll Advapi32.dll comctl32.dll comdlg32.dll shell32.dll dwmapi.dll UxTheme.dll SHCreateItemFromParsingNameShell32.dll RegisterTouchWindowuser32.dll kernel32.dll ole32.dll CorExitProcessmscoree.dll Temp
Interest's Words:
lockbit PADDINGX outlook ToolBar exec attrib start shutdown systeminfo replace
Interest's Words (UNICODE):
outlook ToolBar exec start pause replace
URLs:
http://schemas.microsoft.com/SMI/2005/WindowsSettings
Strings/Hex Code Found With The File Rules:
• Rule Text (Unicode): WinAPI Sockets (connect)
• Rule Text (Ascii): Registry (RegCreateKeyEx)
• Rule Text (Ascii): Registry (RegOpenKeyEx)
• Rule Text (Ascii): Registry (RegSetValueEx)
• Rule Text (Ascii): Registry (RegDeleteKeyEx)
• Rule Text (Ascii): File (GetTempPath)
• Rule Text (Ascii): File (CopyFile)
• Rule Text (Ascii): File (CreateFile)
• Rule Text (Ascii): File (WriteFile)
• Rule Text (Ascii): File (ReadFile)
• Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent)
• Rule Text (Ascii): Anti-Analysis VM (GetSystemInfo)
• Rule Text (Ascii): Anti-Analysis VM (GetVersion)
• Rule Text (Ascii): Stealth (VirtualAlloc)
• Rule Text (Ascii): Stealth (VirtualProtect)
• Rule Text (Ascii): Execution (ShellExecute)
• Rule Text (Ascii): Execution (ResumeThread)
• Rule Text (Ascii): Keyboard Key (Scroll)
• Rule Text (Unicode): Keyboard Key (Scroll)
• Rule Text (Unicode): Keyboard Key (RightArrow)
• Rule Text (Ascii): Stealer malware focused on obtaining CVV codes to conduct unauthorized transactions (CVV)
• EP Rules: Microsoft Visual C++ 8
• EP Rules: VC8 -> Microsoft Corporation
Resources:
Path | DataRVA | Size | FileOffset | Code | Text |
---|---|---|---|---|---|
\CURSOR\1\2052 | 16AA18 | 134 | 160C18 | 020002002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
\CURSOR\2\2052 | 16AB4C | B4 | 160D4C | 010001002800000010000000200000000100010000000000800000000000000000000000000000000000000000000000FFFF | ....(....... ..................................... |
\CURSOR\3\2052 | 16AC00 | 134 | 160E00 | 0F0014002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
\CURSOR\4\2052 | 16AD34 | 134 | 160F34 | 100008002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
\CURSOR\5\2052 | 16AE68 | 134 | 161068 | 0A000E002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
\CURSOR\6\2052 | 16AF9C | 134 | 16119C | 15000E002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
\CURSOR\7\2052 | 16B0D0 | 134 | 1612D0 | 0C0012002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
\CURSOR\8\2052 | 16B204 | 134 | 161404 | 140012002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
\CURSOR\9\2052 | 16B338 | 134 | 161538 | 0C000B002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
\CURSOR\10\2052 | 16B46C | 134 | 16166C | 13000A002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
\CURSOR\11\2052 | 16B5A0 | 134 | 1617A0 | 10000F002800000020000000400000000100010000000000800000000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
\CURSOR\12\2052 | 16B6D4 | 134 | 1618D4 | 10000F002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
\CURSOR\13\2052 | 16B808 | 134 | 161A08 | 0F000F002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
\CURSOR\14\2052 | 16B93C | 134 | 161B3C | 10000F002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
\CURSOR\15\2052 | 16BA70 | 134 | 161C70 | 10000F002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
\CURSOR\16\2052 | 16BBA4 | 134 | 161DA4 | 10000F002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
\BITMAP\30994\2052 | 16BCD8 | B8 | 161ED8 | 280000000C0000000A0000000100040000000000500000000000000000000000000000000000000000000000000080000080 | (...................P............................. |
\BITMAP\30996\2052 | 16BD90 | 144 | 161F90 | 28000000210000000B0000000100040000000000DC0000000000000000000000000000000000000000000000000080000080 | (...!............................................. |
\DIALOG\30721\2052 | 16BED4 | E2 | 1620D4 | C400C88000000000050009001A00B700460000000000B065FA5E000009004D00530020005300680065006C006C0020004400 | ................F......e.....M.S. .S.h.e.l.l. .D. |
\DIALOG\30734\2052 | 16BFB8 | 34 | 1621B8 | C800C88000000000000009001A00B700460000000000000009004D00530020005300680065006C006C00200044006C0067000000 | ................F.........M.S. .S.h.e.l.l. .D.l.g... |
\STRING\3841\2052 | 16BFEC | 4E | 1621EC | 02005362005F0300E653585B3A4E0900406209678765F64E28002A002E002A0029000300E065076898980000000006002A677D540D5484768765F64E000000000000000000000000000000000000 | ..Sb._...SX[:N..@b.g.e.N(.*...*.)....e.h........*g}T.T.v.e.N.................. |
\STRING\3842\2052 | 16C03C | 2C | 16223C | 000006009096CF85280026004800290000000000000000000000000000000000000000000000000000000000 | ........(.&.H.)............................. |
\STRING\3843\2052 | 16C068 | 84 | 162268 | 0900E065D56CD0639B4F1995EF8BE14F6F6002300B000D4E2F6501631D5CD58B67624C888476CD645C4F0230080040620097 | ...e.l.c.O.....Oo.0...N/e.c.\..gbL..v.d\O.0..@b.. |
\STRING\3857\2052 | 16C0EC | 1C4 | 1622EC | 07008765F64E0D540D4E636B6E78023007005362005F876563683159258D02300700DD4F585B876563683159258D02300D00 | ...e.N.T.Ncknx.0..Sb._.ech1Y%..0...OX[.ech1Y%..0.. |
\STRING\3858\2052 | 16C2B0 | 14E | 1624B0 | 0800F78B938F6551004E2A4E7465706502300800F78B938F6551004E2A4E7065575B02301400F78B938F6551004E2A4E2000 | ......eQ.N*Ntepe.0......eQ.N*NpeW[.0......eQ.N*N . |
\STRING\3859\2052 | 16C400 | 10E | 162600 | 08000F61165984768765F64E3C680F5F02301C00250031000A00E065D56C7E623052646B8765F64E02300A00F78B6E78A48B | ...a.Y.v.e.N<h._.0..%.1....e.l~b0Rdk.e.N.0....nx.. |
\STRING\3860\2052 | 16C510 | 50 | 162710 | 1000250031003A002000250032000A002F662654E77EED7ED08F4C881A812C673F000800038CA65E025F385E3A0020002500310000000000000000000000000000000000000000000000000000000000 | ..%.1.:. .%.2.../f&T.~.~..L...,g?......._8:. .%.1............................. |
\STRING\3865\2052 | 16C560 | 44 | 162760 | 0000000000000000000000000000000000000000000000000900E065D56CFB8BD653EA5399515E5C276002300900E065D56C99516551EA53FB8B5E5C2760023000000000 | ...........................e.l...S.S.Q\'.0...e.l.QeQ.S..\'.0.... |
\STRING\3866\2052 | 16C5A4 | 68 | 1627A4 | 0B00E065D56CA0527D8FAE90F64EFB7CDF7E2F65016302300C00AE90F64EFB7CDF7E200044004C004C002000E06548650230 | ...e.l.R}....N.|.~/e.c.0.....N.|.~ .D.L.L. ..eHe.0 |
\STRING\3867\2052 | 16C60C | 1B2 | 16280C | 06002A67D1531F751995EF8B02300F00BF8BEE952000250031002000F665D1531F75864E2A67E5771995EF8B02300800A16C | ..*g.S.u.....0...... .%.1. ..e.S.u.N*g.w.....0...l |
\STRING\3868\2052 | 16C7C0 | F4 | 1629C0 | 06002A67D1531F751995EF8B02300F00BF8BEE952000250031002000F665D1531F75864E2A67E5771995EF8B023014001D5C | ..*g.S.u.....0...... .%.1. ..e.S.u.N*g.w.....0...\ |
\STRING\3869\2052 | 16C8B4 | 24 | 162AB4 | 0200CF50207D000000000000000000000000000000000000000000000000000000000000 | ...P }.............................. |
\STRING\3887\2052 | 16C8D8 | 1A6 | 162AD8 | 00000400D653886D09902D4E020009902D4E0200F76D085410007E623052864E004E2A4E16621A592A4EEA81A852DD4F585B | .....S.m..-N....-N...m.T..~b0R.N.N*N.b.Y*N...R.OX[ |
\GROUP_CURSOR\30977\2052 | 16CA80 | 22 | 162C80 | 00000200020020004000010001003401000001001000200001000100B40000000200 | ...... .@.....4....... ........... |
\GROUP_CURSOR\30998\2052 | 16CAA4 | 14 | 162CA4 | 0000020001002000400001000100340100000800 | ...... .@.....4..... |
\GROUP_CURSOR\30999\2052 | 16CAB8 | 14 | 162CB8 | 0000020001002000400001000100340100000300 | ...... .@.....4..... |
\GROUP_CURSOR\31000\2052 | 16CACC | 14 | 162CCC | 0000020001002000400001000100340100000700 | ...... .@.....4..... |
\GROUP_CURSOR\31001\2052 | 16CAE0 | 14 | 162CE0 | 0000020001002000400001000100340100000600 | ...... .@.....4..... |
\GROUP_CURSOR\31002\2052 | 16CAF4 | 14 | 162CF4 | 0000020001002000400001000100340100000D00 | ...... .@.....4..... |
\GROUP_CURSOR\31003\2052 | 16CB08 | 14 | 162D08 | 0000020001002000400001000100340100000500 | ...... .@.....4..... |
\GROUP_CURSOR\31004\2052 | 16CB1C | 14 | 162D1C | 0000020001002000400001000100340100000A00 | ...... .@.....4..... |
\GROUP_CURSOR\31005\2052 | 16CB30 | 14 | 162D30 | 0000020001002000400001000100340100000400 | ...... .@.....4..... |
\GROUP_CURSOR\31006\2052 | 16CB44 | 14 | 162D44 | 0000020001002000400001000100340100000900 | ...... .@.....4..... |
\GROUP_CURSOR\31007\2052 | 16CB58 | 14 | 162D58 | 0000020001002000400001000100340100000B00 | ...... .@.....4..... |
\GROUP_CURSOR\31008\2052 | 16CB6C | 14 | 162D6C | 0000020001002000400001000100340100000C00 | ...... .@.....4..... |
\GROUP_CURSOR\31009\2052 | 16CB80 | 14 | 162D80 | 0000020001002000400001000100340100000E00 | ...... .@.....4..... |
\GROUP_CURSOR\31010\2052 | 16CB94 | 14 | 162D94 | 0000020001002000400001000100340100000F00 | ...... .@.....4..... |
\GROUP_CURSOR\31011\2052 | 16CBA8 | 14 | 162DA8 | 0000020001002000400001000100340100001000 | ...... .@.....4..... |
\VERSION\1\2052 | 16CBBC | DC | 162DBC | DC0034000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
\24\2\1033 | 16CC98 | 25F | 162E98 | 3C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122 | <assembly xmlns="urn:schemas-microsoft-com:asm.v1" |
Intelligent String:
• KERNEL32.DLL
• %s%s.dll
• f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
• Advapi32.dll
• :comctl32.dll
• <;comdlg32.dll
• ;shell32.dll
• .INI
• .HLP
• .CHM
• f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl
• SHELL32.DLL
• dwmapi.dll
• UxTheme.dll
• RegisterTouchWindowuser32.dll
• hhctrl.ocx
• f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
• f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
• kernel32.dll
• f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
• TaskDialogIndirect
• COMCTL32.DLL
• USER32.DLL
• ole32.dll
• f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
• f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
• f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
• f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
• f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
• RICHED20.DLL
• f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
• f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
• mscoree.dll
• GetNextDlgTabItemaCreateDialogIndirectParamW
• USER32.dll
• MSIMG32.dll
• WINSPOOL.DRV
• WINMM.dll
• .PAX
Extra 4n4lysis:
Metric | Value | Percentage |
---|---|---|
Ascii Code | 912391 | 56,3572% |
Null Byte Code | 276812 | 17,0983% |