PESCAN.IO - Analysis Report

Information:
Size: 1,68 MB
SHA-256 Hash: 8805E4CC034B48CFE6A87B65AB477B8B22F8747DF0928D6B795D4A9743A40838
SHA-1 Hash: F2956C3D5EB43F3E3CCEB8D094A8CB000492700B
MD5 Hash: D9CCEA4B525BE03B449E9A43985BB8D6
Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744
MajorOSVersion: 4
CheckSum: 001B14F9
EntryPoint (rva): 2334
SizeOfHeaders: 1000
SizeOfImage: 1B4000
ImageBase: 400000
Architecture: x86
ImportTable: 19F304
Characteristics: 10E
TimeDateStamp: 43C42C41
Date: 10/01/2006 21:50:57
File Type: EXE
Number Of Sections: 5
ASLR: Disabled
Section Names: .text, .sdata, .text, .reloc, .rsrc
Number Of Executable Sections: 2
Subsystem: Windows Console

Sections Info:
Section Name  Flags                  ROffset  RSize   VOffset  VSize
.text         60000020 (Executable)  1000     2000    2000     18E4
.sdata        C0000040 (Writeable)   3000     1000    4000     1000
.text         60000020 (Executable)  4000     1A9000  6000     1A8A98
.reloc        42000040               1AD000   1000    1B0000   C
.rsrc         40000040               1AE000   1000    1B2000   838
Description:
InternalName: Bisiesto.exe
OriginalFilename: Bisiesto.exe
CompanyName: Casa
LegalCopyright: Copyright Casa 2006
ProductName: Bisiesto
FileVersion: 1.0.0.0

Entry Point:
Section number (1) - (.text) contains the Entry Point
Information -> EntryPoint (calculated) - 1334
Code -> FF2548F359000000133002003B0000000D000011007E0600000414282300000A0C082C207279000070D00800000228150000
JMP DWORD PTR [0X59F348]
ADD BYTE PTR [EAX], AL
ADC ESI, DWORD PTR [EAX]
ADD AL, BYTE PTR [EAX]
CMP EAX, DWORD PTR [EAX]
ADD BYTE PTR [EAX], AL
OR EAX, 0X110000
JLE 0X101D
ADD BYTE PTR [EAX], AL
ADD AL, 0X14
SUB BYTE PTR [EBX], AH
ADD BYTE PTR [EAX], AL
OR CL, BYTE PTR [EAX + ECX]
SUB AL, 0X20
JB 0X109F
ADD BYTE PTR [EAX], AL
JO 0XFFA
OR BYTE PTR [EAX], AL
ADD BYTE PTR [EDX], AL

Signatures:
Certificate - Digital Signature Not Found:
• The file is not signed

Duplicate Sections:
Section .text duplicate 2 times

Packer/Compiler:
Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
AnyCPU: True
Version: v2.0
Compiler: Microsoft Visual Studio
Detect It Easy (die)
PE: library: .NET(v2.0.50727)[-]
PE: compiler: VB.NET(-)[-]
Entropy: 7.89575

Suspicious Functions:
Library Function Description
KERNEL32.DLL VirtualAlloc Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL RtlMoveMemory Moves a block of memory to another location.
KERNEL32.DLL GetModuleHandle Retrieves a handle to the specified module.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
File Access:
Bisiesto.exe
kernel32.dll
mscoree.dll
Temp

File Access (UNICODE):
Bisiesto.exe
WinDir

Words of Interest:
exec
attrib
start

Strings/Hex Code Found With The File Rules:
Rule Text (Ascii): Stealth (VirtualAlloc)
Rule Text (Ascii): Stealth (VirtualProtect)
Rule Text (Unicode): Linux Virtual File System - (/proc/)

Intelligent String:
• 1.0.0.0
• Bisiesto.exe
• _CorExeMainmscoree.dll
• n I\Visual Basic 2005\Ejercicios\Ejercicio 13\Bisiesto\Bisiesto\obj\Debug\Bisiesto.pdb
• mscoree.dll
• /proc/self/maps

Extra 4n4lysis:
Metric          Value    Percentage
Ascii Code      1177949  66,7251%
Null Byte Code  67286    3,8114%