PESCAN.IO - Analysis Report

File Structure: [analysis image not reproduced in this text export]
Information:
Size: 5.00 MB (5,242,896 bytes; the raw data of the last section, .reloc, ends at file offset 500000 + 10)
SHA-256 Hash: 64EAE8CBDC7829517F43E5D20A77B617FAB7DA0AA905D6428FAF8F5A717A481E
SHA-1 Hash: 91B18B360892B9D1B5B7892D11C8CD3BE93ACAE8
MD5 Hash: E1F139D891202F505E71C94B9E4660CF
Imphash: D8CB122E0D75EF6A8F274AD6A4C34345
MajorOSVersion: 6
CheckSum: 00502981
EntryPoint (rva): 951058
SizeOfHeaders: 600
SizeOfImage: CB8000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: 37248F
Characteristics: 22
TimeDateStamp: 67D999B2
Date: 18/03/2025 16:05:06 (UTC, decoded from TimeDateStamp 67D999B2)
File Type: EXE
Number Of Sections: 12
ASLR: Disabled (no DYNAMIC_BASE flag: the image expects to load at ImageBase 140000000, and .reloc carries only 10 bytes of data)
Section Names (Section Table): six unnamed sections whose name field is eight space bytes (0x20 x 8), followed by .imports, .tls, .rsrc, .themida, .boot, .reloc
Number Of Executable Sections: 3
Subsystem: Windows GUI
UAC Execution Level Manifest: requireAdministrator
[Incomplete Binary or Compressor Packer - 7.72 MB Missing]: SizeOfImage is CB8000 (13,336,576 bytes, 12.72 MB) against a 5.00 MB file, so 7.72 MB of the memory image has no bytes on disk. Here this is the packer rather than a truncated file: .themida has VSize 5DC000 (6,144,000 bytes) with RSize 0, and the six blank-named sections all have VSize well above RSize, so their contents are produced only at run time by the unpacking stub in .boot.

Sections Info (all values hex; the six blank section names are eight space bytes, shown as <8 x 0x20>):
#   Section Name  Flags     Attributes              ROffset  RSize   VOffset  VSize
1   <8 x 0x20>    60000020  Executable              600      B8D19   1000     166F44
2   <8 x 0x20>    40000040                          B9400    359EA   168000   7A6DA
3   <8 x 0x20>    C0000040  Writeable               EEE00    A0438   1E3000   17A9A0
4   <8 x 0x20>    40000040                          18F400   9AD1    35E000   10758
5   <8 x 0x20>    40000040                          199000   113     36F000   1E8
6   <8 x 0x20>    42000040                          199200   AFD     370000   17D4
7   .imports      C0000040  Writeable               199E00   A00     372000   1000
8   .tls          C0000000  Writeable               19A800   200     373000   1000
9   .rsrc         40000040                          19AA00   200     374000   1000
10  .themida      E0000060  Executable, Writeable   19AC00   0       375000   5DC000
11  .boot         60000060  Executable              19AC00   365400  951000   365400
12  .reloc        40000000                          500000   10      CB7000   1000
Entry Point:
Section 11 (.boot) contains the entry point: RVA 951058 falls inside .boot (VOffset 951000, ROffset 19AC00), so the file offset is 951058 - 951000 + 19AC00 = 19AC58.
Information -> EntryPoint (calculated) - 19AC58
Code -> E88201000041524989E24152498B7210498B7A20FCB2808A0648FFC6880748FFC7BB0200000000D275078A1648FFC610D273
Disassembly (the tool lists addresses relative to a base of 0x1000, so 0x1000 here is RVA 0x951058; the byte column is decoded from the dump above):
0x1000  E8 82 01 00 00   CALL 0x1187
0x1005  41 52            PUSH R10
0x1007  49 89 E2         MOV R10, RSP
0x100A  41 52            PUSH R10
0x100C  49 8B 72 10      MOV RSI, QWORD PTR [R10 + 0x10]
0x1010  49 8B 7A 20      MOV RDI, QWORD PTR [R10 + 0x20]
0x1014  FC               CLD
0x1015  B2 80            MOV DL, 0x80
0x1017  8A 06            MOV AL, BYTE PTR [RSI]
0x1019  48 FF C6         INC RSI
0x101C  88 07            MOV BYTE PTR [RDI], AL
0x101E  48 FF C7         INC RDI
0x1021  BB 02 00 00 00   MOV EBX, 2
0x1026  00 D2            ADD DL, DL
0x1028  75 07            JNE 0x1031
0x102A  8A 16            MOV DL, BYTE PTR [RSI]
0x102C  48 FF C6         INC RSI
0x102F  10 D2            ADC DL, DL
Editor's reading of this listing (not a tool verdict): the code after the CALL loads a source pointer (RSI) and a destination pointer (RDI) from the stack through R10, copies one literal byte, and uses DL as an 8-bit tag buffer seeded with 0x80 that is refilled from the input stream when it runs empty (ADD DL, DL / JNE / MOV DL, [RSI] / INC RSI / ADC DL, DL). That literal-copy and getbit idiom is the one used by the aPLib x64 depacker, which fits .boot being a decompression stub that fills the zero-RSize .themida section rather than the program's own code.
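The RVA-to-offset arithmetic and the "7.72 MB missing" figure above can be reproduced from the section table alone. The Python below is an added example written for this page, not PESCAN.IO code: it embeds the twelve section headers exactly as the report prints them (offsets and sizes in hex), takes the file size from the end of the last section's raw data, and shows which sections are executable, writeable, or exist only in memory.

```python
"""Replay the section-table arithmetic from the PESCAN.IO report above.

Added example (editor's code, not PESCAN.IO output). Every constant is copied
from the report; nothing here reads the sample itself.
"""

SIZE_OF_IMAGE = 0xCB8000   # optional header SizeOfImage
ENTRY_RVA = 0x951058       # AddressOfEntryPoint (RVA)

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# (name, characteristics, PointerToRawData, SizeOfRawData, VirtualAddress, VirtualSize)
# The six blank names are eight 0x20 bytes in the file.
SECTIONS = [
    ("        ", 0x60000020, 0x000600, 0x0B8D19, 0x001000, 0x166F44),
    ("        ", 0x40000040, 0x0B9400, 0x0359EA, 0x168000, 0x07A6DA),
    ("        ", 0xC0000040, 0x0EEE00, 0x0A0438, 0x1E3000, 0x17A9A0),
    ("        ", 0x40000040, 0x18F400, 0x009AD1, 0x35E000, 0x010758),
    ("        ", 0x40000040, 0x199000, 0x000113, 0x36F000, 0x0001E8),
    ("        ", 0x42000040, 0x199200, 0x000AFD, 0x370000, 0x0017D4),
    (".imports", 0xC0000040, 0x199E00, 0x000A00, 0x372000, 0x001000),
    (".tls",     0xC0000000, 0x19A800, 0x000200, 0x373000, 0x001000),
    (".rsrc",    0x40000040, 0x19AA00, 0x000200, 0x374000, 0x001000),
    (".themida", 0xE0000060, 0x19AC00, 0x000000, 0x375000, 0x5DC000),
    (".boot",    0x60000060, 0x19AC00, 0x365400, 0x951000, 0x365400),
    (".reloc",   0x40000000, 0x500000, 0x000010, 0xCB7000, 0x001000),
]


def section_for_rva(rva):
    """Return (1-based index, section tuple) of the section whose virtual range holds rva."""
    for idx, sec in enumerate(SECTIONS, start=1):
        vaddr, vsize = sec[4], sec[5]
        if vaddr <= rva < vaddr + vsize:
            return idx, sec
    return None, None


def rva_to_file_offset(rva):
    """Map an RVA to a file offset; None when the RVA has no bytes on disk."""
    _, sec = section_for_rva(rva)
    if sec is None:
        raise ValueError(f"RVA {rva:#x} is outside every section")
    _, _, raw_ptr, raw_size, vaddr, _ = sec
    delta = rva - vaddr
    if delta >= raw_size:          # past the raw data: only exists once unpacked in memory
        return None
    return raw_ptr + delta


def file_size_from_sections():
    """End of the last raw section: the on-disk size when there is no overlay."""
    return max(raw_ptr + raw_size for _, _, raw_ptr, raw_size, _, _ in SECTIONS)


def missing_bytes():
    """Bytes that exist in the memory image but not in the file (the tool's 'missing' figure)."""
    return SIZE_OF_IMAGE - file_size_from_sections()


def virtual_only_by_section():
    """Per section: VirtualSize beyond SizeOfRawData, i.e. data produced only at run time."""
    return [(idx, name, max(vsize - raw_size, 0))
            for idx, (name, _, _, raw_size, _, vsize) in enumerate(SECTIONS, start=1)]


def sections_with(mask):
    """1-based indices and names of sections whose characteristics include every bit in mask."""
    return [(idx, name) for idx, (name, chars, *_) in enumerate(SECTIONS, start=1)
            if chars & mask == mask]


if __name__ == "__main__":
    idx, sec = section_for_rva(ENTRY_RVA)
    print(f"entry RVA {ENTRY_RVA:#x} is in section {idx} ({sec[0].strip() or 'blank'}), "
          f"file offset {rva_to_file_offset(ENTRY_RVA):#x}")
    print(f"file size {file_size_from_sections():,} bytes; {missing_bytes():,} bytes "
          f"({missing_bytes() / 2**20:.2f} MB) exist only in memory")
    for idx, name, extra in virtual_only_by_section():
        if extra:
            print(f"  section {idx:2} {name.strip() or '<blank>':9} +{extra:#x} virtual-only bytes")
    print("executable:", sections_with(IMAGE_SCN_MEM_EXECUTE))
    print("W+X:", sections_with(IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE))
```

Run as-is it reports the entry point in section 11 (.boot) at file offset 0x19AC58, a 5,242,896-byte file with 8,093,680 bytes (7.72 MB) existing only in memory, .themida as the lone writeable-and-executable section, and exactly the three executable sections the tool counts.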

Signatures:
Rich Signature Analyzer:
Code -> 9CBC7183D8DD1FD0D8DD1FD0D8DD1FD0D1A58CD0CEDD1FD093581AD1CCDD1FD093A51BD1D9DD1FD0EE5D1BD1C3DD1FD0C859E2D0D1DD1FD0C8591BD1D2DD1FD0C8591AD1E8DD1FD0C8591CD1DEDD1FD0C8591ED1DEDD1FD093A51ED1C4DD1FD093581BD15ADD1FD00A8F83D0DFDD1FD0D8DD1ED0C5DF1FD0935816D1D2DD1FD09358E0D0D9DD1FD093581DD1D9DD1FD052696368D8DD1FD0
Footprint md5 Hash -> C9F4A8A8E0A3C5621A1CCD5401439036
• The Rich header apparently has not been modified: the XOR key stored after the "Rich" marker (bytes D8 DD 1F D0) decodes the first dword 9CBC7183 to "DanS", and the three padding dwords that follow decode to zero.
Certificate - Digital Signature Not Found:
• The file is not signed
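The raw Rich header dump above can be decoded by hand. The Python below is an added example written for this page, not the PESCAN.IO analyzer: it takes the "Code ->" hex exactly as printed (file byte order), locates the "Rich" marker and the key after it, unmasks the header, and splits each entry into product id (high 16 bits), build number (low 16 bits) and use count. The prodid-to-tool-name table is not included here, so entries are reported numerically; the checksum itself cannot be re-verified because that needs the DOS header and stub bytes, which the report does not show.

```python
"""Decode the Rich header bytes printed in the PESCAN.IO report above.

Added example (editor's code, not PESCAN.IO's analyzer). RICH_HEX is the
report's "Code ->" dump in file byte order; the prodid/build/count split
follows the documented Rich header layout.
"""
import struct

RICH_HEX = (
    "9CBC7183D8DD1FD0D8DD1FD0D8DD1FD0"
    "D1A58CD0CEDD1FD093581AD1CCDD1FD0"
    "93A51BD1D9DD1FD0EE5D1BD1C3DD1FD0"
    "C859E2D0D1DD1FD0C8591BD1D2DD1FD0"
    "C8591AD1E8DD1FD0C8591CD1DEDD1FD0"
    "C8591ED1DEDD1FD093A51ED1C4DD1FD0"
    "93581BD15ADD1FD00A8F83D0DFDD1FD0"
    "D8DD1ED0C5DF1FD0935816D1D2DD1FD0"
    "9358E0D0D9DD1FD093581DD1D9DD1FD0"
    "52696368D8DD1FD0"
)

DANS = 0x536E6144  # b"DanS" read as a little-endian dword


def decode_rich(raw: bytes):
    """Return (xor_key, [(prodid, build, count), ...]) from a raw Rich header blob.

    Layout: DanS ^ key, three zero dwords ^ key, N (compid, count) pairs ^ key,
    then the literal "Rich" marker followed by the key in clear.
    """
    marker = raw.rfind(b"Rich")
    if marker < 0 or marker % 4 or marker + 8 > len(raw):
        raise ValueError("no well-formed 'Rich' marker")
    key = struct.unpack_from("<I", raw, marker + 4)[0]
    masked = struct.unpack_from(f"<{marker // 4}I", raw, 0)
    clear = [d ^ key for d in masked]
    if clear[0] != DANS or clear[1:4] != [0, 0, 0]:
        raise ValueError("key does not decode DanS + padding; header is damaged")
    entries = []
    for i in range(4, len(clear) - 1, 2):
        compid, count = clear[i], clear[i + 1]
        entries.append((compid >> 16, compid & 0xFFFF, count))
    return key, entries


def toolset_builds(entries):
    """Distinct tool build numbers, ignoring the Import0 pseudo-entry (prodid 1, build 0)."""
    return sorted({build for prodid, build, _ in entries if not (prodid == 1 and build == 0)})


def import_count(entries):
    """Imported symbols are recorded as prodid 1 / build 0; return their use count."""
    return sum(count for prodid, build, count in entries if prodid == 1 and build == 0)


if __name__ == "__main__":
    key, entries = decode_rich(bytes.fromhex(RICH_HEX))
    print(f"XOR key (checksum): {key:#010x}, {len(entries)} entries")
    for prodid, build, count in entries:
        print(f"  prodid {prodid:#06x}  build {build:5d}  count {count}")
    print("toolset builds:", toolset_builds(entries))
    print("Import0 symbol count:", import_count(entries))
```

On this dump the key is 0xD01FDDD8 and there are 16 entries. Several carry build 34123, consistent with the 14.41 linker DIE identifies below, one carries build 30729 (the Visual Studio 2008 SP1 toolset, from a statically linked object), and the Import0 entry counts 541 imported symbols.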

Duplicate Sections:
Six sections share the same name (eight 0x20 space bytes), so the tool reports that name as duplicated 6 times.

Packer/Compiler:
Detect It Easy (die)
PE+(64): linker: Microsoft Linker(14.41**)[EXE64,admin]
Entropy: 7.97979 (of a maximum 8.0; near-maximal across the whole file, as expected for compressed or encrypted section data)

Suspicious Functions:
Library       Function          Description
KERNEL32.DLL  GetModuleHandleA  Retrieves a handle to the specified module.
SHELL32.DLL   ShellExecuteA     Performs an operation (for example "open" or "runas") on a specified file or URL.
File Access (library names and other strings the tool found):
api-ms-win-crt-time-l1-1-0.dll
api-ms-win-crt-environment-l1-1-0.dll
api-ms-win-crt-filesystem-l1-1-0.dll
api-ms-win-crt-convert-l1-1-0.dll
api-ms-win-crt-string-l1-1-0.dll
api-ms-win-crt-utility-l1-1-0.dll
api-ms-win-crt-runtime-l1-1-0.dll
api-ms-win-crt-stdio-l1-1-0.dll
api-ms-win-crt-locale-l1-1-0.dll
api-ms-win-crt-math-l1-1-0.dll
api-ms-win-crt-heap-l1-1-0.dll
VCRUNTIME140.dll
VCRUNTIME140_1.dll
bcrypt.dll
USERENV.dll
IMM32.dll
d3dx11_43.dll
WINHTTP.dll
MSVCP140.dll
OLEAUT32.dll
ole32.dll
SHELL32.dll
ADVAPI32.dll
GDI32.dll
USER32.dll
CRYPT32.dll
WS2_32.dll
D3DCOMPILER_43.dll
d3d11.dll
kernel32.dll
+.vBe
UserProfile

Words of Interest:
exec

Strings/Hex Code Found With The File Rules:
Rule Text (Ascii): Execution (ShellExecute)

Resources:
Path        DataRVA  Size  FileOffset  Data
\24\1\1033  374058   188   19AA58      Hex:  3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779
                                       Text: <?xml version='1.0' encoding='UTF-8' standalone='y   (truncated in the report)
Resource type 24 is RT_MANIFEST, id 1, language 1033 (en-US), 0x188 = 392 bytes: this is the application manifest that carries the requireAdministrator execution level listed above. DataRVA 374058 lies in .rsrc (VOffset 374000, ROffset 19AA00), which gives the file offset 19AA58.
Intelligent Strings (each line is an imported function name run together with the library name that follows it in the import data; shown here split at the boundary):
• .tls
• orB
• kernel32.dll
• ShellExecuteA | ole32.dll
• WinHttpConnect | d3dx11_43.dll
• UnloadUserProfile | bcrypt.dll
• __std_exception_copy | api-ms-win-crt-heap-l1-1-0.dll
• _callnewh | api-ms-win-crt-math-l1-1-0.dll
• powf | api-ms-win-crt-locale-l1-1-0.dll
• _configthreadlocale | api-ms-win-crt-stdio-l1-1-0.dll
• __p__commode | api-ms-win-crt-runtime-l1-1-0.dll
• terminate | api-ms-win-crt-utility-l1-1-0.dll
• qsort | api-ms-win-crt-string-l1-1-0.dll
• strcspn | api-ms-win-crt-convert-l1-1-0.dll
• wcstombs | api-ms-win-crt-filesystem-l1-1-0.dll
• _unlink | api-ms-win-crt-environment-l1-1-0.dll
• _dupenv_s | api-ms-win-crt-time-l1-1-0.dll

Extra Analysis:
Metric          Value    Percentage
Ascii Code      3638752  69.4035%
Null Byte Code  53509    1.0206%