PESCAN.IO - Analysis Report |
|||||
| File Structure: | |||||
|
|||||
| Information: |
| Size: 5,00 MB SHA-256 Hash: 64EAE8CBDC7829517F43E5D20A77B617FAB7DA0AA905D6428FAF8F5A717A481E SHA-1 Hash: 91B18B360892B9D1B5B7892D11C8CD3BE93ACAE8 MD5 Hash: E1F139D891202F505E71C94B9E4660CF Imphash: D8CB122E0D75EF6A8F274AD6A4C34345 MajorOSVersion: 6 CheckSum: 00502981 EntryPoint (rva): 951058 SizeOfHeaders: 600 SizeOfImage: CB8000 ImageBase: 0000000140000000 Architecture: x64 ImportTable: 37248F Characteristics: 22 TimeDateStamp: 67D999B2 Date: 18/03/2025 16:05:06 File Type: EXE Number Of Sections: 12 ASLR: Disabled Section Names (Optional Header): (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20), (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20), (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20), (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20), (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20), (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20), .imports, .tls, .rsrc, .themida, .boot, .reloc Number Of Executable Sections: 3 Subsystem: Windows GUI UAC Execution Level Manifest: requireAdministrator [Incomplete Binary or Compressor Packer - 7,72 MB Missing] |
| Sections Info: |
| Section Name | Flags | ROffset | RSize | VOffset | VSize |
|---|---|---|---|---|---|
| (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) | 60000020 (Executable) | 600 | B8D19 | 1000 | 166F44 |
| (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) | 40000040 | B9400 | 359EA | 168000 | 7A6DA |
| (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) | C0000040 (Writeable) | EEE00 | A0438 | 1E3000 | 17A9A0 |
| (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) | 40000040 | 18F400 | 9AD1 | 35E000 | 10758 |
| (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) | 40000040 | 199000 | 113 | 36F000 | 1E8 |
| (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) | 42000040 | 199200 | AFD | 370000 | 17D4 |
| .imports | C0000040 (Writeable) | 199E00 | A00 | 372000 | 1000 |
| .tls | C0000000 (Writeable) | 19A800 | 200 | 373000 | 1000 |
| .rsrc | 40000040 | 19AA00 | 200 | 374000 | 1000 |
| .themida | E0000060 (Executable) (Writeable) | 19AC00 | 0 | 375000 | 5DC000 |
| .boot | 60000060 (Executable) | 19AC00 | 365400 | 951000 | 365400 |
| .reloc | 40000000 | 500000 | 10 | CB7000 | 1000 |
| Entry Point: |
| The section number (11) have the Entry Point Information -> EntryPoint (calculated) - 19AC58 Code -> E88201000041524989E24152498B7210498B7A20FCB2808A0648FFC6880748FFC7BB0200000000D275078A1648FFC610D273 • CALL 0X1187 • PUSH R10 • MOV R10, RSP • PUSH R10 • MOV RSI, QWORD PTR [R10 + 0X10] • MOV RDI, QWORD PTR [R10 + 0X20] • CLD • MOV DL, 0X80 • MOV AL, BYTE PTR [RSI] • INC RSI • MOV BYTE PTR [RDI], AL • INC RDI • MOV EBX, 2 • ADD DL, DL • JNE 0X1031 • MOV DL, BYTE PTR [RSI] • INC RSI • ADC DL, DL |
| Signatures: |
| Rich Signature Analyzer: Code -> 9CBC7183D8DD1FD0D8DD1FD0D8DD1FD0D1A58CD0CEDD1FD093581AD1CCDD1FD093A51BD1D9DD1FD0EE5D1BD1C3DD1FD0C859E2D0D1DD1FD0C8591BD1D2DD1FD0C8591AD1E8DD1FD0C8591CD1DEDD1FD0C8591ED1DEDD1FD093A51ED1C4DD1FD093581BD15ADD1FD00A8F83D0DFDD1FD0D8DD1ED0C5DF1FD0935816D1D2DD1FD09358E0D0D9DD1FD093581DD1D9DD1FD052696368D8DD1FD0 Footprint md5 Hash -> C9F4A8A8E0A3C5621A1CCD5401439036 • The Rich header apparently has not been modified Certificate - Digital Signature Not Found: • The file is not signed |
| Duplicate Sections: |
| Section (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) duplicate 6 times |
| Packer/Compiler: |
| Detect It Easy (die) • PE+(64): linker: Microsoft Linker(14.41**)[EXE64,admin] • Entropy: 7.97979 |
| Suspicious Functions: |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| SHELL32.DLL | ShellExecuteA | Performs a run operation on a specific file. |
| File Access: |
| api-ms-win-crt-time-l1-1-0.dll api-ms-win-crt-environment-l1-1-0.dll api-ms-win-crt-filesystem-l1-1-0.dll api-ms-win-crt-convert-l1-1-0.dll api-ms-win-crt-string-l1-1-0.dll api-ms-win-crt-utility-l1-1-0.dll api-ms-win-crt-runtime-l1-1-0.dll api-ms-win-crt-stdio-l1-1-0.dll api-ms-win-crt-locale-l1-1-0.dll api-ms-win-crt-math-l1-1-0.dll api-ms-win-crt-heap-l1-1-0.dll VCRUNTIME140.dll VCRUNTIME140_1.dll bcrypt.dll USERENV.dll IMM32.dll d3dx11_43.dll WINHTTP.dll MSVCP140.dll OLEAUT32.dll ole32.dll SHELL32.dll ADVAPI32.dll GDI32.dll USER32.dll CRYPT32.dll WS2_32.dll D3DCOMPILER_43.dll d3d11.dll kernel32.dll +.vBe UserProfile |
| Interest's Words: |
| exec |
| Strings/Hex Code Found With The File Rules: |
| • Rule Text (Ascii): Execution (ShellExecute) |
| Resources: |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \24\1\1033 | 374058 | 188 | 19AA58 | 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779 | <?xml version='1.0' encoding='UTF-8' standalone='y |
| Intelligent String: |
| • .tls • orB • kernel32.dll • ShellExecuteAole32.dll • WinHttpConnectd3dx11_43.dll • UnloadUserProfilebcrypt.dll • __std_exception_copyapi-ms-win-crt-heap-l1-1-0.dll • _callnewhapi-ms-win-crt-math-l1-1-0.dll • powfapi-ms-win-crt-locale-l1-1-0.dll • _configthreadlocaleapi-ms-win-crt-stdio-l1-1-0.dll • __p__commodeapi-ms-win-crt-runtime-l1-1-0.dll • terminateapi-ms-win-crt-utility-l1-1-0.dll • qsortapi-ms-win-crt-string-l1-1-0.dll • strcspnapi-ms-win-crt-convert-l1-1-0.dll • wcstombsapi-ms-win-crt-filesystem-l1-1-0.dll • _unlinkapi-ms-win-crt-environment-l1-1-0.dll • _dupenv_sapi-ms-win-crt-time-l1-1-0.dll |
| Extra 4n4lysis: |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 3638752 | 69,4035% |
| Null Byte Code | 53509 | 1,0206% |
© 2025 All rights reserved.