PESCAN.IO - Analysis Report

PESCAN.IO - Analysis Report Valid Code

File Structure:
PE chart code: - The executable header is displayed in light blue. - The executable sections are pink. - Non-executable sections are black. - Code added to executables externally to a compiler appears in red. Chart code for other files: - Printable characters are blue. - Non-printable characters (Null Bytes) are black.

Information:

Size: 534,50 KB
SHA-256 Hash: 76AB8DF709543469D0F7EA393BC3C50B3052B3723702E9444083459A3D407BED
SHA-1 Hash: 7C4013FE4393D2489CEB47D336C74A73F7482C97
MD5 Hash: F59D3594A5F206F41CF36AF90DAB6641
Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744
MajorOSVersion: 4
CheckSum: 00000000
EntryPoint (rva): 871CE
SizeOfHeaders: 200
SizeOfImage: 8C000
ImageBase: 400000
Architecture: x86
ImportTable: 87180
Characteristics: 22
TimeDateStamp: 1F36AC7B
Date: 06/08/1986 1:46:35
File Type: EXE
Number Of Sections: 3
ASLR: Disabled
Section Names: .text, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI

Sections Info:

Section Name	Flags	ROffset	RSize	VOffset	VSize
.text	60000020 (Executable)	200	85200	2000	851D4
.rsrc	40000040	85400	400	88000	3F4
.reloc	42000040	85800	200	8A000	C

Description:

InternalName: xxxx.exe
OriginalFilename: xxxx.exe
CompanyName: :594GG9:>82F3=;D5AB995=H
LegalCopyright: Copyright 2024 :594GG9:>82F3=;D5AB995=H
ProductName: BEABBFAG;6=H3J96B78CA
FileVersion: 8.12.16.20

Entry Point:

The section number (1) - (.text) have the Entry Point
Information -> EntryPoint (calculated) - 853CE
Code -> FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
• JMP DWORD PTR [0X402000]
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL

Signatures:

Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:

Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
• AnyCPU: False
• Version: v4.0
Detect It Easy (die)
• PE: library: .NET(v4.0.30319)[-]
• PE: compiler: VB.NET(-)[-]
• PE: linker: Microsoft Linker(80.0)[EXE32]
• Entropy: 7.059

Suspicious Functions:

Library	Function	Description
USER32.DLL	GetAsyncKeyState	Retrieves the status of a virtual key asynchronously.

Windows REG (UNICODE):

Software\Microsoft\Windows\CurrentVersion\Themes\Personalize

File Access:

mscoree.dll
user32.dll
Temp

File Access (UNICODE):

xxxx.exe
\WorkflowDiagrams\output.txt
schedule.txt
)PrioritizedRisks.txt
OpenRisksReport.txt
yyyyMMdd_HHmmss}.txt
%RiskRegisterDB.txt
VortexLattice.txt
PercolationFlow.txt
OrbitalPath.txt
ResonatedEnergy.txt
VortexSpin.txt
WaveletEnergy.txt
!EnergyConfig.txt
Temp

Interest's Words:

Decrypt
exec
attrib
start
pause
ping
replace

Interest's Words (UNICODE):

Encrypt
<html
<head
<body
<table
<title
exec
start
pause
ping

URLs (UNICODE):

http://studyhub.com/{0}/{1}
https://api.calendar/sync
https://api.openweathermap.org/data/2.5/weather?q={0}&appid={1}

IP Addresses:

11.0.0.0
17.0.0.0
17.12.0.0

Strings/Hex Code Found With The File Rules:

• Rule Text (Ascii): Encryption (CreateDecryptor)
• Rule Text (Ascii): Encryption (CryptoStream)
• Rule Text (Ascii): Encryption (CryptoStreamMode)
• Rule Text (Ascii): Encryption (FromBase64String)
• Rule Text (Ascii): Encryption (ICryptoTransform)
• Rule Text (Ascii): Encryption (RNGCryptoServiceProvider)
• Rule Text (Ascii): Encryption (ToBase64String)
• EP Rules: Microsoft Visual C / Basic .NET
• EP Rules: Microsoft Visual C v7.0 / Basic .NET
• EP Rules: Microsoft Visual Studio .NET
• EP Rules: .NET executable

Resources:

Path	DataRVA	Size	FileOffset	Code	Text
\VERSION\1\0	88058	39C	85458	9C0334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000C00	..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............

Intelligent String:

• xxxx.exe
• 8.12.16.20
• (resources/184839.png
• -.EXj
• .txt
• !EnergyConfig.txt
• .csv
• EnergyWave.wav
• WaveletEnergy.txt
• VortexSpin.txt
• 'ResonatedEnergy.txt
• OrbitalPath.txt
• 'PercolationFlow.txt
• VortexLattice.txt
• %RiskRegisterDB.txt
• URiskRegisterBackup_{0:yyyyMMdd_HHmmss}.txt
• 'OpenRisksReport.txt
• RisksExport.csv
• )PrioritizedRisks.txt
• schedule.txt
• 7study_plan_{0:yyyyMMdd}.ics
• https://api.calendar/sync
• )resources/184839.png
• http://studyhub.com/{0}/{1}
• https://api.openweathermap.org/data/2.5/weather?q={0}&appid={1}
• C:\WorkflowDiagrams\output.txt
• <svg xmlns='http://www.w3.org/2000/svg' width='800' height='600'>
• _CorExeMainmscoree.dll
• 1.0.0.0

Extra 4n4lysis:

Metric	Value	Percentage
Ascii Code	324218	59,2365%
Null Byte Code	100952	18,4445%

PESCAN.IO - Analysis Report Valid Code