PESCAN.IO - Analysis Report

PESCAN.IO - Analysis Report Valid Code

File Structure:
PE chart code: - The executable header is displayed in light blue. - The executable sections are pink. - Non-executable sections are black. - Code added to executables externally to a compiler appears in red. Chart code for other files: - Printable characters are blue. - Non-printable characters (Null Bytes) are black.

Information:

Icon:

Size: 699,34 KB
SHA-256 Hash: 65B4DC0633ACBEFC5B6F28022377455B476D7C1D1DD838D4C12BF5A12808C568
SHA-1 Hash: 4A335F295A757E9C71E77CF5D5589F5C30ADBA3D
MD5 Hash: F7FF125BD4422AAEDC08183275B89993
Imphash: 6E7F9A29F2C85394521A08B9F31F6275
MajorOSVersion: 4
CheckSum: 000B981C
EntryPoint (rva): 34C5
SizeOfHeaders: 400
SizeOfImage: 65000
ImageBase: 400000
Architecture: x86
ImportTable: 8610
Characteristics: 10F
TimeDateStamp: 60FC9250
Date: 24/07/2021 22:21:04
File Type: EXE
Number Of Sections: 5
ASLR: Enabled
Section Names: .text, .rdata, .data, .ndata, .rsrc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info:

Section Name	Flags	ROffset	RSize	VOffset	VSize
.text	60000020 (Executable)	400	6800	1000	6793
.rdata	40000040	6C00	1600	8000	14A4
.data	C0000040 (Writeable)	8200	600	A000	2B018
.ndata	C0000080 (Writeable)	0	0	36000	2D000
.rsrc	40000040	8800	1400	63000	1398

Description:

InternalName: renteberegningen.exe
CompanyName: pwr dvorak baguet
LegalTrademarks: marseilles
ProductName: plesken

Binder/Joiner/Crypter:

Dropper code detected (EOF) - 295,34 KB

Entry Point:

The section number (1) - (.text) have the Entry Point
Information -> EntryPoint (calculated) - 28C5
Code -> 81ECD40200005356576A205F33DB6801800000895C2414C7442410E0A24000895C241CFF15CC804000FF15D080400025FFFF
• SUB ESP, 0X2D4
• PUSH EBX
• PUSH ESI
• PUSH EDI
• PUSH 0X20
• POP EDI
• XOR EBX, EBX
• PUSH 0X8001
• MOV DWORD PTR [ESP + 0X14], EBX
• MOV DWORD PTR [ESP + 0X10], 0X40A2E0
• MOV DWORD PTR [ESP + 0X1C], EBX
• CALL DWORD PTR [0X4080CC]
• CALL DWORD PTR [0X4080D0]

Signatures:

Rich Signature Analyzer:
Code -> AD310881E95066D2E95066D2E95066D22A5F39D2EB5066D2E95067D24C5066D22A5F3BD2E65066D2BD7356D2E35066D22E5660D2E85066D252696368E95066D2
Footprint md5 Hash -> 8D248B46736E162BA0D0DEE443AD4BB3
• The Rich header apparently has not been modified

Packer/Compiler:

Compiler: Nullsoft Install System - Version: v3.07
Detect It Easy (die)
• PE: installer: Nullsoft Scriptable Install System(3.07)[zlib]
• PE: linker: Microsoft Linker(6.0*)[EXE32,signed]
• PE: overlay: NSIS data(-)[-]
• Entropy: 7.97906

Suspicious Functions:

Library	Function	Description
KERNEL32.DLL	GetModuleHandleA	Retrieves a handle to the specified module.
KERNEL32.DLL	CopyFileW	Copies an existing file to a new file.
KERNEL32.DLL	WriteFile	Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL	GetProcAddress	Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
SHELL32.DLL	ShellExecuteExW	Performs a run operation on a specific file.

Windows REG (UNICODE):

Software\Microsoft\Windows\CurrentVersion

File Access:

Nullsoft.NSIS.exe
KERNEL32.dll
GDI32.dll
USER32.dll
COMCTL32.dll
ole32.dll
SHELL32.dll
ADVAPI32.dll
Temp

File Access (UNICODE):

%s%S.dll
renteberegningen.exe
Temp

Interest's Words:

exec
attrib
shutdown
expand

Interest's Words (UNICODE):

shutdown

URLs (UNICODE):

http://nsis.sf.net/NSIS_Error

Strings/Hex Code Found With The File Rules:

• Rule Text (Ascii): Registry (RegCreateKeyEx)
• Rule Text (Ascii): Registry (RegOpenKeyEx)
• Rule Text (Ascii): Registry (RegSetValueEx)
• Rule Text (Ascii): Registry (RegDeleteKeyEx)
• Rule Text (Ascii): File (GetTempPath)
• Rule Text (Ascii): File (CopyFile)
• Rule Text (Ascii): File (CreateFile)
• Rule Text (Ascii): File (WriteFile)
• Rule Text (Ascii): File (ReadFile)
• Rule Text (Ascii): Anti-Analysis VM (GetVersion)
• Rule Text (Ascii): Execution (CreateProcessW)
• Rule Text (Ascii): Execution (ShellExecute)
• Rule Text (Unicode): Privileges (SeShutdownPrivilege)
• EP Rules: fasm -> Tomasz Grysztar

Resources:

Path	DataRVA	Size	FileOffset	Code	Text
\ICON\1\1033	63208	8A8	8A08	2800000020000000400000000100080000000000800400000000000000000000000100000000000000000000000080000080	(... ...@.........................................
\DIALOG\105\1033	63AB0	100	92B0	0100FFFF00000000000000004808CA800600000000001801A2000000000000000800000000014D0053002000530068006500	............H.........................M.S. .S.h.e.
\DIALOG\106\1033	63BB0	11C	93B0	0100FFFF0000000000000000480400400500000000000A0182000000000000000800000000014D0053002000530068006500	............H..@......................M.S. .S.h.e.
\DIALOG\107\1033	63CD0	C4	94D0	0100FFFF0000000000000000480400400400000000000A0182000000000000000800000000014D0053002000530068006500	............H..@......................M.S. .S.h.e.
\DIALOG\111\1033	63D98	60	9598	0100FFFF0000000000000000C8080080010000000000A20016000000000000000800000000014D0053002000530068006500	......................................M.S. .S.h.e.
\GROUP_ICON\103\1033	63DF8	14	95F8	0000010001002020000000000000A8080000010000000000440234000000560053005F00560045005200530049004F004E00	...... ................D.4...V.S._.V.E.R.S.I.O.N.
\VERSION\1\1033	63E10	244	9610	440234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000000000400	D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\1033	64058	33E	9858	3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279	<?xml version="1.0" encoding="UTF-8" standalone="y

Intelligent String:

• COMCTL32.dll
• USER32.dll
• http://nsis.sf.net/NSIS_Error
• .tmp
• .exe
• %s%S.dll
• renteberegningen.exe

Extra 4n4lysis:

Metric	Value	Percentage
Ascii Code	486742	67,9686%
Null Byte Code	11629	1,6239%

PESCAN.IO - Analysis Report Valid Code