PESCAN.IO — Analysis Report

PESCAN.IO - Analysis Report Basic

File Structure

PE Chart Code

Executable header (light blue)

Executable sections (pink)

Non-executable sections (black)

External injected code (red)

File Structure in red = malformed or corrupted header

Chart Code For Other Files

Printable characters (blue)

Non-printable characters (black)

Information

Icon:

Size: 510,30 KB
SHA-256 Hash: 89835ACC8E83DC7EFAB5B4DF6066E3B4258D37720B02262A95C02DE256A5BD7A
SHA-1 Hash: 6C4651FADEC42157F0334137C6A08955A92FDA6E
MD5 Hash: 38FE8FA470D6B683D1AAB7AF2BEA1F5C
Imphash: 11313CCF7D0FD7A4FA8593D69280967C
MajorOSVersion: 5
MinorOSVersion: 1
CheckSum: 00081C0E
EntryPoint (rva): 136CA0
SizeOfHeaders: 1000
SizeOfImage: 13E000
ImageBase: 400000
Architecture: x86
ImportTable: 13D0B8
Characteristics: 122
TimeDateStamp: 61AC4D3A
Date: 05/12/2021 5:25:14
File Type: EXE
Number Of Sections: 3
ASLR: Enabled
Section Names: UPX0, UPX1, .rsrc
Number Of Executable Sections: 2
Subsystem: Windows GUI
[Incomplete Binary or Compressor Packer - 761,70 KB Missing]

Sections Info

Section Name	Flags	ROffset	RSize	VOffset	VSize	Entropy	Chi2
UPX0	E0000080 (Uninitialized Data, Executable, Readable, Writeable)	400	0	1000	BD000	N/A	N/A
UPX1	E0000040 (Initialized Data, Executable, Readable, Writeable)	400	79A00	BE000	7A000	7,9992	576,01
.rsrc	C0000040 (Initialized Data, Readable, Writeable)	79E00	5600	138000	6000	3,6906	1691373,02

Description

CompanyName: https://www.xyboot.com/
LegalCopyright: Free https://www.xyboot.com/
FileVersion: 2.0.0.3
ProductVersion: 2.0.0.3
Comments: Compiled 2021Q4
Language: Chinese (People's Republic of China) (ID=0x804)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point

The section number (2) - (UPX1) have the Entry Point
Information -> EntryPoint (calculated) - 790A0
Code -> 60BE00E04B008DBE0030F4FFC78730F70C003ACFD1475789E58D9C2480C1FFFF31C05039DC75FB464653687E4E13005783C3
• PUSHAD
• MOV ESI, 0X4BE000
• LEA EDI, [ESI - 0XBD000]
• MOV DWORD PTR [EDI + 0XCF730], 0X47D1CF3A
• PUSH EDI
• MOV EBP, ESP
• LEA EBX, [ESP - 0X3E80]
• XOR EAX, EAX
• PUSH EAX
• CMP ESP, EBX
• JNE 0X1022
• INC ESI
• INC ESI
• PUSH EBX
• PUSH 0X134E7E
• PUSH EDI

Signatures

Rich Signature Analyzer:
Code -> 36C7B5AE72A6DBFD72A6DBFD72A6DBFDC63A2AFD51A6DBFDC63A28FDEFA6DBFDC63A29FD51A6DBFDEC061CFD73A6DBFD20CEDEFC5FA6DBFD20CEDFFC60A6DBFD20CED8FC67A6DBFD7BDE58FD7BA6DBFD7BDE48FD57A6DBFD72A6DAFD5BA4DBFDE1CFD5FC22A6DBFDE1CFD8FC73A6DBFDE1CF24FD73A6DBFD72A64CFD73A6DBFDE1CFD9FC73A6DBFD5269636872A6DBFD
Footprint md5 Hash -> 8395FD3098E48B6A01B22EFB16A61051
• The Rich header apparently has not been modified

Packer/Compiler

Compression: UPX - Version: 3.96
Detect It Easy (die)
• PE: packer: UPX(3.96)[LZMA,brute]
• PE: library: AutoIt(3.XX)[-]
• PE: linker: Microsoft Linker(14.16, Visual Studio 2017 15.9*)[-]
• PE: Sign tool: Windows Authenticode(2.0)[PKCS 7]
• Entropy: 7.9482

Suspicious Functions

Library	Function	Description
KERNEL32.DLL	LoadLibraryA	Loads the specified module into the address space of the calling process.
KERNEL32.DLL	GetProcAddress	Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).

File Access

WSOCK32.dll
WINMM.dll
WININET.dll
VERSION.dll
UxTheme.dll
USERENV.dll
USER32.dll
SHELL32.dll
PSAPI.DLL
OLEAUT32.dll
ole32.dll
MPR.dll
KERNEL32.DLL
IPHLPAPI.DLL
GDI32.dll
COMDLG32.dll
COMCTL32.dll
ADVAPI32.dll
UserProfile

Interest's Words

exec

URLs (UNICODE)

https://www.xyboot.com/

Strings/Hex Code Found With The File Rules

Rule Type	Encoding	Matched (Word)
Text	Ascii	Stealth (VirtualProtect)
Entry Point	Hex Pattern	UPX - www.upx.sourceforge.net

Resources

Path	DataRVA	Size	FileOffset	Code	Text
\ICON\1\2057	1383E0	128	7A1E0	2800000010000000200000000100040000000000C000000000000000000000000000000000000000000000007A60EB00795F	(....... ...................................z..y_
\ICON\2\2057	13850C	4228	7A30C	2800000040000000800000000100200000000000004200000000000000000000000000000000000000000000000000000000	(...@......... ......B............................
\STRING\7\2057	D872C	594	1AB2C	9C620ACBD72C6865280AA28F79A22444002FDBF329919AC100DACF5E032F6E503BFC3BF2D6EA4B30165DDD7F539BED872657	.b...,he(...y.$D./..)......./nP;.;...K0.]..S...&W
\STRING\8\2057	D8CC0	68A	1B0C0	D2582AFEC8001200AF7077D5AF73C1D887267375AF0A2E4888EF0A2788D8E9AF062FD97B8D2A48F752C4A73A9FF7AF9AB83C	.X......pw..s...&su...H...'...../.{.H.R..:.....<
\STRING\9\2057	D934C	490	1B74C	838BEBFFD77BBD0BB473CE00D337647138C6C40583A5DE5E4F34B6B3699411C839157D7ED3643FD393B16F18F9A32751D289	.....{...s...7dq8......O4..i...9.}~.d?...o...'Q..
\STRING\10\2057	D97DC	5FC	1BBDC	BDAFB353B683D0B7D43BA083375803E462C731C788E3F238C6CE92FDBF2739152507C01E9ECF5A25ACFBA8B9458B0A191B33	...S.....;..7X..b.1....8.....'9.%.....Z%....E....3
\STRING\11\2057	D9DD8	65C	1C1D8	0B77D0085E610E73820EB3D2DE9F3E87E42A0441BD40D1433607731D4287FF8E4227592AB1D039A9D4F9A9EE027813EAC5BA	.w..a.s......>...A.@.C6.s.B...B'Y..9......x....
\STRING\12\2057	DA434	466	1C834	7723B3F6081FCBD31DA37F431EC71184DE7F51DFD045B58608A623DA34C4C820F739C3AC0A9CC36D96AA1FA38C3CDCDAFB11	w.........C......Q..E.....4.. .9.....m.....<....
\STRING\313\2057	DA89C	158	1CC9C	5DDC574799C701F08B613D5038DC556E6B6A21DBB58C69FE120D331E5157BDC4E7D29300986E244FBA772053F7440A0FE82A	].WG.....a=P8.Unkj!...i...3.QW.......n$O.w S.D...*
\RCDATA\SCRIPT\0	DA9F4	1E607	1CDF4	059AB132E24CE4400FA775BDDC86A848AD17FAE35CE57B5C4A3B895B8F7602F1473E8BD75424276950993EBAC0F84C04228F	...2.L.@..u....H....\.{\J;.[.v..G>..T$'iP.>...L.".
\RCDATA\_0101000101\2052	F8FFC	2DF22	3B3FC	441D2537269DC4F38C8F09E11B06D1D24A689248BB6E455923AAA9A3EED85FF5855008A422D3B0653E2833C6843EE4AEE621	D.%7&...........Jh.H.nEY....._..P.."..e>(3..>...!
\RCDATA\_01010110\2052	126F20	6	69320	0C833F51FBBB	..?Q..
\GROUP_ICON\99\2057	13C738	14	7E538	0000010001004040000001002000284200000200	......@@.... .(B....
\GROUP_ICON\169\2057	13C750	14	7E550	0000010001001010100001000400280100000100	..............(.....
\VERSION\1\2052	13C768	2EC	7E568	EC0234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000	..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\2052	13CA58	65D	7E858	3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279	<?xml version="1.0" encoding="UTF-8" standalone="y

Intelligent String

• 2.0.0.3

Flow Anomalies

Offset	RVA	Section	Description
176B3	407CEAAC	UPX1	JMP [static] \| Indirect jump to absolute memory address
183A6	407CEAAC	UPX1	CALL [static] \| Indirect call to absolute memory address
19523	407CEAAC	UPX1	JMP [static] \| Indirect jump to absolute memory address
1C7BC	407CEAAC	UPX1	JMP [static] \| Indirect jump to absolute memory address
1CEFC	407CEAAC	UPX1	JMP [static] \| Indirect jump to absolute memory address
1FEB0	5BCFBE64	UPX1	JMP [static] \| Indirect jump to absolute memory address
3249C	10C6CE26	UPX1	JMP [static] \| Indirect jump to absolute memory address
53698	10C6CE26	UPX1	JMP [static] \| Indirect jump to absolute memory address
5B3CE	10C6CE26	UPX1	JMP [static] \| Indirect jump to absolute memory address
64507	10C6CE26	UPX1	CALL [static] \| Indirect call to absolute memory address
74FD9	10C6CE26	UPX1	CALL [static] \| Indirect call to absolute memory address
75768	10C6CE26	UPX1	JMP [static] \| Indirect jump to absolute memory address
7ABAF	2AFE1615	.rsrc	CALL [static] \| Indirect call to absolute memory address
7ACD7	2AFF2726	.rsrc	JMP [static] \| Indirect jump to absolute memory address
7B7F7	FF2525	.rsrc	JMP [static] \| Indirect jump to absolute memory address
7F81B	7DDDDE10	padding	JMP [static] \| Indirect jump to absolute memory address
400-79DFF	BE000	UPX1	Executable section anomaly, first bytes: 1A03005C7FFD8329
7F400	N/A	Overlay	38050000000202003082052B06092A864886F70D \| 8.......0..+..*.H...

Extra Analysis

Metric	Value	Percentage
Ascii Code	349942	66,9679%
Null Byte Code	15269	2,922%

PESCAN.IO - Analysis Report Basic