PESCAN.IO - Analysis Report Basic
| File Structure |
[PE chart not reproduced. Chart legend: executable header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red marks a malformed or corrupted header. Legend for other file types: printable characters (blue), non-printable characters (black).]
| Information |
| Field | Value |
|---|---|
| Size | 510,30 KB |
| SHA-256 Hash | 89835ACC8E83DC7EFAB5B4DF6066E3B4258D37720B02262A95C02DE256A5BD7A |
| SHA-1 Hash | 6C4651FADEC42157F0334137C6A08955A92FDA6E |
| MD5 Hash | 38FE8FA470D6B683D1AAB7AF2BEA1F5C |
| Imphash | 11313CCF7D0FD7A4FA8593D69280967C |
| MajorOSVersion | 5 |
| MinorOSVersion | 1 |
| CheckSum | 00081C0E |
| EntryPoint (rva) | 136CA0 |
| SizeOfHeaders | 1000 |
| SizeOfImage | 13E000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ImportTable | 13D0B8 |
| Characteristics | 122 |
| TimeDateStamp | 61AC4D3A |
| Date | 05/12/2021 5:25:14 |
| File Type | EXE |
| Number Of Sections | 3 |
| ASLR | Enabled |
| Section Names | UPX0, UPX1, .rsrc |
| Number Of Executable Sections | 2 |
| Subsystem | Windows GUI |
| Note | Incomplete Binary or Compressor Packer - 761,70 KB Missing |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| UPX0 | E0000080 (Uninitialized Data, Executable, Readable, Writeable) | 400 | 0 | 1000 | BD000 | N/A | N/A |
| UPX1 | E0000040 (Initialized Data, Executable, Readable, Writeable) | 400 | 79A00 | BE000 | 7A000 | 7,9992 | 576,01 |
| .rsrc | C0000040 (Initialized Data, Readable, Writeable) | 79E00 | 5600 | 138000 | 6000 | 3,6906 | 1691373,02 |
| Description |
| Field | Value |
|---|---|
| CompanyName | https://www.xyboot.com/ |
| LegalCopyright | Free https://www.xyboot.com/ |
| FileVersion | 2.0.0.3 |
| ProductVersion | 2.0.0.3 |
| Comments | Compiled 2021Q4 |
| Language | Chinese (People's Republic of China) (ID=0x804) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |
| Entry Point |
Section 2 (UPX1) contains the entry point. EntryPoint (calculated): 790A0
Code: 60BE00E04B008DBE0030F4FFC78730F70C003ACFD1475789E58D9C2480C1FFFF31C05039DC75FB464653687E4E13005783C3
Disassembly at the entry point:
• PUSHAD
• MOV ESI, 0X4BE000
• LEA EDI, [ESI - 0XBD000]
• MOV DWORD PTR [EDI + 0XCF730], 0X47D1CF3A
• PUSH EDI
• MOV EBP, ESP
• LEA EBX, [ESP - 0X3E80]
• XOR EAX, EAX
• PUSH EAX
• CMP ESP, EBX
• JNE 0X1022
• INC ESI
• INC ESI
• PUSH EBX
• PUSH 0X134E7E
• PUSH EDI
| Signatures |
Rich Signature Analyzer
• Code: 36C7B5AE72A6DBFD72A6DBFD72A6DBFDC63A2AFD51A6DBFDC63A28FDEFA6DBFDC63A29FD51A6DBFDEC061CFD73A6DBFD20CEDEFC5FA6DBFD20CEDFFC60A6DBFD20CED8FC67A6DBFD7BDE58FD7BA6DBFD7BDE48FD57A6DBFD72A6DAFD5BA4DBFDE1CFD5FC22A6DBFDE1CFD8FC73A6DBFDE1CF24FD73A6DBFD72A64CFD73A6DBFDE1CFD9FC73A6DBFD5269636872A6DBFD
• Footprint MD5 hash: 8395FD3098E48B6A01B22EFB16A61051
• The Rich header apparently has not been modified
| Packer/Compiler |
Compression: UPX - Version: 3.96
Detect It Easy (die):
• PE: packer: UPX(3.96)[LZMA,brute]
• PE: library: AutoIt(3.XX)[-]
• PE: linker: Microsoft Linker(14.16, Visual Studio 2017 15.9*)[-]
• PE: Sign tool: Windows Authenticode(2.0)[PKCS 7]
• Entropy: 7.9482
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| File Access |
| WSOCK32.dll, WINMM.dll, WININET.dll, VERSION.dll, UxTheme.dll, USERENV.dll, USER32.dll, SHELL32.dll, PSAPI.DLL, OLEAUT32.dll, ole32.dll, MPR.dll, KERNEL32.DLL, IPHLPAPI.DLL, GDI32.dll, COMDLG32.dll, COMCTL32.dll, ADVAPI32.dll, UserProfile |
| Words of Interest |
| exec |
| URLs (UNICODE) |
| https://www.xyboot.com/ |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Stealth (VirtualProtect) |
| Entry Point | Hex Pattern | UPX - www.upx.sourceforge.net |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\2057 | 1383E0 | 128 | 7A1E0 | 2800000010000000200000000100040000000000C000000000000000000000000000000000000000000000007A60EB00795F | (....... ...................................z..y_ |
| \ICON\2\2057 | 13850C | 4228 | 7A30C | 2800000040000000800000000100200000000000004200000000000000000000000000000000000000000000000000000000 | (...@......... ......B............................ |
| \STRING\7\2057 | D872C | 594 | 1AB2C | 9C620ACBD72C6865280AA28F79A22444002FDBF329919AC100DACF5E032F6E503BFC3BF2D6EA4B30165DDD7F539BED872657 | .b...,he(...y.$D./..)......./nP;.;...K0.]..S...&W |
| \STRING\8\2057 | D8CC0 | 68A | 1B0C0 | D2582AFEC8001200AF7077D5AF73C1D887267375AF0A2E4888EF0A2788D8E9AF062FD97B8D2A48F752C4A73A9FF7AF9AB83C | .X*......pw..s...&su...H...'...../.{.*H.R..:.....< |
| \STRING\9\2057 | D934C | 490 | 1B74C | 838BEBFFD77BBD0BB473CE00D337647138C6C40583A5DE5E4F34B6B3699411C839157D7ED3643FD393B16F18F9A32751D289 | .....{...s...7dq8......O4..i...9.}~.d?...o...'Q.. |
| \STRING\10\2057 | D97DC | 5FC | 1BBDC | BDAFB353B683D0B7D43BA083375803E462C731C788E3F238C6CE92FDBF2739152507C01E9ECF5A25ACFBA8B9458B0A191B33 | ...S.....;..7X..b.1....8.....'9.%.....Z%....E....3 |
| \STRING\11\2057 | D9DD8 | 65C | 1C1D8 | 0B77D0085E610E73820EB3D2DE9F3E87E42A0441BD40D1433607731D4287FF8E4227592AB1D039A9D4F9A9EE027813EAC5BA | .w..a.s......>..*.A.@.C6.s.B...B'Y*..9......x.... |
| \STRING\12\2057 | DA434 | 466 | 1C834 | 7723B3F6081FCBD31DA37F431EC71184DE7F51DFD045B58608A623DA34C4C820F739C3AC0A9CC36D96AA1FA38C3CDCDAFB11 | w.........C......Q..E.....4.. .9.....m.....<.... |
| \STRING\313\2057 | DA89C | 158 | 1CC9C | 5DDC574799C701F08B613D5038DC556E6B6A21DBB58C69FE120D331E5157BDC4E7D29300986E244FBA772053F7440A0FE82A | ].WG.....a=P8.Unkj!...i...3.QW.......n$O.w S.D...* |
| \RCDATA\SCRIPT\0 | DA9F4 | 1E607 | 1CDF4 | 059AB132E24CE4400FA775BDDC86A848AD17FAE35CE57B5C4A3B895B8F7602F1473E8BD75424276950993EBAC0F84C04228F | ...2.L.@..u....H....\.{\J;.[.v..G>..T$'iP.>...L.". |
| \RCDATA\_0101000101\2052 | F8FFC | 2DF22 | 3B3FC | 441D2537269DC4F38C8F09E11B06D1D24A689248BB6E455923AAA9A3EED85FF5855008A422D3B0653E2833C6843EE4AEE621 | D.%7&...........Jh.H.nEY....._..P.."..e>(3..>...! |
| \RCDATA\_01010110\2052 | 126F20 | 6 | 69320 | 0C833F51FBBB | ..?Q.. |
| \GROUP_ICON\99\2057 | 13C738 | 14 | 7E538 | 0000010001004040000001002000284200000200 | ......@@.... .(B.... |
| \GROUP_ICON\169\2057 | 13C750 | 14 | 7E550 | 0000010001001010100001000400280100000100 | ..............(..... |
| \VERSION\1\2052 | 13C768 | 2EC | 7E568 | EC0234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\2052 | 13CA58 | 65D | 7E858 | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="UTF-8" standalone="y |
| Intelligent String |
| • 2.0.0.3 |
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 176B3 | 407CEAAC | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 183A6 | 407CEAAC | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 19523 | 407CEAAC | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 1C7BC | 407CEAAC | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 1CEFC | 407CEAAC | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 1FEB0 | 5BCFBE64 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 3249C | 10C6CE26 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 53698 | 10C6CE26 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 5B3CE | 10C6CE26 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 64507 | 10C6CE26 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 74FD9 | 10C6CE26 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 75768 | 10C6CE26 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 7ABAF | 2AFE1615 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 7ACD7 | 2AFF2726 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| 7B7F7 | FF2525 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| 7F81B | 7DDDDE10 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 400-79DFF | BE000 | UPX1 | | Executable section anomaly, first bytes: 1A03005C7FFD8329 |
| 7F400 | N/A | *Overlay* | 38050000000202003082052B06092A864886F70D | 8.......0..+..*.H... |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 349942 | 66,9679% |
| Null Byte Code | 15269 | 2,922% |
© 2026 All rights reserved.