PREMIUM PESCAN.IO - Analysis Report
| File Structure |
| Information |
| Field | Value |
|---|---|
| Size | 2,25 MB |
| SHA-256 Hash | 46AC21E535144355715E748494B19F30E0B78E55E1D4BCF06D94D9DDBE39F374 |
| SHA-1 Hash | 35C8605BFB6136315622CD6DDC497784A366924E |
| MD5 Hash | 3CACE2BBFA5646D50EA23DC1B39B97E7 |
| Imphash | 7F0B271A221D83CADDBF34C3D4422C76 |
| MajorOSVersion | 4 |
| MinorOSVersion | 0 |
| CheckSum | 00000000 |
| EntryPoint (rva) | 14F0 |
| SizeOfHeaders | 400 |
| SizeOfImage | 249000 |
| ImageBase | 0000000000400000 |
| Architecture | x64 |
| ImportTable | 244000 |
| Characteristics | 22F |
| TimeDateStamp | 0 |
| Date | 01/01/1970 |
| File Type | EXE |
| Number Of Sections | 10 |
| ASLR | Disabled |
| Section Names (Optional Header) | .text, .data, .rdata, .pdata, .xdata, .bss, .idata, .CRT, .tls, .rsrc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows Console |
| UAC Execution Level Manifest | asInvoker |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60500060 (Code, Initialized Data, Executable, Readable) | 400 | E2000 | 1000 | E1EF0 | 6,1686 | 9278845,30 |
| .data | C0600040 (Initialized Data, Readable, Writeable) | E2400 | C00 | E3000 | A50 | 1,5381 | 550453,33 |
| .rdata | 40600040 (Initialized Data, Readable) | E3000 | 149A00 | E4000 | 149840 | 6,0110 | 16393591,44 |
| .pdata | 40300040 (Initialized Data, Readable) | 22CA00 | 9000 | 22E000 | 8ED4 | 5,9215 | 782862,99 |
| .xdata | 40300040 (Initialized Data, Readable) | 235A00 | 9600 | 237000 | 9568 | 4,9119 | 883667,12 |
| .bss | C0600080 (Uninitialized Data, Readable, Writeable) | 0 | 0 | 241000 | 2EC0 | N/A | N/A |
| .idata | C0300040 (Initialized Data, Readable, Writeable) | 23F000 | 1800 | 244000 | 16A8 | 3,8813 | 355736,50 |
| .CRT | C0400040 (Initialized Data, Readable, Writeable) | 240800 | 200 | 246000 | 70 | 0,3345 | 121525,00 |
| .tls | C0400040 (Initialized Data, Readable, Writeable) | 240A00 | 200 | 247000 | 10 | 0,0000 | 130560,00 |
| .rsrc | C0300040 (Initialized Data, Readable, Writeable) | 240C00 | 600 | 248000 | 5D0 | 4,2914 | 68171,00 |
| Description |
| Field | Value |
|---|---|
| OriginalFilename | upx.exe |
| CompanyName | The UPX Team https://upx.github.io |
| LegalCopyright | 1996-2025 Markus F.X.J. Oberhumer |
| ProductName | UPX |
| FileVersion | 5.0.2 (2025-07-20) |
| FileDescription | UPX executable packer |
| ProductVersion | 5.0.2 (2025-07-20) |
| Language | English (United States) (ID=0x409) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |
| Entry Point |
| Section number 1 holds the Entry Point information. EntryPoint (calculated): 8F0 |
| Code: 4883EC28488B05E5A42100C70000000000E88AFCFFFF90904883C428C30F1F004883EC28E84F9E0A004885C00F94C00FB6C0 |
| Disassembly: SUB RSP, 0X28 • MOV RAX, QWORD PTR [RIP + 0X21A4E5] • MOV DWORD PTR [RAX], 0 • CALL 0XCA0 • NOP • NOP • ADD RSP, 0X28 • RET • NOP DWORD PTR [RAX] • SUB RSP, 0X28 • CALL 0XAAE78 • TEST RAX, RAX • SETE AL • MOVZX EAX, AL |
| Signatures |
| Certificate - Digital Signature Not Found: • The file is not signed |
| Packer/Compiler |
| Compiler: Pure Basic 4.x |
| Detect It Easy (die): • PE+(64): compiler: MinGW(GCC: (GNU) 9.3.0)[-] • PE+(64): linker: GNU linker ld (GNU Binutils)(2.28)[-] • Entropy: 6.32482 |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| File Access |
| lzma.exe i386-bsd.elf.exe bsd.exe i386-linux.elf.exe linux.exe i086-dos16.exe .EXE CWSDPMI.EXE The STUB.EXE msvcrt.dll KERNEL32.DLL COREDLL.dll ntdll.dll i086-dos16.sys .dat lzma.ini 00000000 l d lzma.init 0 lzma.ini 00000000 l d lzma.ini 00000000 l d nrv2e.init 0 nrv2e.ini 00000000 l d nrv2e.ini 00000000 l d nrv2d.init 0 nrv2d.ini 00000000 l d nrv2d.ini 00000000 l d nrv2b.init 0 nrv2b.ini 00000000 l d nrv2b.ini 43 lzma.ini 18 nrv2e.ini 17 nrv2d.ini 16 nrv2b.ini nrv2e.ini nrv2d.ini nrv2b.ini 35 lzma.ini Temp |
| File Access (UNICODE) |
| upx.exe |
| Words of Interest |
| Virus exec attrib start ping expand |
| Words of Interest (UNICODE) |
| exec |
| URLs |
| http://upx.sf.net http://www.oberhumer.com http://www.oberhumer.com/ https://upx.github.io https://www.oberhumer.com/opensource/upx/ |
| URLs (UNICODE) |
| https://upx.github.io |
| Known IP/Domains |
| gmail.com |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (bind) |
| Text | Ascii | WinAPI Sockets (send) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Stealth (GetThreadContext) |
| Text | Ascii | Stealth (SetThreadContext) |
| Text | Ascii | Stealth (ReleaseSemaphore) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Execution (ResumeThread) |
| Text | Ascii | Execution (CreateSemaphoreA) |
| Text | Ascii | Execution (CreateEventA) |
| Text | Ascii | Keyboard Key (Scroll) |
| Text | Ascii | Linux Virtual File System - (/proc/) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 (DLL) |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \VERSION\1\1033 | 2480A0 | 328 | 240CA0 | 280334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | (.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\1033 | 2483C8 | 205 | 240FC8 | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="UTF-8" standalone="y |
| Intelligent String |
| • upx.exe • /proc/self/cmdline • /proc/self/exe • M/proc/self/cmdline • /proc/self/auxv • =/proc/self/exe • @0@.bss • .CRT • .tls • /home/mfx/code/github/upx/upx4/src/check/dt_check.cpp • UPX comes with ABSOLUTELY NO WARRANTY; for details visit https://upx.github.io • https://upx.github.io • decompressfileinfofile-infohelplicenselistsysinfosys-infotestuncompressversionforceforce-compressforce-overwritelinkno-envno-linkno-modeno-ownerno-timeoutputdebugdump-stub-loaderfake-stub-versionfake-stub-yeardebug-use-random-methoddebug-use-random-filterall-filtersall-methodsfilterno-filtersmallcrp-nrv-cfcrp-nrv-slcrp-nrv-hlcrp-nrv-plcrp-nrv-mocrp-nrv-mmcrp-nrv-mscrp-ucl-cfcrp-ucl-slcrp-ucl-hlcrp-ucl-plcrp-ucl-mocrp-ucl-mmcrp-ucl-mscrp-lzma-pbcrp-lzma-lpcrp-lzma-lccrp-lzma-dscrp-lzma-fbcrp-zlib-mlcrp-zlib-wbcrp-zlib-stsplit-segmentsforce-macoscoffno-relocblocksizeforce-execveis_ptinterpuse_ptinterpmake_ptinterpLinuxlinuxFreeBSDfreebsdNetBSDnetbsdOpenBSDopenbsdunmap-all-pagespreserve-build-idandroid-shlibforce-pieandroid-oldboot-onlyno-align8-bit8mib-ram8mb-ramle • The STUB.EXE stub loader is Copyright (C) 1993-1995 DJ Delorie. • CWSDPMI.EXE • upx/proc/self/auxv • H=/proc/self/exe • 0/proc/self/exe • /proc/self/auxvYj[' • linux/elfi386i386-linux.elf.interpFOLDEXECLXPTI000LXPTI040LXPTI090LXPTI041LXPTI042LXPTI091LXPTI140LXUNF002,LXUNF008,LXUNF010LXUNF042,LXUNF035LXPTI200pack1/home/mfx/code/github/upx/upx4/src/p_lx_interp.cpp • Unrecognized Macho cmd offset=0x%lx cmd=0x%lx size=0x%lx • 00000000 l d cdb.lzma.cpr 0 cdb.lzma.cpr • 00000000 l d cdb.dec.ptr 0 cdb.dec.ptr • 00000000 l d dec.ptr 0 dec.ptr • 00000000 l d 8bit.sub 0 8bit.sub • 00000000 l d 32bit.sub 0 32bit.sub • writePackHeader/home/mfx/code/github/upx/upx4/src/p_unix.cpp • /home/mfx/code/github/upx/upx4/src/packer.cppopt->cmd == CMD_COMPRESS • overflow reloc size_of_block %uodd reloc size_of_block %unextRelocopt->cmd == CMD_COMPRESSadd_relocstart_did_allocbad reloc_type %x %uname_for_dlldll != nullptrl > 0%s%cR_X86_64_32R_X86_64_64X*UND*empty import: %sadd_importprocLoadLibraryAGetProcAddressExitProcessVirtualProtect • @$KERNEL32.DLL • The UPX Team https://upx.github.io |
| Flow Anomalies |
| Offset | RVA | Section | Description |
|---|---|---|---|
| 668 | N/A | .text | CALL QWORD PTR [RIP+0x2434A6] |
| 873 | N/A | .text | CALL QWORD PTR [RIP+0x24318B] |
| 10FD1 | N/A | .text | JMP QWORD PTR [RIP+0x232C55] |
| 11037 | N/A | .text | CALL QWORD PTR [RIP+0x232B37] |
| 11116 | N/A | .text | CALL QWORD PTR [RIP+0x232A58] |
| 11184 | N/A | .text | CALL QWORD PTR [RIP+0x232812] |
| 111BF | N/A | .text | CALL QWORD PTR [RIP+0x2327D7] |
| 111E9 | N/A | .text | CALL QWORD PTR [RIP+0x2328DD] |
| 11247 | N/A | .text | CALL QWORD PTR [RIP+0x23287F] |
| 1128B | N/A | .text | JMP QWORD PTR [RIP+0x23284B] |
| 112CA | N/A | .text | JMP QWORD PTR [RIP+0x23280C] |
| 112F4 | N/A | .text | CALL QWORD PTR [RIP+0x2326B2] |
| 113B6 | N/A | .text | CALL QWORD PTR [RIP+0x2325E8] |
| 113D2 | N/A | .text | CALL QWORD PTR [RIP+0x2325D4] |
| 113EA | N/A | .text | CALL QWORD PTR [RIP+0x2325AC] |
| 1141B | N/A | .text | CALL QWORD PTR [RIP+0x2325CB] |
| 11430 | N/A | .text | CALL QWORD PTR [RIP+0x2325BE] |
| 11575 | N/A | .text | CALL QWORD PTR [RIP+0x232549] |
| 11672 | N/A | .text | CALL QWORD PTR [RIP+0x2324FC] |
| 116C4 | N/A | .text | CALL QWORD PTR [RIP+0x23240A] |
| 117BD | N/A | .text | CALL QWORD PTR [RIP+0xD0FDD] |
| 119C3 | N/A | .text | CALL QWORD PTR [RIP+0xD0DD7] |
| 11A20 | N/A | .text | CALL QWORD PTR [RIP+0xD0D7A] |
| 11BB3 | N/A | .text | CALL QWORD PTR [RIP+0x232043] |
| 11C08 | N/A | .text | CALL QWORD PTR [RIP+0x231FEE] |
| 11C59 | N/A | .text | CALL QWORD PTR [RIP+0x231FAD] |
| 11CBF | N/A | .text | CALL QWORD PTR [RIP+0x231F47] |
| 11DC4 | N/A | .text | CALL QWORD PTR [RIP+0x231E32] |
| 11E23 | N/A | .text | CALL QWORD PTR [RIP+0x231DD3] |
| 11E52 | N/A | .text | CALL QWORD PTR [RIP+0x231DA4] |
| 11F09 | N/A | .text | CALL QWORD PTR [RIP+0x231CED] |
| 11F56 | N/A | .text | CALL QWORD PTR [RIP+0x231CB0] |
| 11F8F | N/A | .text | CALL QWORD PTR [RIP+0x231C67] |
| 120F9 | N/A | .text | CALL QWORD PTR [RIP+0x231AFD] |
| 12397 | N/A | .text | CALL QWORD PTR [RIP+0x23185F] |
| 12534 | N/A | .text | CALL QWORD PTR [RIP+0x2316C2] |
| 125AB | N/A | .text | CALL QWORD PTR [RIP+0xD01EF] |
| 126F3 | N/A | .text | CALL QWORD PTR [RIP+0x231503] |
| 188E1 | N/A | .text | CALL QWORD PTR [RIP+0xC9EB9] |
| 1917E | N/A | .text | CALL QWORD PTR [RIP+0xC961C] |
| 19362 | N/A | .text | CALL QWORD PTR [RIP+0xC9438] |
| 1971B | N/A | .text | CALL QWORD PTR [RIP+0x22A543] |
| 19729 | N/A | .text | CALL QWORD PTR [RIP+0x22A505] |
| 19796 | N/A | .text | CALL QWORD PTR [RIP+0x22A480] |
| 1DAC8 | N/A | .text | CALL QWORD PTR [RIP+0xC4CD2] |
| 1DCE4 | N/A | .text | CALL QWORD PTR [RIP+0xC4AB6] |
| 1DD05 | N/A | .text | CALL QWORD PTR [RIP+0xC4A95] |
| 1DE52 | N/A | .text | CALL QWORD PTR [RIP+0xC4948] |
| 1DF74 | N/A | .text | CALL QWORD PTR [RIP+0xC4826] |
| 1E1C4 | N/A | .text | CALL QWORD PTR [RIP+0xC45D6] |
| 1E216 | N/A | .text | CALL QWORD PTR [RIP+0xC4584] |
| 1E269 | N/A | .text | CALL QWORD PTR [RIP+0xC4531] |
| 1E2C9 | N/A | .text | CALL QWORD PTR [RIP+0xC44D1] |
| 1E30C | N/A | .text | CALL QWORD PTR [RIP+0xC448E] |
| 1E388 | N/A | .text | CALL QWORD PTR [RIP+0xC4412] |
| 1E4A5 | N/A | .text | CALL QWORD PTR [RIP+0xC42F5] |
| 1E4D8 | N/A | .text | CALL QWORD PTR [RIP+0xC42C2] |
| 1F0EC | N/A | .text | CALL QWORD PTR [RIP+0xC36AE] |
| 1F4B5 | N/A | .text | CALL QWORD PTR [RIP+0xC32E5] |
| 1F4EC | N/A | .text | CALL QWORD PTR [RIP+0xC32AE] |
| 1FA19 | N/A | .text | CALL QWORD PTR [RIP+0xC2D81] |
| 1FBBF | N/A | .text | CALL QWORD PTR [RIP+0xC2BDB] |
| 1FE86 | N/A | .text | CALL QWORD PTR [RIP+0xC2914] |
| 1FF1D | N/A | .text | CALL QWORD PTR [RIP+0xC287D] |
| 1FF85 | N/A | .text | CALL QWORD PTR [RIP+0xC2815] |
| 1FFF0 | N/A | .text | CALL QWORD PTR [RIP+0xC27AA] |
| 2006E | N/A | .text | CALL QWORD PTR [RIP+0xC272C] |
| 200BC | N/A | .text | CALL QWORD PTR [RIP+0xC26DE] |
| 20178 | N/A | .text | CALL QWORD PTR [RIP+0xC2622] |
| 201C3 | N/A | .text | CALL QWORD PTR [RIP+0xC25D7] |
| 20361 | N/A | .text | CALL QWORD PTR [RIP+0xC2439] |
| 20380 | N/A | .text | CALL QWORD PTR [RIP+0xC241A] |
| 204C6 | N/A | .text | CALL QWORD PTR [RIP+0xC22D4] |
| 20515 | N/A | .text | CALL QWORD PTR [RIP+0xC2285] |
| 31A20 | N/A | .text | CALL QWORD PTR [RIP+0xB0D7A] |
| 32881 | N/A | .text | CALL QWORD PTR [RIP+0xAFF19] |
| 4F18F | N/A | .text | CALL QWORD PTR [RIP+0x9360B] |
| 574A1 | N/A | .text | JMP QWORD PTR [RIP+0x3FFFFFC] |
| 6481F | N/A | .text | CALL QWORD PTR [RIP+0x7DF7B] |
| 658F8 | N/A | .text | CALL QWORD PTR [RIP+0x7CEA2] |
| 65C35 | N/A | .text | CALL QWORD PTR [RIP+0x7CB65] |
| 668CC | N/A | .text | CALL QWORD PTR [RIP+0x7BECE] |
| 66A09 | N/A | .text | CALL QWORD PTR [RIP+0x7BD91] |
| 66AC0 | N/A | .text | CALL QWORD PTR [RIP+0x7BCDA] |
| 66B7C | N/A | .text | CALL QWORD PTR [RIP+0x7BC1E] |
| 66C2D | N/A | .text | CALL QWORD PTR [RIP+0x7BB6D] |
| 67395 | N/A | .text | CALL QWORD PTR [RIP+0x7B405] |
| 6741E | N/A | .text | CALL QWORD PTR [RIP+0x7B37C] |
| 674A7 | N/A | .text | CALL QWORD PTR [RIP+0x7B2F3] |
| 67530 | N/A | .text | CALL QWORD PTR [RIP+0x7B26A] |
| 675B9 | N/A | .text | CALL QWORD PTR [RIP+0x7B1E1] |
| 67642 | N/A | .text | CALL QWORD PTR [RIP+0x7B158] |
| 6782D | N/A | .text | CALL QWORD PTR [RIP+0x7AF6D] |
| 67865 | N/A | .text | CALL QWORD PTR [RIP+0x7AF35] |
| 678B5 | N/A | .text | CALL QWORD PTR [RIP+0x7AEE5] |
| 678FD | N/A | .text | CALL QWORD PTR [RIP+0x7AE9D] |
| 6793D | N/A | .text | CALL QWORD PTR [RIP+0x7AE5D] |
| 67991 | N/A | .text | CALL QWORD PTR [RIP+0x7AE09] |
| 679D4 | N/A | .text | CALL QWORD PTR [RIP+0x7ADC6] |
| 67A17 | N/A | .text | CALL QWORD PTR [RIP+0x7AD83] |
| 680F7-68120 | N/A | .text | Potential obfuscated jump sequence detected, count: 9 |
| 240840 | 9DFD0 | .CRT | TLS Callback: Pointer to 49DFD0 - 0x9D3D0 .text |
| 240848 | 9DFA0 | .CRT | TLS Callback: Pointer to 49DFA0 - 0x9D3A0 .text |
| 240850 | ACC20 | .CRT | TLS Callback: Pointer to 4ACC20 - 0xAC020 .text |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 1570417 | 66,4332% |
| Null Byte Code | 392820 | 16,6174% |
| NOP Cave Found | 0x9090909090 (Block Count: 1120) | Total: 0,1184% |
© 2025 All rights reserved.