PESCAN.IO - Analysis Report Basic

File Structure

Information

| Field | Value |
|---|---|
| Size | 2,25 MB |
| SHA-256 Hash | 46AC21E535144355715E748494B19F30E0B78E55E1D4BCF06D94D9DDBE39F374 |
| SHA-1 Hash | 35C8605BFB6136315622CD6DDC497784A366924E |
| MD5 Hash | 3CACE2BBFA5646D50EA23DC1B39B97E7 |
| Imphash | 7F0B271A221D83CADDBF34C3D4422C76 |
| MajorOSVersion | 4 |
| MinorOSVersion | 0 |
| CheckSum | 00000000 |
| EntryPoint (rva) | 14F0 |
| SizeOfHeaders | 400 |
| SizeOfImage | 249000 |
| ImageBase | 0000000000400000 |
| Architecture | x64 |
| ImportTable | 244000 |
| Characteristics | 22F |
| TimeDateStamp | 0 |
| Date | 01/01/1970 |
| File Type | EXE |
| Number Of Sections | 10 |
| ASLR | Disabled |
| Section Names (Optional Header) | .text, .data, .rdata, .pdata, .xdata, .bss, .idata, .CRT, .tls, .rsrc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows Console |
| UAC Execution Level Manifest | asInvoker |

Sections Info

| Section Name | Flags | ROffset | RSize | VOffset | VSize |
|---|---|---|---|---|---|
| .text | 60500060 (Executable) | 400 | E2000 | 1000 | E1EF0 |
| .data | C0600040 (Writeable) | E2400 | C00 | E3000 | A50 |
| .rdata | 40600040 | E3000 | 149A00 | E4000 | 149840 |
| .pdata | 40300040 | 22CA00 | 9000 | 22E000 | 8ED4 |
| .xdata | 40300040 | 235A00 | 9600 | 237000 | 9568 |
| .bss | C0600080 (Writeable) | 0 | 0 | 241000 | 2EC0 |
| .idata | C0300040 (Writeable) | 23F000 | 1800 | 244000 | 16A8 |
| .CRT | C0400040 (Writeable) | 240800 | 200 | 246000 | 70 |
| .tls | C0400040 (Writeable) | 240A00 | 200 | 247000 | 10 |
| .rsrc | C0300040 (Writeable) | 240C00 | 600 | 248000 | 5D0 |

Description

| Field | Value |
|---|---|
| OriginalFilename | upx.exe |
| CompanyName | The UPX Team https://upx.github.io |
| LegalCopyright | 1996-2025 Markus F.X.J. Oberhumer |
| ProductName | UPX |
| FileVersion | 5.0.2 (2025-07-20) |
| FileDescription | UPX executable packer |
| ProductVersion | 5.0.2 (2025-07-20) |
| Language | English (United States) (ID=0x409) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |

Entry Point

Section number 1 holds the entry point. EntryPoint (calculated): 8F0
Code: 4883EC28488B05E5A42100C70000000000E88AFCFFFF90904883C428C30F1F004883EC28E84F9E0A004885C00F94C00FB6C0
• SUB RSP, 0X28
• MOV RAX, QWORD PTR [RIP + 0X21A4E5]
• MOV DWORD PTR [RAX], 0
• CALL 0XCA0
• NOP
• NOP
• ADD RSP, 0X28
• RET
• NOP DWORD PTR [RAX]
• SUB RSP, 0X28
• CALL 0XAAE78
• TEST RAX, RAX
• SETE AL
• MOVZX EAX, AL

Signatures

Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler

Compiler: Pure Basic 4.x
Detect It Easy (die):
• PE+(64): compiler: MinGW(GCC: (GNU) 9.3.0)[-]
• PE+(64): linker: GNU linker ld (GNU Binutils)(2.28)[-]
• Entropy: 6.32482

Suspicious Functions

| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |

File Access

lzma.exe i386-bsd.elf.exe bsd.exe i386-linux.elf.exe linux.exe i086-dos16.exe .EXE CWSDPMI.EXE The STUB.EXE msvcrt.dll KERNEL32.DLL COREDLL.dll ntdll.dll i086-dos16.sys Temp

File Access (UNICODE)

upx.exe

Interest's Words

Virus exec attrib start ping expand

Interest's Words (UNICODE)

exec

URLs

http://upx.sf.net http://www.oberhumer.com http://www.oberhumer.com/ https://upx.github.io https://www.oberhumer.com/opensource/upx/

URLs (UNICODE)

https://upx.github.io

Known IP/Domains

gmail.com

Strings/Hex Code Found With The File Rules

| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (bind) |
| Text | Ascii | WinAPI Sockets (send) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Execution (ResumeThread) |
| Text | Ascii | Keyboard Key (Scroll) |
| Text | Ascii | Linux Virtual File System - (/proc/) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 (DLL) |

Resources

| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \VERSION\1\1033 | 2480A0 | 328 | 240CA0 | 280334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | (.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\1033 | 2483C8 | 205 | 240FC8 | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="UTF-8" standalone="y |

Intelligent String

• upx.exe
• /proc/self/cmdline
• /proc/self/exe
• M/proc/self/cmdline
• /proc/self/auxv
• =/proc/self/exe
• @0@.bss
• .CRT
• .tls
• /home/mfx/code/github/upx/upx4/src/check/dt_check.cpp
• UPX comes with ABSOLUTELY NO WARRANTY; for details visit https://upx.github.io
• https://upx.github.io
• decompressfileinfofile-infohelplicenselistsysinfosys-infotestuncompressversionforceforce-compressforce-overwritelinkno-envno-linkno-modeno-ownerno-timeoutputdebugdump-stub-loaderfake-stub-versionfake-stub-yeardebug-use-random-methoddebug-use-random-filterall-filtersall-methodsfilterno-filtersmallcrp-nrv-cfcrp-nrv-slcrp-nrv-hlcrp-nrv-plcrp-nrv-mocrp-nrv-mmcrp-nrv-mscrp-ucl-cfcrp-ucl-slcrp-ucl-hlcrp-ucl-plcrp-ucl-mocrp-ucl-mmcrp-ucl-mscrp-lzma-pbcrp-lzma-lpcrp-lzma-lccrp-lzma-dscrp-lzma-fbcrp-zlib-mlcrp-zlib-wbcrp-zlib-stsplit-segmentsforce-macoscoffno-relocblocksizeforce-execveis_ptinterpuse_ptinterpmake_ptinterpLinuxlinuxFreeBSDfreebsdNetBSDnetbsdOpenBSDopenbsdunmap-all-pagespreserve-build-idandroid-shlibforce-pieandroid-oldboot-onlyno-align8-bit8mib-ram8mb-ramle
• The STUB.EXE stub loader is Copyright (C) 1993-1995 DJ Delorie.
• CWSDPMI.EXE
• upx/proc/self/auxv
• H=/proc/self/exe
• 0/proc/self/exe
• /proc/self/auxvYj['
• linux/elfi386i386-linux.elf.interpFOLDEXECLXPTI000LXPTI040LXPTI090LXPTI041LXPTI042LXPTI091LXPTI140LXUNF002,LXUNF008,LXUNF010LXUNF042,LXUNF035LXPTI200pack1/home/mfx/code/github/upx/upx4/src/p_lx_interp.cpp
• Unrecognized Macho cmd offset=0x%lx cmd=0x%lx size=0x%lx
• 00000000 l d cdb.lzma.cpr 0 cdb.lzma.cpr
• 00000000 l d cdb.dec.ptr 0 cdb.dec.ptr
• 00000000 l d dec.ptr 0 dec.ptr
• 00000000 l d 8bit.sub 0 8bit.sub
• 00000000 l d 32bit.sub 0 32bit.sub
• writePackHeader/home/mfx/code/github/upx/upx4/src/p_unix.cpp
• /home/mfx/code/github/upx/upx4/src/packer.cppopt->cmd == CMD_COMPRESS
• overflow reloc size_of_block %uodd reloc size_of_block %unextRelocopt->cmd == CMD_COMPRESSadd_relocstart_did_allocbad reloc_type %x %uname_for_dlldll != nullptrl > 0%s%cR_X86_64_32R_X86_64_64X*UND*empty import: %sadd_importprocLoadLibraryAGetProcAddressExitProcessVirtualProtect
• @$KERNEL32.DLL
• The UPX Team https://upx.github.io

Flow Anomalies

| Offset | RVA | Section | Description |
|---|---|---|---|
| 680F7-68120 | N/A | .text | Potential obfuscated jump sequence detected, count: 9 |
| 240840 | 9DFD0 | .text | TLS Callback: Pointer to 49DFD0 *Memory* |
| 240848 | 9DFA0 | .text | TLS Callback: Pointer to 49DFA0 *Memory* |
| 240850 | ACC20 | .text | TLS Callback: Pointer to 4ACC20 *Memory* |

Extra Analysis

| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 1570417 | 66,4332% |
| Null Byte Code | 392820 | 16,6174% |
| NOP Cave Found | 0x9090909090 (Block Count: 1120) | Total: 0,1184% |
© 2025 All rights reserved.