PESCAN.IO - Analysis Report Basic

| File Structure |
PE Chart Code
Header PE (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header
Chart Code For Other Files
Printable characters (blue)
Non-printable characters (black)
| Information |
| Field | Value |
|---|---|
| Size | 3,43 MB |
| SHA-256 Hash | A103953A13B6BBDBEEE6AF30D9C3B2CA8C4C228663F7AD0AC30EDD9DEB75E7BB |
| SHA-1 Hash | B2261F0BFBC5926FE03DCD43F63D5915C62E91BA |
| MD5 Hash | 516A526FB4A30AF2BE9751002EA1AA06 |
| Imphash | 6ED4F5F04D62B18D96B26D6DB7C18840 |
| MajorOSVersion | 6 |
| MinorOSVersion | 1 |
| CheckSum | 00000000 |
| EntryPoint (rva) | C53310 |
| SizeOfHeaders | 200 |
| SizeOfImage | C55000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ImportTable | C54000 |
| Characteristics | 102 |
| TimeDateStamp | 0 |
| Date | 01/01/1970 |
| File Type | EXE |
| Number Of Sections | 3 |
| ASLR | Enabled |
| Section Names | UPX0, UPX1, UPX2 |
| Number Of Executable Sections | 2 |
| Subsystem | Windows GUI |

[Incomplete Binary or Compressor Packer - 8,91 MB Missing]
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| UPX0 | 0xE0000080 Uninitialized Data Executable Readable Writeable | 200 | 0 | 1000 | 8E6000 | | |
| UPX1 | 0xE0000040 Initialized Data Executable Readable Writeable | 200 | 36D000 | 8E7000 | 36D000 | | |
| UPX2 | 0xC0000040 Initialized Data Readable Writeable | 36D200 | 200 | C54000 | 1000 | | |
| Entry Point |
Section 2 (UPX1) contains the entry point.

EntryPoint (calculated): 36C510

Code: 60BE1570CE008DBEEB9F71FF5789E58D9C2480C1FFFF31C05039DC75FB464653688B13C5005783C3045368ECC236005683C3

Assembler:
• PUSHAD
• MOV ESI, 0XCE7015
• LEA EDI, [ESI - 0X8E6015]
• PUSH EDI
• MOV EBP, ESP
• LEA EBX, [ESP - 0X3E80]
• XOR EAX, EAX
• PUSH EAX
• CMP ESP, EBX
• JNE 0X1018
• INC ESI
• INC ESI
• PUSH EBX
• PUSH 0XC5138B
• PUSH EDI
• ADD EBX, 4
• PUSH EBX
• PUSH 0X36C2EC
• PUSH ESI
| Signatures |
Certificate - Digital Signature Not Found: • The file is not signed
| Packer/Compiler |
Compression: UPX

Detect It Easy (die):
• PE: packer: UPX(5.02)[LZMA,brute]
• Entropy: 7.99993
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| File Access |
KERNEL32.DLL
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Stealer malware focused on obtaining CVV codes to conduct unauthorized transactions (CVV) |
| Entry Point | Hex Pattern | UPX - www.upx.sourceforge.net |
| Entry Point | Hex Pattern | UPX v3.0 (EXE_LZMA) - Markus Oberhumer & Laszlo Molnar & John Reiser |
| Intelligent String |
• e.KbI
• KERNEL32.DLL
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 2474 | 73A11552 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| FB32 | 318A4C72 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 2FA1B | 318A4C72 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 2FE23 | 62514C43 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 37A55 | 62514C43 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 3EA23 | 62514C43 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 40771 | 2EFF4F25 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 44CDA | 2EFF4F25 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 463B8 | 5AC32786 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 4FF5F | 675F8A | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 618F2 | 264A1DE6 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 65589 | 6B67DC72 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 733AB | 4DD1C4EF | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 7353D | 5A9874B | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 82EAC | 700B4086 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 87845 | 700B4086 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 878AF | 700B4086 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 8EE16 | 700B4086 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 92375 | 4743D1C9 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 92A3D | 10D7098C | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 9B7D6 | 2A939D05 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| B65EB | 32342292 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| B8A03 | 32342292 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| C4AE6 | 583375AC | UPX1 | CALL [static] | Indirect call to absolute memory address |
| C6EFB | 583375AC | UPX1 | CALL [static] | Indirect call to absolute memory address |
| CCAEC | 2585E190 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| CEBE1 | 2585E190 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| CF0A1 | 18569068 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| D9CDE | 39DEA20E | UPX1 | CALL [static] | Indirect call to absolute memory address |
| E2439 | 2AAF4B7F | UPX1 | CALL [static] | Indirect call to absolute memory address |
| E5692 | 2AAF4B7F | UPX1 | CALL [static] | Indirect call to absolute memory address |
| EAD27 | 7D9511DF | UPX1 | CALL [static] | Indirect call to absolute memory address |
| F0987 | 7D9511DF | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| F8FE0 | 2D038A34 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| F93B3 | 1A60C7D6 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 11D5F8 | 24D40C12 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 1334A3 | 2963F15A | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 133D8A | 68BE166E | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 13405A | 68BE166E | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 139B4C | 68BE166E | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 13F3E1 | 68BE166E | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 141DB2 | 68BE166E | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 14E4A2 | 49BA586C | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 14E937 | 49BA586C | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 1538D3 | 6F55C42E | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 157170 | 6F55C42E | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 15D2EC | 6F55C42E | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 165AA3 | 31B8BEF6 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 16AF5B | 31B8BEF6 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 174DA0 | 56B8BB0 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 176E36 | 5292D2CF | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 177A46 | 5292D2CF | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 1859FE | 5292D2CF | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 18E3E0 | 44E0B3E8 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 1AADE0 | 405DBC26 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 1B0DFA | 405DBC26 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 1B3D2E | 405DBC26 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 1D38FF | 405DBC26 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 1DBEE2 | 405DBC26 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 1EC3A0 | 4ECC69D4 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 1F42BE | 5F90EE38 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 1FBBC8 | 47CB964D | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 2005FF | 40F1B3C0 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 202192 | 688DA7CF | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 208983 | 688DA7CF | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 2107C8 | 47868641 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 2120C8 | 2776599A | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 21DF9E | 13047A13 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 229267 | 2CA60859 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 22A75E | 5F570450 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 23441C | 7DB2BD55 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 23DD64 | 762B4F6C | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 2425CB | 762B4F6C | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 244D88 | 48E34B9A | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 2479E1 | 48E34B9A | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 24DDA0 | 55850983 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 25437A | 55850983 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 2553C5 | 55850983 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 2563E3 | 7C62246D | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 25BB80 | 7C62246D | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 26DFB5 | 7C62246D | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 270235 | 546AEA32 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 2704C3 | 546AEA32 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 271BAC | 546AEA32 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 276754 | 16474F | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 27B817 | 16474F | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 27C38B | 28E0C160 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 2907B5 | 4F9813D0 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 292EB5 | 4FAD4A98 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 29DB3E | 4FAD4A98 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 2B1B46 | 1A291B06 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 2B7F56 | 71277994 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 2BD101 | 71277994 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 2CDB2B | 71277994 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 2D4020 | 71277994 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 2D56F6 | 293465CE | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 2D86E8 | 293465CE | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 2E6910 | 293465CE | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 2EE8D5 | 293465CE | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 2F32E5 | 293465CE | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 200-36D1FF | 8E7000 | UPX1 | | Executable section anomaly, first bytes: 4B1356FD748B13C5 |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 2470580 | 68,7568% |
| Null Byte Code | 15335 | 0,4268% |
© 2026 All rights reserved.