PESCAN.IO - Analysis Report Basic

File Structure
Analysis Image
PE Chart Code
Executable header (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header

Chart Code For Other Files
Printable characters (blue)
Non-printable characters (black)
Information
Size: 585,00 KB
SHA-256 Hash: 3638BFE45EE552B57DC8C5AF39C5E0F317FF83748DBF6326A0CDCCCB2FD52DA4
SHA-1 Hash: 779E4C4E891BAD76FBDD4B80328EA1F5BB46F869
MD5 Hash: 7C16101F721B468256C0B61E37727599
Imphash: 901EC837D6125799D133B50B020012B7
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (rva): 24A6E0
SizeOfHeaders: 200
SizeOfImage: 24C000
ImageBase: 0000000000400000
Architecture: x64
ImportTable: 24B5D8
Characteristics: 22F
TimeDateStamp: 0
Date: 01/01/1970
File Type: EXE
Number Of Sections: 3
ASLR: Disabled
Section Names (Optional Header): UPX0, UPX1, .rsrc
Number Of Executable Sections: 2
Subsystem: Windows Console
UAC Execution Level Manifest: asInvoker
[Incomplete Binary or Compressor Packer - 1,73 MB Missing]

Sections Info
Section Name  Flags                               ROffset  RSize  VOffset  VSize
UPX0          E0000080 (Executable) (Writeable)   200      0      1000     1B8000
UPX1          E0000040 (Executable) (Writeable)   200      91A00  1B9000   92000
.rsrc         C0000040 (Writeable)                91C00    800    24B000   1000
Description
OriginalFilename: upx.exe
CompanyName: The UPX Team https://upx.github.io
LegalCopyright: 1996-2025 Markus F.X.J. Oberhumer
ProductName: UPX
FileVersion: 5.0.2 (2025-07-20)
FileDescription: UPX executable packer
ProductVersion: 5.0.2 (2025-07-20)
Language: English (United States) (ID=0x409)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point
The Entry Point is located in section number 2
Information -> EntryPoint (calculated) - 918E0
Code -> 53565755488D353AE9F6FF488DBEDB7FE4FF488D870C222400FF30C7007B9EE7A4505731DB31C94883CDFFE85000000001DB
PUSH RBX
PUSH RSI
PUSH RDI
PUSH RBP
LEA RSI, [RIP - 0X916C6]
LEA RDI, [RSI - 0X1B8025]
LEA RAX, [RDI + 0X24220C]
PUSH QWORD PTR [RAX]
MOV DWORD PTR [RAX], 0XA4E79E7B
PUSH RAX
PUSH RDI
XOR EBX, EBX
XOR ECX, ECX
OR RBP, 0XFFFFFFFFFFFFFFFF
CALL 0X1080
ADD EBX, EBX

Signatures
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Compression: UPX
Detect It Easy (die)
PE+(64): packer: UPX(5.02)[NRV,brute]
PE+(64): compiler: MinGW(-)[-]
PE+(64): linker: GNU linker ld (GNU Binutils)(2.28)[-]
Entropy: 7.92872

Suspicious Functions
Library       Function        Description
KERNEL32.DLL  LoadLibraryA    Loads the specified module into the address space of the calling process.
KERNEL32.DLL  GetProcAddress  Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
File Access
msvcrt.dll
KERNEL32.DLL

File Access (UNICODE)
upx.exe

Words of Interest
exec

Words of Interest (UNICODE)
exec

URLs (UNICODE)
https://upx.github.io

Strings/Hex Code Matched by File Rules
Type         Encoding     Rule                                                                                 Matched (Word)
Text         Ascii        Stealth                                                                              VirtualProtect
Text         Ascii        Stealer malware focused on obtaining CVV codes to conduct unauthorized transactions  CVV
Entry Point  Hex Pattern  Microsoft Visual C++ 8.0 (DLL)                                                       -
Entry Point  Hex Pattern  Microsoft Visual C++ 8                                                               -
Entry Point  Hex Pattern  VC8 -> Microsoft Corporation                                                         -
Entry Point  Hex Pattern  ZM-Exe Executable Image                                                              -
Resources
Path              DataRVA  Size  FileOffset  CodeText
\VERSION\1\1033   24B0A4   328   91CA4       280334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000(.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\1033        24B3D0   205   91FD0       3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279<?xml version="1.0" encoding="UTF-8" standalone="y
Intelligent String
• upx.exe
• The UPX Team https://upx.github.io

Flow Anomalies
Offset  RVA     Section  Description
91BA0   24A945  UPX1     TLS Callback | Pointer to 64A945 *Memory*
Extra Analysis
Metric          Value   Percentage
Ascii Code      418461  69,8553%
Null Byte Code  6983    1,1657%