PESCAN.IO - Analysis Report Basic
| File Structure |
PE Chart Code
Header PE (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header
Chart Code For Other Files
Printable characters (blue)
Non-printable characters (black)
| Information |
Size: 374.70 KB
SHA-256: 23C0DF0D9DCFFD88E0B397FEF20F3668F70FCB4800D1BD548E3624ABC5730C46
SHA-1: A515C096893527F93AAE387062CDD5FDCC76B03A
MD5: 9FD461847EAACE0967BAA34802CFB3EE
Imphash: 05D3DCE2BE32DF01CA249872DD2CC117
MajorOSVersion: 4, MinorOSVersion: 0 (minimum OS version 4.0)
CheckSum: 00067DC2
EntryPoint (RVA): 34FA0
SizeOfHeaders: 1000
SizeOfImage: 46000
ImageBase: 400000
Architecture: x86
ImportTable: 45B4C (inside .rsrc, where UPX places the stub's import directory)
Characteristics: 10F (RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE)
TimeDateStamp: 5B886D39 (30/08/2018 22:18:33)
File Type: EXE
Number Of Sections: 3
ASLR: Disabled (no DYNAMIC_BASE flag; with relocations stripped the image can only load at 400000)
Section Names: UPX0, UPX1, .rsrc
Number Of Executable Sections: 2
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| UPX0 | 0xE0000080 (uninitialized data, execute, read, write) | 400 | 0 | 1000 | 24000 | | |
| UPX1 | 0xE0000040 (initialized data, execute, read, write) | 400 | 10200 | 25000 | 11000 | | |
| .rsrc | 0xC0000040 (initialized data, read, write) | 10600 | FC00 | 36000 | 10000 | | |
Entropy and Chi2 were not populated in this report. UPX0 occupies no bytes on disk (RSize 0) but 0x24000 bytes of virtual space: it is the destination into which the stub in UPX1 unpacks the original image. The raw section data ends at 10600 + FC00 = 20200, which is where the overlay begins.
| Description |
OriginalFilename: 7zS.sfx.exe
CompanyName: Mozilla
LegalCopyright: Mozilla
ProductName: Firefox
FileVersion: 18.05
FileDescription: Firefox
ProductVersion: 18.05
Language: English (United States) (ID=0x409)
CodePage: Unicode (UTF-16 LE) (0x4B0)
The OriginalFilename identifies the 7-Zip self-extracting module (7zS.sfx), which matches the "installer: 7-Zip" detection under Packer/Compiler and the setup-stub.exe string below; the VERSIONINFO branding is Mozilla's, and 18.05 is a 7-Zip release number rather than a Firefox one.
| Binder/Joiner/Crypter |
| Dropper code detected (EOF) - 94.70 KB |
"Dropper code (EOF)" is the tool's label for data appended after the last section (the overlay). For a 7-Zip SFX installer that overlay is the archive payload, consistent with "overlay: 7-zip Installer data" under Packer/Compiler and the ;!@Install@!UTF-8! marker at offset 20200 under Flow Anomalies; the label alone is not evidence of malicious behaviour.
| Entry Point |
The entry point lies in section 2 (UPX1): EntryPoint RVA 34FA0 maps to file offset 103A0 (34FA0 - 25000 + 400), near the end of the compressed section, which is where UPX places its decompression stub.
Code: 60BE005042008DBE00C0FDFF5783CDFFEB109090909090908A064688074701DB75078B1E83EEFC11DB72EDB80100000001DB
Assembler (branch targets are relative to the disassembler's base of 0x1000, not image addresses):
PUSHAD
MOV ESI, 0x425000          ; ImageBase + UPX1 VOffset: source, the compressed data
LEA EDI, [ESI - 0x24000]   ; = 0x401000, UPX0: destination for the unpacked image
PUSH EDI
OR EBP, 0xFFFFFFFF
JMP 0x1022
NOP (x6)
MOV AL, BYTE PTR [ESI]
INC ESI
MOV BYTE PTR [EDI], AL
INC EDI
ADD EBX, EBX
JNE 0x1029
MOV EBX, DWORD PTR [ESI]
SUB ESI, -4
ADC EBX, EBX
JB 0x1018
MOV EAX, 1
ADD EBX, EBX
This is the standard UPX NRV decompression loop (copy a literal byte, then refill the 32-bit bit buffer in EBX when it runs empty), consistent with the UPX 3.95 detection below.
| Signatures |
CheckSum integrity problem:
• Header: 425410 (0x67DC2, the CheckSum field shown under Information)
• Calculated: 445490 (0x6CC32)
A checksum mismatch does not affect the Authenticode verdict below: the Authenticode hash excludes the CheckSum field, so a stale checksum and a valid signature can coexist, and Windows does not validate the checksum for ordinary user-mode executables.
Rich Signature Analyzer:
• Code: 8AF90E0ACE986059CE986059CE9860594D846E59C998605926876459CC9860590D973F59CF9860590D973D59CD986059CE9861596298605926876A59D498605926876B5987986059769E6659CF98605952696368CE986059
• Footprint MD5: DAA819D4CB3EDF008C056A8D8E201A99
• The Rich header apparently has not been modified
Certificate - Digital Signature:
• The file is signed and the signature is correct
"Correct" means the signature verifies against the embedded certificate chain (the DigiCert code-signing and timestamping CA URLs appear under URLs); it does not by itself establish that the signer is the publisher named in VERSIONINFO, so the signer subject should be checked as well.
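The two calculations the report performs in the Entry Point and Signatures blocks (RVA to file offset through the section table, and the header-versus-calculated PE CheckSum), together with the section flag decoding and overlay detection from the Sections block, as an added example. This is not PESCAN.IO's code. It builds a constructed PE32 skeleton carrying the header and section values listed in this report (entry RVA 34FA0, UPX0/UPX1/.rsrc with the offsets and flags above, a short overlay starting with the ;!@Install@!UTF-8! marker); the section bodies are zero-filled, so it is not the analysed file and the checksum it computes is not the report's 445490.

```python
"""Added example (not PESCAN.IO code): entry-point RVA -> file offset mapping,
section flag decoding, overlay detection and the PE CheckSum comparison that
the report above performs, run on a constructed PE32 skeleton."""
import struct

# Section characteristics bits from the PE/COFF spec.
SECTION_FLAGS = {0x20: "CODE", 0x40: "INITIALIZED_DATA", 0x80: "UNINITIALIZED_DATA",
                 0x20000000: "EXECUTE", 0x40000000: "READ", 0x80000000: "WRITE"}

def parse_pe(data):
    """Read the COFF header, the PE32 optional header fields needed here and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]          # AddressOfEntryPoint
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    secs = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        secs.append(dict(name=f[0].rstrip(b"\0").decode(), vsize=f[1], va=f[2],
                         rsize=f[3], roff=f[4], flags=f[9]))
    # CheckSum sits at offset 64 of the optional header.
    return dict(entry=entry, size_of_headers=size_of_headers, checksum_offset=opt + 64, sections=secs)

def section_flags(flags):
    return [name for bit, name in sorted(SECTION_FLAGS.items()) if flags & bit]

def section_for_rva(pe, rva):
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            return s
    return None

def rva_to_offset(pe, rva):
    """The report's 'EntryPoint (calculated)': RVA - VOffset + ROffset.
    Returns None for RVAs that exist only in memory (UPX0 has RSize 0)."""
    if rva < pe["size_of_headers"]:
        return rva
    s = section_for_rva(pe, rva)
    if s is None or rva - s["va"] >= s["rsize"]:
        return None
    return s["roff"] + (rva - s["va"])

def overlay_offset(pe, data):
    """Bytes after the last section's raw data are the overlay (the report's 'EOF' data)."""
    end = max(s["roff"] + s["rsize"] for s in pe["sections"])
    return end if end < len(data) else None

def pe_checksum(data, checksum_offset):
    """PE/COFF CheckSum as CheckSumMappedFile computes it: one's-complement sum of
    every 16-bit word, skipping the CheckSum field itself, plus the file length."""
    buf = data if len(data) % 2 == 0 else bytes(data) + b"\0"
    total = 0
    for i in range(0, len(buf), 2):
        if i == checksum_offset or i == checksum_offset + 2:
            continue
        total += struct.unpack_from("<H", buf, i)[0]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF

def verify_checksum(data, pe):
    header = struct.unpack_from("<I", data, pe["checksum_offset"])[0]
    return header == pe_checksum(data, pe["checksum_offset"])

def set_checksum(data, pe):
    struct.pack_into("<I", data, pe["checksum_offset"], pe_checksum(data, pe["checksum_offset"]))

def build_sample():
    """Constructed PE32 skeleton with the report's header and section values; section
    bodies are zero-filled and a short 7-Zip-SFX-style overlay is appended. Not the real file."""
    secs = [(b"UPX0", 0x24000, 0x1000, 0x0, 0x400, 0xE0000080),
            (b"UPX1", 0x11000, 0x25000, 0x10200, 0x400, 0xE0000040),
            (b".rsrc", 0x10000, 0x36000, 0xFC00, 0x10600, 0xC0000040)]
    img = bytearray(0x20200)  # headers plus raw section data end at 0x20200, as in the report
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)  # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, len(secs), 0x5B886D39, 0, 0, 0xE0, 0x10F)
    opt = 0x98
    struct.pack_into("<HBB", img, opt, 0x10B, 6, 0)                              # PE32, linker 6.0
    struct.pack_into("<IIII", img, opt + 16, 0x34FA0, 0x25000, 0x36000, 0x400000)  # entry, code, data, ImageBase
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)                        # section/file alignment
    struct.pack_into("<HH", img, opt + 40, 4, 0)                                 # OS version 4.0
    struct.pack_into("<III", img, opt + 56, 0x46000, 0x1000, 0)                  # SizeOfImage, SizeOfHeaders, CheckSum
    struct.pack_into("<HH", img, opt + 68, 2, 0)                                 # Windows GUI, no DYNAMIC_BASE
    struct.pack_into("<I", img, opt + 92, 16)                                    # NumberOfRvaAndSizes
    for i, (name, vsize, va, rsize, roff, flags) in enumerate(secs):
        struct.pack_into("<8sIIIIIIHHI", img, opt + 0xE0 + 40 * i,
                         name, vsize, va, rsize, roff, 0, 0, 0, 0, flags)
    return img + b";!@Install@!UTF-8!\n" + b"\0" * 64  # constructed overlay, marker as in the report

if __name__ == "__main__":
    d = build_sample(); p = parse_pe(d)
    print("entry", hex(p["entry"]), "->", hex(rva_to_offset(p, p["entry"])), "in", section_for_rva(p, p["entry"])["name"])
    print("overlay at", hex(overlay_offset(p, d)), "checksum ok:", verify_checksum(d, p))
```

On the real file the same calls reproduce the report's 34FA0 -> 103A0 mapping and its 20200 overlay start; any RVA inside UPX0 returns None, which is the reason static tools find nothing to disassemble there until the image is unpacked.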
| Packer/Compiler |
Compression: UPX - Version: 3.95
Detect It Easy (die):
• PE: installer: 7-Zip(1.0)[-]
• PE: packer: UPX(3.95)[NRV,brute]
• PE: compiler: Microsoft Visual C/C++(6.0)[-]
• PE: archive: 7-Zip(0.4)[-]
• PE: linker: Microsoft Linker(6.0*)[-]
• PE: overlay: 7-zip Installer data(-)[-]
• Entropy: 7.94763
Whole-file entropy this close to 8 is expected here: UPX1 holds compressed code and the overlay holds a 7-Zip archive.
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
Only these two imports are visible because the file is packed: the UPX stub keeps a minimal import table and resolves the original program's imports at runtime through LoadLibraryA and GetProcAddress. The real import set (and a meaningful imphash) is only available after unpacking (for example with `upx -d`) or from a memory dump.
| File Access |
| setup-stub.exe 7zS.sfx.exe MSVCRT.dll KERNEL32.DLL 2.dll Temp |
| File Access (UNICODE) |
| setup-stub.exe sfx.exe |
| Interest's Words |
| exec ping |
| URLs |
• http://schemas.microsoft.com/SMI/2005/WindowsSettings
• http://ocsp.digicert.com
• http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
• http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
• http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
• http://crl3.digicert.com/DigiCertTrustedRootG4.crl
• http://www.digicert.com/CPS0
• http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
• http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
• http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
• http://cacerts.digicert.com/DigiCertTrustedG4TimeStampingRSA4096SHA2562025CA1.crt
• http://crl3.digicert.com/DigiCertTrustedG4TimeStampingRSA4096SHA2562025CA1.crl
• https://mozilla.org0/
The schemas.microsoft.com URL is the manifest namespace, and the digicert.com entries are the OCSP, CRL and CA-certificate URLs of the signing and timestamping chain; none of them is a network indicator of the program's own behaviour. The trailing "0" in http://www.digicert.com/CPS0 and https://mozilla.org0/ is not part of the URL: it is the DER SEQUENCE tag byte (0x30, ASCII "0") that follows the string inside the certificate, picked up by the string scanner.
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Stealth (VirtualProtect) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 |
| Entry Point | Hex Pattern | UPX - www.upx.sourceforge.net |
| Entry Point | Hex Pattern | UPX 2.00-3.0X - Markus Oberhumer & Laszlo Molnar & John Reiser |
| Entry Point | Hex Pattern | UPX 2.90 (LZMA) |
| Entry Point | Hex Pattern | UPX v0.80 - v0.84 |
| Entry Point | Hex Pattern | UPX v0.89.6 - v1.02 / v1.05 - v1.22 |
| Entry Point | Hex Pattern | UPX v2.0 - Markus, Laszlo & Reiser (h) |
| Entry Point | Hex Pattern | UPX V2.00-V2.90 - Markus Oberhumer & Laszlo Molnar & John Reiser |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\1033 | 362E4 | 528 | 108E4 | 2800000010000000200000000100200000000000000500000000000000000000000000000000000033111D6034111EFF3611 | (....... ..... .........................3..4...6. |
| \ICON\2\1033 | 36810 | 1428 | 10E10 | 2800000020000000400000000100200000000000001400000000000000000000000000000000000033111D0033111D103311 | (... ...@..... .........................3...3...3. |
| \ICON\3\1033 | 37C3C | 2D28 | 1223C | 2800000030000000600000000100200000000000002D00000000000000000000000000000000000033111D0033111D003311 | (...0........ ......-..................3...3...3. |
| \ICON\4\1033 | 3A968 | A9CB | 14F68 | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A866000000017352474200AECE1CE900004000 | .PNG........IHDR.............\r.f....sRGB.......@. |
| \DIALOG\97\1033 | 32324 | B8 | D724 | D50EBB3B595497602CC7F0504A70482E3B97EB8A487A127C0FC13DEE40153F9B4011342A22979CD428BBBB0D894C14682411 | ...;YT.,..PJpH.;...Hz.|..=.@.?.@.4*"...(....L.h$. |
| \STRING\1\1033 | 323DC | 60 | D7DC | 271236648FEC054C8C244D0D99C8E910FC88D45618D29D7C0F36222D6805EBBAD324CCA38D15BF215EC84BE8A40580D7068823502D228228D40023097543E7822ED94DE017687C401FBB2D9876C7DCEBB376740820C71842055D43BE80CBB0F4 | '.6d...L.$M........V...|.6"-h....$.....!.K.......P-".(...uC....M..h|@..-.v....vt. ..B.]C..... |
| \STRING\5\1033 | 3243C | 88 | D83C | 3B82B470F0FCFE6E7D45FEDAE21000C49E50B182FE757D676C8C3BC324BD75417CA161CE0509FE7410137C08E02FB9C475A9 | ;..p...n}E.......P...u}gl.;.$.uA|.a....t..|../..u. |
| \STRING\188\1033 | 324C4 | 54 | D8C4 | 7090DE4DCC89A5604E8F8B21848F67156468436336698F410B1CA48B81B8AEF105A2A50E5633919B10EC0A9EB15D865E8D06562FB774807717A1AF1150899D09D135E6883379B7F4EC900A3A41C82886611DC0C7 | p..M...N..!..g.dhCc6i.A............V3.......]...V/.t.w....P....5..3y.....:A.(.a... |
| \STRING\207\1033 | 32518 | 34 | D918 | 5E97D0810700DA590F3C722C6C6708FE26850AC68538318086753CE1A8C245A8786125290E0843D8DE615C5B8BDE61025A316E9D | ......Y.<r,lg..&....81..u<...E.xa%)..C..a\[..a.Z1n. |
| \GROUP_ICON\1\1033 | 45338 | 3E | 1F938 | 000001000400101000000100200028050000010020200000010020002814000002003030000001002000282D000003000000000001002000CBA900000400 | ............ .(..... .... .(.....00.... .(-.......... ....... |
| \VERSION\1\1033 | 4537C | 274 | 1F97C | 740234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000500 | t.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\0 | 455F4 | 555 | 1FBF4 | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="UTF-8" standalone="y |
| Intelligent String |
• 7zS.sfx
• 7zS.sfx.exe
• <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="7zS.sfx.exe" type="win32"
• <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
• kernel32.dll
• msvcrt.dll
• setup-stub.exe
• __MOZCUSTOM__:campaign%3DSET_DEFAULT_BROWSER%26content%3D%2528not%2Bset%2529%26dlsource%3Dfxdotcom%26dltoken%3Ded8bd6ad-4ca0-4b3b-8ea5-973cc1c62484%26experiment%3D%2528not%2Bset%2529%26medium%3Dreferral%26source%3Dwww.google.com%26ua%3Dedge%26variation%3D%2528not%2Bset%2529
  URL-decoded once: campaign=SET_DEFAULT_BROWSER&content=%28not%2Bset%29&dlsource=fxdotcom&dltoken=ed8bd6ad-4ca0-4b3b-8ea5-973cc1c62484&experiment=%28not%2Bset%29&medium=referral&source=www.google.com&ua=edge&variation=%28not%2Bset%29 (a download-attribution record embedded in the installer; the dltoken is a per-download identifier)
• :060U00Uq]dL.g?O0U0E1-Q!m0U0y+m0k0$+0http://ocsp.digicert.com0C+07http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0EU>0<0:864http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0U (DER residue from the certificate's AIA/CRL extensions, not a meaningful string)
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 48D | 455F4 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| F3E | 61585A08 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 3004 | 61585A08 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 3293 | 39244E47 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| C874 | F8C2589 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| DDE1 | 729C1F18 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 10B53 | 1AFFFF70 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| 10BD7 | 1EFFFF8D | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 11757 | 24FFFD8D | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| 117CF | 1AFFFF72 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| 11863 | 18FFFFA4 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| 11957 | 11FFFF8B | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 11ACF | 14FFFF8C | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 1355B | 47FFF097 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| 136E3 | 58FFFFB8 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| 1385F | 28FFFFB8 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| 13A83 | 22FFFF71 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| 13AA7 | 19FFFFA1 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 13B3F | 22FFFF70 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| 13B63 | 19FFFFA2 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 13C1F | 19FFFFA2 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 13CDB | 19FFFFA2 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 13D8B | 12FFFF8C | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 1408B | 1BFFCE73 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| 32DD1 | 1BFFCE73 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 3EB7A | 4A89D376 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 42E46 | 31A8D885 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 4A14A | 31A8D885 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 4A361 | D9CE035 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 4B04E | 8D17E6E | *padding* | CALL [static] | Indirect call to absolute memory address |
| 4FCEB | 20559EC2 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 510B5 | 696A85B7 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 514DF | 696A85B7 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 400-105FF | 25000 | UPX1 | Executable section anomaly | first bytes: FFFFFFFF8B442404 |
| 20200 | N/A | *Overlay* | 7-Zip SFX config marker | 3B2140496E7374616C6C40215554462D38210A54 = ";!@Install@!UTF-8!.T" |
These rows should be read with the packing in mind. UPX1 (file offsets 400-105FF) is compressed data except for the stub at its end (the entry point at 103A0), so a linear-sweep disassembly of its first bytes, of the .rsrc data and of the overlay (offsets from 32DD1 on, which the tool labels *padding*, are past the last section's end at 20200 and therefore inside the 7-Zip archive) produces indirect CALL/JMP hits whose targets (61585A08, 39244E47, 696A85B7) lie far outside the 400000-446000 image range. They are artefacts of decoding non-code bytes, not control flow; real control-flow analysis needs the unpacked image. The overlay row is the genuine finding: ;!@Install@!UTF-8! opens the 7-Zip SFX installer configuration block that precedes the archive.
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 259498 | 67.6311% |
| Null Byte Code | 9085 | 2.3678% |
| NOP Cave Found | 0x9090909090 (block count: 1) | 0.0007% |
259498 bytes at 67.6311% implies a total of about 383,696 bytes, which agrees with the 374.70 KB reported under Information. The single short NOP run matches the NOP padding in the UPX entry stub shown above and is not a code cave of usable size.
© 2026 All rights reserved.