PESCAN.IO - Analysis Report Basic
| File Structure |
PE Chart Code
Header PE (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header
Chart Code For Other Files
Printable characters (blue)
Non-printable characters (black)
| Information |
| Field | Value |
|---|---|
| Size | 100,00 KB |
| SHA-256 Hash | ABB6747BC93675AB4D216A3806314AD6A67D2101E7B5CE2F7ED1D219BAD798C6 |
| SHA-1 Hash | F014E20807CDC1B234CC54CB5FB02D5C0B33129B |
| MD5 Hash | D39726B304001DB8BFDC2F9E22173B16 |
| Imphash | E029F98A2DA83608852F59FA44F95F0E |
| MajorOSVersion | 4 |
| MinorOSVersion | 0 |
| CheckSum | 00000000 |
| EntryPoint (rva) | 5EB10 |
| SizeOfHeaders | 1000 |
| SizeOfImage | 63000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ImportTable | 62D44 |
| Characteristics | 10F |
| TimeDateStamp | 4A0C4EE1 |
| Date | 14/05/2009 17:03:29 |
| File Type | EXE |
| Number Of Sections | 3 |
| ASLR | Disabled |
| Section Names | UPX0, UPX1, .rsrc |
| Number Of Executable Sections | 2 |
| Subsystem | Windows GUI |
| Note | Incomplete Binary or Compressor Packer - 296,00 KB Missing |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| UPX0 | 0xE0000080 Uninitialized Data Executable Readable Writeable | 400 | 0 | 1000 | 49000 | | |
| UPX1 | 0xE0000040 Initialized Data Executable Readable Writeable | 400 | 14E00 | 4A000 | 15000 | | |
| .rsrc | 0xC0000040 Initialized Data Readable Writeable | 15200 | 3E00 | 5F000 | 4000 | | |
| Description |
| Field | Value |
|---|---|
| OriginalFilename | NimToy.exe |
| CompanyName | Home |
| ProductName | NimToy |
| FileVersion | 3.06.0005 |
| ProductVersion | 3.06.0005 |
| Language | English (United States) (ID=0x409) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |
| Entry Point |
Section 2 (UPX1) contains the entry point. EntryPoint (calculated): 14F10
Code: 60BE00A044008DBE0070FBFF5783CDFFEB109090909090908A064688074701DB75078B1E83EEFC11DB72EDB80100000001DB
Assembler:
| Instruction |
|---|
| PUSHAD |
| MOV ESI, 0X44A000 |
| LEA EDI, [ESI - 0X49000] |
| PUSH EDI |
| OR EBP, 0XFFFFFFFF |
| JMP 0X1022 |
| NOP |
| NOP |
| NOP |
| NOP |
| NOP |
| NOP |
| MOV AL, BYTE PTR [ESI] |
| INC ESI |
| MOV BYTE PTR [EDI], AL |
| INC EDI |
| ADD EBX, EBX |
| JNE 0X1029 |
| MOV EBX, DWORD PTR [ESI] |
| SUB ESI, -4 |
| ADC EBX, EBX |
| JB 0X1018 |
| MOV EAX, 1 |
| ADD EBX, EBX |
| Signatures |
| Rich Signature Analyzer: Code -> 5DFBC7DA199AA989199AA989199AA9899A86A789189AA9897085A0891C9AA989F085A489189AA98952696368199AA989 Footprint md5 Hash -> 2746BB12C0B86B5FF78A356945308881 |
| • The Rich header apparently has not been modified |
| Certificate - Digital Signature Not Found: |
| • The file is not signed |
| Packer/Compiler |
| Compiler: Visual Basic 6 - (Native Code) Compression: UPX - Version: 1.20 Possible Compiler: Visual Basic 6 |
| Detect It Easy (die): |
| • PE: packer: UPX(1.20)[NRV,brute] |
| • PE: compiler: Microsoft Visual Basic(6.0)[-] |
| • PE: linker: Microsoft Linker(6.0*)[-] |
| • Entropy: 7.60444 |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| File Access |
| MSVBVM60.DLL KERNEL32.DLL |
| File Access (UNICODE) |
| NimToy.exe |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 |
| Entry Point | Hex Pattern | UPX - www.upx.sourceforge.net |
| Entry Point | Hex Pattern | UPX 2.90 (LZMA) |
| Entry Point | Hex Pattern | UPX v0.80 - v0.84 |
| Entry Point | Hex Pattern | UPX v0.89.6 - v1.02 / v1.05 - v1.22 |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\30001\0 | 5F17C | 568 | 1537C | 2800000010000000200000000100080000000000400100000000000000000000000000000000000000000000161313001D1A | (....... ...........@............................. |
| \ICON\30002\0 | 5F6E8 | 8A8 | 158E8 | 2800000020000000400000000100080000000000800400000000000000000000000000000000000000000000000000000000 | (... ...@......................................... |
| \ICON\30003\0 | 5FF94 | EA8 | 16194 | 2800000030000000600000000100080000000000800A000000000000000000000000000000000000000000006C6C6C002727 | (...0......................................lll.'' |
| \ICON\30004\0 | 60E40 | 1CA8 | 17040 | 2800000030000000600000000100180000000000801C00000000000000000000000000000000000000000000000000000000 | (...0............................................ |
| \GROUP_ICON\1\0 | 62AEC | 40 | 18CEC | 00000100040010100000010008006805000031752020000001000800A808000032753030000001000800A80E000033753030000001001800A81C000034750000 | ..............h...1u ..........2u00..........3u00..........4u.. |
| \VERSION\1\1033 | 62B30 | 214 | 18D30 | 140234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000600 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| Intelligent String |
| • NimToy.exe • kernel32.dll • msvbvm60.dll |
| Flow Anomalies |
| Offset | RVA | Section | Description |
|---|---|---|---|
| D03 | A4010E0 | UPX1 | JMP [static] - Indirect jump to absolute memory address |
| 400-151FF | 4A000 | UPX1 | Executable section anomaly, first bytes: FE21229000050008 |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 64933 | 63,4111% |
| Null Byte Code | 9768 | 9,5391% |
| NOP Cave Found | 0x9090909090 (Block Count: 1) | Total: 0,0024% |