PESCAN.IO - Analysis Report Basic

Information
Size: 25,50 KB
SHA-256 Hash: 85796CC681A6D84486EC4FFCD5BD2D4208FFA3E28602B36E5A4BD5764450561A
SHA-1 Hash: A852176EDFF654FA3CD28FC46002B9F6B2A91C12
MD5 Hash: E1A8A1987A5D9492D55AEFD06059A3F0
Imphash: 8B1B6015E405F67D65A5FD3A26890614
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 0000ED7E
EntryPoint (rva): 1309A
SizeOfHeaders: 200
SizeOfImage: 15000
ImageBase: 400000
Architecture: x86
ImportTable: 13000
IAT: 1303C
Characteristics: 30F
TimeDateStamp: 4E9C3C78
Date: 17/10/2011 14:32:24
File Type: EXE
Number Of Sections: 3
ASLR: Disabled
Section Names: .MPRESS1, .MPRESS2, .rsrc
Number Of Executable Sections: 2
Subsystem: Windows GUI

Sections Info
Section Name Flags ROffset RSize VOffset VSize Entropy Chi2
.MPRESS1 E00000E0 (Code, Initialized Data, Uninitialized Data, Executable, Readable, Writeable) 200 4E00 1000 12000 7.9903 268.95
.MPRESS2 E00000E0 (Code, Initialized Data, Uninitialized Data, Executable, Readable, Writeable) 5000 E00 13000 C04 5.8387 43436.29
.rsrc C0000040 (Initialized Data, Readable, Writeable) 5E00 800 14000 6D4 3.1732 140754.25
Entry Point
Section number 2 (.MPRESS2) contains the Entry Point
Information -> EntryPoint (calculated) - 509A
Code -> 60E80000000058055A0B00008B3003F02BC08BFE66ADC1E00C8BC850AD2BC803F18BC85751498A44390688043175F62BC0AC
EP changed to another address -> (Address Of EntryPoint > Base Of Data)
Assembler
|PUSHAD
|CALL 0X1006
|POP EAX
|ADD EAX, 0XB5A
|MOV ESI, DWORD PTR [EAX]
|ADD ESI, EAX
|SUB EAX, EAX
|MOV EDI, ESI
|LODSW AX, WORD PTR [ESI]
|SHL EAX, 0XC
|MOV ECX, EAX
|PUSH EAX
|LODSD EAX, DWORD PTR [ESI]
|SUB ECX, EAX
|ADD ESI, ECX
|MOV ECX, EAX
|PUSH EDI
|PUSH ECX
|DEC ECX
|MOV AL, BYTE PTR [ECX + EDI + 6]
|MOV BYTE PTR [ECX + ESI], AL
|JNE 0X1025
|SUB EAX, EAX
|LODSB AL, BYTE PTR [ESI]
Signatures
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Compiler: Visual Basic 6 - (Native Code)
Packer: MPress v2.x
Detect It Easy (die)
PE: packer: EP:MPRESS(2.01-2.12)[-]
PE: packer: MPRESS(2.18)[-]
PE: compiler: Microsoft Visual Basic(6.0)[-]
Entropy: 7.6653

Suspicious Functions
Library Function Description
KERNEL32.DLL GetModuleHandleA Retrieves a handle to the specified module.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
File Access
!Win32 .EXE
MSVBVM60.DLL
KERNEL32.DLL

Interesting Words
PADDINGX

Resources
Path DataRVA Size FileOffset Code Text
\SETTINGS\101\0 12164 101 11364 N/A N/A
\ICON\30001\0 140D4 130 5ED4 2800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFFFF00FFFF (... ...@.........................................
\ICON\30002\0 1422C 2E8 602C 2800000020000000400000000100040000000000800200000000000000000000000000000000000000000000000080000080 (... ...@.........................................
\ICON\30003\0 1453C 128 633C 2800000010000000200000000100040000000000C00000000000000000000000000000000000000000000000000080000080 (....... .........................................
\GROUP_ICON\1\0 146A4 30 64A4 00000100030020200200010001003001000031752020100001000400E802000032751010100001000400280100003375 ...... ......0...1u ..........2u........(...3u
Flow Anomalies
Offset RVA Section Description
200-4FFF 1000 .MPRESS1 Executable section anomaly, first bytes: 1200E24D00001000
5000-5DFF 13000 .MPRESS2 Executable section anomaly, first bytes: 3C30010000000000
Extra Analysis
Metric Value Percentage
Ascii Code 16338 62,5689%
Null Byte Code 2142 8,2031%