PESCAN.IO - Analysis Report Basic |
|||||||
| File Structure |
|
PE Chart Code
Header PE (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header
Chart Code For Other Files
Printable characters (blue)
Non-printable characters (black)
| Information |
Icon: Size: 34,34 KBSHA-256 Hash: D3C1E759E0FD69FEDD5415A1B60A9FEE67F3CC192BFC0F68D8733C3065E063AF SHA-1 Hash: 32B195D313AEAB7053BACFA7170FE7CFA9E33A5B MD5 Hash: F4120486B3860D9E11E36BB4021698FA Imphash: 6C5B3A3376D8E198F78D7C136B92A079 MajorOSVersion: 5 MinorOSVersion: 0 CheckSum: 00000000 EntryPoint (rva): 1C200 SizeOfHeaders: 1000 SizeOfImage: 1F000 ImageBase: 400000 Architecture: x86 ImportTable: 1E57C Characteristics: 818F TimeDateStamp: 5CCC8337 Date: 03/05/2019 18:06:47 File Type: EXE Number Of Sections: 3 ASLR: Disabled Section Names: UPX0, UPX1, .rsrc Number Of Executable Sections: 2 Subsystem: Windows GUI [Incomplete Binary or Compressor Packer - 89,66 KB Missing] |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| UPX0 | 0xE0000080 Uninitialized Data Executable Readable Writeable |
400 | 0 | 1000 | 15000 |
|
|
| UPX1 | 0xE0000040 Initialized Data Executable Readable Writeable |
400 | 6400 | 16000 | 7000 |
|
|
| .rsrc | 0xC0000040 Initialized Data Readable Writeable |
6800 | 1800 | 1D000 | 2000 |
|
|
| Description |
| OriginalFilename: Server CompanyName: Microsoft Corporation LegalCopyright: Microsoft Corporation. All rights reserved. FileVersion: 4.0.0.0 FileDescription: Microsoft Windows Spooler ProductVersion: 4.0.0 Language: English (United States) (ID=0x409) CodePage: Western European (Windows 1252) (0x4E4) |
| Entry Point |
The section number (2) - (UPX1) have the Entry Point Information -> EntryPoint (calculated) - 6600 Code -> 60BE006041008DBE00B0FEFF5783CDFFEB109090909090908A064688074701DB75078B1E83EEFC11DB72EDB80100000001DB Assembler |PUSHAD |MOV ESI, 0X416000 |LEA EDI, [ESI - 0X15000] |PUSH EDI |OR EBP, 0XFFFFFFFF |JMP 0X1022 |NOP |NOP |NOP |NOP |NOP |NOP |MOV AL, BYTE PTR [ESI] |INC ESI |MOV BYTE PTR [EDI], AL |INC EDI |ADD EBX, EBX |JNE 0X1029 |MOV EBX, DWORD PTR [ESI] |SUB ESI, -4 |ADC EBX, EBX |JB 0X1018 |MOV EAX, 1 |ADD EBX, EBX |
| Signatures |
| Certificate - Digital Signature Not Found: • The file is not signed |
| Packer/Compiler |
| Compression: UPX - Version: 3.95 Detect It Easy (die) • PE: packer: UPX(3.95)[NRV,best] • PE: compiler: Borland Delphi(-)[-] • PE: linker: Turbo Linker(2.25*,Delphi)[-] • Entropy: 7.14956 |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| File Access |
| taskkill /F /IM chrome.exe iexplore.exe .exe wsock32.dll ws2_32.dll user32.dll oleaut32.dll KERNEL32.DLL advapi32.dll |
| Interest's Words |
| taskkill taskkill |
| URLs |
| http://kernel32.ir |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (bind) |
| Text | Ascii | Stealth (VirtualProtect) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | UPX - www.upx.sourceforge.net |
| Entry Point | Hex Pattern | UPX 2.00-3.0X - Markus Oberhumer & Laszlo Molnar & John Reiser |
| Entry Point | Hex Pattern | UPX 2.90 (LZMA) |
| Entry Point | Hex Pattern | UPX v0.80 - v0.84 |
| Entry Point | Hex Pattern | UPX v0.89.6 - v1.02 / v1.05 - v1.22 |
| Entry Point | Hex Pattern | UPX v2.0 - Markus, Laszlo & Reiser (h) |
| Entry Point | Hex Pattern | UPX V2.00-V2.90 - Markus Oberhumer & Laszlo Molnar & John Reiser |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\1033 | 1D1EC | 10A8 | 69EC | 280000002000000040000000010020000000000080100000000000000000000000000000000000000000000E0000002A0000 | (... ...@..... ................................*.. |
| \RCDATA\DVCLAL\0 | 1A290 | 10 | 4690 | 0C71DB88D8FC7C7B031A83C622F8ED4B | .q....|{...."..K |
| \RCDATA\PACKAGEINFO\0 | 1A2A0 | 98 | 46A0 | 92EE1A730405C82066890142B014DF2783C3024A34E0EF9C22902273398AC8A3E490198A088A1C0A79500F8A408AF2406294 | ...s... f..B...'...J4..."."s9...........yP..@..@b. |
| \RCDATA\PLATFORMTARGETS\1033 | 1A338 | 2 | 4738 | AD67 | .g |
| \GROUP_ICON\MAINICON\1033 | 1E298 | 14 | 7A98 | 0000010001002020000001002000A81000000100 | ...... .... ....... |
| \VERSION\1\1033 | 1E2B0 | 2CC | 7AB0 | CC0234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| Intelligent String |
| • 4.0.0.0 • iexplore.exe • http://kernel32.ir • taskkill /F /IM chrome.exe |
| Flow Anomalies |
| Offset | RVA | Section | Description |
|---|---|---|---|
| 8DC | 1E2B0 | UPX1 | JMP [static] | Indirect jump to absolute memory address |
| 1A67 | 7409F744 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 39DF | 6BE2EC0E | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 42A4 | 355F1AB0 | UPX1 | CALL [static] | Indirect call to absolute memory address |
| 400-67FF | 16000 | UPX1 | Executable section anomaly, first bytes: 2E66FEFF04104000 |
| 8000 | N/A | *Overlay* | 0001000000000000000000010000000000000000 | .................... |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 20246 | 57,5825% |
| Null Byte Code | 5948 | 16,917% |
| NOP Cave Found | 0x9090909090 | Block Count: 1 | Total: 0,0071% |
© 2026 All rights reserved.