Advanced Static Analysis Tool
PEscan is a static analysis tool for Microsoft Windows files in the Portable Executable (PE) format, including .exe, .dll, .sys, .ocx, .scr, .drv, and .cpl files. Its primary purpose is to gather detailed information that helps identify malicious code within these files. PEscan inspects the PE headers, the section structures, and the internal contents, including strings and metadata. Through its own detection methods, PEscan identifies irregularities and potential threats commonly associated with modern malware. Because the analysis is static, it can uncover malicious code without executing the files, which makes it a valuable tool for malware researchers and security professionals.
The tool is widely used in environments like Computer Emergency Response Teams (CERTs), Security Operations Centers (SOCs), Digital Forensic Laboratories, and other cybersecurity-related fields. Its ability to analyze files without execution makes it indispensable in the prevention, detection, and investigation of malicious activities in a variety of settings, including incident response and malware analysis.
Supported Architecture Matrix
Architecture | Supported Processors and Functionalities |
---|---|
32-bit | Debugging and Import/Export Table extraction supported for: 8086, x86, and ARMv7. |
64-bit | Debugging and Import/Export Table extraction supported for: AMD64, x86-64, x64, and ARMv8. |
Additional Architectures | Import/Export Table extraction supported for: Alpha AXP, ARM Thumb-2, EFI Byte Code (EBC), Hitachi SH3/SH4/SH5, Intel i860, Intel Itanium (IA-64), M32R, MIPS16, MIPS16 with FPU, MIPS R3000/R4000, MIPS with FPU, MIPS little-endian, and MIPS little-endian WCE v2. |
Detection Features
PEscan offers an extensive range of detection capabilities, including:
Feature | Description |
---|---|
PE Information | Details about the Portable Executable (PE) file format, used in Windows executables. |
Entry Points | Detects entry points in unexpected locations within a file, a trait often seen in malware. The detection rules were built by reviewing over 10,000 entry points from current malware and include compiler and packer rules that identify potential obfuscation or manipulation techniques. |
Algorithms | Identifies cryptographic or other computational algorithms within the file. |
Anomalous Instructions | Flags unusual or suspicious instructions that deviate from typical execution patterns. |
Packers | Detects the use of software packers, often used to obfuscate code or compress executables. |
Compilations | Analyzes compilation details, such as timestamps and compilers used. |
Binders/Joiners/Crypters | Detects tools used to combine multiple files or encrypt executables, often used by malware. Employs proprietary methodologies to identify dropper code in analyzed files. |
Possible Malicious Functions | Identifies functions commonly associated with malicious behavior. Provides a description of the functionalities of flagged suspicious functions and employs proprietary methods to identify potential functions not defined in the Import Table, known as Call API By Name. |
Registry Keys | Lists Windows Registry keys accessed or modified, often a sign of malware activity. |
File Access | Identifies file names commonly associated with malware activity. |
Juicy Words | Searches for sensitive or revealing keywords within the file. |
Anti-VM/Sandbox/Debug Detection | Detects techniques used to evade virtual machines, sandboxes, or debuggers. |
URL Extractor | Extracts all types of URLs, including HTTP, HTTPS, FTP, and others, embedded in the file. |
Payload and Exploit Detection | Detects both known payloads embedded within the file and applies custom detection rules to identify new or evolving payloads that may not yet be recognized. |
AV Services | Checks for interactions with or attempts to disable antivirus services. |
Duplicate Sections | Finds duplicate sections in the file, which may indicate obfuscation or redundancy. |
IP/Domains List | Extracts IP addresses and domain names, potentially used for communication. |
Polymorphic Patterns | Flags code patterns designed to change frequently, evading detection. |
Rich Signature Analysis | Analyzes Rich headers for compiler and toolchain metadata and includes a custom detection method to identify modifications in the Rich Signature. |
CheckSum Integrity Problems | Checks for invalid checksum values, which may indicate tampering. |
SQL Queries | Identifies embedded SQL queries, potentially related to database interaction or exploitation. |
Emails | Extracts email addresses from the file. |
Malicious Resources | Flags suspicious resources embedded in the file, such as payloads or executables. |
PE Carve | Extracts PE files from binary blobs or other structures. |
Export Table Carving Extraction | Method for extracting export tables from binaries using carving techniques. |
Intelligent Strings | Extracts a wide range of IOCs from the file's strings and presents them in the form reversers are used to working with. |
Automatic Yara Rule Creation | Generates Yara rules for signature-based detection of the file. |
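To make a few of the header-level checks in the table concrete, here is an added example (not PEscan's own code) of three of them in Python: an entry point that lies outside every section or inside a non-executable section, duplicate section names, and a stored PE checksum that does not match the recomputed value. It uses only the standard library; the minimal PE32 image it analyzes is constructed in memory by `build_sample_pe`, a helper invented for this example, and the field offsets follow the published PE/COFF layout.

```python
"""Static PE header checks: entry point placement, duplicate sections, checksum.
Constructed example; the PE images it inspects are built in memory, not read from disk."""
import struct

SCN_MEM_EXECUTE = 0x20000000  # IMAGE_SCN_MEM_EXECUTE section flag
OPT_HDR_PE32 = 0xE0           # SizeOfOptionalHeader of a PE32 image


def parse_pe(data):
    """Return (optional-header offset, entry RVA, stored checksum, list of sections)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    checksum = struct.unpack_from("<I", data, opt + 64)[0]    # CheckSum (same offset in PE32 and PE32+)
    sections = []
    table = opt + opt_size
    for i in range(num_sections):
        hdr = table + i * 40
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, hdr)
        chars = struct.unpack_from("<I", data, hdr + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return opt, entry_rva, checksum, sections


def pe_checksum(data, checksum_offset):
    """Recompute the PE checksum: 16-bit word sum with carry folding, plus the file length.
    The CheckSum field itself is treated as zero."""
    total = 0
    padded = data + b"\0" * (len(data) % 2)
    for off in range(0, len(padded), 2):
        if off in (checksum_offset, checksum_offset + 2):
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def analyze_pe(data):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    opt, entry_rva, stored, sections = parse_pe(data)
    findings = []
    # 1. The entry point should fall inside a section that is marked executable.
    entry_sec = next((s for s in sections
                      if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if entry_sec is None:
        findings.append("entry point 0x%X is outside every section" % entry_rva)
    elif not entry_sec["chars"] & SCN_MEM_EXECUTE:
        findings.append("entry point 0x%X lies in non-executable section %s" % (entry_rva, entry_sec["name"]))
    # 2. Section names are expected to be unique; repeats are a common sign of tampering or packing.
    names = [s["name"] for s in sections]
    for n in sorted(set(names)):
        if names.count(n) > 1:
            findings.append("duplicate section name %s" % n)
    # 3. A zero checksum is common in user-mode binaries and is not reported; a non-zero
    #    value that does not match the recomputed one indicates the file was modified.
    if stored != 0:
        computed = pe_checksum(data, opt + 64)
        if stored != computed:
            findings.append("checksum 0x%08X does not match recomputed 0x%08X" % (stored, computed))
    return findings


def build_sample_pe(entry_rva, section_specs, patch_checksum=None):
    """Construct a minimal PE32 image (constructed test data, not a real binary).
    section_specs: list of (name, virtual address, virtual size, characteristics).
    Raw data for section i is placed at file offset 0x200 * (i + 1), 0x200 bytes each."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, OPT_HDR_PE32, 0x102)
    opt = bytearray(OPT_HDR_PE32)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)               # Section/File alignment
    struct.pack_into("<II", opt, 56, 0x1000 * (len(section_specs) + 1), 0x200)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                            # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    hdrs, raw = b"", b""
    for i, (name, va, size, chars) in enumerate(section_specs):
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), size, va, 0x200, 0x200 * (i + 1), 0, 0, 0, 0, chars)
        raw += b"\xC3" * 0x200 if chars & SCN_MEM_EXECUTE else b"\0" * 0x200   # ret sled or zeros
    image = bytearray(dos + b"PE\0\0" + coff + bytes(opt) + hdrs)
    image += b"\0" * (0x200 - len(image))
    image += raw
    opt_off = 0x40 + 4 + 20
    value = pe_checksum(bytes(image), opt_off + 64) if patch_checksum is None else patch_checksum
    struct.pack_into("<I", image, opt_off + 64, value)
    return bytes(image)


# Constructed samples: a clean image, and one with a data-section entry point,
# a repeated section name and a forged checksum.
CLEAN = build_sample_pe(0x1010, [(".text", 0x1000, 0x200, 0x60000020), (".data", 0x2000, 0x100, 0xC0000040)])
TAMPERED = build_sample_pe(0x2010, [(".text", 0x1000, 0x200, 0x60000020), (".text", 0x2000, 0x100, 0xC0000040)],
                           patch_checksum=0xDEADBEEF)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, analyze_pe(sample) or ["no findings"])
```

Running the block prints no findings for the clean image and three for the tampered one. The same `analyze_pe` works on a real file read with `open(path, "rb").read()`; the only tool-specific assumption is the constructed sample layout.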
Information about Codes
Codes are the feature that gives users access to the advanced functions, supports maintenance of the platform, and encourages sharing of information within the community. With each code, users can generate various analysis files, such as:
- String Dump: A file that collects all strings detected in an executable file during analysis.
- Extraction of Import and Export Tables: Retrieves detailed information about the imported and exported functions in executables.
- Generation of Verified Yara Rules: Creates a Yara rule based on the analysis, useful for detecting similar files in the future.
Using Codes
Each code is associated with a specific number of scans, which can be checked in the "Code" section of the website. There, users can verify how many scans remain available for their code.
Using a code to perform a scan consumes one of its scans and allows a complete analysis of any file or executable on the platform. Private scans consume two scans.
Users who use a code to scan files will notice an increase in processing capacity for larger files, with the limit increasing from 3 MB to 15 MB.
Exceptions: If a user scans a file whose hash has been previously processed with a valid code, no new scan will be deducted, and the result will be shown automatically. If the scan is performed without a valid code, the file will be scanned again.
Analysis without a Code
Analyses without a code will not generate advanced files (such as string dumps or Yara rules) but will be available for reference if other users search for the file’s hash.
This code system ensures that advanced functions are available to those who need them, while also providing flexibility and accessibility within the platform.
Pricing Details - Q1 2025
Below is a breakdown of the available packages:
Number of Scans | Price | Price per Use | Details |
---|---|---|---|
10 Scans | €1.50 | €0.15 | Perfect for small-scale usage. |
50 Scans | €5.00 | €0.10 | Great for frequent analyses. |
100 Scans | €9.00 | €0.09 | Discounted for larger volumes of analysis. |
200 Scans | €16.00 | €0.08 | Best offer for regular users. |
500 Scans | €35.00 | €0.07 | Lowest price per use, ideal for heavy users. |
How Your Contribution Helps
Your purchase ensures that we can continue offering high-quality services and keep improving the platform for malware analysis. The codes give you access to more advanced capabilities than the Platino Medal, helping us keep the service free and efficient for everyone.
Payment Concept
When making a payment, please include your email address for confirmation purposes. If you experience any issues with the codes, feel free to reach out to me directly at gsanchez@enelpc.com. I’ll be happy to assist you with any concerns or issues regarding this service.