PESCAN.IO - Analysis Report Basic
| File Structure |
PE Chart Code
Header PE (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header
Chart Code For Other Files
Printable characters (blue)
Non-printable characters (black)
| Information |
| Field | Value |
|---|---|
| Size | 450,00 KB |
| SHA-256 Hash | 699EC052ECC898BDBDAFEA0027C4AB44C3D01AE011C17745DD2B7FBDDAA077F3 |
| SHA-1 Hash | 9AA826795798948E8058E3FF1342D81D5D8EE4FA |
| MD5 Hash | 2B294B3499D1CCE794BADFFC959B7618 |
| Imphash | F34D5F2D4577ED6D9CEEC516C1F5A744 |
| MajorOSVersion | 4 |
| MinorOSVersion | 0 |
| CheckSum | 00000000 |
| EntryPoint (rva) | 6C2CE |
| SizeOfHeaders | 200 |
| SizeOfImage | 76000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ImportTable | 6C27C |
| IAT | 2000 |
| Characteristics | 102 |
| TimeDateStamp | 5A5DB497 |
| Date | 16/01/2018 8:15:19 |
| File Type | EXE |
| Number Of Sections | 3 |
| ASLR | Enabled |
| Section Names | .text, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| UAC Execution Level Manifest | asInvoker |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 200 | 6A400 | 2000 | 6A2D4 | | |
| .rsrc | 0x40000040 Initialized Data Readable | 6A600 | 6000 | 6E000 | 5E80 | | |
| .reloc | 0x42000040 Initialized Data GP-Relative Readable | 70600 | 200 | 74000 | C | | |
| Description |
| OriginalFilename: Po160118.exe CompanyName: Comverse Technology LegalCopyright: (c) 2015Comverse Technology ProductName: Comverse Technology Cemp Kopl FileVersion: 6.9.1.5 FileDescription: Comverse Technology ProductVersion: 6.9.1.5 Comments: Comverse Technology Kopl Language: Unknown (ID=0x0) CodePage: Unicode (UTF-16 LE) (0x4B0) |
| Entry Point |
The section number (1) - (.text) have the Entry Point Information -> EntryPoint (calculated) - 6A4CE Code -> FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Assembler |JMP DWORD PTR [0X402000] |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |
| Signatures |
| Certificate - Digital Signature Not Found: • The file is not signed |
| Packer/Compiler |
| Compiler: Microsoft Visual .NET - (You can use a decompiler for this...) • AnyCPU: False • Version: v4.0 Detect It Easy (die) • PE: library: .NET(v4.0.30319)[-] • PE: compiler: VB.NET(-)[-] • PE: linker: Microsoft Linker(11.0)[-] • Entropy: 6.96315 |
| File Access |
| Po160118.exe mscoree.dll Temp |
| File Access (UNICODE) |
| Po160118.exe |
| Interest's Words |
| exec attrib |
| IP Addresses |
| 11.0.0.0 17.18.7.0 |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Entry Point | Hex Pattern | Microsoft Visual C / Basic .NET |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 |
| Entry Point | Hex Pattern | Microsoft Visual C v7.0 / Basic .NET |
| Entry Point | Hex Pattern | Microsoft Visual Studio .NET |
| Entry Point | Hex Pattern | .NET executable |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\2\0 | 6E528 | 4228 | 6AB28 | 280000004000000080000000010020000000000000000000130B0000130B000000000000000000004435E5FF4435E5FF4435 | (...@......... .........................D5..D5..D5 |
| \ICON\3\0 | 72750 | 10A8 | 6ED50 | 280000002000000040000000010020000000000000000000130B0000130B000000000000000000004435E5FF4435E5FF4435 | (... ...@..... .........................D5..D5..D5 |
| \ICON\4\0 | 737F8 | 468 | 6FDF8 | 280000001000000020000000010020000000000000000000130B0000130B000000000000000000004435E5FF4435E5FF4536 | (....... ..... .........................D5..D5..E6 |
| \GROUP_ICON\32512\0 | 73C60 | 30 | 70260 | 00000100030040400000010020002842000002002020000001002000A810000003001010000001002000680400000400 | ......@@.... .(B.... .... ............. .h..... |
| \VERSION\1\0 | 6E190 | 398 | 6A790 | 980334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000900 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\0 | 73C90 | 1EA | 70290 | EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65 | ...<?xml version="1.0" encoding="UTF-8" standalone |
| Intelligent String |
| • Po160118.exe • 6.9.1.5 • _CorExeMainmscoree.dll • 17.18.7.0 |
| Flow Anomalies |
| Offset | RVA | Section | Description |
|---|---|---|---|
| A88B | 38C963C0 | .text | CALL [static]: Indirect call to absolute memory address |
| 16679 | 38C963C0 | .text | CALL [static]: Indirect call to absolute memory address |
| 27B21 | 3C2B50D5 | .text | CALL [static]: Indirect call to absolute memory address |
| 2BA44 | 3850991 | .text | JMP [static]: Indirect jump to absolute memory address |
| 2BDB8 | 2D0F712D | .text | JMP [static]: Indirect jump to absolute memory address |
| 2C04A | 2FFA61E0 | .text | CALL [static]: Indirect call to absolute memory address |
| 3EB91 | 2FFA61E0 | .text | JMP [static]: Indirect jump to absolute memory address |
| 6A4CE | 402000 | .text | JMP [static]: Indirect jump to absolute memory address |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 275077 | 59,6955% |
| Null Byte Code | 91433 | 19,8422% |