PESCAN.IO - Analysis Report |
|||||
| File Structure: | |||||
|
|||||
| Information: |
| Size: 351,22 KB SHA-256 Hash: 873EDEBCE4C999DD92CA76B5E8E1CF2871FA1E6BE327F90DB331C2A15F68D5DF SHA-1 Hash: 603973C47328E757F8A8B8D6AC8D37AEB3DADF01 MD5 Hash: 5B9FE0031A6026D068E97A2C59611CDE Imphash: D77785BC46CC37B89F2D2AE8C4E29843 MajorOSVersion: 6 CheckSum: 000670C1 EntryPoint (rva): E911 SizeOfHeaders: 400 SizeOfImage: 58000 ImageBase: 400000 Architecture: x86 ImportTable: 4EC5C Characteristics: 102 TimeDateStamp: 637F81E7 Date: 24/11/2022 14:38:31 File Type: EXE Number Of Sections: 5 ASLR: Enabled Section Names: .text, .rdata, .data, .rsrc, .reloc Number Of Executable Sections: 1 Subsystem: Windows Console UAC Execution Level Manifest: asInvoker |
| Sections Info: |
| Section Name | Flags | ROffset | RSize | VOffset | VSize |
|---|---|---|---|---|---|
| .text | 60000020 (Executable) | 400 | 38C00 | 1000 | 38BD7 |
| .rdata | 40000040 | 39000 | 16E00 | 3A000 | 16C4C |
| .data | C0000040 (Writeable) | 4FE00 | C00 | 51000 | 1668 |
| .rsrc | 40000040 | 50A00 | 600 | 53000 | 5C8 |
| .reloc | 42000040 | 51000 | 4000 | 54000 | 3F3C |
| Description: |
| InternalName: PSMWinAgentInvoker OriginalFilename: PSMWinAgentInvoker.exe CompanyName: CyberArk Software Ltd. LegalCopyright: Copyright 1999-2022 CyberArk Software Ltd. All Rights Reserved.. ProductName: CyberArk PSM Win Agent Invoker FileVersion: 13.0.0.16 |
| Entry Point: |
| The section number (1) - (.text) have the Entry Point Information -> EntryPoint (calculated) - DD11 Code -> E8CD0B0000E929FEFFFFE8220000006A00E81AFBFFFF5984C0740E68C4E94000E8BBFCFFFF5933C0C36A07E829040000CC56 • CALL 0X1BD2 • JMP 0XE33 • CALL 0X1031 • PUSH 0 • CALL 0XB30 • POP ECX • TEST AL, AL • JE 0X1029 • PUSH 0X40E9C4 • CALL 0XCE0 • POP ECX • XOR EAX, EAX • RET • PUSH 7 • CALL 0X1459 • INT3 • PUSH ESI |
| Signatures: |
| Rich Signature Analyzer: Code -> 54330E89105260DA105260DA105260DA192AF3DA025260DA763D9DDA165260DA422765DB0D5260DA422764DB1C5260DA422763DB165260DA422761DB145260DA043961DB1B5260DA105261DA365360DAD22769DB175260DAAD2765DB055260DAAD2764DB195260DAD22765DB125260DAD2279FDA115260DA1052F7DA115260DAD22762DB115260DA52696368105260DA Footprint md5 Hash -> 6D0E911C7898E39F5D0213F53F8580FF • The Rich header apparently has not been modified Certificate - Digital Signature: • The file is signed and the signature is correct |
| Packer/Compiler: |
| Compiler: Microsoft Visual Studio Detect It Easy (die) • PE: compiler: EP:Microsoft Visual C/C++(2017 v.15.5-6)[EXE32] • PE: compiler: Microsoft Visual C++(-)[-] • PE: linker: Microsoft Linker(14.29**)[EXE32,console,signed] • PE: Sign tool: Windows Authenticode(2.0)[PKCS 7] • Entropy: 6.52058 |
| Suspicious Functions: |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | CreateMutexA | Create a named or unnamed mutex object for controlling access to a shared resource. |
| KERNEL32.DLL | GetModuleFileNameA | Retrieve the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | CopyFileA | Copies an existing file to a new file. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
| KERNEL32.DLL | DeleteFileA | Deletes an existing file. |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| Windows REG: |
| System\CurrentControlSet\Services\EventLog\ |
| File Access: |
| PSMKeystrokesLogger64.exe PSMKeystrokesLogger32.exe PSMWinAgent.exe api-ms-win-crt-filesystem-l1-1-0.dll api-ms-win-crt-time-l1-1-0.dll WS2_32.dll SHLWAPI.dll api-ms-win-crt-locale-l1-1-0.dll api-ms-win-crt-math-l1-1-0.dll api-ms-win-crt-convert-l1-1-0.dll api-ms-win-crt-heap-l1-1-0.dll api-ms-win-crt-string-l1-1-0.dll api-ms-win-crt-stdio-l1-1-0.dll api-ms-win-crt-runtime-l1-1-0.dll VCRUNTIME140.dll MSVCP140.dll ADVAPI32.dll KERNEL32.dll WTSAPI32.dll Failed to load %s.DLL Wevtapi.dll .jar Proxy password is specified in the Vault define command, but ProxyUser parameter is missing in Vault.ini Proxy password is specified in the Vault define command, but Vault is defined with no proxy in Vault.ini t be specified in Vault.ini t be specified both in the Vault define command and inside Vault.ini Temp |
| File Access (UNICODE): |
| kernel32.dll PSMWinAgentInvoker.exe |
| Interest's Words: |
| Virus Encrypt Decrypt Encryption PassWord exec unescape attrib start hostname systeminfo ping expand replace |
| URLs: |
| http://www.OpenSSL.org/) http://site.icu-project.org/) http://www.apache.org/licenses/LICENSE-2.0 http://www.cyberark.com/acknowledgments http://ocsp.globalsign.com/codesigningrootr450F http://secure.globalsign.com/cacert/codesigningrootr45.crt http://crl.globalsign.com/codesigningrootr45.crl http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt http://ocsp.globalsign.com/gsgccr45evcodesignca20200U http://crl.globalsign.com/gsgccr45evcodesignca2020.crl http://s.symcd.com http://s.symcb.com/universal-root.crl http://ts-crl.ws.symantec.com/sha256-tss-ca.crl http://ts-ocsp.ws.symantec.com http://ts-aia.ws.symantec.com/sha256-tss-ca.cer https://www.globalsign.com/repository/ https://d.symcb.com/cps0% https://d.symcb.com/rpa0. https://d.symcb.com/rpa0@ |
| Payloads: |
| Unusual BP Cave > 15 Bytes - (0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...) |
| IP Addresses: |
| 13.0.0.16 |
| Strings/Hex Code Found With The File Rules: |
| • Rule Text (Ascii): WinAPI Sockets (bind) • Rule Text (Ascii): WinAPI Sockets (listen) • Rule Text (Ascii): WinAPI Sockets (accept) • Rule Text (Ascii): WinAPI Sockets (connect) • Rule Text (Ascii): WinAPI Sockets (send) • Rule Text (Ascii): Registry (RegOpenKeyEx) • Rule Text (Ascii): File (GetTempPath) • Rule Text (Ascii): File (CopyFile) • Rule Text (Ascii): File (CreateFile) • Rule Text (Ascii): File (WriteFile) • Rule Text (Ascii): File (ReadFile) • Rule Text (Ascii): Service (OpenSCManager) • Rule Text (Ascii): Service (StartServiceCtrlDispatcher) • Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent) • Rule Text (Ascii): Anti-Analysis VM (GetSystemInfo) • Rule Text (Ascii): Anti-Analysis VM (GlobalMemoryStatusEx) • Rule Text (Ascii): Anti-Analysis VM (GetVersion) • Rule Text (Ascii): Execution (CreateProcessA) • Rule Text (Ascii): Antivirus Software (Symantec) • Rule Text (Ascii): Information used to authenticate a users identity (Credential) • Rule Text (Ascii): Software that records user activity (Logger) • Rule Text (Ascii): Information used for user authentication (Credential) • EP Rules: Microsoft Visual C++ 8 • EP Rules: Microsoft Visual C++ 8 • EP Rules: VC8 -> Microsoft Corporation |
| Resources: |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \VERSION\1\1037 | 530A0 | 3A8 | 50AA0 | A80334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\1033 | 53448 | 17D | 50E48 | 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779 | <?xml version='1.0' encoding='UTF-8' standalone='y |
| Intelligent String: |
| • PSMKeystrokesLogger32.exe • PSMKeystrokesLogger64.exe • invalid string positionvector too long\xDR@api-ms-win-core-synch-l1-2-0.dll • kernel32.dll • xD/ACCAGBuffer.cpp • CCAGComponentException.cpp • %s%05d%05d%016I64d%06d.tmp • CCAGMessages.cpp • CCAGTimeStamp.cpp • old.log • CCAGLoggerBase.cpp • "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" • You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 • Third party components used in CyberArk software may be subject to terms and conditions listed on http://www.cyberark.com/acknowledgments • %d.%d.%d.%d.zip • .cab • .jar • .chm • .jpg • .gif • .png • .gz.new • .dat • d:\jenkins_aws\Components\PAS-enginescommon-release-release_PSM-RDP-v13.0.0-Windows32-19\OSObjects\OSObjects\CAOSOInvokerService.cpp • d:\jenkins_aws\Components\PAS-enginescommon-release-release_PSM-RDP-v13.0.0-Windows32-19\OSObjects\OSObjects\CAOSORemoteInvokerServiceRequestMessage.cpp • d:\jenkins_aws\Components\PAS-enginescommon-release-release_PSM-RDP-v13.0.0-Windows32-19\OSObjects\OSObjects\CAOSORemoteInvokerServiceResponseMessage.cpp • d:\jenkins_aws\Components\PAS-enginescommon-release-release_PSM-RDP-v13.0.0-Windows32-19\OSObjects\OSObjects\CAOSONamedPipeIPCChannel.cpp • d:\jenkins_aws\Components\psm-rdp-release-release_PSM-RDP-v13.0.0-Windows32-16\bin\PSM-RDP\exec\Win32\Release\PSMWinAgentInvoker.pdb • .tls • .bss • .sCS • KERNEL32.dll • ADVAPI32.dll • api-ms-win-crt-runtime-l1-1-0.dll • api-ms-win-crt-stdio-l1-1-0.dll • api-ms-win-crt-string-l1-1-0.dll • api-ms-win-crt-heap-l1-1-0.dll • api-ms-win-crt-convert-l1-1-0.dll • api-ms-win-crt-math-l1-1-0.dll • api-ms-win-crt-locale-l1-1-0.dll • WS2_32.dll • 4_strnicmpF_fdopen&_fileno4_getpid._strlwrapi-ms-win-crt-time-l1-1-0.dll • api-ms-win-crt-filesystem-l1-1-0.dll • .PAD • .PAX • 13.0.0.16 • PSMWinAgentInvoker.exe |
| Extra 4n4lysis: |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 211816 | 58,8954% |
| Null Byte Code | 50422 | 14,0198% |
© 2025 All rights reserved.