PESCAN.IO - Analysis Report Basic
| File Structure |
[PE structure chart not available; legend: executable header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red denotes a malformed or corrupted header. For non-PE files the chart distinguishes printable (blue) from non-printable (black) characters.]
| Information |
| Field | Value |
|---|---|
| Size | 5,23 MB |
| SHA-256 Hash | BF70FB14DB91D05986ABA7D82D79A43AA27BCC99CB54B56E37FE89DF5F7AE1C2 |
| SHA-1 Hash | 2962CEE0B26470A5BAAC7DBAE870AA7D7DCEEA97 |
| MD5 Hash | CDA706C5FF823B08BCA6584992D2051B |
| Imphash | 2E5467CBA76F44A088D39F78C5E807B6 |
| MajorOSVersion | 4 |
| MinorOSVersion | 0 |
| CheckSum | 00000000 |
| EntryPoint (rva) | 99458C |
| SizeOfHeaders | 2000 |
| SizeOfImage | 998000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ExportTable | 78D020 |
| ImportTable | 78DE18 |
| Characteristics | 102 |
| TimeDateStamp | 64B8F583 |
| Date | 20/07/2023 8:51:15 |
| File Type | EXE |
| Number Of Sections | 6 |
| ASLR | Enabled |
| Section Names | (0x20)(0x20)(0x20)(0x20)(0x20)(0x20), hnjeqcfv, eeudsstp, (0x20)(0x20)(0x20), .cydata, .cyanide |
| Number Of Executable Sections | 6 |
| Subsystem | Windows GUI |
| Note | Incomplete Binary or Compressor Packer - 4,37 MB Missing |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| (0x20)(0x20)(0x20)(0x20)(0x20)(0x20) | E0000040 (Initialized Data, Executable, Readable, Writeable) | 2000 | 14000 | 2000 | 26000 | 7,9963 | 458,20 |
| hnjeqcfv | E0000040 (Initialized Data, Executable, Readable, Writeable) | 16000 | 0 | 28000 | 24000 | N/A | N/A |
| eeudsstp | E0000040 (Initialized Data, Executable, Readable, Writeable) | 16000 | 200 | 4C000 | 2000 | 0,2647 | 123995,00 |
| (0x20)(0x20)(0x20) | E0000040 (Initialized Data, Executable, Readable, Writeable) | 16200 | 22A00 | 4E000 | 24000 | 7,6246 | 322280,58 |
| .cydata | E0000040 (Initialized Data, Executable, Readable, Writeable) | 38C00 | 2F3C00 | 72000 | 718000 | 7,9974 | 11109,04 |
| .cyanide | E0000040 (Initialized Data, Executable, Readable, Writeable) | 32C800 | 20D400 | 78A000 | 20E000 | 7,9829 | 57976,66 |
| Description |
| Field | Value |
|---|---|
| OriginalFilename | BMW EDC16 Immo tool.exe |
| CompanyName | ShperAuto.com |
| LegalCopyright | Copyright 2023 |
| LegalTrademarks | BMW EDC16 Immo tool |
| ProductName | BMW EDC16 Immo tool |
| FileVersion | 1.0.0.0 |
| FileDescription | BMW EDC16 Immo tool |
| ProductVersion | 1.0.0.0 |
| Language | Unknown (ID=0x0) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |
| Entry Point |
Section number 6 (.cyanide) holds the Entry Point.
EntryPoint (calculated): 536D8C
Code: EB0800C832000000000060E8000000005D81ED1000000081ED8C459900E9040000006A0DAE87B88C45990003C581C04C0000
Disassembly:
• JMP 0X100A
• ADD AL, CL
• XOR AL, BYTE PTR [EAX]
• ADD BYTE PTR [EAX], AL
• ADD BYTE PTR [EAX], AL
• PUSHAD
• CALL 0X1010
• POP EBP
• SUB EBP, 0X10
• SUB EBP, 0X99458C
• JMP 0X1026
• PUSH 0XD
• SCASB AL, BYTE PTR ES:[EDI]
• XCHG DWORD PTR [EAX + 0X99458C], EDI
• ADD EAX, EBP
EP changed to another address -> (Address Of EntryPoint > Base Of Data)
| Signatures |
| Certificate - Digital Signature: • The file is not signed |
| Packer/Compiler |
| Detect It Easy (die) • Entropy: 7.99327 |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| SHELL32.DLL | ShellExecuteA | Performs an operation (such as open or run) on a specified file. |
| File Access |
| mscoree.dll version.dll shell32.dll gdi32.dll oleaut32.dll advapi32.dll user32.dll kernel32.dll |
| File Access (UNICODE) |
| BMW EDC16 Immo tool.exe |
| Words of Interest |
| exec ping |
| URLs |
• http://s.symcd.com
• http://s.symcb.com/universal-root.crl
• http://ts-crl.ws.symantec.com/sha256-tss-ca.crl
• http://ts-ocsp.ws.symantec.com
• http://ts-aia.ws.symantec.com/sha256-tss-ca.cer
• http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl
• http://pki-ocsp.symauth.com
• http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.crl
• https://d.symcb.com/cps0%
• https://d.symcb.com/rpa0.
• https://d.symcb.com/rpa0@
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Execution (ShellExecute) |
| Text | Ascii | Antivirus Software (Symantec) |
| Entry Point | Hex Pattern | ASPack 1.02b or 1.08.03 |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\2\0 | 4E388 | 5938 | 16588 | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A8660000200049444154789CED7DED81E3BAAE | .PNG........IHDR.............\r.f.. .IDATx..}..... |
| \ICON\3\0 | 53CC0 | 668 | 1BEC0 | 2800000030000000600000000100040000000000000600000000000000000000100000001000000000000000000080000080 | (...0............................................ |
| \ICON\4\0 | 54328 | 2E8 | 1C528 | 2800000020000000400000000100040000000000800200000000000000000000100000001000000000000000000080000080 | (... ...@......................................... |
| \ICON\5\0 | 54610 | 1E8 | 1C810 | 2800000018000000300000000100040000000000800100000000000000000000100000001000000000000000000080000080 | (.......0......................................... |
| \ICON\6\0 | 547F8 | 128 | 1C9F8 | 2800000010000000200000000100040000000000C00000000000000000000000100000001000000000000000000080000080 | (....... ......................................... |
| \ICON\7\0 | 54920 | 8751 | 1CB20 | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A8660000200049444154789CECBD797C5BE599 | .PNG........IHDR.............\r.f.. .IDATx...y|[.. |
| \ICON\8\0 | 5D074 | EA8 | 25274 | 2800000030000000600000000100080000000000800A00000000000000000000000100000001000000000000838383004544 | (...0..........................................ED |
| \ICON\9\0 | 5DF1C | 8A8 | 2611C | 2800000020000000400000000100080000000000800400000000000000000000000100000001000000000000D9B46C001515 | (... ...@.....................................l... |
| \ICON\10\0 | 5E7C4 | 6C8 | 269C4 | 2800000018000000300000000100080000000000A00200000000000000000000000100000001000000000000725A2B00E0E0 | (.......0...................................rZ+... |
| \ICON\11\0 | 5EE8C | 568 | 2708C | 28000000100000002000000001000800000000004001000000000000000000000001000000010000000000007D8284007D82 | (....... ...........@.......................}...}. |
| \ICON\12\0 | 5F3F4 | CD23 | 275F4 | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A8660000200049444154789CECBD777C1CD5B9 | .PNG........IHDR.............\r.f.. .IDATx...w|... |
| \ICON\13\0 | 6C118 | 25A8 | 34318 | 2800000030000000600000000100200000000000802500000000000000000000000000000000000000000000000000000000 | (...0........ ......%............................ |
| \ICON\14\0 | 6E6C0 | 10A8 | 368C0 | 2800000020000000400000000100200000000000801000000000000000000000000000000000000000000000000000000000 | (... ...@..... ................................... |
| \ICON\15\0 | 6F768 | 988 | 37968 | 2800000018000000300000000100200000000000600900000000000000000000000000000000000000000000000000000000 | (.......0..... .................................. |
| \ICON\16\0 | 700F0 | 468 | 382F0 | 2800000010000000200000000100200000000000400400000000000000000000000000000000000000000000000000000000 | (....... ..... .....@............................. |
| \GROUP_ICON\32512\0 | 70558 | D8 | 38758 | 000001000F00000010000100040038590000020030301000010004006806000003002020100001000400E802000004001818 | ..............8Y....00......h..... .............. |
| \VERSION\1\0 | 70630 | 38C | 38830 | 8C0334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| Intelligent String |
| • 1.0.0.0 • BMW EDC16 Immo tool.exe • 9Jx • ShperAuto.com • kernel32.dll • user32.dll • advapi32.dll • oleaut32.dll • gdi32.dll • shell32.dll • version.dll • mscoree.dll |
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 429E | 70630 | (0x20)(0x20)(0x20)(0x20)(0x20)(0x20) | JMP [static] | Indirect jump to absolute memory address |
| 14BB3 | 32F58CAA | (0x20)(0x20)(0x20)(0x20)(0x20)(0x20) | JMP [static] | Indirect jump to absolute memory address |
| 181B7 | 32F58CAA | (0x20)(0x20)(0x20) | JMP [static] | Indirect jump to absolute memory address |
| 2E50D | 500100AA | (0x20)(0x20)(0x20) | CALL [static] | Indirect call to absolute memory address |
| 32C09 | 500100AA | (0x20)(0x20)(0x20) | JMP [static] | Indirect jump to absolute memory address |
| 350D3 | 13FF1515 | (0x20)(0x20)(0x20) | CALL [static] | Indirect call to absolute memory address |
| 351A3 | 3AFF1515 | (0x20)(0x20)(0x20) | CALL [static] | Indirect call to absolute memory address |
| 35253 | 24FF2525 | (0x20)(0x20)(0x20) | JMP [static] | Indirect jump to absolute memory address |
| 355CF | 5BFF161E | (0x20)(0x20)(0x20) | JMP [static] | Indirect jump to absolute memory address |
| 35833 | 2FC2224 | (0x20)(0x20)(0x20) | JMP [static] | Indirect jump to absolute memory address |
| 360EB | DFF1515 | (0x20)(0x20)(0x20) | CALL [static] | Indirect call to absolute memory address |
| 3610B | DFF1515 | (0x20)(0x20)(0x20) | CALL [static] | Indirect call to absolute memory address |
| 376AF | 9FF1515 | (0x20)(0x20)(0x20) | CALL [static] | Indirect call to absolute memory address |
| 37BEB | 5EFF1214 | (0x20)(0x20)(0x20) | CALL [static] | Indirect call to absolute memory address |
| 37CFB | 11FF1515 | (0x20)(0x20)(0x20) | CALL [static] | Indirect call to absolute memory address |
| 37DA7 | 1EE2224 | (0x20)(0x20)(0x20) | JMP [static] | Indirect jump to absolute memory address |
| 38507 | FF1D22 | (0x20)(0x20)(0x20) | JMP [static] | Indirect jump to absolute memory address |
| 38547 | FF2023 | (0x20)(0x20)(0x20) | JMP [static] | Indirect jump to absolute memory address |
| 3A83A | FF2023 | .cydata | CALL [static] | Indirect call to absolute memory address |
| 3D447 | 25124847 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 3D579 | A04B2F0 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 4C439 | 660D7E7F | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 4CF65 | 21072D24 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 58EA0 | 5FE186AE | .cydata | CALL [static] | Indirect call to absolute memory address |
| 5B4F7 | 5FE186AE | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 5E83D | 69547BE8 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 6285E | 69547BE8 | .cydata | CALL [static] | Indirect call to absolute memory address |
| 63EB3 | 69547BE8 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 7026B | 4FB61CB3 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 70997 | 4FB61CB3 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 752E8 | 4FB61CB3 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 89525 | FF50E4E | .cydata | CALL [static] | Indirect call to absolute memory address |
| 939C3 | 56F80CE4 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 95742 | 62D9B6B | .cydata | CALL [static] | Indirect call to absolute memory address |
| 9AD3E | 62D9B6B | .cydata | CALL [static] | Indirect call to absolute memory address |
| A5E6B | 78DB6DDD | .cydata | CALL [static] | Indirect call to absolute memory address |
| A6B88 | 50150813 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| B1531 | 50150813 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| BB890 | 50150813 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| C5919 | 50150813 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| D3381 | 50150813 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| D36AE | 2D44BA90 | .cydata | CALL [static] | Indirect call to absolute memory address |
| D7318 | 2D44BA90 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| D9C48 | 2D44BA90 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| E3A51 | 6D8F5044 | .cydata | CALL [static] | Indirect call to absolute memory address |
| F02E9 | 6D8F5044 | .cydata | CALL [static] | Indirect call to absolute memory address |
| F56D0 | 6589A615 | .cydata | CALL [static] | Indirect call to absolute memory address |
| F8548 | 191B1923 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 1052BD | 3F51AB74 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 112384 | 59AE1182 | .cydata | CALL [static] | Indirect call to absolute memory address |
| 1140C6 | 5055E013 | .cydata | CALL [static] | Indirect call to absolute memory address |
| 11430E | 5055E013 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 13914C | 63DC4B1 | .cydata | CALL [static] | Indirect call to absolute memory address |
| 13BC86 | 63DC4B1 | .cydata | CALL [static] | Indirect call to absolute memory address |
| 1437C4 | 3D3DAC1B | .cydata | CALL [static] | Indirect call to absolute memory address |
| 14E78C | 7A209D02 | .cydata | CALL [static] | Indirect call to absolute memory address |
| 14FEB2 | 7A209D02 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 157E46 | 7A209D02 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 16B811 | A53E7CA | .cydata | CALL [static] | Indirect call to absolute memory address |
| 170580 | 601B7772 | .cydata | CALL [static] | Indirect call to absolute memory address |
| 172B3B | 601B7772 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 17B61F | 5B0C49FE | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 181A2E | 5B0C49FE | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 182A85 | 19447B3F | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 183170 | 19447B3F | .cydata | CALL [static] | Indirect call to absolute memory address |
| 198554 | B195A31 | .cydata | CALL [static] | Indirect call to absolute memory address |
| 1AA461 | B195A31 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 1AAAA8 | 780AFD2F | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 1BE69A | 780AFD2F | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 1E9F97 | 934B851 | .cydata | CALL [static] | Indirect call to absolute memory address |
| 1F3BA2 | 11954CD9 | .cydata | CALL [static] | Indirect call to absolute memory address |
| 206BBC | 11954CD9 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 21342D | 7E3B69C5 | .cydata | CALL [static] | Indirect call to absolute memory address |
| 219E5A | 3D06232F | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 21BE8C | 43FD5CFB | .cydata | CALL [static] | Indirect call to absolute memory address |
| 21D50B | 43FD5CFB | .cydata | CALL [static] | Indirect call to absolute memory address |
| 224256 | 43FD5CFB | .cydata | CALL [static] | Indirect call to absolute memory address |
| 2251A9 | 76D7C07 | .cydata | CALL [static] | Indirect call to absolute memory address |
| 22F480 | 76D7C07 | .cydata | CALL [static] | Indirect call to absolute memory address |
| 238C3C | 76D7C07 | .cydata | CALL [static] | Indirect call to absolute memory address |
| 246D22 | 76D7C07 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 24A668 | 76D7C07 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 24D643 | 76D7C07 | .cydata | CALL [static] | Indirect call to absolute memory address |
| 24D98A | 1889B941 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 25CA44 | 1889B941 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 260372 | 4409EC54 | .cydata | CALL [static] | Indirect call to absolute memory address |
| 2659F2 | 4409EC54 | .cydata | CALL [static] | Indirect call to absolute memory address |
| 27928E | 4409EC54 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 27BCAF | 1EEBA197 | .cydata | CALL [static] | Indirect call to absolute memory address |
| 2824AB | 1EEBA197 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 28324F | 7F0A7E1E | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 2842A1 | 7284A10 | .cydata | CALL [static] | Indirect call to absolute memory address |
| 28FB8B | 7284A10 | .cydata | CALL [static] | Indirect call to absolute memory address |
| 29C37F | 7284A10 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 29D69F | 7284A10 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 29DAB0 | 7284A10 | .cydata | CALL [static] | Indirect call to absolute memory address |
| 2A1543 | 7284A10 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 2B07B3 | 4189E076 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 2B4B0B | 540A0718 | .cydata | JMP [static] | Indirect jump to absolute memory address |
| 2C5315 | 1C8875FC | .cydata | CALL [static] | Indirect call to absolute memory address |
| 3487CE-3487DB | N/A | .cyanide | | Potential obfuscated jump sequence detected, count: 7 |
| 3487DE-3487EF | N/A | .cyanide | | Potential obfuscated jump sequence detected, count: 9 |
| 2000-15FFF | 2000 | (0x20)(0x20)(0x20)(0x20)(0x20)(0x20) | | Executable section anomaly, first bytes: 06F9F5AA16C5DAC9 |
| 16000-161FF | 4C000 | eeudsstp | | Executable section anomaly, first bytes: EDB1A1F480C2003A |
| 16200-38BFF | 4E000 | (0x20)(0x20)(0x20) | | Executable section anomaly, first bytes: 0000000000000000 |
| 38C00-32C7FF | 72000 | .cydata | | Executable section anomaly, first bytes: 4E3DF93B9E33EDE4 |
| 32C800-539BFF | 78A000 | .cyanide | | Executable section anomaly, first bytes: 5441474700300000 |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 3717172 | 67,8387% |
| Null Byte Code | 49022 | 0,8947% |