Exescan

From aldeid

Description

PE File Anomaly Detector Tool

Installation

Requirements

Exescan

Usage

Syntax

Usage: prog [option] file/Directory

Options

-a
advanced scan with anomaly detection
-b
display basic information
-m
scan for commonly known malware APIs
-i
display import/export table
-p
display PE header

Examples

Example #1

C:\tools\ExeScan>python exescan.py -a \malware\bintext.exe
C:\malware\bintext.exe
                **********************************************************
                **           Author: Amit Malik ([email protected])    **
                **           http://www.SecurityXploded.com             **
                **                                                      **
                **********************************************************


[+] File: C:\malware\bintext.exe

        [*] MD5         : 30170b9e391f9f62afa14affc10bba13
        [*] SHA-1       : 531b48897de360b83643f37e74e5efe0e6a35246
        [*] SHA-256     : 907ba8f9ac12d0a5d6e1c3c43c2ebd4f9e3851c02bc08fd6f2f9856e8e7fd6f3

[+] File Type: EXE

[+] Signature [Compiler/Packer]

        [*] No match found.


[+] Address of entry point      : 0x00001061

[+] Image Base Address          : 0x00400000

[+] Sections
       Name: .text     Virtual Address: 0x00001000     Size: 0x0004c000    Entropy: 7.995590
       Name: .rsrc     Virtual Address: 0x0004d000     Size: 0x00001000    Entropy: 3.827535

[+] Anomalies Check

        [*] Based on the sections entropy check! file is possibly packed
        [*] Header Checksum is zero!
        [*] Optional Header NumberOfRvaAndSizes field is valued illegal
        [*] Optional Header LoaderFlags field is valued illegal

[+] Following expected Malware APIs are Detected


        [-] Import Table

                IA: 0x0040102c  GetProcAddress
                IA: 0x00401028  LoadLibraryA

        [-] Entire Executable

                 1 times        GetProcAddress
                 1 times        LoadLibrary
                 1 times        LoadLibraryA

Example #2

C:\tools\ExeScan>python exescan.py -a \malware\windowsxp2.exe
C:\malware\windowsxp2.exe
                **********************************************************
                **           Author: Amit Malik ([email protected])    **
                **           http://www.SecurityXploded.com             **
                **                                                      **
                **********************************************************


[+] File: C:\malware\windowsxp2.exe

        [*] MD5         : f04cb834ac843ad08a1a5c17e4f67ba3
        [*] SHA-1       : 5483af01af68d62f3354c5f8923f97ea08910979
        [*] SHA-256     : 5ebdba9cd72f7ff3feff287985f740506264da46df8956927a9087be3bf922d2

[+] File Type: EXE

[+] Signature [Compiler/Packer]

        ['PECompact V2.X-> Bitsum Technologies']
        ['PeCompact 2.xx --> BitSum Technologies']

[+] Address of entry point      : 0x000028e8

[+] Image Base Address          : 0x00400000

[+] Sections
        Name: .text     Virtual Address: 0x00001000     Size: 0x00116000    Entropy: 7.998314
        Name: .rsrc     Virtual Address: 0x00117000     Size: 0x00003000    Entropy: 4.987640

[+] Anomalies Check

        [*] Based on the sections entropy check! file is possibly packed

[+] Following expected Malware APIs are Detected


        [-] Import Table

                IA: 0x00518a94  GetProcAddress
                IA: 0x00518a90  LoadLibraryA
                IA: 0x00518a98  VirtualAlloc

        [-] Entire Executable

                 1 times        GetProcAddress
                 1 times        LoadLibrary
                 1 times        LoadLibraryA
                 1 times        VirtualAlloc
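The logic behind the "Anomalies Check" and "Malware APIs" blocks in the two reports above, written out as an added example; this is not Exescan's own code. It is stdlib-only, so the optional-header field values and import names are passed in (in practice from a PE parser such as pefile) rather than read from a file. The 7.0 entropy cutoff, the sample section bytes and the API watch list are constructed assumptions.

```python
import math
from collections import Counter

# Constructed sample input standing in for the two sections in the reports above:
# ".text" cycles through all 256 byte values (entropy exactly 8.0, packer-like),
# ".rsrc" is mostly zero padding (low entropy, typical of resource data).
SAMPLE_SECTIONS = {
    ".text": bytes(range(256)) * 16,
    ".rsrc": b"\x00" * 4000 + b"MENU" * 24,
}
# API names the reports list under "expected Malware APIs" (constructed watch list).
WATCHED_APIS = {"GetProcAddress", "LoadLibrary", "LoadLibraryA", "VirtualAlloc"}

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte, from 0.0 to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def section_anomalies(sections: dict, threshold: float = 7.0) -> list:
    """Report 'possibly packed' if any section exceeds the entropy threshold;
    7.0 is an assumed cutoff, not a value documented by Exescan."""
    if any(shannon_entropy(raw) > threshold for raw in sections.values()):
        return ["Based on the sections entropy check! file is possibly packed"]
    return []

def header_anomalies(checksum: int, loader_flags: int, number_of_rva_and_sizes: int) -> list:
    """Mirror the three IMAGE_OPTIONAL_HEADER checks in the 'Anomalies Check' output:
    zero CheckSum, non-zero LoaderFlags (reserved, must be 0), NumberOfRvaAndSizes != 16."""
    found = []
    if checksum == 0:
        found.append("Header Checksum is zero!")
    if number_of_rva_and_sizes != 16:
        found.append("Optional Header NumberOfRvaAndSizes field is valued illegal")
    if loader_flags != 0:
        found.append("Optional Header LoaderFlags field is valued illegal")
    return found

def watched_imports(import_names) -> list:
    """Return the imported API names that are on the watch list, sorted."""
    return sorted(name for name in set(import_names) if name in WATCHED_APIS)

if __name__ == "__main__":
    # In practice the header fields and import names come from a PE parser such as
    # pefile (OPTIONAL_HEADER.CheckSum, .LoaderFlags, .NumberOfRvaAndSizes).
    for name, raw in SAMPLE_SECTIONS.items():
        print(f"Name: {name:<8} Entropy: {shannon_entropy(raw):.6f}")
    for line in section_anomalies(SAMPLE_SECTIONS) + header_anomalies(0, 0, 16):
        print("[*]", line)
    print("[-]", watched_imports(["GetProcAddress", "ExitProcess", "LoadLibraryA"]))
```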
