// AI REVERSE ENGINEERING · STATIC · NO-EXECUTION PRO
Static, no-execution binary triage: capability, IOCs, next step.
Upload a suspicious file and get a fast static profile — file type and structure, packing/entropy, what it appears able to do, the indicators hiding inside it, and a prioritized next step. The sample is never run, emulated, or stored.
How static triage works
Running an unknown binary to see what it does is how incidents start. Static triage answers the first questions without execution: the engine reads the file's magic bytes to identify its format (the extension is never trusted), measures entropy to spot packing or encryption, extracts ASCII and wide (UTF-16LE) strings, and lightly parses PE/ELF structure — section names, sizes, and per-section entropy — none of which runs a single instruction from the sample. Entropy is a signal, not a verdict: a section near 8 bits per byte usually means packed or encrypted code, but legitimately compressed resources score the same way, so it is read together with section names and the presence or absence of readable import names.
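As an added illustration of the pass described above (example code written for this page, not NeoShield's engine), the following Python implements each step against a two-section PE skeleton constructed in memory: magic-byte format identification with the PE signature check, Shannon entropy overall and per section, ASCII and UTF-16LE string extraction, and a walk of the section table. Nothing in it executes the sample. The packer-style section name, the example.invalid URL and the API names inside the skeleton are assumptions chosen for the demonstration.

```python
"""Static, no-execution triage primitives: magic-byte format ID, Shannon entropy,
ASCII/UTF-16LE strings, and a PE section-table walk with per-section entropy.
Added example, not NeoShield's code; the two-section PE below is constructed in memory."""
import json
import math
import re
import struct
from collections import Counter

MAGIC = [  # checked at offset 0; MZ is handled separately because it needs a second look
    (b"\x7fELF", "ELF"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit"),
    (b"PK\x03\x04", "ZIP container (JAR/APK/OOXML are ZIPs too)"),
    (b"%PDF", "PDF"),
]
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")         # 4+ printable ASCII bytes
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")  # 4+ printable UTF-16LE code units

def identify_format(data: bytes) -> str:
    """Trust the bytes, not the extension; MZ only counts as PE if e_lfanew points at 'PE\\0\\0'."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        return "PE" if data[e_lfanew:e_lfanew + 4] == b"PE\0\0" else "MZ (DOS executable)"
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for a uniform distribution. Packed or
    encrypted regions usually sit above ~7.0, but so do legitimately compressed resources."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def extract_strings(data: bytes) -> dict:
    """Narrow and wide strings; Windows malware keeps many paths, commands and URLs as UTF-16."""
    return {"ascii": [m.decode("ascii") for m in ASCII_RE.findall(data)],
            "wide": [m.decode("utf-16-le") for m in WIDE_RE.findall(data)]}

def pe_sections(data: bytes) -> list:
    """Walk IMAGE_SECTION_HEADER entries (40 bytes each) and score each section's raw bytes.
    A truncated table is reported as far as it goes: a triage tool must not crash on bad input."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # section table follows the optional header
    out = []
    for i in range(num_sections):
        hdr = data[table + 40 * i:table + 40 * (i + 1)]
        if len(hdr) < 40:
            break
        name = hdr[:8].rstrip(b"\0").decode("latin-1")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", hdr, 8)
        ent = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
        out.append({"name": name, "virtual_size": vsize, "raw_size": raw_size, "entropy": round(ent, 3),
                    # high entropy, a packer-style name, or a section empty on disk but large in
                    # memory all say "unpack first"; none of them is a verdict on its own
                    "suspicious": ent > 7.0 or name.upper().startswith("UPX") or (raw_size == 0 and vsize > 0)})
    return out

def triage(data: bytes) -> dict:
    fmt = identify_format(data)
    report = {"format": fmt, "size": len(data), "entropy": round(shannon_entropy(data), 3),
              "strings": extract_strings(data)}
    if fmt == "PE":
        report["sections"] = pe_sections(data)
    return report

def build_sample_pe() -> bytes:
    """Constructed, not a real binary: a low-entropy .text carrying API/URL strings and a
    'UPX1' section whose bytes are uniformly distributed, standing in for packed code."""
    text = (b"\x90" * 32 + b"CreateRemoteThread\0VirtualAllocEx\0WriteProcessMemory\0"
            + b"http://example.invalid/gate.php\0\0\0"   # extra NULs keep the ASCII terminator out of the wide run
            + "cmd.exe /c whoami".encode("utf-16-le") + b"\0\0").ljust(0x200, b"\0")
    packed = bytes(range(256)) * 4                        # every byte value 4 times -> entropy exactly 8.0
    pe_off, opt_size, text_off = 0x40, 0xF0, 0x400        # 0xF0 = PE32+ optional header size, left zeroed
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, opt_size, 0x22)  # x64, 2 sections, EXECUTABLE_IMAGE

    def shdr(name: bytes, size: int, ptr: int) -> bytes:  # IMAGE_SECTION_HEADER with CODE|EXECUTE|READ
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", size, 0x1000, size, ptr, 0, 0, 0, 0, 0x60000020)

    img = dos + b"PE\0\0" + coff + b"\0" * opt_size
    img += shdr(b".text", len(text), text_off) + shdr(b"UPX1", len(packed), text_off + len(text))
    return img.ljust(text_off, b"\0") + text + packed

if __name__ == "__main__":
    print(json.dumps(triage(build_sample_pe()), indent=2))
```

Run stand-alone, it prints the report for the constructed sample: format PE, a low-entropy `.text` whose strings include the three injection APIs, the URL and the wide `cmd.exe /c whoami`, and a `UPX1` section at exactly 8.0 bits per byte flagged suspicious. Note that the strings pass also returns four 95-character runs of printable garbage from the uniform section, which is what high-entropy data looks like to a strings tool and is itself a useful packing hint.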
Capability, IOCs, next step
- Capability — referenced APIs and telltale strings are mapped to behavior categories (network/C2, persistence, injection, anti-analysis, ransomware, credential access, discovery, execution) and to MITRE ATT&CK.
- IOCs — URLs, domains, IPs, paths, registry keys, mutexes, onion and wallet addresses are extracted and shown defanged, ready to block and hunt.
- Next step — a prioritized triage plan: hash lookup, sandbox detonation, host isolation, YARA/detection authoring. An optional AI layer adds a calibrated classification and family guess from the extracted features only.
This is a triage aid, not a full reverse-engineering suite or a sandbox. It is deliberately static and defensive: it never executes the sample and never produces malware or offensive tooling.
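The capability and IOC bullets above, as added example code written for this page (not NeoShield's engine): regex extraction of the listed indicator types over a strings list, defanging of the network indicators, and a lookup from Windows API names and telltale strings to the page's behavior categories and MITRE ATT&CK technique IDs, with the next step that falls out of the result. The input is the kind of strings list a static strings pass yields; SAMPLE_STRINGS is constructed and uses documentation ranges (example.invalid, 198.51.100.0/24, a made-up bech32 address). API_MAP and STRING_HINTS are a small illustrative subset, not the product's rules.

```python
"""IOC extraction with defanging, and API/string evidence mapped to capability categories
and MITRE ATT&CK technique IDs. Added example, not NeoShield's code; it consumes strings
as a static strings pass would yield them. SAMPLE_STRINGS is constructed."""
import json
import re

IOC_PATTERNS = {  # indicator type -> regex run over every extracted string
    "urls": re.compile(r"\b(?:https?|ftp)://[\x21-\x7e]{4,}"),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "emails": re.compile(r"\b[\w.%+-]+@[\w.-]+\.[A-Za-z]{2,}\b"),
    "win_paths": re.compile(r"\b[A-Za-z]:\\[\x20-\x7e]{2,}"),
    "unix_paths": re.compile(r"(?<![\w/])/(?:etc|tmp|var|usr|home|bin|dev|proc|root)/[\x21-\x7e]+"),
    "registry": re.compile(r"\b(?:HKEY_[A-Z_]+|HK(?:LM|CU|CR|U|CC))\\[\x20-\x7e]+"),
    "mutexes": re.compile(r"\bGlobal\\[\x21-\x7e]+"),          # Global\ namespace object names
    "onion": re.compile(r"\b[a-z2-7]{16,56}\.onion\b"),        # v2 (16) and v3 (56) onion hosts
    "wallets": re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
}

def defang(category: str, value: str) -> str:
    """Make network indicators unclickable and unresolvable when pasted into tickets or chat."""
    if category == "urls":
        value = re.sub(r"^http", "hxxp", value, flags=re.I)   # http -> hxxp, https -> hxxps
    if category in ("urls", "ipv4", "emails", "onion"):
        value = value.replace(".", "[.]").replace("@", "[at]")
    return value

def extract_iocs(strings: list) -> dict:
    """Every pattern over every string; dedupe preserving order; only non-empty types returned."""
    found = {cat: [] for cat in IOC_PATTERNS}
    for s in strings:
        for cat, rx in IOC_PATTERNS.items():
            for hit in rx.findall(s):
                d = defang(cat, hit)
                if d not in found[cat]:
                    found[cat].append(d)
    return {cat: vals for cat, vals in found.items() if vals}

API_MAP = {  # referenced API name -> (behavior category, ATT&CK technique); illustrative subset
    "VirtualAllocEx": ("injection", "T1055"), "WriteProcessMemory": ("injection", "T1055"),
    "CreateRemoteThread": ("injection", "T1055"), "QueueUserAPC": ("injection", "T1055.004"),
    "InternetOpenA": ("network/C2", "T1071.001"), "HttpSendRequestA": ("network/C2", "T1071.001"),
    "WinHttpOpen": ("network/C2", "T1071.001"), "URLDownloadToFileA": ("network/C2", "T1105"),
    "RegSetValueExA": ("persistence", "T1112"), "CreateServiceA": ("persistence", "T1543.003"),
    "IsDebuggerPresent": ("anti-analysis", "T1622"), "CheckRemoteDebuggerPresent": ("anti-analysis", "T1622"),
    "CryptEncrypt": ("ransomware", "T1486"), "CryptGenKey": ("ransomware", "T1486"),
    "MiniDumpWriteDump": ("credential access", "T1003.001"),
    "GetComputerNameA": ("discovery", "T1082"), "GetUserNameA": ("discovery", "T1033"),
    "CreateProcessA": ("execution", "T1059"), "ShellExecuteA": ("execution", "T1059"),
}
STRING_HINTS = [  # telltale strings that add a category or firm up a weak API-only hit
    (re.compile(r"CurrentVersion\\Run(?:Once)?\b", re.I), ("persistence", "T1547.001")),
    (re.compile(r"vssadmin\s+delete\s+shadows", re.I), ("ransomware", "T1490")),
    (re.compile(r"\bpowershell\b.*\s-(?:enc|e|encodedcommand)\b", re.I), ("execution", "T1059.001")),
    (re.compile(r"\bcmd(?:\.exe)?\s+/c\b", re.I), ("execution", "T1059.003")),
    (re.compile(r"\.onion\b", re.I), ("network/C2", "T1090.003")),
]

def map_capabilities(strings: list) -> list:
    """Evidence, not a verdict: benign installers import many of these too. A binary with no
    recognizable API names at all is itself a hint that it is packed or obfuscated."""
    caps = []

    def add(cat, tech, evidence):
        entry = {"category": cat, "technique": tech, "evidence": evidence}
        if entry not in caps:
            caps.append(entry)

    for s in strings:
        if s in API_MAP:
            add(*API_MAP[s], s)
        for rx, (cat, tech) in STRING_HINTS:
            if rx.search(s):
                add(cat, tech, s)
    if not any(s in API_MAP for s in strings):
        add("anti-analysis", "T1027.002", "no recognizable API names (possible packing/obfuscation)")
    return caps

def triage_report(strings: list) -> dict:
    caps = map_capabilities(strings)
    packed = any(c["technique"] == "T1027.002" for c in caps)
    return {"iocs": extract_iocs(strings), "capabilities": caps,
            "categories": sorted({c["category"] for c in caps}),
            "techniques": sorted({c["technique"] for c in caps}),
            # the next step follows from the evidence: opaque -> unpack/detonate; readable -> block, hunt, detect
            "next_step": "unpack or sandbox-detonate before trusting the string set" if packed
                         else "hash lookup, block/hunt the IOCs, author YARA on the API and string set"}

SAMPLE_STRINGS = [  # constructed, as a strings pass over a suspicious PE might yield
    "KERNEL32.dll", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
    "WININET.dll", "InternetOpenA", "HttpSendRequestA", "ADVAPI32.dll", "RegSetValueExA",
    "IsDebuggerPresent", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"C:\Users\Public\svchost32.exe", "http://example.invalid/gate.php", "198.51.100.23:8080",
    "exampleexampleexam.onion", "cmd.exe /c vssadmin delete shadows /all /quiet",
    "bc1qexampleexampleexampleexampleexample", r"Global\ExampleMutex_0x1337", "ops@example.invalid",
]

if __name__ == "__main__":
    print(json.dumps(triage_report(SAMPLE_STRINGS), indent=2))
```

Two design points carry over to real triage. Defanging happens at extraction time, so nothing live ever reaches a ticket or chat unneutralized. And the mapping deliberately distinguishes weak API-only evidence (a registry write, T1112) from the string that makes it specific (a Run key, T1547.001); a report that lists both lets the responder see why a category was assigned instead of trusting a bare label.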
Frequently asked questions
Is the file executed or run?
No. Analysis is entirely static — the bytes are inspected in memory (format, entropy, strings, structure). The sample is never executed, emulated, or launched, so there is no detonation risk on the server.
What does "capability" mean here?
It is what the file appears able to do — networking/C2, persistence, process injection, anti-analysis, cryptography/ransomware, credential access, discovery, and command execution — inferred from format structure, strings, and referenced API names, then mapped to MITRE ATT&CK.
What IOCs does it extract?
URLs, domains, IPv4 addresses, emails, Windows and Unix file paths, registry keys, mutexes, .onion addresses, and cryptocurrency wallet addresses found statically in the sample. They are shown defanged.
Do you store my uploaded file?
No. The bytes are analyzed for your session and discarded. Only metadata is recorded — file type, size, entropy, capabilities, score, and the SHA-256 hash — never the file itself or its extracted strings.
Why is this a Pro feature?
Static triage is compute- and AI-intensive and aimed at responders. Pro includes 100 analyses per month. It is a triage aid, not a replacement for a sandbox or full RE.