Dynamic Analysis

[ POST ] https://api.malcore.io/api/dynamicanalysis

Scans the file against thousands of YARA rules.


Query Params

  • filename1 file

Headers

  • apiKey string

  • X-No-Poll string


Request

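# Submit calc.exe to the dynamic-analysis endpoint as multipart field "filename1"
# (the only query/form parameter this page lists).
# "apiKey" is the account credential: MY-API-KEY is a placeholder, and a real key
# typed on the command line ends up in shell history and process listings, so in
# practice read it from an environment variable or a file instead.
# "X-No-Poll" is listed on this page as a string header but not described;
# presumably it skips waiting/polling for the result — confirm before relying on it.
# The trailing backslash after the -F line has been dropped: it continued the
# command onto the blank line that follows, which is a copy-paste trap.
curl -X POST https://api.malcore.io/api/dynamicanalysis \
  -H "apiKey: MY-API-KEY" \
  -H "X-No-Poll: true" \
  -F "filename1=@calc.exe"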

Response

🟢 200 — note: the example body below is printed as a Python literal (single-quoted keys, `None`/`True`/`False`) rather than as JSON, and its first lines are cut off before the top-level object (the closing `]` after `[]` near the end has no visible opening), so it will not parse as shown; an actual JSON body would use `null`/`true`/`false` and double-quoted keys.

{'dynamic_analysis': [
                {'entry_points': [
                        {'ep_args': ['0x4000', '0x4010', '0x4020', '0x4030'
                            ], 'instr_count': 133, 'apis': [
                                {'pc': '0x140005d3a', 'api_name': 'api-ms-win-core-sysinfo-l1-1-0.GetSystemTimeAsFileTime', 'args': ['0x1211f90'], 'ret_val': None
                                },
                                {'pc': '0x140005d48', 'api_name': 'api-ms-win-core-processthreads-l1-1-0.GetCurrentProcessId', 'args': [], 'ret_val': '0x420'
                                },
                                {'pc': '0x140005d54', 'api_name': 'api-ms-win-core-processthreads-l1-1-0.GetCurrentThreadId', 'args': [], 'ret_val': '0x434'
                                },
                                {'pc': '0x140005d60', 'api_name': 'api-ms-win-core-sysinfo-l1-1-0.GetTickCount', 'args': [], 'ret_val': '0x5265c14'
                                },
                                {'pc': '0x140005d70', 'api_name': 'api-ms-win-core-sysinfo-l1-1-0.GetTickCount', 'args': [], 'ret_val': '0x5265c28'
                                },
                                {'pc': '0x140005d8b', 'api_name': 'api-ms-win-core-profile-l1-1-0.QueryPerformanceCounter', 'args': ['0x1211f98'
                                    ], 'ret_val': '0x1'
                                },
                                {'pc': '0x140005bc8', 'api_name': 'api-ms-win-core-libraryloader-l1-2-0.GetModuleHandleW', 'args': ['0x0', '0x4010', '0x4020', '0x4030'
                                    ], 'ret_val': '0x1'
                                }
                            ], 'start_addr': '0x1400057c0', 'error': {'instr': 'cmp word ptr [rcx
                                ], ax', 'regs': {'r14': '0x0000000000000000', 'r9': '0x0000000000004030', 'rcx': '0x0000000000000001', 'rsi': '0x0000000000000000', 'r10': '0x0000000000000000', 'rbx': '0x0000000000000001', 'rsp': '0x0000000001211ef8', 'r11': '0x0000000000000000', 'r8': '0x0000000000004020', 'rdx': '0x0000000000000000', 'rip': '0x0000000140005b71', 'rbp': '0x0000000001211fd8', 'r15': '0x00000001400065f0', 'r12': '0x0000000000000000', 'rdi': '0x00000001400065e0', 'rax': '0x0000000000005a4d', 'r13': '0x0000000000000000'
                                }, 'pc': '0x140005b71', 'address': '0x1', 'type': 'invalid_read', 'stack': ['sp+0x00: 0x0000000000000000', 'sp+0x08: 0x0000000000000000', 'sp+0x10: 0x0000000000000000', 'sp+0x18: 0x0000000140005bd5 -> emu.module._MALWARE__d58c0826509944f4647617d878c1bbe51cb9e551671bc27f26dec97fe8235c2f.0x140000000', 'sp+0x20: 0x0000000000000000', 'sp+0x28: 0x0000000000000000', 'sp+0x30: 0x0000000000000000', 'sp+0x38: 0x0000000000000000', 'sp+0x40: 0x0000000000000001', 'sp+0x48: 0x0000000140005539 -> emu.module._MALWARE__d58c0826509944f4647617d878c1bbe51cb9e551671bc27f26dec97fe8235c2f.0x140000000', 'sp+0x50: 0x0000000000000000', 'sp+0x58: 0x0000000140005d8b -> emu.module._MALWARE__d58c0826509944f4647617d878c1bbe51cb9e551671bc27f26dec97fe8235c2f.0x140000000', 'sp+0x60: 0x0000000000000000', 'sp+0x68: 0x0000000000000000', 'sp+0x70: 0x0000000000000000', 'sp+0x78: 0x0000000140005699 -> emu.module._MALWARE__d58c0826509944f4647617d878c1bbe51cb9e551671bc27f26dec97fe8235c2f.0x140000000'
                                ]
                            }, 'mem_access': [
                                {'reads': 22, 'tag': 'emu.module._MALWARE__d58c0826509944f4647617d878c1bbe51cb9e551671bc27f26dec97fe8235c2f.0x140000000', 'writes': 5, 'base': '0x140000000', 'execs': 133
                                },
                                {'reads': 12, 'tag': 'emu.stack.0x1200000', 'writes': 27, 'base': '0x1200000', 'execs': 0
                                },
                                {'reads': 2, 'tag': 'emu.segment.gs.0x3000', 'writes': 0, 'base': '0x3000', 'execs': 0
                                },
                                {'reads': 1, 'tag': None, 'writes': 0, 'base': '0x0', 'execs': 0
                                }
                            ], 'ep_type': 'module_entry', 'apihash': '223ff75967673e5cb2f84ae933dde2f84e66fa049b2ad6be9a89c89a0eba49d6', 'ret_val': '0x5a4d', 'dynamic_code_segments': []
                        }
                    ], 'emulation_total_runtime': 0.144, 'timestamp': 1710193423, 'os_run': 'windows.10_1', 'arch': 'x64', 'strings': {'in_memory': {'ansi': [], 'unicode': []
                        }
                    }
                }
            ], 'parsed_output': [], 'misc_information': [
                {'raw_output': []
                }
            ]
        },
        []
    ], 'isMaintenance': False, 'success': True, 'messages': [
        {'type': 'success', 'code': 200, 'message': 'Scan ran successfully'
        }
    ]

🔴 400 — no example body is documented on this page for this response.

 
