Threat Score

[ POST ] https://api.malcore.io/api/threatscore

Generate a threat score for an uploaded file. The response lists each signature that fired, with the items it discovered, and a "score" string of the form "<value>/100".


Parameters

  • filename1 file (the binary to score, sent as a multipart/form-data field, as in the cURL example below)

  • apiKey string (your API key, sent as the apiKey request header)


Request

 curl -X POST https://api.malcore.io/api/threatscore \
   -H "apiKey: MY-API-KEY" \
   -F "filename1=@calc.exe"

Response

🟢 200

{
  "signatures": [
    {
      "discovered": [
        [
          "jne 0x1400018c2",
          "call qword [sym.imp.msvcrt.dll_void___cdecl_terminate_void]",
          "int3",
          "xor eax, eax",
          "add rsp, 0x28",
          "ret"
        ],
        [
          "sub rsp, 0x28",
          "lea rcx, qword [0x140001890]",
          "call qword [sym.imp.KERNEL32.dll_SetUnhandledExceptionFilter]",
          "xor eax, eax",
          "add rsp, 0x28",
          "ret"
        ],
        [
          "push rbx",
          "sub rsp, 0x20",
          "mov ebx, ecx",
          "xor ecx, ecx",
          "call qword [sym.imp.api_ms_win_core_libraryloader_l1_2_0.dll_GetModuleHandleW]",
          "test rax, rax"
        ],
        [
          "add rax, 0x28",
          "cmp r9d, r11d",
          "jb 0x1400019e3",
          "xor eax, eax",
          "ret",
          "int3"
        ],
        [
          "jne 0x140001a9a",
          "mov eax, 1",
          "ret",
          "xor eax, eax",
          "ret",
          "int3"
        ],
        [
          "push r12",
          "add byte [rax], r10b",
          "add byte [rax], al",
          "xor byte [rcx], al",
          "add byte [rax], al",
          "je 0x140002494"
        ]
      ],
      "info": {
        "description": "Suspicious assembly calls are calls that are using jumps in quick succession of one another, these are potentially indicators of on the fly loading of imports (dynamic import loading), cryptographic intentions (such as ransomware, or encryption/decryption techniques), or possibly even sandbox evasion. These are suspicious in nature due to the file type.",
        "title": "Suspicious assembly"
      }
    },
    {
      "discovered": [
        "GetTickCount",
        "UnhandledExceptionFilter",
        "SetUnhandledExceptionFilter",
        "QueryPerformanceCounter"
      ],
      "info": {
        "description": "Anti-debugging is a set of techniques used within the code of an application to detect and prevent the act of debugging. This stops attackers from dynamically running applications, trying to understand how they work and changing the behavior of certain features or checks within the application. Malicious applications use anti-debugging to prevent reverse engineers from dynamically analyzing the code and can potentially be an indication of malware.",
        "title": "Anti-Debugging imports"
      }
    },
    {
      "discovered": [
        "GetModuleHandle",
        "GetStartupInfo",
        "ShellExecute",
        "System",
        "GetCurrentProcess",
        "GetCurrentThreadId",
        "GetTickCount",
        "SetUnhandledExceptionFilter",
        "UnhandledExceptionFilter"
      ],
      "info": {
        "description": "The file calls Windows API endpoints which have been used by multiple malwares in the past to perform malicious activities.",
        "title": "Common malicious Windows API calls"
      }
    },
    {
      "discovered": {
        "signed": false
      },
      "info": {
        "description": "The file is not signed by a distributor (IE Microsoft). This means that the file has no verification and may be dangerous in nature. This is not an indicator that the file is malicious, but is a warning that there is no valid signature in the binary file.",
        "title": "No signature detected in binary file"
      }
    },
    {
      "discovered": [
        {
          "raw_address": "0x00006750",
          "virtual_address": "0x00409550",
          "section_name": ".rsrc",
          "cave_byte_size": 386
        }
      ],
      "info": {
        "description": "A code cave is a series of unused bytes in a process's memory. This series of bytes can be used to inject custom instructions into the memory. This is a well known tactic for hiding malware inside of known applications but does not always mean that there is an issue.",
        "title": "Code Cave"
      }
    },
    {
      "discovered": "safe",
      "info": {
        "description": "Malcore attempts to classify each file processed through an AI driven classifier.",
        "title": "Malcore AI file classification"
      }
    }
  ],
  "score": "14.28/100"
}

🔴 400

{}
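A small client that performs the request above and triages the report, as an added example (not Malcore's own code). The request shape (POST, apiKey header, filename1 multipart field) and the response layout are taken from this page; the function names, the sample report (trimmed from the 200 response above) and the escalation policy in triage() are assumptions made for the example.

```python
"""Submit a file to the Malcore threatscore endpoint and triage the report.

Added example, not Malcore's own client. Request shape comes from the cURL
example on this page; build_multipart, submit_file, parse_score and triage
are names chosen here, and the review threshold is an assumed policy.
"""
import json
import os
import sys
import urllib.request
import uuid

API_URL = "https://api.malcore.io/api/threatscore"
AI_TITLE = "Malcore AI file classification"


def build_multipart(field_name, filename, data):
    """Encode one file as a multipart/form-data body using only the stdlib."""
    boundary = uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field_name}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail, f"multipart/form-data; boundary={boundary}"


def submit_file(path, api_key):
    """POST the file as field 'filename1' with the apiKey header; return the JSON."""
    with open(path, "rb") as fh:
        data = fh.read()
    body, content_type = build_multipart("filename1", os.path.basename(path), data)
    req = urllib.request.Request(
        API_URL, data=body, method="POST",
        headers={"apiKey": api_key, "Content-Type": content_type},
    )
    with urllib.request.urlopen(req, timeout=300) as resp:
        return json.load(resp)


def parse_score(score):
    """Turn the "14.28/100" string into a float on a 0-100 scale."""
    num, sep, denom = score.partition("/")
    if sep != "/" or float(denom) == 0:
        raise ValueError(f"unexpected score format: {score!r}")
    return round(float(num) * 100.0 / float(denom), 2)


def triage(report, review_threshold=50.0):
    """Summarise which signatures fired and decide whether to escalate.

    Assumed policy: escalate at or above review_threshold, or whenever the AI
    classifier returns anything other than "safe". The 400 path returns {}, so a
    report without a score is treated as an error rather than a clean result.
    """
    if "score" not in report:
        raise ValueError("no score in response (the API returns {} on a 400)")
    score = parse_score(report["score"])
    hits = {}
    ai_verdict = None
    for sig in report.get("signatures", []):
        title = sig["info"]["title"]
        discovered = sig["discovered"]  # polymorphic: list, dict or bare string
        if title == AI_TITLE:
            ai_verdict = discovered
        hits[title] = len(discovered) if isinstance(discovered, list) else 1
    escalate = score >= review_threshold or ai_verdict != "safe"
    return {"score": score, "ai_verdict": ai_verdict, "hits": hits, "escalate": escalate}


# Constructed sample: trimmed from the 200 response shown on this page.
SAMPLE_REPORT = {
    "signatures": [
        {"discovered": [["jne 0x1400018c2", "int3"], ["sub rsp, 0x28", "ret"]],
         "info": {"title": "Suspicious assembly"}},
        {"discovered": ["GetTickCount", "UnhandledExceptionFilter",
                        "SetUnhandledExceptionFilter", "QueryPerformanceCounter"],
         "info": {"title": "Anti-Debugging imports"}},
        {"discovered": {"signed": False},
         "info": {"title": "No signature detected in binary file"}},
        {"discovered": [{"raw_address": "0x00006750", "virtual_address": "0x00409550",
                         "section_name": ".rsrc", "cave_byte_size": 386}],
         "info": {"title": "Code Cave"}},
        {"discovered": "safe", "info": {"title": AI_TITLE}},
    ],
    "score": "14.28/100",
}

if __name__ == "__main__":
    # Usage: python threatscore_client.py <file> <api-key>; with no args, triage the sample.
    if len(sys.argv) == 3:
        print(json.dumps(triage(submit_file(sys.argv[1], sys.argv[2])), indent=2))
    else:
        print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

Note that the sample report is for calc.exe, a benign Windows binary, yet it still trips the anti-debugging, unsigned-binary and code-cave heuristics; the individual signatures are indicators, not verdicts, which is why the example keys its decision on the aggregate score and the AI classification rather than on any single hit.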
