Executable File Analysis

[POST] https://api.malcore.io/api/upload

Upload an executable to run Malcore's full static and dynamic analysis on it. The sample is parsed (PE headers, imports, strings, YARA, packer detection) and also executed in an emulator (see `dynamic_analysis` in the response), so only submit files you are permitted to share with a third-party service.


Request Body (multipart/form-data)

  • filename1 file — the executable to analyse, sent as the multipart form part named `filename1`. This is a field in the request body, not a URL query parameter (see the curl example below).

Headers

  • apiKey string API Key — your Malcore API key. It authenticates every request, so treat it as a secret: send it only over HTTPS, keep it out of source control and shared shell history, and in scripts read it from an environment variable or a secrets manager rather than hard-coding it.

  • X-No-Poll string — optional. When set to "true" the call returns as soon as the file is queued, with "status": "pending" and a "uuid" identifying the scan so the result can be fetched later; when the header is omitted the call blocks until analysis finishes and returns the full report inline. Both response shapes are shown under Responses.


Request

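# Upload a file for analysis.
# - The path matches the endpoint documented above (/api/upload).
# - The file goes in a multipart/form-data part named "filename1"; the leading
#   "@" makes curl send the file's contents rather than the literal string.
# - The API key is read from the environment so it does not end up in shell
#   history or a process listing; set MALCORE_API_KEY before running this.
# - X-No-Poll: true returns immediately with a pending status and a uuid;
#   drop that header to wait for the full report instead.
# NOTE: no trailing whitespace after a line-continuation backslash — "\ " escapes
# the space, not the newline, and silently breaks the command.
curl -X POST https://api.malcore.io/api/upload \
  -F "filename1=@myfile.exe" \
  -H "apiKey: ${MALCORE_API_KEY}" \
  -H "X-No-Poll: true"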

Responses

🟢 200

// Response when the request included X-No-Poll: true — the scan is queued; keep the uuid to look up the result later
{
  "data": {
    "data": {
      "status": "pending",
      "uuid": "582669c471f825ce-4e845eba-87ce22fe-c56b423b-f1c83727-5b82c04f21f23b79"
    },
    "isMaintenance": false,
    "success": true,
    "messages": [
      {
        "type": "success",
        "code": 200,
        "message": "Scan ran"
      }
    ]
  },
  "isMaintenance": false,
  "success": true
}
// Response when X-No-Poll was not passed — the call waited for the analysis and the full report is returned inline
{
  "data": {
    "data": {
      "exports": {
        "results": []
      },
      "packer_information": {
        "results": [
          [
            "Aspack v2.1x -> www.aspack.co",
            60.87
          ],
          [
            "DJoin v0.7 public (xor encryption) -> drmis",
            61.25
          ],
          [
            "FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0",
            61.54
          ],
          [
            "Microsoft Visual Basic v5.",
            60
          ],
          [
            "MinGW GCC DLL v2x",
            60.24
          ]
        ]
      },
      "assembly": {
        "results": "sub rsp, 0x28\ncall fcn.1400012a4\nadd rsp, 0x28\njmp 0x140001600\nsub rsp, 0x28\nmov rax, qword [rcx]\ncmp dword [rax], 0xe06d7363\njne 0x1400018c2\ncmp dword [rax + 0x18], 4\njne 0x1400018c2\nmov ecx, dword [rax + 0x20]\nlea eax, [rcx - 0x19930520]\ncmp eax, 2\njbe 0x1400018bb\ncmp ecx, 0x1994000\njne 0x1400018c2\ncall qword [sym.imp.msvcrt.dll_void___cdecl_terminate_void_]\nxor eax, eax\nadd rsp, 0x28\nr:\te\tt\nsub rsp, 0x28\nlea rcx, [0x140001890]\ncall qword [sym.imp.KERNEL32.dll_SetUnhandledExceptionFilter]\nxor eax, eax\nadd rsp, 0x28\nr:\te\tt\njmp qword [sym.imp.msvcrt.dll__XcptFilter]\nsub rsp, 0x18\nxor edx, edx\nlea rax, [rcx - 1]\ncmp rax, 0xfffffffffffffffd\nja 0x140001948\nmov eax, 0x5a4d\ncmp word [rcx], ax\njne 0x140001940\ncmp dword [rcx + 0x3c], edx\njl 0x140001940\ncmp dword [rcx + 0x3c], 0x10000000\njae 0x140001940\nmovsxd rax, dword [rcx + 0x3c]\nadd rax, rcx\nmov qword [rsp], rax\ncmp dword [rax], 0x4550\ncmovne rax, rdx\nmov rdx, rax\nmov qword [rsp], rax\njmp 0x140001948\nxor edx, edx\nmov qword [rsp], rdx\nmov rax, rdx\n# default of 50 lines shown, to view all use the /viewfull endpoint with hash: 58189cbd4e6dc0c7d8e66b6a6f75652fc9f4afc7ce0eba7d67d8c3feb0d5381f"
      },
      "file_type": {
        "results": "PE"
      },
      "imports": {
        "results": {
          "import_location": {
            "shell32.dll": [
              {
                "name": "ShellExecuteW",
                "address": "0x1400021b0"
              }
            ],
            "IumSdk.dll": [
              {
                "name": "EventSetInformation",
                "address": "0x140002128"
              },
              {
                "name": "EventWriteTransfer",
                "address": "0x140002130"
              },
              {
                "name": "EventRegister",
                "address": "0x140002138"
              }
            ],
            "kernel32.dll": [
              {
                "name": "GetCurrentThreadId",
                "address": "0x140002148"
              },
              {
                "name": "GetSystemTimeAsFileTime",
                "address": "0x140002150"
              },
              {
                "name": "GetTickCount",
                "address": "0x140002158"
              },
              {
                "name": "RtlCaptureContext",
                "address": "0x140002160"
              },
              {
                "name": "GetCurrentProcessId",
                "address": "0x140002168"
              },
              {
                "name": "RtlVirtualUnwind",
                "address": "0x140002170"
              },
              {
                "name": "UnhandledExceptionFilter",
                "address": "0x140002178"
              },
              {
                "name": "SetUnhandledExceptionFilter",
                "address": "0x140002180"
              },
              {
                "name": "GetCurrentProcess",
                "address": "0x140002188"
              },
              {
                "name": "TerminateProcess",
                "address": "0x140002190"
              },
              {
                "name": "QueryPerformanceCounter",
                "address": "0x140002198"
              },
              {
                "name": "RtlLookupFunctionEntry",
                "address": "0x1400021a0"
              },
              {
                "name": "__C_specific_handler",
                "address": "0x140002200"
              },
              {
                "name": "Sleep",
                "address": "0x1400021e0"
              },
              {
                "name": "GetStartupInfoW",
                "address": "0x1400021d0"
              },
              {
                "name": "GetModuleHandleW",
                "address": "0x1400021c0"
              }
            ],
            "ucrtbase.dll": [
              {
                "name": "__setusermatherr",
                "address": "0x1400021f0"
              },
              {
                "name": "_initterm",
                "address": "0x1400021f8"
              },
              {
                "name": "_cexit",
                "address": "0x140002228"
              },
              {
                "name": "exit",
                "address": "0x140002248"
              },
              {
                "name": "_exit",
                "address": "0x140002258"
              }
            ],
            "msvcrt.dll": [
              {
                "name": "_wcmdln",
                "address": "0x140002208"
              },
              {
                "name": "_fmode",
                "address": "0x140002210"
              },
              {
                "name": "_commode",
                "address": "0x140002218"
              },
              {
                "name": "?terminate@@YAXXZ",
                "address": "0x140002220"
              },
              {
                "name": "__wgetmainargs",
                "address": "0x140002230"
              },
              {
                "name": "_amsg_exit",
                "address": "0x140002238"
              },
              {
                "name": "_XcptFilter",
                "address": "0x140002240"
              },
              {
                "name": "__set_app_type",
                "address": "0x140002250"
              }
            ]
          },
          "raw_discovered_imports": [
            [
              "0x1400021b0",
              "ShellExecuteW"
            ],
            [
              "0x140002148",
              "GetCurrentThreadId"
            ],
            [
              "0x140002150",
              "GetSystemTimeAsFileTime"
            ],
            [
              "0x140002158",
              "GetTickCount"
            ],
            [
              "0x140002160",
              "RtlCaptureContext"
            ],
            [
              "0x140002168",
              "GetCurrentProcessId"
            ],
            [
              "0x140002170",
              "RtlVirtualUnwind"
            ],
            [
              "0x140002178",
              "UnhandledExceptionFilter"
            ],
            [
              "0x140002180",
              "SetUnhandledExceptionFilter"
            ],
            [
              "0x140002188",
              "GetCurrentProcess"
            ],
            [
              "0x140002190",
              "TerminateProcess"
            ],
            [
              "0x140002198",
              "QueryPerformanceCounter"
            ],
            [
              "0x1400021a0",
              "RtlLookupFunctionEntry"
            ],
            [
              "0x1400021f0",
              "__setusermatherr"
            ],
            [
              "0x1400021f8",
              "_initterm"
            ],
            [
              "0x140002200",
              "__C_specific_handler"
            ],
            [
              "0x140002208",
              "_wcmdln"
            ],
            [
              "0x140002210",
              "_fmode"
            ],
            [
              "0x140002218",
              "_commode"
            ],
            [
              "0x140002220",
              "?terminate@@YAXXZ"
            ],
            [
              "0x140002228",
              "_cexit"
            ],
            [
              "0x140002230",
              "__wgetmainargs"
            ],
            [
              "0x140002238",
              "_amsg_exit"
            ],
            [
              "0x140002240",
              "_XcptFilter"
            ],
            [
              "0x140002248",
              "exit"
            ],
            [
              "0x140002250",
              "__set_app_type"
            ],
            [
              "0x140002258",
              "_exit"
            ],
            [
              "0x140002128",
              "EventSetInformation"
            ],
            [
              "0x140002130",
              "EventWriteTransfer"
            ],
            [
              "0x140002138",
              "EventRegister"
            ],
            [
              "0x1400021e0",
              "Sleep"
            ],
            [
              "0x1400021d0",
              "GetStartupInfoW"
            ],
            [
              "0x1400021c0",
              "GetModuleHandleW"
            ]
          ],
          "import_hashes": [
            [
              "GetCurrentProcess",
              "0x51e2f352"
            ],
            [
              "GetCurrentProcessId",
              "0x62c64749"
            ],
            [
              "GetCurrentThreadId",
              "0x5fa0c4b9"
            ],
            [
              "GetModuleHandleW",
              "0xdb85b06c"
            ],
            [
              "GetStartupInfoW",
              "0xb21b4ab1"
            ],
            [
              "GetSystemTimeAsFileTime",
              "0x9b1b6595"
            ],
            [
              "GetTickCount",
              "0x6bced369"
            ],
            [
              "QueryPerformanceCounter",
              "0x1d8e6ab1"
            ],
            [
              "RtlCaptureContext",
              "0xb8f3232d"
            ],
            [
              "SetUnhandledExceptionFilter",
              "0xea320efe"
            ],
            [
              "Sleep",
              "0xe035f044"
            ],
            [
              "TerminateProcess",
              "0x5ecadc87"
            ],
            [
              "UnhandledExceptionFilter",
              "0x4a18ce54"
            ],
            [
              "RtlCaptureContext",
              "0x64de23a2"
            ]
          ]
        }
      },
      "yara_rules": {
        "results": [
          [
            "Embedded_PE",
            "Discover embedded PE files, without relying on easily stripped/modified header strings."
          ],
          [
            "png",
            "N/A"
          ],
          [
            "exe",
            "Checks if the program is an EXE file"
          ],
          [
            "custom YARA rule",
            "rule myg__1669998546737_exe\n{\n\n\tmeta:\n\t\tauthor = \"Generated by Malcore Yara Generator (MYG) on 12-03-2022 (contact@internet2-0.com)\"\n\t\tref = \"https://internet2-0.com\"\n\t\tcopyright = \"Internet 2.0\"\n\t\tsha256 = \"58189cbd4e6dc0c7d8e66b6a6f75652fc9f4afc7ce0eba7d67d8c3feb0d5381f\"\n\tstrings:\t\n\t\t$specific1 = \"calc.pdb\"\n\t\t$matchable1 = \" H3E\"\n\t\t$matchable10 = \".CRT$XIY\"\n\t\t$matchable11 = \".CRT$XIZ\"\n\t\t$matchable12 = \".bss\"\n\t\t$matchable13 = \".data\"\n\t\t$matchable14 = \".data$brc\"\n\t\t$matchable15 = \".gfids\"\n\t\t$matchable16 = \".idata$2\"\n\t\t$matchable17 = \".idata$3\"\n\t\t$matchable18 = \".idata$4\"\n\t\t$matchable19 = \".idata$5\"\n\t\t$matchable2 = \" wtf\"\n\t\t$matchable20 = \".idata$6\"\n\t\t$matchable21 = \".pdata\"\n\t\t$matchable22 = \".rdata\"\n\t\t$matchable23 = \".rdata$brc\"\n\t\t$matchable24 = \".rdata$zETW0\"\n\t\t$matchable25 = \".rdata$zETW1\"\n\t\t$matchable26 = \".rdata$zETW2\"\n\t\t$matchable3 = \"!This\"\n\t\t$matchable4 = \".00cfg\"\n\t\t$matchable5 = \".CRT$XCA\"\n\t\t$matchable6 = \".CRT$XCAA\"\n\t\t$matchable7 = \".CRT$XCZ\"\n\t\t$matchable8 = \".CRT$XIA\"\n\t\t$matchable9 = \".CRT$XIAA\"\n\t\t$hex_string1 = { 58 06 00 00 2e 62 73 73 00 00 00 00 }\n\t\t$hex_string2 = { 69 74 65 63 74 75 72 65 3d 22 2a 22 }\n\t\t$hex_string3 = { 75 57 89 1d 94 1f 00 00 4c 8d 3d 0d }\n\t\t$hex_string4 = { 6e 76 6f 6b 65 72 22 20 75 69 41 63 }\n\t\t$hex_string5 = { 98 22 00 00 08 00 00 00 2e 43 52 54 }\n\n\tcondition:\n\t\t1 of ($specific*) and 2 of ($hex_string*) and 13 of ($matchable*) and uint16(0) == 0x4d5a\n}"
          ]
        ]
      },
      "similar_samples": {},
      "hexdump": {
        "results": "0000000001:\t4d5a90000300000004000000\tMZ..........\n0000000002:\tffff0000b800000000000000\t............\n0000000003:\t400000000000000000000000\t@...........\n0000000004:\t000000000000000000000000\t............\n0000000005:\t000000000000000000000000\t............\n0000000006:\te80000000e1fba0e00b409cd\t............\n0000000007:\t21b8014ccd21546869732070\t!..L.!This.p\n0000000008:\t726f6772616d2063616e6e6f\trogram.canno\n0000000009:\t742062652072756e20696e20\tt.be.run.in.\n0000000010:\t444f53206d6f64652e0d0d0a\tDOS.mode....\n0000000011:\t2400000000000000bfdcfbc8\t$...........\n0000000012:\tfbbd959bfbbd959bfbbd959b\t............\n0000000013:\tf2c5069bfdbd959bfbbd949b\t............\n0000000014:\td3bd959befd6949af2bd959b\t............\n0000000015:\tefd6919aeabd959befd6969a\t............\n0000000016:\tf9bd959befd69d9af8bd959b\t............\n0000000017:\tefd6909af9bd959befd66a9b\t..........j.\n0000000018:\tfabd959befd6979afabd959b\t............\n0000000019:\t52696368fbbd959b00000000\tRich........\n0000000020:\t000000005045000064860600\t....PE..d...\n0000000021:\t10c440030000000000000000\t..@.........\n0000000022:\tf00022000b020e14000c0000\t..\".........\n0000000023:\t006200000000000070180000\t.b......p...\n0000000024:\t001000000000004001000000\t.......@....\n0000000025:\t00100000000200000a000000\t............\n0000000026:\t0a0000000a00000000000000\t............\n0000000027:\t00b000000004000063410100\t........cA..\n0000000028:\t020060c10000080000000000\t..`.........\n0000000029:\t002000000000000000001000\t............\n0000000030:\t000000000010000000000000\t............\n0000000031:\t000000001000000000000000\t............\n0000000032:\t0000000094270000a0000000\t.....'......\n0000000033:\t005000001047000000400000\t.P...G...@..\n0000000034:\tf00000000000000000000000\t............\n0000000035:\t00a000002c00000020230000\t....,....#..\n0000000036:\t540000000000000000000000\tT...........\n0000000037:\t000000000000000000000000\t............\n0000000038:\t00000
0001020000018010000\t............\n0000000039:\t000000000000000028210000\t........(!..\n0000000040:\t400100000000000000000000\t@...........\n0000000041:\t000000000000000000000000\t............\n0000000042:\t000000002e74657874000000\t.....text...\n0000000043:\td00b000000100000000c0000\t............\n0000000044:\t000400000000000000000000\t............\n0000000045:\t00000000200000602e726461\t.......`.rda\n0000000046:\t74610000760c000000200000\tta..v.......\n0000000047:\t000e00000010000000000000\t............\n0000000048:\t000000000000000040000040\t........@..@\n0000000049:\t2e64617461000000b8060000\t.data.......\n0000000050:\t0030000000020000001e0000\t.0..........\n# default of 50 lines shown, to view all use the /viewfull endpoint with hash: 58189cbd4e6dc0c7d8e66b6a6f75652fc9f4afc7ce0eba7d67d8c3feb0d5381f"
      },
      "interesting_strings": {
        "results": [
          "publicKeyToken=\"6595b64144ccf1df\"",
          "            version=\"6.0.0.0\"",
          "version=\"6.0.0.0\"",
          "            publicKeyToken=\"6595b64144ccf1df\"",
          "        <dpiAware  xmlns=\"http://schemas.microsoft.com/SMI/2005/WindowsSettings\">true</dpiAware>",
          "xmlns=\"http://schemas.microsoft.com/SMI/2005/WindowsSettings\">true</dpiAware>",
          "    version=\"5.1.0.0\"",
          "version=\"5.1.0.0\"",
          "0.00"
        ]
      },
      "exif_data": {
        "results": {
          "code_signature": "48 83 ec 28 e8 2b fa ff ff 48",
          "file_information": {
            "file_extension": "exe",
            "header_information": {
              "file_header_hexdump": "4d5a90000300000004000000ffff0000b8000000000000004000000000000000",
              "file_header_ascii": "MZ......................@.......",
              "file_header_crc32": "0x208ddfe",
              "offset": "0x0"
            },
            "file_description": "DOS MZ executable file format and its descendants (including NE and PE)"
          },
          "misc_information": {},
          "file_size": "27648",
          "signature_info": {
            "signature_results": [],
            "is_signed": false
          },
          "compilation_timestamp": "Sep 24, 1971 04:02:24 PM",
          "mime_type": "application/x-msdownload"
        }
      },
      "threat_score": {
        "results": {
          "signatures": [
            {
              "discovered": [
                [
                  "cmp ecx, 0x1994000",
                  "jne 0x1400018c2",
                  "call qword [sym.imp.msvcrt.dll_void___cdecl_terminate_void_]",
                  "xor eax, eax",
                  "add rsp, 0x28",
                  "r:\te\tt"
                ],
                [
                  "sub rsp, 0x28",
                  "lea rcx, [0x140001890]",
                  "call qword [sym.imp.KERNEL32.dll_SetUnhandledExceptionFilter]",
                  "xor eax, eax",
                  "add rsp, 0x28",
                  "r:\te\tt"
                ],
                [
                  "push rbx",
                  "sub rsp, 0x20",
                  "mov ebx, ecx",
                  "xor ecx, ecx",
                  "call qword [sym.imp.api_ms_win_core_libraryloader_l1_2_0.dll_GetModuleHandleW]",
                  "test rax, rax"
                ],
                [
                  "add rax, 0x28",
                  "cmp r9d, r11d",
                  "jb 0x1400019e3",
                  "xor eax, eax",
                  "r:\te\tt",
                  "mov qword [var_8h], rbx"
                ],
                [
                  "jne 0x140001a9a",
                  "mov eax, 1",
                  "r:\te\tt",
                  "xor eax, eax",
                  "r:\te\tt",
                  "jmp qword [sym.imp.msvcrt.dll__initterm]"
                ],
                [
                  "jo 0x14000247f",
                  "push r12",
                  "add byte [rax], r10b",
                  "xor byte [rcx], al",
                  "je 0x140002494",
                  "js 0x1400024a5"
                ]
              ],
              "info": {
                "description": "Suspicious assembly calls are calls that are using jumps, calls, or xor in quick succession of one another, these are potentially indicators of on the fly loading of imports (dynamic import loading), cryptographic intentions (such as ransomware, or encryption/decryption techniques), or possibly even sandbox evasion. These are suspicious in nature due to the file type.",
                "title": "Suspicious Assembly"
              }
            },
            {
              "discovered": [
                "GetTickCount",
                "UnhandledExceptionFilter",
                "SetUnhandledExceptionFilter",
                "QueryPerformanceCounter"
              ],
              "info": {
                "description": "Anti-debugging is a set of techniques used within the code of an application to detect and prevent the act of debugging. This stops attackers from dynamically running applications, trying to understand how they work and changing the behavior of certain features or checks within the application. Malicious applications use anti-debugging to prevent reverse engineers from dynamically analyzing the code and can potentially be an indication of malware.",
                "title": "Anti-Debugging Imports"
              }
            },
            {
              "discovered": [
                "GetModuleHandle",
                "GetStartupInfo",
                "ShellExecute",
                "System",
                "GetCurrentProcess",
                "GetCurrentThreadId",
                "GetTickCount",
                "SetUnhandledExceptionFilter",
                "UnhandledExceptionFilter"
              ],
              "info": {
                "description": "The file statically imports commonly known malicious Windows API endpoints, or imports Windows libraries that have been used by multiple malware samples over time. It is possible that these imports are never used.",
                "title": "Imports Known Malicious Endpoints"
              }
            },
            {
              "discovered": {
                "signed": false
              },
              "info": {
                "description": "The file is not signed by a distributor (IE Microsoft). This means that the file has no verification and may be dangerous in nature. This is not an indicator that the file is malicious, but is a warning that there is no valid signature in the binary file.",
                "title": "No Signature Detected in Binary File"
              }
            },
            {
              "discovered": [
                {
                  "raw_address": "0x00006750",
                  "virtual_address": "0x00409550",
                  "section_name": ".rsrc",
                  "cave_byte_size": 386
                }
              ],
              "info": {
                "description": "A code cave is a series of unused bytes in a process's memory. This series of bytes can be used to inject custom instructions into the memory. This is a well known tactic for hiding malware inside of known applications but does not always mean that there is an issue.",
                "title": "Code Cave"
              }
            },
            {
              "discovered": "suspicious\n",
              "info": {
                "description": "Malcore attempts to classify each file processed through an AI driven classifier.",
                "title": "Malcore AI File Classification"
              }
            },
            {
              "discovered": {
                "unmarked_objects": {
                  "is_unmarked_object": true,
                  "total_unmarked_objects": 2
                }
              },
              "info": {
                "description": "In Windows binary files there is a section called 'the Rich PE header section'. This section is responsible for (it is assumed) providing a development environment fingerprint. Anomalies inside of this header include invalid checksums, invalid xor keys, malformed 'rich data' or rich data removed, and unmarked objects in the build information. If some these occur, it is more likely that the file was tampered with, and is potentially an indicator of malicious intents.",
                "title": "Rich PE Header Anomaly"
              }
            },
            {
              "discovered": {
                "padding character": "'\\x00'"
              },
              "info": {
                "description": "The file appears to have a padding character in it, this means that this was added to the end of the file in order to increase the file size. This may be done in order to evade AV and EDR detection and make the file appear larger than it is. This is not always an indicator of malicious intents but is an indicator of file manipulation.",
                "title": "Padding Added to End of File"
              }
            }
          ],
          "score": "15.43/100"
        }
      },
      "dfi": {
        "results": {}
      },
      "architecture": {
        "results": 64
      },
      "phone_app_analysis": {
        "results": []
      },
      "dynamic_analysis": {
        "dynamic_analysis": [
          {
            "entry_points": [
              {
                "ep_args": [
                  "0x4000",
                  "0x4010",
                  "0x4020",
                  "0x4030"
                ],
                "instr_count": 142,
                "apis": [
                  {
                    "pc": "0x1400012df",
                    "api_name": "KERNEL32.GetSystemTimeAsFileTime",
                    "args": [
                      "0x1211f98"
                    ],
                    "ret_val": null
                  },
                  {
                    "pc": "0x1400012ed",
                    "api_name": "KERNEL32.GetCurrentProcessId",
                    "args": [],
                    "ret_val": "0x420"
                  },
                  {
                    "pc": "0x1400012f9",
                    "api_name": "KERNEL32.GetCurrentThreadId",
                    "args": [],
                    "ret_val": "0x434"
                  },
                  {
                    "pc": "0x140001305",
                    "api_name": "KERNEL32.GetTickCount",
                    "args": [],
                    "ret_val": "0x5265c14"
                  },
                  {
                    "pc": "0x140001315",
                    "api_name": "KERNEL32.GetTickCount",
                    "args": [],
                    "ret_val": "0x5265c28"
                  },
                  {
                    "pc": "0x140001330",
                    "api_name": "KERNEL32.QueryPerformanceCounter",
                    "args": [
                      "0x1211f90"
                    ],
                    "ret_val": "0x1"
                  },
                  {
                    "pc": "0x14000162e",
                    "api_name": "api-ms-win-core-processthreads-l1-1-0.GetStartupInfoW",
                    "args": [
                      "0x1211f38",
                      "0x4010",
                      "0x4020",
                      "0x4030"
                    ],
                    "ret_val": "0x1"
                  },
                  {
                    "pc": "0x140001968",
                    "api_name": "api-ms-win-core-libraryloader-l1-2-0.GetModuleHandleW",
                    "args": [
                      "0x0",
                      "0x4010",
                      "0x4020",
                      "0x4030"
                    ],
                    "ret_val": "0x1"
                  }
                ],
                "start_addr": "0x140001870",
                "apihash": "f5d28ae3775b19c5265c6786f2668d58729be4f27d9bc9ab52c3474b2ccfc673",
                "mem_access": [
                  {
                    "reads": 23,
                    "tag": "emu.module._MALWARE__66fea2c3f401c12b3a16d9b8c88eb397e7fa19115aa84fda8e34585c38dcb67c.0x140000000",
                    "writes": 5,
                    "base": "0x140000000",
                    "execs": 142
                  },
                  {
                    "reads": 12,
                    "tag": "emu.stack.0x1200000",
                    "writes": 30,
                    "base": "0x1200000",
                    "execs": 0
                  },
                  {
                    "reads": 2,
                    "tag": "emu.segment.gs.0x3000",
                    "writes": 0,
                    "base": "0x3000",
                    "execs": 0
                  },
                  {
                    "reads": 1,
                    "tag": null,
                    "writes": 0,
                    "base": "0x0",
                    "execs": 0
                  }
                ],
                "ep_type": "module_entry",
                "error": {
                  "instr": "cmp word ptr [rcx], ax",
                  "regs": {
                    "r14": "0x0000000000000000",
                    "r15": "0x00000001400022a8",
                    "rcx": "0x0000000000000001",
                    "rsi": "0x0000000000000000",
                    "r10": "0x0000000000000000",
                    "rbx": "0x0000000000000002",
                    "rdi": "0x0000000140002298",
                    "r11": "0x0000000000000000",
                    "r8": "0x0000000000004020",
                    "r9": "0x0000000000004030",
                    "rip": "0x0000000140001911",
                    "rdx": "0x0000000000000000",
                    "r12": "0x0000000000000000",
                    "rbp": "0x0000000001211fd8",
                    "rsp": "0x0000000001211e78",
                    "rax": "0x0000000000005a4d",
                    "r13": "0x0000000000000000"
                  },
                  "pc": "0x140001911",
                  "address": "0x1",
                  "type": "invalid_read",
                  "stack": [
                    "sp+0x00: 0x0000000000000000",
                    "sp+0x08: 0x0000000000000000",
                    "sp+0x10: 0x0000000000000000",
                    "sp+0x18: 0x0000000140001975 -> emu.module._MALWARE__66fea2c3f401c12b3a16d9b8c88eb397e7fa19115aa84fda8e34585c38dcb67c.0x140000000",
                    "sp+0x20: 0x0000000000000000",
                    "sp+0x28: 0x0000000000000000",
                    "sp+0x30: 0x0000000000000000",
                    "sp+0x38: 0x0000000000000000",
                    "sp+0x40: 0x0000000000000001",
                    "sp+0x48: 0x0000000140001549 -> emu.module._MALWARE__66fea2c3f401c12b3a16d9b8c88eb397e7fa19115aa84fda8e34585c38dcb67c.0x140000000",
                    "sp+0x50: 0x0000000000000000",
                    "sp+0x58: 0x0000000000000000",
                    "sp+0x60: 0x0000000000000000",
                    "sp+0x68: 0x0000000000000000",
                    "sp+0x70: 0x0000000000000000",
                    "sp+0x78: 0x00000001400016c8 -> emu.module._MALWARE__66fea2c3f401c12b3a16d9b8c88eb397e7fa19115aa84fda8e34585c38dcb67c.0x140000000"
                  ]
                },
                "ret_val": "0x5a4d",
                "dynamic_code_segments": []
              }
            ],
            "timestamp": 1679416101,
            "os_run": "windows.10_1",
            "emulation_total_runtime": 0.165,
            "arch": "x64",
            "strings": {
              "in_memory": {
                "ansi": [],
                "unicode": []
              }
            }
          }
        ],
        "parsed_output": [
          {
            "known_suspicious_function": false,
            "dll_name": "KERNEL32",
            "arguments_passed": [
              "0x1211f98"
            ],
            "function_return_value": "None",
            "function_called": "GetSystemTimeAsFileTime",
            "location": "0x1400012df"
          },
          {
            "known_suspicious_function": false,
            "dll_name": "KERNEL32",
            "arguments_passed": [],
            "function_return_value": "0x420",
            "function_called": "GetCurrentProcessId",
            "location": "0x1400012ed"
          },
          {
            "known_suspicious_function": true,
            "dll_name": "KERNEL32",
            "arguments_passed": [],
            "function_return_value": "0x434",
            "function_called": "GetCurrentThreadId",
            "location": "0x1400012f9"
          },
          {
            "known_suspicious_function": true,
            "dll_name": "KERNEL32",
            "arguments_passed": [],
            "function_return_value": "0x5265c14",
            "function_called": "GetTickCount",
            "location": "0x140001305"
          },
          {
            "known_suspicious_function": true,
            "dll_name": "KERNEL32",
            "arguments_passed": [],
            "function_return_value": "0x5265c28",
            "function_called": "GetTickCount",
            "location": "0x140001315"
          },
          {
            "known_suspicious_function": false,
            "dll_name": "KERNEL32",
            "arguments_passed": [
              "0x1211f90"
            ],
            "function_return_value": "0x1",
            "function_called": "QueryPerformanceCounter",
            "location": "0x140001330"
          },
          {
            "known_suspicious_function": false,
            "dll_name": "api-ms-win-core-processthreads-l1-1-0",
            "arguments_passed": [
              "0x1211f38",
              "0x4010",
              "0x4020",
              "0x4030"
            ],
            "function_return_value": "0x1",
            "function_called": "GetStartupInfoW",
            "location": "0x14000162e"
          },
          {
            "known_suspicious_function": false,
            "dll_name": "api-ms-win-core-libraryloader-l1-2-0",
            "arguments_passed": [
              "0x0",
              "0x4010",
              "0x4020",
              "0x4030"
            ],
            "function_return_value": "0x1",
            "function_called": "GetModuleHandleW",
            "location": "0x140001968"
          }
        ],
        "misc_information": [
          {
            "raw_output": [
              {
                "api_call": "KERNEL32.GetSystemTimeAsFileTime(0x1211f98)",
                "return_value": "None",
                "address": "0x1400012df"
              },
              {
                "api_call": "KERNEL32.GetCurrentProcessId()",
                "return_value": "0x420",
                "address": "0x1400012ed"
              },
              {
                "api_call": "KERNEL32.GetCurrentThreadId()",
                "return_value": "0x434",
                "address": "0x1400012f9"
              },
              {
                "api_call": "KERNEL32.GetTickCount()",
                "return_value": "0x5265c14",
                "address": "0x140001305"
              },
              {
                "api_call": "KERNEL32.GetTickCount()",
                "return_value": "0x5265c28",
                "address": "0x140001315"
              },
              {
                "api_call": "KERNEL32.QueryPerformanceCounter(0x1211f90)",
                "return_value": "0x1",
                "address": "0x140001330"
              },
              {
                "api_call": "api-ms-win-core-processthreads-l1-1-0.GetStartupInfoW(0x1211f38,",
                "return_value": "0x1",
                "address": "0x14000162e"
              },
              {
                "api_call": "api-ms-win-core-libraryloader-l1-2-0.GetModuleHandleW(0x0,",
                "return_value": "0x1",
                "address": "0x140001968"
              }
            ]
          }
        ]
      },
      "hashes": {
        "sha1": "ed13af4a0a754b8daee4929134d2ff15ebe053cd",
        "imphash": "8eeaa9499666119d13b3f44ecd77a729",
        "crc32": "0xdf505c22",
        "id_hash": "b63a9a1dde90a751d74ae15250e16b73f14041c699db23bcfd2cc976629d6c4d",
        "ssdeep": "384:Otj8FKzuRxmeWCJxhd2WS/YWyiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiLiiiB:QXif4CbPQ7",
        "sha256": "58189cbd4e6dc0c7d8e66b6a6f75652fc9f4afc7ce0eba7d67d8c3feb0d5381f",
        "sha512": "6e2b067760ec178cdcc4df04c541ce6940fc2a0cdd36f57f4d6332e38119dbc5e24eb67c11d2c8c8ffeed43533c2dd8b642d2c7c997c392928091b5ccce7582a",
        "md5": "5da8c98136d98dfec4716edd79c7145f"
      },
      "sections": {
        "results": ".text:\t5.80653548846\n.rdata:\t3.96936179484\n.data:\t0.378703493488\n.pdata:\t1.97732827586\n.rsrc:\t2.81352566021\n.reloc:\t0.46347168954\n"
      },
      "strings": {
        "results": "ukf+\n|$0A\n.00cfg\n            language=\"*\"\n\\$0H\n    <dependentAssembly>\n@.reloc\n<trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\n.CRT$XCAA\n<description>Windows Shell</description>\nP/!)\nprocessorArchitecture=\"*\"\n</dependentAssembly>\n!This\n8csm\n.text$x\nGetCurrentProcess\nEventWriteTransfer\nD$$I;\n</security>\nL$0H\nprogram\n_XcptFilter\nexit\n.data\ntype=\"win32\"/>\n_fmode\npublicKeyToken=\"6595b64144ccf1df\"\n\\$ UH\n.text$mn$00\n.CRT$XIA\nGCTL\n`.rdata\n@.rsrc\n.rdata$zETW0\n.CRT$XIY\n.CRT$XIZ\ncannot\nGetSystemTimeAsFileTime\nSHELL32.dll\n.rdata$zETW9\np AWH\n<!-- Copyright (c) Microsoft Corporation -->\n_initterm\n.rdata$zzzdbg\nxmlns=\"urn:schemas-microsoft-com:asm.v3\">\nxmlns=\"http://schemas.microsoft.com/SMI/2005/WindowsSettings\">true</dpiAware>\nL$(H\n<assemblyIdentity\nGetTickCount\n_wcmdln\n.pdata\nIDATx\n</windowsSettings>\nD$ L\nD$ H\n<application xmlns=\"urn:schemas-microsoft-com:asm.v3\">\n<dependentAssembly>\nMicrosoftCalculator\n.rdata$brc\nlanguage=\"*\"\n    </dependentAssembly>\nname=\"Microsoft.Windows.Shell.calc\"\nT$PH\n    name=\"Microsoft.Windows.Shell.calc\"\n    type=\"win32\"/>\n            processorArchitecture=\"*\"\nETW0\nCalculatorWinMain\nRtlVirtualUnwind\nUnhandledExceptionFilter\nRSDSG\nHcA<H\nt\"H+\n</dependency>\nIEND\n</requestedPrivileges>\n<trustInfo\n\\$HH\n<requestedPrivileges>\n<dpiAware\n            publicKeyToken=\"6595b64144ccf1df\"\napi-ms-win-core-processthreads-l1-1-0.dll\n.CRT$XCZ\nSetUnhandledExceptionFilter\n.xdata\n.CRT$XCA\nuiAccess=\"false\"/>\nD$0A\n.rsrc$02\nIHDR\n.rsrc$01\n.data$brc\n\"CalculatorStarted\"\nname=\"Microsoft.Windows.Common-Controls\"\nmanifestVersion=\"1.0\">\n@.data\nD$0H\nGetCurrentThreadId\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" 
manifestVersion=\"1.0\">\nD$(H\nversion=\"6.0.0.0\"\nf9H\\u\nCopyright\ncalc.pdb\nQueryPerformanceCounter\nKERNEL32.dll\nmsvcrt.dll\nD$pH\n<requestedExecutionLevel\n</assembly>\nShell</description>\n_cexit\nEventSetInformation\n__C_specific_handler\n<security>\nversion=\"1.0\"\nu*9Q<|%\nMicrosoft\n        <dpiAware  xmlns=\"http://schemas.microsoft.com/SMI/2005/WindowsSettings\">true</dpiAware>\nD$8H\nGetStartupInfoW\n_commode\nLcA<E3\n</trustInfo>\nD$hH\napi-ms-win-core-synch-l1-2-0.dll\nL$@L\n.CRT$XIAA\n<dependency>\nRtlLookupFunctionEntry\napi-ms-win-core-libraryloader-l1-2-0.dll\n.rdata\n            type=\"win32\"\n</application>\n<?xml\n__setusermatherr\nCalculatorStarted\nprocessorArchitecture=\"amd64\"\nstandalone=\"yes\"?>\nShellExecuteW\nD$p3\n.text$mn\n            name=\"Microsoft.Windows.Common-Controls\"\n    <windowsSettings>\nADVAPI32.dll\n        />\nversion=\"5.1.0.0\"\n        <assemblyIdentity\n__wgetmainargs\nRich\n    processorArchitecture=\"amd64\"\nCorporation\nT$xL\n<application\nt$ H\nD$$H\n<assembly\nD$HH\n.text\n_amsg_exit\n?terminate@@YAXXZ\n    <security>\n.gfids\nD$@H\nu$L97t\n            version=\"6.0.0.0\"\n.idata$6\n.idata$5\n.idata$4\n.idata$3\n.idata$2\n    </security>\nencoding=\"UTF-8\"\n        </requestedPrivileges>\nmode.\n<description>Windows\nL$pH3\nT$P3\nD$`H\n            <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>\nD$HE3\ntype=\"win32\"\nlevel=\"asInvoker\"\n        <requestedPrivileges>\nRtlCaptureContext\n<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n.bss\nxmlns=\"urn:schemas-microsoft-com:asm.v1\"\nGetModuleHandleW\n<!--\n H3E\n!This program cannot be run in DOS mode.\n    </windowsSettings>\nL$xH\nEventRegister\nu HcA<H\n.rdata$zETW1\nD$4I\nD$XH\n.rdata$zETW2\n_exit\n wtf\n<windowsSettings>\nSleep\nTerminateProcess\n    version=\"5.1.0.0\"\nGetCurrentProcessId\n__set_app_type\n"
      }
    },
    "isMaintenance": false,
    "success": true,
    "messages": [
      {
        "type": "success",
        "code": 200,
        "message": "Scan ran"
      }
    ]
  },
  "isMaintenance": false,
  "success": true
}

🔴 400

{}
