Signature | Category | MITRE ATT&CK technique
--- | --- | ---
Found API chain indicative of debugger detection | Anti Debugging | Virtualization/Sandbox Evasion
Sample file is different than original file name gathered from version info | System Summary |
Extensive use of GetProcAddress (often used to hide API calls) | Hooking and other Techniques for Hiding and Protection |
Contains functionality to check if a debugger is running (IsDebuggerPresent) | Anti Debugging |
Contains functionality to query locales information (e.g. system language) | Language, Device and Operating System Detection |
Uses code obfuscation techniques (call, push, ret) | Data Obfuscation |
PE file contains sections with non-standard names | Data Obfuscation | Security Software Discovery
Detected potential crypto function | System Summary |
Found potential string decryption / allocating functions | System Summary | Deobfuscate/Decode Files or Information; Obfuscated Files or Information
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems) | Malware Analysis System Evasion, Anti Debugging | Security Software Discovery
Contains functionality to check if a debugger is running (OutputDebugString, GetLastError) | Anti Debugging |
Contains functionality to call native functions | System Summary |
Contains functionality to communicate with device drivers | System Summary | Security Software Discovery
Found large amount of non-executed APIs | Malware Analysis System Evasion |
Uses Microsoft's Enhanced Cryptographic Provider | Cryptography |
Uses the system / local time for branch decision (may execute only at specific dates) | Malware Analysis System Evasion |
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress) | Anti Debugging |
PE file has an executable .text section and no other executable section | System Summary |
Reads software policies | System Summary | Security Software Discovery
Contains functionality to enumerate / list files inside a directory | Spreading, Malware Analysis System Evasion | File and Directory Discovery
Contains functionality to query time zone information | Language, Device and Operating System Detection |
Uses an in-process (OLE) Automation server | System Summary |
Contains functionality to register its own exception handler | Anti Debugging |
URLs found in memory or binary data | Networking |
Contains functionality to query local / system time | Language, Device and Operating System Detection | System Information Discovery
Sample might require command line arguments | System Summary |
PE file contains a valid data directory to section mapping | System Summary |
PE file contains a debug data directory | System Summary |
Contains modern PE file flags such as dynamic base (ASLR) or NX | Compliance, System Summary |
PE file contains a mix of data directories often seen in goodware | System Summary |
PE file has a big raw section | System Summary |
Submission file is bigger than most known malware samples | System Summary |
PE file has a big code size | System Summary |
PE file has a high image base, often used for DLLs | System Summary | Security Software Discovery
PE / OLE file has a valid certificate | Compliance, System Summary |