Verdict: MALICIOUS
Risk Score: 80
Malware Insights
MITRE ATT&CK: T1027 Obfuscated Files or Information
The sample exhibits two high-risk heuristics: it reads the PEB through the FS segment and resolves imports by ROR13 hashing of export names. This is the classic position-independent shellcode import resolver: it needs no import table and carries no plaintext API names, so static analysis and import- or string-based signatures have nothing to match. The captured routine resolves from a single module, the second entry of the loader's InInitializationOrderModuleList (kernel32.dll on Windows XP and Vista; on Windows 7 and later that slot is typically kernelbase.dll, which is why this older resolver variant fails there and newer shellcode hashes the module name as well). The hash it compares against is supplied by the caller in EBX and lies outside the captured region, so the API being resolved cannot be named from this evidence alone. Most memory operands carry redundant ds:/ss: segment-override prefixes (bytes 3e/36); these do not change behaviour under a flat address space but do change the byte pattern, so byte-exact signatures written for the canonical resolver will not match this copy. No specific family could be identified, and no external IOCs were extracted from the provided evidence.
Heuristics (2)
- PEB access via FS segment (x86)
  Severity: high. Rule ID: SC_PEB_ACCESS. Description: PEB access via FS segment (x86).
Disassembly
x86 disassembly; validity: code (0.969); 6/6 branch targets land on an instruction boundary (100% coherence). Comments after ";" were added by the editor; the redundant ds:/ss: override prefixes (3e/36) are no-ops under a flat memory model.

000EEB2F 648b4030    mov eax, dword ptr fs:[eax + 0x30]       ; with eax = 0 on entry this is fs:[0x30], the PEB
000EEB33 3e8b400c    mov eax, dword ptr ds:[eax + 0xc]        ; PEB->Ldr (PEB_LDR_DATA)
000EEB37 3e8b701c    mov esi, dword ptr ds:[eax + 0x1c]       ; Ldr->InInitializationOrderModuleList.Flink (first entry: ntdll.dll)
000EEB3B ad          lodsd eax, dword ptr [esi]               ; eax = Flink of the first entry, i.e. the second entry
000EEB3C 3e8b6808    mov ebp, dword ptr ds:[eax + 8]          ; ebp = DllBase of the second entry (kernel32.dll on XP/Vista, kernelbase.dll on Win7+)
000EEB40 56          push esi
000EEB41 57          push edi
000EEB42 368b453c    mov eax, dword ptr ss:[ebp + 0x3c]       ; IMAGE_DOS_HEADER.e_lfanew
000EEB46 368b542878  mov edx, dword ptr ss:[eax + ebp + 0x78] ; DataDirectory[EXPORT].VirtualAddress (PE32 offset; PE32+ would be 0x88)
000EEB4B 03d5        add edx, ebp                             ; edx = IMAGE_EXPORT_DIRECTORY
000EEB4D 52          push edx
000EEB4E 3e8b5220    mov edx, dword ptr ds:[edx + 0x20]       ; AddressOfNames RVA
000EEB52 03d5        add edx, ebp
000EEB54 33c0        xor eax, eax                             ; upper bytes of eax stay 0 so lodsb/add see a single byte
000EEB56 33c9        xor ecx, ecx                             ; name index
000EEB58 41          inc ecx                                  ; pre-increment: names[0] is never examined
000EEB59 3e8b348a    mov esi, dword ptr ds:[edx + ecx*4]      ; RVA of names[ecx]
000EEB5D 03f5        add esi, ebp
000EEB5F 33ff        xor edi, edi                             ; hash accumulator
000EEB61 c1cf0d      ror edi, 0xd                             ; hash loop: rotate right 13, then add the next byte
000EEB64 ac          lodsb al, byte ptr [esi]
000EEB65 03f8        add edi, eax                             ; the terminating NUL is folded in, so one extra rotate applies
000EEB67 85c0        test eax, eax
000EEB69 75f6        jne 0xeeb61
000EEB6B 3bfb        cmp edi, ebx                             ; ebx = target hash, supplied by the caller (not in the captured region)
000EEB6D 75e9        jne 0xeeb58                              ; no bound check against NumberOfNames
000EEB6F 5a          pop edx                                  ; export directory again
000EEB70 3e8b5a24    mov ebx, dword ptr ds:[edx + 0x24]       ; AddressOfNameOrdinals
000EEB74 03dd        add ebx, ebp
000EEB76 663e8b0c4b  mov cx, word ptr ds:[ebx + ecx*2]        ; ordinal = NameOrdinals[ecx]
000EEB7B 3e8b5a1c    mov ebx, dword ptr ds:[edx + 0x1c]       ; AddressOfFunctions
000EEB7F 03dd        add ebx, ebp
000EEB81 3e8b048b    mov eax, dword ptr ds:[ebx + ecx*4]      ; Functions[ordinal] RVA
000EEB85 03c5        add eax, ebp                             ; eax = resolved virtual address
000EEB87 5f          pop edi
000EEB88 5e          pop esi
000EEB89 ffe0        jmp eax                                  ; tail-jump into the resolved API
000EEB8B 58          pop eax
000EEB8C 50          push eax
000EEB8D c3          ret
000EEB8E 55          push ebp
- PEB API-hash resolver
  Severity: high. Rule ID: SC_API_HASH_RESOLVER. Description: PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver.
Disassembly: identical to the listing under SC_PEB_ACCESS above (000EEB2F to 000EEB8E); both heuristics fire on the same region.
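The check an analyst wants next is to reproduce the resolver offline: compute the ROR13 hash exactly as the captured loop does, map a hash constant recovered from the caller back to an API name, and confirm which export the walk would pick. The following is an added example written by the editor; it is not part of the analyzer's output or of the sample. The export table it walks is a hand-built stand-in (RVA equal to file offset, only the header fields the shellcode reads), the candidate API list is constructed, and the helper names ror13, identify, build_image and resolve are the editor's own. The hash is implemented in both forms seen in the wild: the sample's order (rotate, then add, including the terminating NUL) and the older order that stops before the NUL, under which LoadLibraryA hashes to the well-known constant 0xEC0E4E8E.

```python
import struct


def ror13(name: bytes, include_terminator: bool = True) -> int:
    """Hash an API name the way the captured loop does: ror edi,13 then add the
    next byte, repeated until the byte read was 0. With include_terminator=True
    the NUL is folded in (one extra rotate), matching this sample. The older
    variant (include_terminator=False) stops before the NUL."""
    data = name + b"\x00" if include_terminator else name
    h = 0
    for b in data:
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # ror edi, 0xd
        h = (h + b) & 0xFFFFFFFF                   # add edi, eax
    return h


def identify(hash_value: int, candidates, include_terminator: bool = True):
    """Reverse a hash constant (the value the caller puts in EBX) to an API name."""
    table = {ror13(n, include_terminator): n for n in candidates}
    return table.get(hash_value)


def u32(img, off):
    return struct.unpack_from("<I", img, off)[0]


def u16(img, off):
    return struct.unpack_from("<H", img, off)[0]


def cstr(img, off):
    return img[off:img.index(b"\x00", off)]


def build_image(exports):
    """Constructed minimal PE32-shaped buffer (RVA == offset) with only what the
    shellcode touches: e_lfanew, DataDirectory[0] and an export directory."""
    img = bytearray(0x800)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                  # e_lfanew -> PE header at 0x80
    img[0x80:0x84] = b"PE\x00\x00"
    exp, funcs, names, ords, strs = 0x200, 0x300, 0x400, 0x500, 0x600
    struct.pack_into("<II", img, 0x80 + 0x78, exp, 0x28)    # export directory RVA/size (PE32 offset)
    # NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames at +0x14..+0x20
    struct.pack_into("<IIII", img, exp + 0x14, len(exports), len(exports), funcs, names)
    struct.pack_into("<I", img, exp + 0x24, ords)            # AddressOfNameOrdinals
    for i, (name, rva) in enumerate(exports):                # name table is kept sorted, as in a real module
        struct.pack_into("<I", img, funcs + 4 * i, rva)
        struct.pack_into("<I", img, names + 4 * i, strs)
        struct.pack_into("<H", img, ords + 2 * i, i)
        img[strs:strs + len(name)] = name
        strs += len(name) + 1
    return bytes(img)


def resolve(img, target_hash):
    """Walk the export directory exactly as the listing does. Returns the matching
    function's RVA (the shellcode adds DllBase to it), or None if nothing matches."""
    e_lfanew = u32(img, 0x3C)                                # [ebp+0x3c]
    exp = u32(img, e_lfanew + 0x78)                          # [eax+ebp+0x78]
    names = u32(img, exp + 0x20)                             # AddressOfNames
    ordinals = u32(img, exp + 0x24)                          # AddressOfNameOrdinals
    functions = u32(img, exp + 0x1C)                         # AddressOfFunctions
    n = u32(img, exp + 0x18)                                 # NumberOfNames (the shellcode never checks it)
    i = 0
    while True:
        i += 1                                               # inc ecx before the first load: names[0] is skipped
        if i >= n:
            return None                                      # added bound; the real loop would run off the table
        name = cstr(img, u32(img, names + 4 * i))
        if ror13(name) == target_hash:                       # cmp edi, ebx
            ordinal = u16(img, ordinals + 2 * i)             # mov cx, [ebx+ecx*2]
            return u32(img, functions + 4 * ordinal)         # mov eax, [ebx+ecx*4]


# Constructed candidate list and export table (names sorted, RVAs arbitrary).
CANDIDATES = [b"ExitProcess", b"GetProcAddress", b"LoadLibraryA", b"WinExec"]
IMAGE = build_image([(n, 0x1000 + 0x10 * i) for i, n in enumerate(CANDIDATES)])

if __name__ == "__main__":
    h = ror13(b"LoadLibraryA")
    print(f"LoadLibraryA: {h:#010x} (this sample's loop), "
          f"{ror13(b'LoadLibraryA', False):#010x} (without the NUL)")
    print("identify:", identify(h, CANDIDATES))
    print("resolve:", hex(resolve(IMAGE, h)))
    print("ExitProcess sits at names[0]:", resolve(IMAGE, ror13(b"ExitProcess")))
```

To apply this to the sample, recover the value loaded into EBX before the call into 000EEB2F (it is outside the captured region) and pass it to identify with a list of plausible kernel32 exports; if nothing matches with the default setting, retry with include_terminator=False, since the two loop orders yield different constants for the same name. The skipped names[0] and the missing NumberOfNames bound are reproduced deliberately, because they are properties of this resolver that distinguish it from the textbook version.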