The analysis report contains all the results on a file that has been submitted for analysis. The report is divided into three sections: Overview, Summary and Full Report.

Overview

The overview section summarises the results of the Threatray analysis. It aggregates all kinds of findings, such as detection and identification verdicts, as well as intelligence.

1. Verdict: This is the verdict of the analysis. The verdict can be ‘unknown’, ‘suspicious’ or ‘malicious’. This is explained in detail here.
2. Malware families: An optional list of malware families that were identified.
3. Verdict details: The details of how the verdict came to be. Threatray employs various techniques to detect and identify. These are:
   1. Code: Verdict from Threatray’s code detections. This is explained in detail here.
   2. AV: Verdict from an OEM antivirus engine.
   3. YARA: Verdict from YARA rules curated by Threatray.
   4. Behavior: Verdict based on behavioral detection rules curated by Threatray.
4. Intelligence: Any intelligence related to this analysis. This encompasses unvetted community YARA rules. Intelligence does not affect the verdict and is purely informational.
5. File metadata: SHA256 hash, filename, type, size and first seen date.
6. Analysis metadata: Unique Analysis ID, creation timestamps and analysis type details.
7. Actions: Download file, Reanalyse file, Report a false negative or false positive, Delete the analysis.

Summary

The summary section gives an overview of all binary code that was extracted and analyzed.

It contains the analysis for the submitted file (1) and the analysis of all memory regions that contain binary code (2). A memory region has either been extracted through dynamic analysis, or extracted statically in case the analysis is from a minidump or an endpoint scan.

Each memory region can also be found in the full report and navigation to it is possible via a button (3).

 Details on binary code

Threatray provides details on the submitted file and each memory region that was analyzed.

In this example, we are looking at the details of a memory region, extracted from the explorer.exe process and identified as Latrodectus. There are four tabs: verdict details, prevalence, OSINT hunt and file information.

Verdict details

The verdict details tab explains how the verdict came to be (1). The structure and semantics is the same as in the summary section.

The code detections (2) section shows how much code in this binary file is reused from known malware families or known-good executables. These overlaps determine the ‘code’ verdict and relevant overlaps can be from just a few functions to hundreds. Code detections are explained in detail here.

The right-hand side includes the actions (3): Show this region in the full report, Download the file, Retrohunt for this file, Show code detections per function.

Prevalence

The prevalence tab indicates how many samples contain this or similar binary code. The statistics (1) aggregate the malware identification of the similar samples and the graph (2) shows their distribution over time, based on first-seen timestamps. The prevalence is calculated over the files you have analyzed and over the millions of files that Threatray provides in its global threat feed.

A more detailed list of similar samples can be reached via retrohunt, explained in detail here.

OSINT Hunt

The OSINT Hunt tab shows a list of similar samples that contain this or similar binary code, and were mentioned in Open Source Intelligence (OSINT) threat reports.

Each threat report can be opened, showing a summary of the report and the list of similar samples in this report.

More details on OSINT Hunts can be found here.

File information

The file information tab lists general file metadata, extracted strings and in case that it is a PE file, PE metadata.

Full report

The full report section contains additional information from our sandboxing component, such as the submitted file (1, equal to the summary), process graph (2), dynamic artifacts (3), as well as process and memory details (4).

In case the analysis is a minidump or endpoint scan, it will only contain the process and memory details.

Progress graph

The process graph shows the process behavior exhibited during the execution of the submitted file in the sandboxing component.

 Dynamic artifacts

The dynamic artifacts section lists all artifacts that were extracted during the sandboxing process. The types collected are:

• IPs, Domains and URLs that were fetched
• Files and registry modifications
• Mutex creations

The extraction process is purely dynamic, no static extraction takes place, e.g. an IP that was not called will not appear here.

Process and memory details

This section shows details on processes and process memory behavior.

This includes process name, PID, liveness, command line arguments, verdict with its details and the lifetime (1).

For each process, Threatray shows memory regions which possibly contain suspicious code. This can be an unknown executable or DLL which was loaded, or a memory region which may result from code-injections and unpacking. Some processes don’t have any dumped memory regions in case no suspicious code was loaded, e.g. a cmd.exe process issuing a command.

In this example, the explorer.exe process has exactly one memory region, identified as Latrodectus (2). This is the same memory region visible in the Binary Intelligence tab.

The rundll32.exe process has several memory regions, one of them identified as BruteRatelC4 (3). The information in the collapsible memory region is once more the same as in the Binary Intelligence tab.