Live Demo — Interactive TUI Malware Analysis | Hacksguard

// INTERACTIVE DEMO

Simulated analysis of sf.exe

Click the tabs or use ←/→ keys — exactly like the real TUI. Get the real thing ↓

◆ HACKSGUARD — analyzing sf.exe
Spawning threads · parsing PE · computing entropy · loading YARA cache…
◆ HACKSGUARD sf.exe (92.0 KB) ● LIVE SIMULATION
! CRITICAL — Strong malware indicators detected  [100/100]
── File Info ──
Name: sf.exe
Size: 92.0 KB (94208)
Type: PE32+ EXE (x86-64 (AMD64))
Magic: 4D 5A 90 00 03 00 00 00
── PE Metadata ──
Authenticode: ✗ absent
Entry Point: 0x00015030
Image Base: 0x140000000
Subsystem: Windows GUI
Linker: 2.45
Compiled: 2026-07-10 20:10:09 UTC (3 minutes ago)
── Risk Breakdown ──
{{ r.name }}
{{ r.pts }}
Total   100/100 (CRITICAL)
── Hashes ──
MD5   : 9690468b640feab936be78e28295c6d0
SHA1  : 476d6f21c813b57d4e0d289959435d5e3fe4669d
SHA256: aa3516dd15490c3ff49a36f27a0283a68ed7d0dd664fa54adf37fcc713f633e0
── Detection Checks (5/33) ──
5/33 triggered
● [CRIT] Indirect Syscalls Detected
◉ [HIGH] IAT Spoofing / Hidden IAT
◉ [HIGH] PEB Walking (API Hashing)
◉ [HIGH] API Hashing loop detected
· [INFO] No imports
── YARA Analysis ──
1 rules matched:
 · Windows_Trojan_Adaptix_b2cda978
── Embedded Executable Scan ──
No embedded PE found
── Entropy by Section ──
{{ se.name }}
{{ se.val }}
── Byte Distribution ──
Pattern: Mixed (typical binary) (32% printable, 19% null)
── Malware Pattern ──
✓ No known malware pattern matched
── Anomalies ──
[WARN] No imports — possibly packed or hand-crafted
[INFO] [.bss] Raw size 0 with non-zero virtual size
── COFF Header ──
Machine: x86-64 (AMD64)
Timestamp: 2026-07-10 20:10:09 UTC
Is DLL: false
64-bit: true
── Characteristics ──
Executable Image
Line Nums Stripped
Local Syms Stripped
Large Address Aware
Debug Stripped
── Optional Header ──
Entry Point: 0x00015030 (.text)
Image Base: 0x140000000
Subsystem: Windows GUI
Linker: 2.45
── Security Mitigations ──
ASLR ✓ enabled
DEP  ✓ enabled
CFG  ✗ disabled
── System Calls ──
Direct    NOT FOUND
Indirect  ▲ DETECTED
── Data Directories ──
{{ d.name }} RVA: {{ d.rva }} Size: {{ d.size }}
NameVSizeRawSizeEntropyFlagsAnomalies
{{ s.name }} {{ s.vsize }} {{ s.rawsize }} {{ s.entropy }} {{ s.flags }} {{ s.anom }}
Imports
0 DLLs, 0 functions ● 0● 0● 0
▲ Why is an empty IAT suspicious?
Every real Windows program imports functions. A binary with zero static imports almost certainly resolves APIs at runtime — via PEB walking, API hashing, or manual syscalls — a classic evasion pattern. Hacksguard flags this as IAT Spoofing / Hidden IAT.
Detected System Call Instructions
Address: {{ sc.addr }} [Indirect] mov eax,1; call {{ sc.reg }} (possibly NtWorkerFactoryWorkerReady)
Disassembly at Entry Point (0x00015030)
{{ d.addr }}  {{ d.op }}    {{ d.args }}
Hex Dump (First 1024 bytes)
{{ h.off }} {{ h.bytes }} {{ h.ascii }}
Strings
459 strings extracted
[STR] {{ st.off }} {{ st.val }}
Full File Entropy Graph
8.04.00.0
Entropy Analysis Details
Global Shannon Entropy: 5.4801 [Normal]
Peak Local Entropy: 5.5500 (at offset range: 0xcf00..0xd4c0)
File Size: 94208 bytes / Graph Resolution: 64 chunks
✓ Entropy levels are within normal bounds.
Hacksguard Analyst Guide
── 1. Risk Score ──
The global score (0-100) indicates the probability that a file is malicious, across 5 axes:
 · Entropy (25 pts) · APIs (25 pts) · Anomalies (25 pts) · Strings (15 pts) · Packing (15 pts)
── 2. Entropy & Overlay Analysis ──
 · < 6.0 : Normal data · 6.0-7.0 : Gray zone · > 7.0 : Highly suspicious
── 3. Packers & YARA ──
UPX / MPRESS: common, sometimes legitimate · Themida / VMProtect: high risk. YARA rules from Elastic protections-artifacts and Neo23x0 signature-base.
── 4. APIs & Imports ──
Injection: VirtualAllocEx, WriteProcessMemory, CreateRemoteThread · Keylogging: SetWindowsHookEx, GetAsyncKeyState · Anti-debug: IsDebuggerPresent
── 5. PE Format Anomalies ──
W+X sections, forged timestamps, entry point out of bounds — indicators of manual manipulation.
Full guide with detail on every check → Analyst Guide page
←/→ Tab ↑/↓ Scroll Home Top q Quit simulation — data from a real Adaptix trojan triage