Hacksguard Analyst Guide
── 1. Risk Score ──
The global score (0-100) indicates the probability that a file is malicious, across 5 axes:
· Entropy (25 pts) · APIs (25 pts) · Anomalies (25 pts) · Strings (15 pts) · Packing (15 pts)
── 2. Entropy & Overlay Analysis ──
· < 6.0 : Normal data · 6.0-7.0 : Gray zone · > 7.0 : Highly suspicious
── 3. Packers & YARA ──
UPX / MPRESS: common, sometimes legitimate · Themida / VMProtect: high risk. YARA rules from Elastic protections-artifacts and Neo23x0 signature-base.
── 4. APIs & Imports ──
Injection: VirtualAllocEx, WriteProcessMemory, CreateRemoteThread · Keylogging: SetWindowsHookEx, GetAsyncKeyState · Anti-debug: IsDebuggerPresent
── 5. PE Format Anomalies ──
W+X sections, forged timestamps, entry point out of bounds — indicators of manual manipulation.