Attempts to repeatedly call a single API many times in order to delay analysis time
Checks for the presence of known devices from debuggers and forensic tools
Detects Sandboxie through the presence of a library
Detects VMware through the IN instruction feature
This sample is detected by ClamAV as: Win.Spyware.Banker-3114
One or more AV tools detect this sample as malicious: Trojan:Win32/Tiggre!rfn
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Repeatedly searches for a not-found process; you may want to run a web browser during analysis
One or more of the buffers contains an embedded PE file
Executed a process and injected code into it, probably while unpacking
Unconventional language used in binary resources
The executable has PE anomalies (could be a false positive)
Allocates read-write-execute memory (usually to unpack itself)
The binary likely contains encrypted or compressed data.
Contains obfuscated control-flow to defeat static analysis.
More than 50% of the external calls do not go through the import address table
This sample contains high entropy sections
Anomalous binary characteristics
Presents an Authenticode digital signature