PE Similarity Search

PE fields

These features are carefully selected based on their ability to provide accurate and relevant results, and they are continuously updated to stay current with the latest malware trends and techniques.

Field name

Type

Description

File size

Number

Size of the input file

Unix timestamp

Number

A timestamp showing when the file was compiled

File characteristic

Number

Characteristics defining the behavior of the PE

DLL characteristic

Number

Features which make a PE actually portable in memory

Subsystem

Number

Defines whether the PE is made to be a Console or UI application

Image base

Number

“Base” address used if relocation doesn’t happen

Linker version(major)

Number

What version of linker what used at compilation time

Linker version(minor)

Number

What version of linker what used at compilation time

Entry point section entropy

Number

Entropy of the section where the entry point resides

Section number

Number

Number of sections present in the PE

Resource number

Number

Number of resources present in the PE

Resources to file ratio

Number

Ratio between the size of the resources & the file itself

CFG

Boolean

Indicator whether CFG (Control Flow Guard) is enabled at compilation time.

GS

Boolean

Indicator whether GS (Buffer Security Check [Guarded Stack]) is enabled at compilation time.

ASLR

Boolean

Indicator whether ASLR (Address space layout randomization) is enabled at compilation time.

Nxcompat

Boolean

Indicator whether NX compatibility (Data Execution Prevention [No eXecute]) is enabled at compilation time.

SEH

Boolean

Indicator whether SEH (Structured Exception Handler) is enabled at compilation time.

IsDotnet

Boolean

Whether the executable file is using the .NET framework

Digitally Signed

Boolean

Whether the digital signature is verified or not.

Field name

Type

Description

Digital signature verification

String

Whether the digital signature is verified or not.

Architecture

String

A string describing what target of architecture (eg. 32 or 64bit) the binary was compiled for

Language

String

What speaking language does the binary target

Entry point section name

String

Name of the section where the entry point of the PE resides. It’s a calculated value, based on the supplied entry point address & section details.

Pdb path

String

Path of the PDB file on the compiler machine

Field name

Type

Description

Verinfo: File Description

String

Version information describing the file description of this application

Verinfo: File version

String

Version information describing the file version of this application

Verinfo: Internal name

String

Version information describing the internal name of this application

Verinfo: Legal copyright

String

Version information describing the legal copyright of this application

Verinfo: Product name

String

Version information describing the product name of this application

Verinfo: Product version

String

Version information describing the product version of this application

Verinfo: Company name

String

Version information describing the company name who created this application

Field name

Type

Description

Pdb guid

String

GUID of the PDB associated with the binary

Field name

Type

Description

Rich header compiler ids

String

An ID number to the specific compiler used during the compilation process

Field name

Type

Description

Memory base address of section

String

In-memory base address of the section

Memory size of a section

Number

In-memory size of the section

Size of physical data

Number

Size of the physical data on-disk

Entropy of section

Number

Entropy of the specific section

Field name

Type

Description

Size of resources

Number

Size of the resource

File type of the actual data

String

File type of the actual data

Language

String

Intended language of the resource

Sublanguage

String

Intended language of the resource

Field name

Type

Description

Extracted Urls

String

Extracted URLs from the file

Extracted Domains

String

Extracted Domains from the file

Extracted Ips

String

Extracted Ips from the file

Extracted SHA-512 Hashes

String

Extracted SHA-512 from the file

Extracted UUIDs

String

Extracted UUIDs from the file

Extracted Registry Paths

String

Extracted Registry Paths from the file

Field name

Type

Description

DLL

String

Imported DLL of the input file

Functions

String

Imported functions from a specific dll

Field name

Type

Description

Certificate Owner

String

Shows the owner of the certificate

Certificate isRevoked

Boolean

Shows whether the associated certificate is revoked

Certificate isSelfSigned

Boolean

Shows whether the associated certificate is selfsigned

Certificate isExpired

Boolean

Shows whether the associated certificate is expired

Field name

Type

Example

Description

Threat Indicators

String

Number

An identifier to show what kind of rules (Threat indicator) Filescan itself matched on the target file. It can contain more info than what is present in the actual report

Similarity Search Filters

In addition to advanced technology, Similarity Search provides multi filtering search parameters. This feature offers greater flexibility and ensures that users receive the most accurate and relevant results for their specific needs.

Field name

Type

Possible values

Example

Description

Required

SHA-256

String


Number


Yes

Submission data

Date

2023-01-17T12:17:20.000Z

Number


Optional

Final Verdict

String

MALICIOUS, LIKELY_MALICIOUS, INFORMATIONAL, SUSPICIOUS, BENIGN, UNKNOWN

MALICIOUS

Verdict of a file

Optional

Tags

String

peexe,xml


Tags of a file

Optional

Threshold

Number

1 to 100 any integer

Number

Similarity threshold 0% to 100%

Higher score means higher similarity

Optional

Limit

Number

1 to 100 any integer

Number

Number of returns

Optional

Field name

Type

Description

File size

Number

Size of the input file

Entropy

Number

Entropy of the whole file

Architecture

Number

A string describing what target of architecture (eg. 32 or 64bit) the binary was compiled for

IsDotnet

Number

Whether the executable file is using the .NET framework