Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report


General Information

Sample Name:SY5DeZW6pz.exe
Analysis ID:694552


Gandcrab, ReflectiveLoader
Range:0 - 100


Yara detected Gandcrab
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected ReflectiveLoader
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Found evasive API chain (may stop execution after checking mutex)
Infects executable files (exe, dll, sys, html)
Contains functionality to determine the online IP of the system
Found Tor onion address
PE file has a writeable .text section
Uses known network protocols on non-standard ports
Machine Learning detection for sample
Machine Learning detection for dropped file
PE file contains section with special chars
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to dynamically determine API calls
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Entry point lies outside standard sections
Creates a DirectInput object (often for capturing keystrokes)
Queries information about the installed CPU (vendor, model number etc)
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
PE file contains more sections than normal
Contains functionality to enumerate device drivers
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider


  • System is w10x64
  • SY5DeZW6pz.exe (PID: 5580 cmdline: "C:\Users\user\Desktop\SY5DeZW6pz.exe" MD5: 536F2C1238EF65A64820C35D4504CE67)
    • vSQshX.exe (PID: 5540 cmdline: C:\Users\user\AppData\Local\Temp\vSQshX.exe MD5: 56B2C3810DBA2E939A8BB9FA36D3CF96)
      • WerFault.exe (PID: 5876 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 1432 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 1276 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 532 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
No configs have been found
SY5DeZW6pz.exeReflectiveLoaderDetects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommendedFlorian Roth
  • 0xf522:$x1: ReflectiveLoader
SY5DeZW6pz.exeSUSP_RANSOMWARE_Indicator_Jul20Detects ransomware indicatorFlorian Roth
  • 0xee7e:$: DECRYPT.txt
  • 0xeee4:$: DECRYPT.txt
SY5DeZW6pz.exeJoeSecurity_GandcrabYara detected GandcrabJoe Security
    SY5DeZW6pz.exeJoeSecurity_ReflectiveLoaderYara detected ReflectiveLoaderJoe Security
      SY5DeZW6pz.exeINDICATOR_SUSPICIOUS_ReflectiveLoaderdetects Reflective DLL injection artifactsditekSHen
      • 0xf521:$s1: _ReflectiveLoader@
      • 0xf522:$s2: ReflectiveLoader@
      Click to see the 1 entries
      00000000.00000000.307805000.000000000F3A2000.00000008.00000001.01000000.00000003.sdmpJoeSecurity_GandcrabYara detected GandcrabJoe Security
        00000000.00000000.324852504.000000000F3A2000.00000008.00000001.01000000.00000003.sdmpJoeSecurity_GandcrabYara detected GandcrabJoe Security
          00000000.00000000.307798996.000000000F39A000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_ReflectiveLoaderYara detected ReflectiveLoaderJoe Security
            00000000.00000002.353018126.000000000F39A000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_ReflectiveLoaderYara detected ReflectiveLoaderJoe Security
              00000000.00000000.317764936.000000000F3A2000.00000008.00000001.01000000.00000003.sdmpJoeSecurity_GandcrabYara detected GandcrabJoe Security
                Click to see the 17 entries
                0.0.SY5DeZW6pz.exe.3760000.2.unpackReflectiveLoaderDetects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommendedFlorian Roth
                • 0xe522:$x1: ReflectiveLoader
                0.0.SY5DeZW6pz.exe.3760000.2.unpackSUSP_RANSOMWARE_Indicator_Jul20Detects ransomware indicatorFlorian Roth
                • 0xde7e:$: DECRYPT.txt
                • 0xdee4:$: DECRYPT.txt
                0.0.SY5DeZW6pz.exe.3760000.2.unpackJoeSecurity_GandcrabYara detected GandcrabJoe Security
                  0.0.SY5DeZW6pz.exe.3760000.2.unpackJoeSecurity_ReflectiveLoaderYara detected ReflectiveLoaderJoe Security
                    0.0.SY5DeZW6pz.exe.3760000.2.unpackINDICATOR_SUSPICIOUS_ReflectiveLoaderdetects Reflective DLL injection artifactsditekSHen
                    • 0xe521:$s1: _ReflectiveLoader@
                    • 0xe522:$s2: ReflectiveLoader@
                    Click to see the 43 entries
                    No Sigma rule has matched
                    Timestamp: 08/31/22-23:41:31.686542
                    Source Port:49708
                    Destination Port:799
                    Classtype:A Network Trojan was detected
                    Timestamp: 08/31/22-23:41:23.030290
                    Source Port:49707
                    Destination Port:799
                    Classtype:A Network Trojan was detected
                    Timestamp: 08/31/22-23:41:22.706087
                    Source Port:58565
                    Destination Port:53
                    Classtype:A Network Trojan was detected

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    Source: SY5DeZW6pz.exeVirustotal: Detection: 81%Perma Link
                    Source: SY5DeZW6pz.exeMetadefender: Detection: 65%Perma Link
                    Source: SY5DeZW6pz.exeReversingLabs: Detection: 95%
                    Source: SY5DeZW6pz.exeAvira: detected
                    Source: http://ddos.dnsnb8.net:799/cj//k3.rar%Avira URL Cloud: Label: malware
                    Source: http://ddos.dnsnb8.net:799/cj//k3.rarAvira URL Cloud: Label: malware
                    Source: http://ddos.dnsnb8.net:799/cj//k2.rar%Avira URL Cloud: Label: malware
                    Source: http://ddos.dnsnb8.net:799/cj//k2.rarAvira URL Cloud: Label: malware
                    Source: http://ddos.dnsnb8.net/&Avira URL Cloud: Label: malware
                    Source: ddos.dnsnb8.netVirustotal: Detection: 5%Perma Link
                    Source: http://ddos.dnsnb8.net:799/cj//k3.rarVirustotal: Detection: 6%Perma Link