Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SY5DeZW6pz.exe

Overview

General Information

Sample Name:SY5DeZW6pz.exe
Analysis ID:694552
MD5:536f2c1238ef65a64820c35d4504ce67
SHA1:7806d51132e40728f581374a9d72d9713bff2dd0
SHA256:b6a71449958283718f01e6be9f7a9eb057479072c1cc55f26a11b033ea210271
Tags:exe
Infos:

Detection

Gandcrab, ReflectiveLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Gandcrab
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected ReflectiveLoader
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Found evasive API chain (may stop execution after checking mutex)
Infects executable files (exe, dll, sys, html)
Contains functionality to determine the online IP of the system
Found Tor onion address
PE file has a writeable .text section
Uses known network protocols on non-standard ports
Machine Learning detection for sample
Machine Learning detection for dropped file
PE file contains section with special chars
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to dynamically determine API calls
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Entry point lies outside standard sections
Creates a DirectInput object (often for capturing keystrokes)
Queries information about the installed CPU (vendor, model number etc)
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
PE file contains more sections than normal
Contains functionality to enumerate device drivers
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

  • System is w10x64
  • SY5DeZW6pz.exe (PID: 5580 cmdline: "C:\Users\user\Desktop\SY5DeZW6pz.exe" MD5: 536F2C1238EF65A64820C35D4504CE67)
    • vSQshX.exe (PID: 5540 cmdline: C:\Users\user\AppData\Local\Temp\vSQshX.exe MD5: 56B2C3810DBA2E939A8BB9FA36D3CF96)
      • WerFault.exe (PID: 5876 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 1432 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 1276 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 532 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
SY5DeZW6pz.exeReflectiveLoaderDetects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommendedFlorian Roth
  • 0xf522:$x1: ReflectiveLoader
SY5DeZW6pz.exeSUSP_RANSOMWARE_Indicator_Jul20Detects ransomware indicatorFlorian Roth
  • 0xee7e:$: DECRYPT.txt
  • 0xeee4:$: DECRYPT.txt
SY5DeZW6pz.exeJoeSecurity_GandcrabYara detected GandcrabJoe Security
    SY5DeZW6pz.exeJoeSecurity_ReflectiveLoaderYara detected ReflectiveLoaderJoe Security
      SY5DeZW6pz.exeINDICATOR_SUSPICIOUS_ReflectiveLoaderdetects Reflective DLL injection artifactsditekSHen
      • 0xf521:$s1: _ReflectiveLoader@
      • 0xf522:$s2: ReflectiveLoader@
      Click to see the 1 entries

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      00000000.00000000.307805000.000000000F3A2000.00000008.00000001.01000000.00000003.sdmpJoeSecurity_GandcrabYara detected GandcrabJoe Security
        00000000.00000000.324852504.000000000F3A2000.00000008.00000001.01000000.00000003.sdmpJoeSecurity_GandcrabYara detected GandcrabJoe Security
          00000000.00000000.307798996.000000000F39A000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_ReflectiveLoaderYara detected ReflectiveLoaderJoe Security
            00000000.00000002.353018126.000000000F39A000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_ReflectiveLoaderYara detected ReflectiveLoaderJoe Security
              00000000.00000000.317764936.000000000F3A2000.00000008.00000001.01000000.00000003.sdmpJoeSecurity_GandcrabYara detected GandcrabJoe Security
                Click to see the 17 entries

                Unpacked PEs

                SourceRuleDescriptionAuthorStrings
                0.0.SY5DeZW6pz.exe.3760000.2.unpackReflectiveLoaderDetects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommendedFlorian Roth
                • 0xe522:$x1: ReflectiveLoader
                0.0.SY5DeZW6pz.exe.3760000.2.unpackSUSP_RANSOMWARE_Indicator_Jul20Detects ransomware indicatorFlorian Roth
                • 0xde7e:$: DECRYPT.txt
                • 0xdee4:$: DECRYPT.txt
                0.0.SY5DeZW6pz.exe.3760000.2.unpackJoeSecurity_GandcrabYara detected GandcrabJoe Security
                  0.0.SY5DeZW6pz.exe.3760000.2.unpackJoeSecurity_ReflectiveLoaderYara detected ReflectiveLoaderJoe Security
                    0.0.SY5DeZW6pz.exe.3760000.2.unpackINDICATOR_SUSPICIOUS_ReflectiveLoaderdetects Reflective DLL injection artifactsditekSHen
                    • 0xe521:$s1: _ReflectiveLoader@
                    • 0xe522:$s2: ReflectiveLoader@
                    Click to see the 43 entries

                    Sigma Signatures

                    No Sigma rule has matched

                    Snort Signatures

                    Timestamp:192.168.2.463.251.106.25497087992807908 08/31/22-23:41:31.686542
                    SID:2807908
                    Source Port:49708
                    Destination Port:799
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:192.168.2.463.251.106.25497077992807908 08/31/22-23:41:23.030290
                    SID:2807908
                    Source Port:49707
                    Destination Port:799
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:192.168.2.48.8.8.858565532838522 08/31/22-23:41:22.706087
                    SID:2838522
                    Source Port:58565
                    Destination Port:53
                    Protocol:UDP
                    Classtype:A Network Trojan was detected

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Multi AV Scanner detection for submitted file
                    Source: SY5DeZW6pz.exeVirustotal: Detection: 81%Perma Link
                    Source: SY5DeZW6pz.exeMetadefender: Detection: 65%Perma Link
                    Source: SY5DeZW6pz.exeReversingLabs: Detection: 95%
                    Antivirus / Scanner detection for submitted sample
                    Source: SY5DeZW6pz.exeAvira: detected
                    Antivirus detection for URL or domain
                    Source: http://ddos.dnsnb8.net:799/cj//k3.rar%Avira URL Cloud: Label: malware
                    Source: http://ddos.dnsnb8.net:799/cj//k3.rarAvira URL Cloud: Label: malware
                    Source: http://ddos.dnsnb8.net:799/cj//k2.rar%Avira URL Cloud: Label: malware
                    Source: http://ddos.dnsnb8.net:799/cj//k2.rarAvira URL Cloud: Label: malware
                    Source: http://ddos.dnsnb8.net/&Avira URL Cloud: Label: malware
                    Multi AV Scanner detection for domain / URL
                    Source: ddos.dnsnb8.netVirustotal: Detection: 5%Perma Link
                    Source: http://ddos.dnsnb8.net:799/cj//k3.rarVirustotal: Detection: 6%Perma Link
                    Antivirus detection for dropped file
                    Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exeAvira: detection malicious, Label: W32/Jadtre.B
                    Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeAvira: detection malicious, Label: W32/Jadtre.B
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeAvira: detection malicious, Label: TR/Dldr.Small.Z.haljq
                    Multi AV Scanner detection for dropped file
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeMetadefender: Detection: 76%Perma Link
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeReversingLabs: Detection: 100%
                    Machine Learning detection for sample
                    Source: SY5DeZW6pz.exeJoe Sandbox ML: detected
                    Machine Learning detection for dropped file
                    Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exeJoe Sandbox ML: detected
                    Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJoe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeJoe Sandbox ML: detected
                    Source: 1.0.vSQshX.exe.c20000.3.unpackAvira: Label: W32/Jadtre.D
                    Source: 0.2.SY5DeZW6pz.exe.3760000.0.unpackAvira: Label: W32/Jadtre.B
                    Source: 0.2.SY5DeZW6pz.exe.f390000.1.unpackAvira: Label: W32/Jadtre.B
                    Source: 1.0.vSQshX.exe.c20000.0.unpackAvira: Label: W32/Jadtre.D
                    Source: 1.2.vSQshX.exe.c20000.0.unpackAvira: Label: W32/Jadtre.D
                    Source: 0.0.SY5DeZW6pz.exe.3760000.2.unpackAvira: Label: W32/Jadtre.B
                    Source: 1.0.vSQshX.exe.c20000.1.unpackAvira: Label: W32/Jadtre.D
                    Source: 0.0.SY5DeZW6pz.exe.f390000.3.unpackAvira: Label: W32/Jadtre.B
                    Source: 0.0.SY5DeZW6pz.exe.f390000.1.unpackAvira: Label: W32/Jadtre.B
                    Source: 0.0.SY5DeZW6pz.exe.f390000.0.unpackAvira: Label: W32/Jadtre.B