Deep Malware and Phishing Analysis

Cloud 44.0.0

14/01/2026

info-stealer

Digit Stealer (AppleScript-based Info Stealer Payload) on Sequoia (ARM64)

SHA256: 5d8a374139573798e23de60d1ca1610f6d1abecd5d17ecf32c82f1cfd338e03f

Open Report

Cloud 42.3.0

17/10/2025

info-stealer

Rhadamanthys delivered by an in-browser fake Windows Update, abusing the Fullscreen API (on-click), and using ClickFix-style

hxxps://thefatshallot[.]com/

Open Report

Cloud 42.0.0

21/05/2025

rat

CloudFlare Theme ClickFix/CAPTCHAScam dropping Redline

hxxp://gogocharters[.]com/lexington-charter-bus

Open Report

Cloud 42.0.0

13/05/2025

phishing

Phishing Chain from e-Mail to Catpcha to Tycoon2FA

SHA256: c99ce182e582b618ae2fe4c7258fc113625730739086e73029f022fb689588b4

Open Report

Cloud 41.0.0

31/10/2024

phishing

CloudFlare Theme ClickFix/CAPTCHAScam dropping NetSupport RAT

hxxps://webdemo[.]biz

Open Report

Cloud 41.0.0

26/08/2024

info-stealer

Cthulhu Stealer on Ventura (ARM64)

SHA256: 6483094f7784c424891644a85d5535688c8969666e16a194d397dc66779b0b12

Open Report

Cloud 40.0.0

09/07/2024

phishing

EvilProxy using open redirect vulnerability

https://m.exactag.com/ai.aspx?tc=d9282403bc40b07205bbd26a23a8d2e6b6b4f9&url=http%3Asellartatauction.com/oplo/osiwuhjfmniek/bobibobi@outlook.com

Open Report

Cloud 40.0.0

10/05/2024

rat

HTML payload leading to download and installation of WSHRAT

SHA256: 427fb9938ca75db1a362fe51356a1dc06350daa5f9db788a4ca2f7e2cb21fd34

Open Report

Cloud 40.0.0

07/05/2024

phishing

HTML based phisher exhibiting a large spectrum of malicious behaviors

SHA256: 360a04ca0c6ef3401d14f04089d6e7e08869ab298dbf842d8f063bfaca618891

Open Report

Cloud 40.0.0

10/04/2024

trojan

Dinodas RAT on Ubuntu 22.04 x64

SHA256: 15412d1a6b7f79fad45bcd32cf82f9d651d9ccca082f98a0cca3ad5335284e45

Open Report

Cloud 38.0.0

28/09/2023

e-banking-trojan

Xenomorph, targeting over 30 different banks

SHA256: 259e88f593a3df5cf14924eec084d904877953c4a78ed4a2bc9660a2eaabb20b

Open Report

Cloud 37.0.0

23/08/2023

info-stealer

XLoader (Objective-C) on Ventura (ARM64)

SHA256: 453e155722ac23771d63418e39f88430b0a922bd5f4afa81dcc73db44571b79e

Open Report

Cloud 37.0.0

16/08/2023

ransomware

LockBit randomware analyzed on native MacMini Apple Silicon (ARM64) with macOS Ventura

SHA256: 3e4bbd21756ae30c24ff7d6942656be024139f8180b7bddd4e5c62a9dfbd8c79

Open Report

Cloud 38.0.0

12/07/2023

exploiter

CVE-2023-36884 using RTF to load Word DOC via MSHTML iframe injection

SHA256: a61b2eafcf39715031357df6b01e85e0d1ea2e8ee1dfec241b114e18f7a1163f

Open Report

Cloud 38.0.0

28/06/2023

info-stealer

DexPro protected APK using multiple Android Zipfile parser flaws

SHA256: b3561bf581721c84fd92501e2d0886b284e8fa8e7dc193e41ab300a063dfe5f3

Open Report

Cloud 38.0.0

15/06/2023

info-stealer

SolarMarker with file pumping, valid PE signature, Powershell dropper and .Net backdoor

SHA256: 6f7332625d573ccc7b14264ee0db7e671305e1206c7eaf920e17c26f7b5b64a7

Open Report

Cloud 37.0.0

15/02/2023

ransomware

STOP Djvu Ransomware via SmokeLoader with full config extracted

SHA256: 5ea4451ca1ce36db2dc6e7a85f07c748ddbb758b65f2194d734afd08bd141126

Open Report

Cloud 36.0.0

15/09/2022

trojan

AgentTesla v3 with full malware configuration

SHA256: c6dae959f8e5373c6ac8746cfd8227b8d8099b692ee726aacbe18ecf1479282e

Open Report

Cloud 35.0.0

24/08/2022

trojan

XCSSET trojan

SHA256: 483b2f45a06516439b1dbfedda52f135a4ccdeafd91192e64250305644e5ff48

Open Report

Cloud 35.0.0

18/08/2022

e-banking-trojan

S.O.V.A analysis on Android 12 Snow Cone

SHA256: b01b74aaf249d0740f541c081c0c0de4bf455b4b68f2634fab6cf8aafcd95d52

Open Report

Cloud 35.0.0

18/08/2022

trojan

NukeSped with Coinbase PDF (Lazarus)

SHA256: fe336a032b564eef07afb2f8a478b0e0a37d9a1a6c4c1e7cd01e404cc5dd2853

Open Report

Cloud 35.0.0

26/07/2022

trojan

Stealthy new payload delivery method: HTML (showing a PW) -> ZIP encrypted -> ISO -> LNK -> Calc.exe -> DLL -> DLL -> QBOT

SHA256: f5c16248418a4f1fd8dff438b26b8da7f587b77db9e180a82493bae140893687

Open Report

Cloud 35.0.0

21/07/2022

miner

TeamTNT variant mining Raptoreum (RTM) cryptocurrency

SHA256: 4f4fef3aa02d725b00793b75afcd2d75ecd554a9a23cb3e7d87969b3226f72b1

Open Report

Cloud 34.0.0

04/05/2022

trojan

NukeSped.N with Decoy PDF (Lazarus)

SHA256: 55571ac52e1f02f18af77e2f3314382c982a37744b58732dfc15faac9d66619f

Open Report

Cloud 34.0.0

28/03/2022

trojan

Gimmick Trojan

SHA256: 2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f

Open Report

Cloud 33.0.0

01/02/2022

exploiter

noPac using CVE-2021-42287 - CVE-2021-42278 Exploit to gain DC Admin

SHA256: 4e37819484e865f8e20c2aaa94ec05f3bfe3bb6f36ea4bb6df376c8d4f1ffcca

Open Report

Cloud 33.0.0

26/01/2022

trojan

DazzlySpy Trojan implant

SHA256: f9ad42a9bd9ade188e997845cae1b0587bf496a35c3bffacd20fefe07860a348

Open Report

Cloud 33.0.0

12/01/2022

trojan

SysJoker Multi-Platform Backdoor

SHA256: bd0141e88a0d56b508bc52db4dab68a49b6027a486e4d9514ec0db006fe71eed

Open Report

Cloud 33.0.0

12/01/2022

trojan

SysJoker Multi-Platform Backdoor

SHA256: 1ffd6559d21470c40dcf9236da51e5823d7ad58c93502279871c3fe7718c901c

Open Report

Cloud 33.0.0

12/01/2022

trojan

SysJoker Multi-Platform Backdoor

SHA256: 1a9a5c797777f37463b44de2b49a7f95abca786db3977dcdac0f79da739c08ac

Open Report

Cloud 33.0.0

23/12/2021

trojan

Emotet dropped by Hidden Macro

SHA256: bb1f500a59544aa8e44a0377cc506dfbebca1ecb7a8c73dc72d3268803976ff5

Open Report

Cloud 33.0.0

30/11/2021

spreading

Abcbot botnet malware

SHA256: 22b521f8d605635e1082f3f33a993979c37470fe2980956064aa4917ea1b28d5

Open Report

Cloud 33.0.0

12/11/2021

trojan

MACMA aka CDDS Payload used in watering hole attack campaign

SHA256: cf5edcff4053e29cb236d3ed1fe06ca93ae6f64f26e25117d68ee130b9bc60c8

Open Report

Cloud 32.0.0

15/09/2021

trojan

OSX ZuRu running in trojanized iTerm2

SHA256: e5126f74d430ff075d6f7edcae0c95b81a5e389bf47e4c742618a042f378a3fa

Open Report

Cloud 33.0.0

10/09/2021

e-banking-trojan

S.O.V.A. Banking Trojan

SHA256: efb92fb17348eb10ba3a93ab004422c30bcf8ae72f302872e9ef3263c47133a7

Open Report

Cloud 33.0.0

25/08/2021

info-stealer

Kimsuky Espionage Campaign, JS instrumentation

SHA256: 20eff877aeff0afaa8a5d29fe272bdd61e49779b9e308c4a202ad868a901a5cd

Open Report

Cloud 32.0.0

06/08/2021

miner

XMrig cryptominer disabling HW prefetcher in MSR registers

SHA256: 28e9b06e5a4606c9d806092a8ad78ce2ea7aa1077a08bcf3ec1d8e3d19714f08

Open Report

Cloud 33.0.0

29/07/2021

e-banking-trojan

TEABot e-Banking trojan

SHA256: 89e5746d0903777ef68582733c777b9ee53c42dc4d64187398e1131cccfc0599

Open Report

Cloud 33.0.0

22/07/2021

info-stealer

XLoader / Formbook info stealer on macOS

SHA256: 81c4276f2e3c0ed456b08402a6a5b63d0cad68220b7a3275b3cbf0ba73faaa21

Open Report

Cloud 33.0.0

22/07/2021

info-stealer

Hanictor analysis with VBA and shellcode execution graph, dropping FickerStealer

SHA256: 83c9c9beaca0a147e23995b84792f56cd130ccf262147374bd1114c2ac698fee

Open Report

Cloud 33.0.0

15/07/2021

ransomware

Kaseya attack dropping Sodinokibi

SHA256: 939aae3cc456de8964cb182c75a5f8cc

Open Report

Cloud 32.0.0

09/07/2021

trojan

WildPressure macOS Python (analyzed with Live Interaction)

SHA256: 1448f34fcde1e6d7df000c38a61c3dd6d5fd304f9ad60cadfa3deb875b6b088f

Open Report

Cloud 32.0.0

01/07/2021

ransomware

REvil Linux (analyzed with Live Interaction)

SHA256: ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4

Open Report

Cloud 31.0.0

28/04/2021

info-stealer

Shlayer with CVE-2021-30657 exploit for bypassing Gatekeeper, File Quarantine and Application Notarization

SHA256: 70c6f9da05046525605e2066185929c2659e27a3851dc43d8aa69e2692e6154f

Open Report

Solutions

Sandbox

Lab

Agent

Plugins

Endpoint

Overview

Solutions

Sandbox

Lab

Agent

Plugins

Endpoint

Overview

Deep Malware Analysis Reports

Dive deep into the latest behavior analysis and reverse engineering reports generated by Joe Sandbox and Joe Reverser.

Joe Sandbox

Joe Reverser

Reverser Reports

Binary

URL

Email

Office/PDF

Joe Reverser 1.3.0

Tycoon 2FA PaaS campaign abusing DocuSign branding to steal Google/Gmail credentials. It uses CAPTCHA gating, heavy obfuscation, anti-analysis, and socket.io exfiltration.

Joe Reverser 1.3.0

Auphora / ENI HARVESTER v2.0 is a novel 64-bit Windows infostealer targeting browsers, gaming platforms, Discord, and Claude AI data. It zips stolen data in memory and exfiltrates it via hardcoded Telegram Bot API credentials.

Joe Reverser 1.3.0

UninstallTool.exe is a trojanized “Uninstall Tool” app signed with a deceptive valid certificate. It drops ZTrat RAT, sets persistence, bypasses firewall, and uses ngrok C2.

Joe Reverser 1.3.0

hackerai.co_stealer_python.py is an AI-generated multi-stage Python infostealer with phishing, browser/Telegram theft, file collection, C2 exfiltration, and anti-forensics. Despite its “pentest” label, it is clearly malicious.

Joe Reverser 1.3.0

A spear-phishing email impersonating a consultant used malicious attachments to deploy malware from BunnyCDN infrastructure. The attack established persistent remote access via VS Code tunnels and used Discord webhooks for data exfiltration, helping it evade detection.

Joe Reverser 1.3.0

An active malicious phishing gateway using a fake CAPTCHA slider and ClickFix-style verification to funnel victims to a fake Microsoft 365/Copilot login. It can harvest credentials and MFA tokens, enabling MFA bypass.

Joe Reverser 1.3.0

HWMonitor supply chain attack installing Cobalt Strike

Joe Reverser 1.3.0

Malicious PDF document exploiting CVE-2026-34621

Joe Reverser 1.3.0

Joe Reverser 1.3.0

A phishing email impersonates a trusted sender and uses a redirect chain to deliver a fake Microsoft sign-in page for credential harvesting. It leverages an AiTM phishing kit, legitimate platforms, and CAPTCHA evasion to bypass detection.

Joe Reverser 1.0.0

Multi-stage decryption from URL to dropper to payload (Vidar)

Joe Reverser 1.0.0

Beautiful ClickFix deploying RAT via Dll hijacking

Joe Reverser 0.9.0 (Beta)

LLM Bot using GenAI to generate malicious code

Joe Reverser 0.9.0 (Beta)

Reversing of VoidLink Stage 1

Joe Reverser 0.9.0 (Beta)

Reversing of VoidLink Stage 0

Joe Reverser 0.9.0 (Beta)

Deep Analysis of VoidLink Implants

Joe Reverser 0.9.0 (Beta)

Docusign Phishing Analysis

Joe Reverser 0.9.0 (Beta)

Analysis of Sandbox evasion

Joe Reverser 0.9.0 (Beta)

Salvador Android Stealer

Joe Reverser 0.9.0 (Beta)

RevoltRat uses Revolt for C2 communication

Joe Reverser 0.9.0 (Beta)

Full reversing of MasonRAT V6 CPL incl. unpacking

Joe Reverser 0.9.0 (Beta)

GrokPy uses Grok LLM model to solve CAPTCHAs

Sandbox Reports

Windows

Mac

Linux

Android

Cloud 44.0.0

Digit Stealer (AppleScript-based Info Stealer Payload) on Sequoia (ARM64)

Cloud 42.3.0

Rhadamanthys delivered by an in-browser fake Windows Update, abusing the Fullscreen API (on-click), and using ClickFix-style

Cloud 42.0.0

CloudFlare Theme ClickFix/CAPTCHAScam dropping Redline

Cloud 42.0.0

Phishing Chain from e-Mail to Catpcha to Tycoon2FA

Cloud 41.0.0