
Analysis Reports of Evasive Malware

Latest Analysis Reports of Evasive Malware generated by Joe Sandbox

Cloud 30.0.0
17/09/2020

Analysis Report
GuLoader with many evasions, including Instruction Hammering

MD5: 01a54f73856cfb74a3bbba47bcec227b

Cloud 29.0.0
14/09/2020

Analysis Report
SmokeLoader using various VM detections, CodeIntegrity checks, etc.

MD5: 18b04e2fd804d553d9a35e088193dea7

Cloud 28.0.0
22/04/2020

Analysis Report
AgentTesla loader using RDTSC, CPUID and Win32_BaseBoard VM detection

MD5: 87e74af7016e8a9b9304dc537fa093da

Cloud 28.0.0
24/02/2020

Analysis Report
Azorult, using several tricks to detect sandboxes (desktop resolution, tick count, processes etc)

MD5: ff17014cbb249e173309a9e1251e4574

Cloud 28.0.0
24/01/2020

Analysis Report
Date-aware (<20.1.2020) Cassandra Crypter dropping AgentTesla

MD5: a24c195da4f8a5dee365875b3e3a38a1

Cloud 28.0.0
22/01/2020

Analysis Report
TrickBot Downloader counting total number of processes

MD5: 3e8c58262860fcbce68af93f4a022232

Cloud 28.0.0
10/12/2019

Analysis Report
Country (Application.LanguageSettings.LanguageID) and filename (ActiveWorkbook.Name) aware VBA dropping Ursnif

MD5: c5e1106f9654a23320132cbc61b3f29d

Cloud 26.0.0
12/08/2019

Analysis Report
FrenchyShellcode Packer with open window check, dropping NJRAT

MD5: 879d9a2c75ee83443a0a913f5dc71b5c

Cloud 26.0.0
12/06/2019

Analysis Report
GetKeyboardLayout - check English / Russian - if yes crash

MD5: 2d1ca86789091f84f0d4f6af9fd5d51d

Cloud 26.0.0
09/05/2019

Analysis Report
Delays execution by running a massive number of instructions / loops for more than 3 minutes

MD5: 27cf7e2be6e049b2793ad9f38218eb01

Cloud 25.0.0
21/03/2019

Analysis Report
Malicious document dropping Gozi, NUMBER_OF_PROCESSORS VBA check

MD5: 6f772eb660bc05fc26df86c98ca49abc

Cloud 26.0.0
01/03/2019

Analysis Report
Country aware VBA Macro using GetLocaleInfo

MD5: 6a9eda3eb0bfc222ab46725829faaec7

Cloud 26.0.0
26/02/2019

Analysis Report
Country aware VBA Macro

MD5: aacb83294ca96f6713da83363ffd9804

Cloud 25.0.0
18/01/2019

Analysis Report
Imminent RAT using several anti-debugging and anti-VM evasions

MD5: d6c644512c430cd64965c2259150f371

Cloud 24.0.0
13/12/2018

Analysis Report
Country aware VBA Office Macro

MD5: 7ffdde19a2ce936c1e1ed92aeb25eb78

Cloud 24.0.0
18/11/2018

Analysis Report
Word Document VBA process name and count check

MD5: cd15a7c3cb1725dc9d21160c26ab9c2e

Cloud 24.0.0
10/10/2018

Analysis Report
Gootkit e-banking trojan using a whole bunch of anti-analysis and anti-VM techniques

MD5: 0ee40dfb96795b73c6bc1eef31e59356

Cloud 24.0.0
03/10/2018

Analysis Report
Gozi 2.17 using GetLocaleInfo and GetCursorPos evasions

MD5: 7e17f0f35d50f49407841372f24fbd38

Cloud 23.0.0
14/09/2018

Analysis Report
BONDUPDATER using various WMI queries to check for physical hardware (fan, thermal sensors, etc.)

MD5: ea6321f55ea83e6f2887a2360f8e55b0

Cloud 23.0.0
04/07/2018

Analysis Report
Evasive Backdoor, Time Evasions, Debugger Detection, VM Detection

MD5: 9e3ea995e40b62adae78e93e6b30780c

Cloud 22.0.0
08/05/2018

Analysis Report
Evasive sample using GetKeyboardLayout to target French computers

MD5: fe1214a06ffc40b1ebb524f185894487

Cloud 21.0.0
20/02/2018

Analysis Report
Olympic Destroyer, Wiper malware targeting Olympic Games 2018 in PyeongChang

MD5: f12fc711529b48bcef52c5ca0a52335a

Cloud 21.0.0
08/02/2018

Analysis Report
Elise malware loaded with Sandbox evasion using CVE-2018-0802 for persistence

MD5: f12fc711529b48bcef52c5ca0a52335a

Cloud 21.0.0
27/11/2017

Analysis Report
Retefe using MUILanguages Sandbox evasion trick

MD5: 85fc638bd373af9a95c715bc4f8b97fc

Cloud 20.0.0
09/10/2017

Analysis Report
Sandbox process DoS / overloading

MD5: 1de07d0af66cfa7b504c2f563d45437b

Cloud 20.0.0
18/09/2017

Analysis Report
CCleaner (signed) infected by unknown malware, IcmpSendEcho evasion

MD5: ef694b89ad7addb9a16bb6f26f1efaf7

Cloud 20.0.0
12/09/2017

Analysis Report
Debugger and sandbox detection (file, registry and mutex based)

MD5: 24a3d1d2f36824dfa190d8f93da26432

Cloud 20.0.0
23/08/2017

Analysis Report
Ransomware SyncCrypt using scheduled tasks to evade analysis

MD5: d10c1bd17c1b84a22db0d77515b7c32e

Cloud 16.0.0
03/10/2016

Analysis Report
Loop based & ping sleep based evasions

MD5: 4c3f80e146987a5fcd97b807071e2dd6

Cloud 16.0.0
22/09/2016

Analysis Report
Macro Evasions: Tasks, File Name, GeoIP check

MD5: 09f16077acf6c05e5c293835b3a75a20

Cloud 16.0.0
07/09/2016

Analysis Report
PartOfDomain evasion

MD5: af0e156bd39be48edd884578616ab153

Cloud 16.0.0
31/08/2016

Analysis Report
Zone.Identifier based evasion

MD5: 43b8cc7dc3ff1987354e974d77216b1b

Cloud 16.0.0
27/07/2016

Analysis Report
Time and command line based dropper evasions

c5d5058c8af64b79c9973e492aeb39d8d0e46931

Cloud 15.0.0
13/07/2016

Analysis Report
Extensive use of finger printing (disk, network card, files, directories etc)

MD5: 564ac87ca4114edd6a84a005092f1285

Cloud 15.0.0
07/07/2016

Analysis Report
Malicious document dropping Cerber ransomware, using timer-based Sleep evasion in VBS

MD5: 58258b89e076c4d378436f3b03682402

Cloud 14.0.0
12/05/2016

Analysis Report
TeslaCrypt, Speaker check via COM

MD5: 61f847bcb69d0fe86ad7a4ba3f057be5

Cloud 14.0.0
29/03/2016

Analysis Report
Nymaim, GetSystemTime, API hammering

MD5: f1a12884b999b9e572f91a94043d6e01

Cloud 13.0.0
24/11/2015

Analysis Report
Upatre, NtQuerySystemInformation IdleTime Evasion

MD5: 06a4059da943b09f13ab2909824968de

Cloud 13.0.0
01/10/2015

Analysis Report
Dyre, containing GetTickCount evasion technique

MD5: ad0d7d0903cb059b87892a099fe21d7e

Cloud 13.0.0
07/09/2015

Analysis Report
Multiple known evasions, including foreground window change detection, SCSI descriptor, SystemBiosVersion, VMware and VirtualBox driver file check and PhysicalDrive0 device IO 0x2D1400 trick

MD5: 40D19FBA73C6B011814E2C6920E8792F

Cloud 12.5.0
24/07/2015

Analysis Report
Bot / dropper using SystemBiosVersion, VideoBiosVersion, Disk Identifier and PCI devices for VM detection.

MD5: 9437eabf2fe5d32101e3fbf9f6027880

Cloud 12.5.0
06/05/2015

Analysis Report
Simple evasion based on CPU core check. Check is done via PEB->NumberOfProcessors. Terminates if core count is smaller than 2.

MD5: cbdda646a20d95f078393506ecdc0796

Cloud 12.5.0
05/05/2015

Execution Graph
Very sophisticated evasions based on sandbox overloading (instructions and APIs), hook detection, sample file name check and memory hashing. If an analysis system / sandbox has been detected it encrypts personal files and kills the MBR.

MD5: f504ef6e9a269e354de802872dc5e209

Cloud 13.0.0
20/04/2015

Analysis Report
Sophisticated evasion based on user behavior detection. Watches for mouse pointer moves and window changes. Checks the size of the disk via IOCTL_DISK_GET_DRIVE_GEOMETRY_EX / DeviceIoControl. Terminates if the disk has less than 5000 cylinders.

MD5: 3616a11fa463644fa20d2317c5971378

Ultimate 12.0.0
20/04/2015

Analysis Report
Simple evasion based on date check: only executes its payload at a particular year and month. Terminates if the year or month does not match.

MD5: 0AF4EF5069F47A371A0CAF22AE2006A6

Ultimate 12.0.0
20/04/2015

Analysis Report
Evasion based on VM detection via Disk/Enum check. Additional evasion based on direct detection of Joe Sandbox with fingerprinting specific software installed on the analysis system. Installed software is enumerated via registry Windows\CurrentVersion\Uninstall key.

MD5: D80E956259C858EACCB53C1AFFAF8141

Desktop 8.0.0
11/09/2013

Analysis Report
Evasion based on VM detection via SetupDiGetClassDevs, SetupDiEnumDeviceInfo and SetupDiGetDeviceRegistryProperty.

MD5: 9fac72a50a7f756d0d3319c686850516

Cloud 29.0.0
01/07/2020

Analysis Report
EvilQuest (ThiefQuest) Ransomware, contains functions related to anti-analysis

SHA256: b34738e181a6119f23e930476ae949fc0c7c4ded6efa003019fa946c4e5b287a

Cloud 26.0.0
01/07/2019

Analysis Report
OSX CrescentCore, VM-aware rogue software installer

SHA256: 45eab9f25158b677877a447b052f024c44c80744bcfae59deb660c47a9cbf1ac

Cloud 20.0.0
16/06/2017

Analysis Report
MacOS MacRansom, queries model and CPU count information

MD5: 8fe94843a3e655209c57af587849ac3a

Cloud 26.0.0
16/09/2019

Analysis Report
Nicro Android Trojan using several evasion techniques

MD5: 7b7064d3876fc3cb1b3593e3c173a1a2

Cloud 26.0.0
14/08/2019

Analysis Report
Cerberus using motion events (accelerometer) to trigger payload

MD5: a342b423e0ca57eba3a40311096a4f50

Cloud 26.0.0
21/02/2019

Analysis Report
Evasive Android dropper using native libraries to detect VMs and rooted devices

MD5: f412517d1e386cbd567fbba81d1842fe

Cloud 25.0.0
20/01/2019

Analysis Report
Anubis Loader using motion events (accelerometer) to trigger the installation

MD5: d97a63536a7225bb1e788e7c244373dc

Cloud 24.0.0
07/11/2018

Analysis Report
BianLian Trojan / Banker using date evasion and packing

MD5: 0c52aa43d1244c604b5f073f344677d8

Cloud 24.0.0
27/10/2018

Analysis Report
Banking Trojan Dropper with Anti-Emulator and Anti-Sandbox Stub

MD5: cfa7fdb907e9165a9299fb164dda3b90

Cloud 21.0.0
22/12/2017

Analysis Report
Loapi multi-layer unpacking trojan with mining capabilities

MD5: 3b574b67bf5a80c43e6430d69b72e6ec