MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00581e2fa186e5b6f044427945709e2439aad5782b8718c73cd5587d2a65359e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 15

SHA256 hash: 00581e2fa186e5b6f044427945709e2439aad5782b8718c73cd5587d2a65359e
SHA3-384 hash: dd68ab81f68f78b316f115508c85041af85a36b9fd04981eeb58f136cf8ed68e4f654bd11dfb00a32da01a4d0de4710d
SHA1 hash: 6696b063a9fde1a455299f205a13bb7fc595ac8c
MD5 hash: 02f3be868ce7ffe8d819d29f44f60736
humanhash: butter-ack-fourteen-cola
File name: 00581e2fa186e5b6f044427945709e2439aad5782b8718c73cd5587d2a65359e
Signature: GCleaner
File size: 7'531'834 bytes
First seen: 2022-03-17 05:44:51 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 196608:J3oVycyd4EHSFMzmfrr/AvuLDMrFxaPxVr3s3:J3OycmHoMzQXAvuErF8Px23
Threatray: 6'844 similar samples on MalwareBazaar
TLSH: T192763306B1559E91D7F9FD736B3586A768F76F570D302E6F03A113221413B8AEC8C8A2
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: JAMESWT_WT
Tags: exe gcleaner hhiuew33-com

Intelligence

File Origin
# of uploads: 1
# of downloads: 247
Origin country: n/a
Vendor Threat Intelligence

Malware family: redline
ID: 1
File name: SPAM.7z
Verdict: Malicious activity
Analysis date: 2022-03-17 07:38:20 UTC
Tags: evasion trojan loader rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Launching a process
Creating a window
Searching for synchronization primitives
Creating a process with a hidden window
DNS request
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour

MalwareBazaar
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 75%
Tags: control.exe overlay packed shell32.dll

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine SmokeLoader Socelars onlyLogger
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Disables Windows Defender (via service or powershell)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
PE file has nameless sections
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph (ID 590949; sample yLuLadKu7U; start date 17/03/2022; architecture WINDOWS; score 100), reconstructed from the flattened graph export:

Network contacts at the start node:
  ip-api.com 208.95.112.1, 49772, 80, TUT-ASUS, United States
  41.41.255.235, TE-ASTE-ASEG, Egypt
  20 other IPs or domains
Signatures at the start node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 18 other signatures

Process tree (process names copied as exported, including trailing node counts):
yLuLadKu7U.exe 10 (started)
  dropped: C:\Users\user\AppData\...\setup_installer.exe, PE32
  setup_installer.exe 23 (started)
    dropped: C:\Users\user\AppData\...\setup_install.exe, PE32
    dropped: C:\Users\...\61fb699bc11e6_Thu051a9cf2cb.exe, PE32
    dropped: C:\Users\...\61fb699b71970_Thu05a9579b.exe, PE32
    dropped: 18 other files (13 malicious)
    setup_install.exe 1 (started)
      signature: Disables Windows Defender (via service or powershell)
      cmd.exe (started)
        61fb6991c8324_Thu051a93ecf.exe (started)
          signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; 4 other signatures
      cmd.exe (started)
        61fb698f6033a_Thu057602b286ee.exe (started)
          network: 80.71.158.106, PARKNET-ASDK, unknown; 80.71.158.165, PARKNET-ASDK, unknown
          signatures: Antivirus detection for dropped file; Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
      cmd.exe 1 (started)
        61fb6987381fc_Thu0580b89842d.exe 3 (started)
          signature: Sample uses process hollowing technique
      7 other processes
        signatures: Obfuscated command line found; Disables Windows Defender (via service or powershell)
        61fb698de26c3_Thu0587cfa4596.exe (started)
          network: presstheme.me 172.67.201.63, 443, 49773, 49777, CLOUDFLARENETUS, United States; iplogger.org
          signature: May check the online IP address of the machine
        61fb698cd16f5_Thu0527f2559cbf.exe 2 (started)
          dropped: C:\...\61fb698cd16f5_Thu0527f2559cbf.tmp, PE32
          signature: Obfuscated command line found
        61fb6986604f3_Thu05dfc1caf4ed.exe 1 (started)
        2 other processes
          dropped: C:\Users\user\AppData\Local\...\UfyWu0BD.cpl, PE32
Threat name: Win32.Trojan.GenSHCode
Status: Malicious
First seen: 2022-02-04 07:10:00 UTC
File Type: PE (Exe)
Extracted files: 421
AV detection: 23 of 27 (85.19%)
Threat level: 5/5

Result
Malware family: socelars
Score: 10/10
Tags: family:onlylogger family:redline family:socelars botnet:media360 botnet:v1user1 aspackv2 infostealer loader persistence spyware stealer suricata upx
Behaviour
Checks SCSI registry key(s)
Enumerates processes with tasklist
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
OnlyLogger Payload
OnlyLogger
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
suricata: ET MALWARE GCleaner Downloader Activity M5
Malware Config
C2 Extraction:
http://www.tpyyf.com/
116.203.252.195:22021
92.255.57.115:11841
Unpacked files

SHA256 hash: 3a479148fa75b78704c4644a326baf950f8fe2ec3140aadac478772f6f7d63cc
MD5 hash: fbd3fd03f5ff7b4d3fda9a5b3a12774e
SHA1 hash: cb9e189ad3df2879332d58487c9f5abe263b83bc

SHA256 hash: e79ff194eb355b0ff63a5cfd5f6e94367ff2f267d60c9f2df6cbc844bd115e06
MD5 hash: 9d9c68549cf06b0485742e0865f5390c
SHA1 hash: b23241ac8419df6bb0a930ac80cdae9edbd55893

SHA256 hash: bb32e0889f62f007ed7e68d5a98aef4c8680a9a1f42d53f51c52431e87606c0a
MD5 hash: 84137d380bb08b6b002d93a333a40eae
SHA1 hash: c7775cd19a2e0e3eb522a0d612c0e39234a0db92

SHA256 hash: 245a869dc8a9bcb2190b5da3ea234740d79798385784e8db7aa3f2d2745192aa
MD5 hash: 4f93004835598b36011104e6f25dbdba
SHA1 hash: 6cb45092356c54f68d26f959e4a05ce80ef28483

SHA256 hash: 565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c
MD5 hash: 83b531c1515044f8241cd9627fbfbe86
SHA1 hash: d2f7096e18531abb963fc9af7ecc543641570ac8

SHA256 hash: a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash: 6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash: 603a36f817cab5574e58ab279379e5c112e5fb37

SHA256 hash: 553edb84c48b6278a459507319f0c1797c141d5b6f2a7670c346d87392c57f86
MD5 hash: 90b737fff02ccd531ac5876dcb6475ee
SHA1 hash: d8fc82184979a883f940d2edc36aaff9a90141fa

SHA256 hash: 9912e7f9e9c18f46e965ca48ed65de8a28de7d301336500aaa5fd461e948822f
MD5 hash: 32404da1b26037746f9bf0d5628ea968
SHA1 hash: 8d2bf53983638235d5cc2f81171839801ba02e84

SHA256 hash: dc4c232a236bc778f6c8404ce4b1043c519129b4c788376211221d30455aee17
MD5 hash: 807981caa748a34a1a5dd0eb4beb3d6b
SHA1 hash: f683ed140dac727dfc6190002fbb5586e944ef3f

SHA256 hash: c7a81e40cb02073379d7bf046d5a5471d07488df70a021cf22493451c2bbd8c6
MD5 hash: ea3daec5486cc6109f7329a0e4870b66
SHA1 hash: e2a14a9eff90fcc770a9eaf42f89159f081747f6

SHA256 hash: a6334a93323db29971a851352354d59b6ba2c26bf3ab49895e6db6f7fcbc3283
MD5 hash: 36941f4d11216f011ebb2b6bae57a590
SHA1 hash: b60c5e36c66986466d589651a7bc2567101eb2de

SHA256 hash: 509486ae2d429f77ada5367d718d339e9d71883e0b9b4c44a71adc6e51724b84
MD5 hash: e6c1aa3d620c0ee307dcb2932bd74bc5
SHA1 hash: a2a0fbc93ac5f31c281f1d37191a6896373096b6

SHA256 hash: 6ce64aba15476934aa7e6d7fb36b6f2c29bbafeed7a9185b368c009fa079aed4
MD5 hash: 83e1242cda5d2bfc73e490df0f37532b
SHA1 hash: 91628494183c800d924ca76dbfe458c82698daad

SHA256 hash: 3959dc227089d0a9b38d2ea8c387e993db3584c7bb9129780f20673d1fd15e61
MD5 hash: 7eb2d388416744a108c0cf107caf8ef8
SHA1 hash: 876cc415ac9a3832afde3f8bacf86edb7a5b72ce

SHA256 hash: eb92d5dae7108e69aff106b6bb188abce04740919099b5eba87c56b8ef4493f1
MD5 hash: 2fe1fbe1cf3b63c2b9d04859ba27b5a7
SHA1 hash: 6d82b25f27939d2c712ca76d267437569799518a

SHA256 hash: cf90ca84d08f1c0a029c3abb38cdc9e3ea163dbb3007cb1ddd9ae5ded068994e
MD5 hash: ced5248196f9734259208b2192469de1
SHA1 hash: 3fb60ca1f742980f1d8e99f572945cf498d6d48f

SHA256 hash: 4748e29c74eb6906264d7a605e3814d3c796660ca63aaeaede2d1625e3a98493
MD5 hash: 52ceb5ef5139c74f4fb8b4c14bc72f10
SHA1 hash: 0374ab43e8b0d5bac705174d170f9bada3d515e2

SHA256 hash: e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash: f707252b9c9579677fffb013e0cfc646
SHA1 hash: 8ab483023fa8773afb8c13464c39c5b8e687f126

SHA256 hash: c578b4ca291f2b9bcb20137c146bb23d3220dda34226a97fe37e2cf021d8f3c0
MD5 hash: da70ba6fa59896248f7c05fdcb7d581e
SHA1 hash: 174cb2b083e327a362b6ecac68fe939a40743ffb

SHA256 hash: 9ebf60587e9960acc2ab52a29715f7d8eb30bcd7c83ebc8ce23e5c5abad31cc4
MD5 hash: 50ef1194c88fd3dc366527d50a2a4ccd
SHA1 hash: 3b90f5f8ef9e6a9daebd9648b49153f008403c98

SHA256 hash: e4ad98b7f6794fd2241324fff46eff49b240e74604453f774dff90826162d55c
MD5 hash: 0f5e1ad444539786561c337760093801
SHA1 hash: f7f609a554458785ec11f6934ef522ec40c989c8

SHA256 hash: ff8df5f30f0f4f27d30f8c1a357cb0f3c93466cd593197a21d1aca69058b1352
MD5 hash: 1a0e7942874e146ad99df635b2572cd6
SHA1 hash: bb692570b07cf5932ffc1a5a1112609c577ea5ca

SHA256 hash: 2b6b0567246198189618fbdb6b0bb8b918c736f9347e74a3c525a3d75eda2cf7
MD5 hash: 669aec77ce686728c38c489002309c6a
SHA1 hash: 7a9bc0d5ee609d72d52fa0433ff30a85a9380281

SHA256 hash: 546798f32653762e6ae012063e3008dab72ad1079cb383535508429859d31a26
MD5 hash: 2bb211b38e155da14874704250d31212
SHA1 hash: 3a4bca52a086af2682f121c50e8ed7c1ef178226

SHA256 hash: 8d05e27e87df16bd86b084262674c87d0d9d766c26e2a1fb107884e621b2559d
MD5 hash: 934213214fd37eface31bf7517ca4020
SHA1 hash: 4543bc5ff12dc496fbacbbd88faa6bf4ec0056cd

SHA256 hash: 00581e2fa186e5b6f044427945709e2439aad5782b8718c73cd5587d2a65359e
MD5 hash: 02f3be868ce7ffe8d819d29f44f60736
SHA1 hash: 6696b063a9fde1a455299f205a13bb7fc595ac8c
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments