MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00b5c410d204d6a92f6636e23998777d2716e8928f96b56826b093c9177afaae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner
Vendor detections: 12



SHA256 hash: 00b5c410d204d6a92f6636e23998777d2716e8928f96b56826b093c9177afaae
SHA3-384 hash: e33c3d31056d1f4a3dbc55b3ae68681b1a7bbeb3d1f80c0ab021ca292167aaa72da3093bdd470e8cf9c683ad1547d04c
SHA1 hash: 353242843d7115c936b0b370ef0dc3b5243fed04
MD5 hash: d53ddc86260fa2b2508bb4a7270bf985
humanhash: six-early-mobile-william
File name: 00B5C410D204D6A92F6636E23998777D2716E8928F96B.exe
Signature: GCleaner
File size: 4'076'999 bytes
First seen: 2022-01-05 12:05:58 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:J9tR6AFMyejvPQR51KXn7v61uR9gsTJ9BaPaA5iWwNFS9F:J9tUnE0b61u4sTJKszFSv
Threatray: 1'887 similar samples on MalwareBazaar
TLSH: T18A1633F257539052C7BB2134F9CCF6295B86463434183F82A919AD3D6A2C6F1E18B7B8
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe gcleaner


abuse_ch
GCleaner C2:
185.151.240.132:33087

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                       ThreatFox Reference
http://116.202.186.120/   https://threatfox.abuse.ch/ioc/290704/
185.151.240.132:33087     https://threatfox.abuse.ch/ioc/290926/

Intelligence

File Origin
# of uploads: 1
# of downloads: 218
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 00B5C410D204D6A92F6636E23998777D2716E8928F96B.exe
Verdict: No threats detected
Analysis date: 2022-01-05 12:09:13 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Sending an HTTP GET request
Reading critical registry keys
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Query of malicious DNS domain
Unauthorized injection to a recently created process by context flags manipulation
Sending a TCP request to an infection source
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine Socelars
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph: [graph image not recoverable; Behavior Graph ID: 548271, Sample: 00B5C410D204D6A92F6636E2399..., Startdate: 05/01/2022, Architecture: WINDOWS, Score: 100]
Process chain shown in the graph: 00B5C410D204D6A92F6636E23998777D2716E8928F96B.exe -> setup_installer.exe (dropped under C:\Users\user\AppData\...) -> setup_install.exe -> cmd.exe (x3) plus 7 other processes -> Fri05634322728.exe, Fri053a65c426ae3ead3.exe, Fri05273a613aa54.exe, Fri05ee592874b8542.exe, Fri058b74ce36.exe, powershell.exe. The Windows Defender exclusion and Defender disabling are attributed to the setup_install.exe stage; browser credential harvesting, PE injection into foreign processes, VM checks via disk enumeration and WMI process creation are attributed to the Fri05* children.
Threat name: Win32.Trojan.Antiloadr
Status: Malicious
First seen: 2021-10-23 13:38:15 UTC
File Type: PE (Exe)
Extracted files: 112
AV detection: 33 of 43 (76.74%)
Threat level: 5/5
Result
Malware family: socelars
Score: 10/10
Tags: family:redline family:smokeloader family:socelars botnet:chrisnew botnet:media21 botnet:sehrish2 aspackv2 backdoor infostealer spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Malware Config
C2 Extraction:
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
