MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00ec85e5cc917be0b64d17bbc2426f20808250849fd7cd1f773bf276336fa450. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	00ec85e5cc917be0b64d17bbc2426f20808250849fd7cd1f773bf276336fa450
SHA3-384 hash:	da4da2832607bfc75673d2c6e907ec072432cc1ceb7b99ba0a6b34b145eaa681c16b60a03a42d0ddffe2ca0e41ed2ecb
SHA1 hash:	52a9261dfc4765a271b71239b8241a6ef6ced06f
MD5 hash:	c27cd68e61c1e5940f839c148bb04f46
humanhash:	florida-neptune-four-hydrogen
File name:	SecuriteInfo.com.Win32.PWSX-gen.22294.11474
Download:	download sample
Signature	GCleaner Create hunting rule
File size:	273'408 bytes
First seen:	2024-05-13 10:21:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	45e87619d0753609d495ea386cbf9cb6 (1 x GCleaner)
ssdeep	6144:KpL+CGahhNbN+dtmxwj+j4l3FBuEbaDur:vCGahh2ux5jUbu3Dur
TLSH	T12C44AE0166F0DC23EF5B47314A29C2E47A3EBC6A4B79957E72843B1F1A731E0966231D
TrID	34.5% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 25.8% (.EXE) InstallShield setup (43053/19/16) 18.7% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 6.3% (.EXE) Win64 Executable (generic) (10523/12/4) 3.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	64d29a98d189a181 (1 x GCleaner)
Reporter	SecuriteInfoCom
Tags:	exe gcleaner

Intelligence

File Origin

# of uploads :

# of downloads :

344

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

00ec85e5cc917be0b64d17bbc2426f20808250849fd7cd1f773bf276336fa450.exe

Verdict:

Malicious activity

Analysis date:

2024-05-13 10:23:14 UTC

Tags:

gcleaner loader opendir

Link:

https://app.any.run/tasks/d266192f-4db5-40af-b77d-b3d3302127c5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.22294.11474.UNOFFICIAL

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

fingerprint

Link:

https://www.filescan.io/uploads/6641e9d0b8652ad994a7c32c/reports/a856b59c-fcab-4a15-81c1-8e653f1c4016/overview

Verdict:

Malicious

Labled as:

Mikey.Generic

Link:

https://www.hybrid-analysis.com/sample/00ec85e5cc917be0b64d17bbc2426f20808250849fd7cd1f773bf276336fa450

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/35eb3c9c-2bfd-4fea-89fb-36423cb8e5b4

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/00ec85e5cc917be0b64d17bbc2426f20808250849fd7cd1f773bf276336fa450

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/00ec85e5cc917be0b64d17bbc2426f20808250849fd7cd1f773bf276336fa450/

Threat name:

Win32.Trojan.Gcleaner

Status:

Malicious

First seen:

2024-05-13 07:45:45 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=adwilzomsf56bnsnc654eqtpecaieueet7l42h3xhpzhmm3puria._file

Verdict:

malicious

Result

Malware family:

gcleaner

Score:

10/10

Tags:

family:gcleaner loader

Link:

https://tria.ge/reports/240513-md8cpsab3z/

Behaviour

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Checks computer location settings

Deletes itself

GCleaner

Malware Config

C2 Extraction:

185.172.128.90
5.42.65.64

Unpacked files

SH256 hash:

9c7b9e215019ee60b020594d925e16ba46891fe0c856031dd18f0261917af204

MD5 hash:

3f77b69c60f28f076bd02d531490b300

SHA1 hash:

b2070e496f5b062131c36c1a1ec99b243dada692

Detections:

GCleaner

Link:

https://www.unpac.me/results/4662f876-fd12-4b86-b8c1-3107cd4af72a/

Parent samples :

f0a6f13b482273d029a6a8613664c33a8f6381dcf98d2cdc7954bbf161c93f49
35f41ac4e8b5937fb9795929352fd61ff42177edb35a9e7eda7420250ec1c025
088f37fc09e69a1294fcc28f526d433f114e966b8c30078a9c718c82caf3790a
114aa6cb595ed49423707788c3a06a79e250d23d0615108cbb3fb5bdd20af5c8
037a46151276b43c63d80cff902a606130b50c73cd0f381fb7b9054f8d84f983
ee36bc6d088eefecf233a4592027abfe4934fdd240afd39dc654da60e49b710c
92cb84e3fecd6b25fba5bbf07795ba1d0c477cdb54b618724d86632d92cd4294
8d8369a5383653ff8f891ac08546aaf807fe2d3d355a04f5ce8f4b22ca78685e
a977eb01f51fb7c09cc433d7854d0cf228c46041a9a4c3de031a90cd43881cf3
00ec85e5cc917be0b64d17bbc2426f20808250849fd7cd1f773bf276336fa450
dee97c0c3d5ec6b18d68104fb7703b0457157751ee999ae44f388db055b854a7
89cfbdb9bb8613b4d86426bc61d463ae29759690b567bc276cd0dc21a501a629

SH256 hash:

00ec85e5cc917be0b64d17bbc2426f20808250849fd7cd1f773bf276336fa450

MD5 hash:

c27cd68e61c1e5940f839c148bb04f46

SHA1 hash:

52a9261dfc4765a271b71239b8241a6ef6ced06f

Link:

https://www.unpac.me/results/4662f876-fd12-4b86-b8c1-3107cd4af72a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/00ec85e5cc917be0b64d17bbc2426f20808250849fd7cd1f773bf276336fa450

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

exe 00ec85e5cc917be0b64d17bbc2426f20808250849fd7cd1f773bf276336fa450

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2798339/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2798218/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetStartupInfoA KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::WriteConsoleA KERNEL32.dll::SetConsoleScreenBufferSize KERNEL32.dll::SetConsoleTitleA KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleDisplayMode KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileA KERNEL32.dll::GetFileAttributesW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample