MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0153ad4d1224b9a37b2eb3264ea7f8685828ab18c9c49aecaa6bda39d914aa7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 11


Intelligence 11 IOCs 2 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0153ad4d1224b9a37b2eb3264ea7f8685828ab18c9c49aecaa6bda39d914aa7a
SHA3-384 hash: 4a2b663c85c72a3b380a9ce181f5464663c7ca67254a210a461417181b815b10882ae371638a525553299fb32e163321
SHA1 hash: bb546b645ac1a213dab1c012217fc840ecf36f9e
MD5 hash: eea2d2cad5ff13c5a693d8d74a823395
humanhash: north-river-red-enemy
File name:0153AD4D1224B9A37B2EB3264EA7F8685828AB18C9C49.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:4'609'480 bytes
First seen:2022-05-31 20:17:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:JhHQxKTGzYupOuzDwJY/fUTOCzyP+fpekUhDBsOPKOsNi0fic:J+2+OuoJY3XZ+fnUxaOPUV6c
TLSH T17C26332B054745F6E338D93C39E6A339CD851D36F4209B7F923A6C427429EE249BBB11
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe gcleaner


Avatar
abuse_ch
GCleaner C2:
http://78.24.220.207/Server73Flower/Python/test/pipeapi/4DefaultBaseLinux/PublicUpdatelongpoll6/processor/videojsLongpollBigloadwindows.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://78.24.220.207/Server73Flower/Python/test/pipeapi/4DefaultBaseLinux/PublicUpdatelongpoll6/processor/videojsLongpollBigloadwindows.php https://threatfox.abuse.ch/ioc/643773/
142.132.228.93:22249 https://threatfox.abuse.ch/ioc/643774/

Intelligence

File Origin
# of uploads :
1
# of downloads :
386
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
https://dl.uploadgram.me/6175b90501383h
Verdict:
Malicious activity
Analysis date:
2021-10-24 19:50:50 UTC
Tags:
trojan evasion rat redline loader opendir stealer raccoon vidar bitrat
Link:
https://app.any.run/tasks/85b5a485-4964-4eaa-938a-1fb6882f997b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CookieStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/275811/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.36246775.27485.2482.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Launching a process
Creating a window
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Sending an HTTP GET request
Reading critical registry keys
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Launching a tool to kill processes
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/fb475bde-f246-4f39-9439-491d9ae276d4
Result
Threat name:
Nymaim, RedLine, SmokeLoader, Socelars,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1004553
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates processes via WMI
Disables Windows Defender (via service or powershell)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 637049 Sample: 0153AD4D1224B9A37B2EB3264EA... Startdate: 31/05/2022 Architecture: WINDOWS Score: 100 64 212.193.30.21 SPD-NETTR Russian Federation 2->64 66 91.195.240.101 SEDO-ASDE Germany 2->66 68 28 other IPs or domains 2->68 108 Snort IDS alert for network traffic 2->108 110 Malicious sample detected (through community Yara rule) 2->110 112 Antivirus detection for URL or domain 2->112 114 20 other signatures 2->114 11 0153AD4D1224B9A37B2EB3264EA7F8685828AB18C9C49.exe 10 2->11         started        signatures3 process4 file5 54 C:\Users\user\AppData\...\setup_installer.exe, PE32 11->54 dropped 14 setup_installer.exe 22 11->14         started        process6 dnsIp7 74 192.168.2.1 unknown unknown 14->74 56 C:\Users\user\AppData\...\setup_install.exe, PE32 14->56 dropped 58 C:\Users\user\...\Sun18fb46bb57c2296.exe, PE32 14->58 dropped 60 C:\Users\user\AppData\...\Sun18ddf2eaf4.exe, PE32 14->60 dropped 62 17 other files (11 malicious) 14->62 dropped 18 setup_install.exe 1 14->18         started        file8 process9 dnsIp10 70 127.0.0.1 unknown unknown 18->70 72 marianu.xyz 18->72 116 Performs DNS queries to domains with low reputation 18->116 118 Adds a directory exclusion to Windows Defender 18->118 120 Disables Windows Defender (via service or powershell) 18->120 22 cmd.exe 18->22         started        24 cmd.exe 18->24         started        26 cmd.exe 18->26         started        28 9 other processes 18->28 signatures11 process12 signatures13 31 Sun182d9b76665556.exe 22->31         started        35 Sun180d11d6a26b0dc9f.exe 24->35         started        38 Sun18400a0b7e3.exe 26->38         started        122 Adds a directory exclusion to Windows Defender 28->122 124 Disables Windows Defender (via service or powershell) 28->124 40 Sun18ddf2eaf4.exe 28->40         started        42 Sun1857455a011f.exe 28->42         started        44 Sun18cdd85185ce.exe 28->44         started        46 4 other processes 28->46 process14 dnsIp15 76 ip-api.com 208.95.112.1, 49745, 80 TUT-ASUS United States 31->76 78 staticimg.youtuuee.com 31->78 90 Antivirus detection for dropped file 31->90 92 Multi AV Scanner detection for dropped file 31->92 94 May check the online IP address of the machine 31->94 96 Tries to harvest and steal browser information (history, passwords, etc) 31->96 86 2 other IPs or domains 35->86 50 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 35->50 dropped 98 Creates processes via WMI 35->98 52 C:\Users\user\AppData\...\Sun18400a0b7e3.tmp, PE32 38->52 dropped 100 Obfuscated command line found 38->100 80 niemannbest.me 172.67.221.103, 443, 49746, 49754 CLOUDFLARENETUS United States 40->80 88 3 other IPs or domains 40->88 102 Machine Learning detection for dropped file 40->102 82 iplogger.org 148.251.234.83, 443, 49764, 49766 HETZNER-ASDE Germany 42->82 84 www.listincode.com 199.59.242.150, 443, 49752 BODIS-NJUS United States 42->84 104 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 44->104 106 Injects a PE file into a foreign processes 46->106 48 mshta.exe 46->48         started        file16 signatures17 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0153ad4d1224b9a37b2eb3264ea7f8685828ab18c9c49aecaa6bda39d914aa7a/
Threat name:
Win32.Trojan.Redlinestealer
Create hunting rule
Status:
Malicious
First seen:
2021-10-25 06:16:20 UTC
File Type:
PE (Exe)
Extracted files:
140
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=afj22tises42g6zowmte5j7ynbmcrkyyzhcjv3fknpndtwiuvj5a._file
Result
Malware family:
socelars
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:onlylogger family:redline family:socelars botnet:chrisnew botnet:media23 botnet:snova aspackv2 discovery evasion infostealer loader ransomware spyware stealer suricata trojan
Link:
https://tria.ge/reports/220531-y29ffsgbcr/
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
OnlyLogger Payload
Detected Djvu ransomware
Djvu Ransomware
Modifies Windows Defender Real-time Protection settings
OnlyLogger
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.efxety.top/
91.121.67.60:23325
194.104.136.5:46013
95.217.225.59:40037
http://ugll.org/test3/get.php
Unpacked files
SH256 hash:
dc1112feaaeb9c2145098c2664b7cc7540b4b2561d1afd555198a1ca8032124d
MD5 hash:
f35a4046014aace5b828f1574f8d99be
SHA1 hash:
5c791a8c7e3623959307b90e2107b6bd950194db
Link:
https://www.unpac.me/results/ac038d0f-761f-446d-a753-c96bcf34945c/
SH256 hash:
2010b113bce681120cbdbe50fd2c3393587d723b97d13a5777429570621bb339
MD5 hash:
ae22fdfdaf90dc3174ebe91333125e1e
SHA1 hash:
3a62fed1ee6e36ca58c3ec19d0a4ae9f9eb0e2b8
Link:
https://www.unpac.me/results/ac038d0f-761f-446d-a753-c96bcf34945c/
Parent samples :
40c4d06433a2db2e570b3302e01c5c2ebe51efb59473a5b08cb132ab6af8638b
6aa0d341cee633c2783960687c79d951bf270924df527ac4a99b6bfabf28d4ae
644ecdd263538e3f6da1689a78b77101dd86451afb376e785b33d1e7c9cd6f82
da3909ea1dfaa29dbd3f0ee74cbe629783826f97ae41e606f6db35890c59ec40
0cc82eba0f92824807acfec362e96c2933cb894e9a220194a3eae627e4007f26
b07be8360dd11e81f6830ae467bec71cb6058523b35947a399b7abdba985c9b5
273f433ba1cebfad830e52490a04ca744351fc46249285ff9514c6e1ceaaf99d
SH256 hash:
0cddd277bd0f1f5510538c0bd9b1cff4c5cd01c5caee8eb9d06b9baa88519052
MD5 hash:
6449aa2e023c5931ac91815ca54225ed
SHA1 hash:
65b5f4df2c28472469ddf924e6b0d0a61394c612
Link:
https://www.unpac.me/results/ac038d0f-761f-446d-a753-c96bcf34945c/
SH256 hash:
c3a26ccd56b024806184b0271b6651399e6eb3ecb37862047f2e69cf5b0097eb
MD5 hash:
a79110584de394d139246e6ee5827f4d
SHA1 hash:
b6394529006c7795080b24c0c747a6df65a3dffa
Link:
https://www.unpac.me/results/ac038d0f-761f-446d-a753-c96bcf34945c/
SH256 hash:
4cc7bafdbf99b8f929c6937fe5085d89330f9bb18a4a044f59e4cf6fcca9847c
MD5 hash:
7698b56f96a338e693851d0130a65532
SHA1 hash:
f843d73084b0fdb6dc84189faaa9c37ae069e0b0
Link:
https://www.unpac.me/results/ac038d0f-761f-446d-a753-c96bcf34945c/
SH256 hash:
27a9228747973ae9649e8717a2ff77916346560644e734ef2ed946f2767fb128
MD5 hash:
de1b3c28ea026c0ede620dd78199ddc5
SHA1 hash:
ee402371a36bff44c765323ccd8c7e4a56bc8d12
Link:
https://www.unpac.me/results/ac038d0f-761f-446d-a753-c96bcf34945c/
SH256 hash:
708334f5943c5fcf26899d7c3f0356d2a7b969fba5f83c5d5d11498416c2e517
MD5 hash:
6a52356896a79d7c32ebce168e523419
SHA1 hash:
df6a956d16c0fab19ebb36b266c4d5bab9b0bbce
Link:
https://www.unpac.me/results/ac038d0f-761f-446d-a753-c96bcf34945c/
SH256 hash:
88b31f082da7f752c6983b99ace5daa7e7e978647beeb1a00cdf713c67d19c7e
MD5 hash:
e80569868dddd1c6633d50d1813aaa9a
SHA1 hash:
b5e2a9be1680139f332907cc016f783fd5fd8da8
Link:
https://www.unpac.me/results/ac038d0f-761f-446d-a753-c96bcf34945c/
SH256 hash:
82b60a8c25db65bae520e73b7a67d2a6ca1f0fe6926439d0d7f1c0d52aa2f7d4
MD5 hash:
a758705ffd480485776c573bbe7091ca
SHA1 hash:
ae62bd009da6c2bf8e91f06a9a01890f74828d07
Link:
https://www.unpac.me/results/ac038d0f-761f-446d-a753-c96bcf34945c/
SH256 hash:
6bcca33a599532917b446f07952719fa7a70edf6646c14b13e64686ff2c6d44c
MD5 hash:
7af76a6cff6996241b9d85558848e6c8
SHA1 hash:
a8df8a22e003849550c2e6827bf17a5edbec5524
Link:
https://www.unpac.me/results/ac038d0f-761f-446d-a753-c96bcf34945c/
SH256 hash:
cf61958248ff80d26797fb721dbb69a78c903c368559161c7f5b2bc47999e8ff
MD5 hash:
93c5cf5540ee4efed483de4fc5635686
SHA1 hash:
a8dce3f7c3db33f3d8a0c33e5c05016472a7a2ea
Link:
https://www.unpac.me/results/ac038d0f-761f-446d-a753-c96bcf34945c/
SH256 hash:
4a036fd7b0046e4e39e213321e47c133fb33c7ceb1c813c93b848b137846a144
MD5 hash:
3aa54c74c3ed02950225e9ec60d5505e
SHA1 hash:
782307606256e3fdd4d0f5c447bfaf2d2792824d
Link:
https://www.unpac.me/results/ac038d0f-761f-446d-a753-c96bcf34945c/
SH256 hash:
b8adf80e66fe4e09d105c6e375cc793f2a0c0fbed29de2806208d85b429fc4dd
MD5 hash:
b1637eaf5594b5050196f702f88674f6
SHA1 hash:
09d78b037dd6ce198a358f27dee03be8e4e8161e
Link:
https://www.unpac.me/results/ac038d0f-761f-446d-a753-c96bcf34945c/
SH256 hash:
f79f40167a9abbaaeff10a2d7e784391d2f6d9e44f1976566c6cc94ebb585ea5
MD5 hash:
a7194852a319ac991cf01f2f8a0ea55f
SHA1 hash:
0528bb502fcad9f0ea3a760afbe021d9e6904175
Link:
https://www.unpac.me/results/ac038d0f-761f-446d-a753-c96bcf34945c/
SH256 hash:
199f8f28c6146eca22bc3cda334c49fa12d8c007d8c34d95892a25c9e42685e2
MD5 hash:
d2d11939160fa93da1339da060310b23
SHA1 hash:
03339386fe13b5519f797843228f6ba28c1121b8
Link:
https://www.unpac.me/results/ac038d0f-761f-446d-a753-c96bcf34945c/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/ac038d0f-761f-446d-a753-c96bcf34945c/
SH256 hash:
3a4537aa5b9e0d713b62e5b6345e281d46c00b74770b67f6acad520f2b9c1121
MD5 hash:
54ce3774fe6f4fff1c04a94794245ab2
SHA1 hash:
9cbe3c707b27cb58620de55b535ce8f841641535
Link:
https://www.unpac.me/results/ac038d0f-761f-446d-a753-c96bcf34945c/
SH256 hash:
fb35e940eb07e761704d5c922e77e28d51279088375fef12ed342361e428df66
MD5 hash:
4023b304f7969a24b91be30d76997997
SHA1 hash:
40bf9443df97437df7b695874fefa3e8103d76bc
Link:
https://www.unpac.me/results/ac038d0f-761f-446d-a753-c96bcf34945c/
SH256 hash:
344bd2eb3cbc1562a4ae8085af574adf02e1d4d696c4db61528193322a70a93c
MD5 hash:
9daee313560b4682502a6ee5843ceb15
SHA1 hash:
dd2608252024968cfbe1549b07b5546c1183c258
Link:
https://www.unpac.me/results/ac038d0f-761f-446d-a753-c96bcf34945c/
SH256 hash:
70faf366917299e15ecc83965c631f5b67b980259473b13f83ac53f62214e5ed
MD5 hash:
150859a738c6d399ba146eabe3318138
SHA1 hash:
698b8984292703119b300c3d25cb1c1eecc7aa1c
Link:
https://www.unpac.me/results/ac038d0f-761f-446d-a753-c96bcf34945c/
SH256 hash:
d29c161e8737168015cfd324d5241487bdf6fb7d3b3067e794734a8854b7782f
MD5 hash:
dff4daa6d07721e987cfd762b1ed0ced
SHA1 hash:
5a2da101f702258f5ecc42fba89e6dae67b04831
Link:
https://www.unpac.me/results/ac038d0f-761f-446d-a753-c96bcf34945c/
SH256 hash:
0153ad4d1224b9a37b2eb3264ea7f8685828ab18c9c49aecaa6bda39d914aa7a
MD5 hash:
eea2d2cad5ff13c5a693d8d74a823395
SHA1 hash:
bb546b645ac1a213dab1c012217fc840ecf36f9e
Link:
https://www.unpac.me/results/ac038d0f-761f-446d-a753-c96bcf34945c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0153ad4d1224b9a37b2eb3264ea7f8685828ab18c9c49aecaa6bda39d914aa7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:MALWARE_Win_DLInjector03
Create hunting rule
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:MALWARE_Win_OnlyLogger
Create hunting rule
Author:ditekSHen
Description:Detects OnlyLogger loader variants
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/275811/

Comments