MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 022e85b0301517e90423006b4ea98ace33f914820228f0e5f2fab9d66219ac98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner
Vendor detections: 14



SHA256 hash: 022e85b0301517e90423006b4ea98ace33f914820228f0e5f2fab9d66219ac98
SHA3-384 hash: 2952c97db6779f38b50b5e7ba0c38ecf10e727a7683d644520cea52d4a75a577ee02373ea159df90a0fb0e7feb3cbb05
SHA1 hash: b7ee5551b39dd9d00fc330fce68993fd84ee5d64
MD5 hash: 6c0a00bf0745accd27441b4c0ac56876
humanhash: seven-violet-india-cola
File name: 022e85b0301517e90423006b4ea98ace33f914820228f0e5f2fab9d66219ac98
Signature: GCleaner
File size: 6'005'432 bytes
First seen: 2022-03-17 05:44:31 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (shared by other MalwareBazaar samples: 122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 98304:xW/P8ErvgTY8kTksnxRoIFgw1UScseq0Hr4OBsmZ1hp6zbH4nqJkzOtM6B7CgsiV:xWn8dTTkQoDOwCSgq05Z1PsgOtM6rsiV
Threatray: 6'838 similar samples on MalwareBazaar
TLSH: T156563361BFF885F7E3511A36E58C7FB868FA97049A3508E367015A1C1FED861731B08A
dhash icon: 848c5454baf47474 (shared by other MalwareBazaar samples: 2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: JAMESWT_WT
Tags: exe gcleaner hhiuew33-com
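Before unpacking or detonating a copy of this sample, confirm that the bytes on disk are the ones this entry describes. The script below is an added example, not MalwareBazaar's own tooling: it computes the four digests the entry publishes in a single pass over the file and reports every mismatch. The expected values are copied from the entry above; the sample path is taken as a command-line argument, which is an assumption of the example.

```python
import hashlib
import sys

# Digests published in this MalwareBazaar entry (copied from the page).
ENTRY_DIGESTS = {
    "md5": "6c0a00bf0745accd27441b4c0ac56876",
    "sha1": "b7ee5551b39dd9d00fc330fce68993fd84ee5d64",
    "sha256": "022e85b0301517e90423006b4ea98ace33f914820228f0e5f2fab9d66219ac98",
    "sha3_384": "2952c97db6779f38b50b5e7ba0c38ecf10e727a7683d644520cea52d4a75a577"
                "ee02373ea159df90a0fb0e7feb3cbb05",
}


def digest_chunks(chunks) -> dict:
    """Feed every chunk to all four hashers so a large sample is read only once."""
    hashers = {name: hashlib.new(name) for name in ENTRY_DIGESTS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes) -> dict:
    return digest_chunks([data])


def digest_file(path: str, chunk_size: int = 1 << 20) -> dict:
    with open(path, "rb") as f:
        return digest_chunks(iter(lambda: f.read(chunk_size), b""))


def compare(actual: dict, expected: dict) -> list:
    """Return (algorithm, expected, actual) for each digest in `expected` that differs.
    Only the algorithms present in `expected` are checked; an empty list means the
    bytes are the sample the entry describes."""
    return [(alg, exp.lower(), actual[alg])
            for alg, exp in expected.items() if actual[alg] != exp.lower()]


def verify_sample(data: bytes, expected: dict = ENTRY_DIGESTS) -> list:
    return compare(digest_bytes(data), expected)


if __name__ == "__main__":
    mismatches = compare(digest_file(sys.argv[1]), ENTRY_DIGESTS)  # path is an assumed argument
    for alg, exp, got in mismatches:
        print(f"{alg}: expected {exp}, got {got}")
    print("all digests match" if not mismatches else "sample does NOT match this entry")
    sys.exit(1 if mismatches else 0)
```

Checking all four, including SHA3-384, costs nothing extra over a single hash and catches the case where one weaker digest collides or was copied wrongly.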

Intelligence


File Origin
# of uploads: 1
# of downloads: 258
Origin country: n/a

Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: SPAM.7z
Verdict: Malicious activity
Analysis date: 2022-03-17 07:38:20 UTC
Tags: evasion trojan loader rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Searching for the window
Running batch commands
Sending a custom TCP request
Launching a process
Using the Windows Management Instrumentation requests
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: Cookie Stealer RedLine SmokeLoader Socel
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Disables Windows Defender (via service or powershell)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sample uses process hollowing technique
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Cookie Stealer
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
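Three of the signatures above are static properties of the PE section table (a writeable .text section, nameless sections, a section name with special characters), and the MalwareBazaar tags add an overlay. The checker below is an added example, not the sandbox's rule logic: it walks the section table with only the standard library and reports those four conditions, so the same triage can be run on the unpacked files listed further down before any of them is executed. It is exercised against a constructed, non-executable PE image assembled by build_test_pe; the IMAGE_SECTION_HEADER layout and characteristic flags follow the PE/COFF specification.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
COFF_HDR = struct.Struct("<HHIIIHH")          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(pe: bytes) -> list:
    """Follow e_lfanew to the PE signature, skip the COFF and optional headers and
    return one dict per section header. Truncated or mislabelled headers raise
    ValueError instead of being guessed at."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("no DOS header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff_off = e_lfanew + 4
    if len(pe) < coff_off + COFF_HDR.size:
        raise ValueError("truncated COFF header")
    _, nsec, _, _, _, opt_size, _ = COFF_HDR.unpack_from(pe, coff_off)
    table = coff_off + COFF_HDR.size + opt_size
    if len(pe) < table + nsec * SECTION_HDR.size:
        raise ValueError("truncated section table")
    sections = []
    for i in range(nsec):
        raw_name, vsize, va, rsize, rptr, _, _, _, _, chars = SECTION_HDR.unpack_from(
            pe, table + i * SECTION_HDR.size)
        sections.append({"name": raw_name.split(b"\0", 1)[0], "va": va, "vsize": vsize,
                         "raw_ptr": rptr, "raw_size": rsize, "characteristics": chars})
    return sections


def section_anomalies(pe: bytes) -> list:
    """Human-readable findings mirroring the static signatures on this page."""
    findings = []
    sections = parse_sections(pe)
    for s in sections:
        name, chars = s["name"], s["characteristics"]
        if name == b"":
            findings.append("nameless section")
        elif any(c < 0x21 or c > 0x7E for c in name):   # outside printable ASCII
            findings.append(f"section name with special chars: {name!r}")
        writable = bool(chars & IMAGE_SCN_MEM_WRITE)
        executable = bool(chars & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE))
        if name == b".text" and writable:
            findings.append("writeable .text section")
        elif writable and executable:
            findings.append(f"writeable+executable section {name!r}")
    # Overlay: file bytes beyond the end of the last section's raw data.
    end = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=0)
    if len(pe) > end:
        findings.append(f"overlay of {len(pe) - end} bytes past last section")
    return findings


def build_test_pe(specs, overlay: bytes = b"") -> bytes:
    """Constructed, non-executable PE image used only to exercise the parser: DOS
    header, PE signature, COFF header with no optional header, then one 40-byte
    section header and 16 bytes of raw data per (name, characteristics) spec."""
    hdr_end = 0x40 + 4 + COFF_HDR.size + SECTION_HDR.size * len(specs)
    headers, raw = b"", b""
    for i, (name, chars) in enumerate(specs):
        headers += SECTION_HDR.pack(name, 16, 0x1000 * (i + 1), 16, hdr_end + 16 * i,
                                    0, 0, 0, 0, chars)
        raw += bytes([i]) * 16
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = b"PE\0\0" + COFF_HDR.pack(0x14C, len(specs), 0, 0, 0, 0, 0x0102)
    return dos + coff + headers + raw + overlay


if __name__ == "__main__":
    suspicious = build_test_pe([(b".text", 0xE0000020), (b"", 0xC0000040),
                                (b".\x01\xffdat", 0xC0000040)], overlay=b"\xff" * 100)
    for f in section_anomalies(suspicious):
        print(f)
```

The three findings are weak on their own (packers routinely leave nameless or odd sections behind), which is why the sandbox scores them alongside behaviour; the overlay size is the more useful number, because a multi-megabyte overlay on a small loader is where bundled payloads such as the 343 extracted files above usually sit.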
Behaviour
Behavior Graph (ID 590950, sample XmNlGswk9G, start date 17/03/2022, architecture WINDOWS, score 100)

Sample-wide network contacts:
  80.71.158.106 (PARKNET-ASDK, unknown)
  ip-api.com 208.95.112.1:80 (TUT-ASUS, United States)
  17 other IPs or domains
Sample-wide signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 20 other signatures

Process tree (signatures in brackets; dropped files and network contacts listed under the process that produced them):
XmNlGswk9G.exe
  dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\...\62289c031f2bf_Wed12e30b44c.exe (PE32); C:\Users\...\62289c015452d_Wed120e1c444d.exe (PE32); 16 other files (10 malicious)
  +- setup_install.exe [Adds a directory exclusion to Windows Defender]
     +- cmd.exe
     |  +- 62289b744d470_Wed12c08737a1.exe [Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Sample uses process hollowing technique]
     +- cmd.exe
     |  +- 62289b72b4e7f_Wed12d9f28132.exe [Disables Windows Defender (via service or powershell)]
     |     +- cmd.exe [Disables Windows Defender (via service or powershell)]
     |        +- powershell.exe
     +- cmd.exe
     |  +- 62289b749962c_Wed127c62d7273.exe [Injects a PE file into a foreign processes]
     +- 6 other processes [Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)]
        +- 62289b73994fb_Wed12baac26a0d.exe
        |    network: gardnersoftwera.com 188.114.96.7:80 (CLOUDFLARENETUS, European Union)
        |    dropped: 5c4acf2a-65b5-4ef4-b4a8-b55a12a9c520.exe (PE32)
        +- 62289b798fb85_Wed127134703931.exe [Obfuscated command line found]
        |    dropped: C:\...\62289b798fb85_Wed127134703931.tmp (PE32)
        +- 62289b7631fd1_Wed1293a04b53.exe
        +- powershell.exe
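The graph shows the endpoint pattern worth detecting: a dropped executable in a Temp subdirectory spawns cmd.exe, which spawns powershell.exe, and the sandbox tags the chain with a Defender exclusion, Defender being disabled and an obfuscated command line. The detector below is an added example, not a vendor or Sigma rule. It runs over constructed process-creation records shaped like that chain, decodes a -EncodedCommand payload before matching (the obfuscation that would otherwise hide the Set-MpPreference call from a plain string search) and flags Add-MpPreference, Set-MpPreference and sc-against-WinDefend command lines. The cmdlet, switch and service names are real; the command lines themselves are assumed, since the page does not print them.

```python
import base64
import binascii
import re

# Command-line patterns behind the "Adds a directory exclusion to Windows Defender",
# "Disables Windows Defender (via service or powershell)" and "Obfuscated command line"
# signatures. Cmdlet and service names are real; the matching logic is this example's own.
RULES = [
    ("defender exclusion added",
     re.compile(r"add-mppreference\b.*-exclusion(?:path|process|extension)", re.I)),
    ("defender disabled via powershell",
     re.compile(r"set-mppreference\b.*-disable\w+\s+(?:\$true|1)\b", re.I)),
    ("defender disabled via service",
     re.compile(r"\bsc(?:\.exe)?\s+(?:stop|config|delete)\s+windefend\b", re.I)),
]
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
TEMP_PATH = re.compile(r"\\appdata\\local\\temp\\", re.I)
# -e / -ec / -en / -enc / -encodedcommand followed by base64. PowerShell accepts other
# prefixes of the switch too; covering only these spellings is an assumption here.
ENC_FLAG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Append the plaintext of a -EncodedCommand payload (base64 over UTF-16LE) so the
    rules see what PowerShell will actually run. Unchanged if the switch is absent or
    the payload does not decode."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        plain = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return cmdline
    return f"{cmdline} <decoded: {plain}>"


def detect(events: list) -> list:
    """(pid, rule name) for every process-creation record that matches a rule."""
    hits = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        cmd = decode_encoded_command(ev["cmdline"])
        for name, rx in RULES:
            if rx.search(cmd):
                hits.append((ev["pid"], name))
        if image in SCRIPT_HOSTS and TEMP_PATH.search(cmd):
            hits.append((ev["pid"], "script host invoked with Temp path"))
    return hits


def _enc(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


TEMP = r"C:\Users\user\AppData\Local\Temp"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed Sysmon-style records following the chain in the behaviour graph; the
# command lines are assumed, not taken from the page.
EVENTS = [
    {"pid": 11, "parent": "explorer.exe", "image": r"C:\Users\user\Desktop\XmNlGswk9G.exe",
     "cmdline": r"C:\Users\user\Desktop\XmNlGswk9G.exe"},
    {"pid": 14, "parent": "XmNlGswk9G.exe", "image": TEMP + r"\setup_install.exe",
     "cmdline": TEMP + r"\setup_install.exe"},
    {"pid": 19, "parent": "setup_install.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": f'cmd.exe /c "{TEMP}\\62289b72b4e7f_Wed12d9f28132.exe"'},
    {"pid": 41, "parent": "setup_install.exe", "image": PS,
     "cmdline": f'powershell.exe -NoProfile Add-MpPreference -ExclusionPath "{TEMP}"'},
    {"pid": 43, "parent": "62289b72b4e7f_Wed12d9f28132.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c sc config WinDefend start= disabled"},
    {"pid": 46, "parent": "cmd.exe", "image": PS,
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + _enc("Set-MpPreference -DisableRealtimeMonitoring $true")},
    {"pid": 99, "parent": "explorer.exe", "image": PS,
     "cmdline": "powershell.exe Get-Process | Sort-Object CPU"},
]

if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

Decoding the payload is the step that matters: without it the pid 46 record is just "powershell -w hidden -enc ...", which is noisy but not specific, and the Set-MpPreference call never appears in any string the rule could match. In production the same decode belongs in the log pipeline, so that the Sigma rules the sandbox cites see the plaintext too.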
Threat name: Win32.PUA.PassView
Status: Malicious
First seen: 2022-03-09 22:47:00 UTC
File Type: PE (Exe)
Extracted files: 343
AV detection: 23 of 27 (85.19%)
Threat level: 1/5
Result
Malware family: socelars
Score: 10/10
Tags: family:onlylogger family:redline family:smokeloader family:socelars botnet:mdea80557 botnet:user33new aspackv2 backdoor discovery infostealer loader spyware stealer suricata trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
OnlyLogger Payload
OnlyLogger
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
suricata: ET MALWARE Danabot Key Exchange Request
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
https://sa-us-bucket.s3.us-east-2.amazonaws.com/asdhjk/
92.255.57.154:11841
http://coralee.at/upload/
http://ducvietcao.com/upload/
http://biz-acc.ru/upload/
http://toimap.com/upload/
http://bbb7d.com/upload/
http://piratia-life.ru/upload/
http://curvreport.com/upload/
http://viagratos.com/upload/
http://mordo.ru/upload/
http://pkodev.net/upload/
116.203.252.195:11112
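The extraction mixes two indicator shapes, bare ip:port sockets and URLs with a path, and they should not all be flattened into one host blocklist. The S3 entry in particular is a bucket path on shared Amazon infrastructure (the "Legitimate hosting services abused for malware hosting/C2" behaviour above), so the full URL is what carries the signal. The matcher below is an added example, not a MalwareBazaar export format: it normalises the list above and then classifies constructed egress log lines by strength of match (full URL, then exact ip:port, then bare host), so an analyst can tell a confirmed check-in from a weaker host-only coincidence.

```python
import ipaddress
from urllib.parse import urlsplit

# The C2 extraction list from this entry, copied verbatim.
C2_EXTRACTION = [
    "https://sa-us-bucket.s3.us-east-2.amazonaws.com/asdhjk/",
    "92.255.57.154:11841",
    "http://coralee.at/upload/",
    "http://ducvietcao.com/upload/",
    "http://biz-acc.ru/upload/",
    "http://toimap.com/upload/",
    "http://bbb7d.com/upload/",
    "http://piratia-life.ru/upload/",
    "http://curvreport.com/upload/",
    "http://viagratos.com/upload/",
    "http://mordo.ru/upload/",
    "http://pkodev.net/upload/",
    "116.203.252.195:11112",
]


def normalize(ioc: str) -> dict:
    """One extracted string -> {'kind', 'host', 'port', 'url'}. URLs keep their path;
    bare ip:port entries become socket indicators. Anything else is rejected rather
    than silently turned into a host match."""
    if "://" in ioc:
        u = urlsplit(ioc)
        if not u.hostname:
            raise ValueError(f"URL without host: {ioc}")
        port = u.port or (443 if u.scheme == "https" else 80)
        return {"kind": "url", "host": u.hostname.lower(), "port": port,
                "url": ioc.lower().rstrip("/")}
    host, sep, port = ioc.rpartition(":")
    if not sep:
        raise ValueError(f"unrecognised indicator: {ioc}")
    ipaddress.ip_address(host)            # ValueError if this is not an IP literal
    return {"kind": "socket", "host": host, "port": int(port), "url": None}


def build_index(iocs) -> dict:
    idx = {"urls": [], "sockets": set(), "hosts": set()}
    for n in map(normalize, iocs):
        idx["hosts"].add(n["host"])
        if n["kind"] == "url":
            idx["urls"].append(n["url"])
        else:
            idx["sockets"].add((n["host"], n["port"]))
    return idx


def classify(line: str, idx: dict):
    """('url'|'socket'|'host', indicator) for a log line touching the C2 set, else None.
    Strongest evidence first: a URL under an extracted path, then an exact ip:port,
    then a bare host (weakest: a port or path the sample never used).
    Constructed line format: '<ts> <src_ip> <dst_host> <dst_port> <url or ->'."""
    _, _, host, port, url = line.split()
    host, port = host.lower(), int(port)
    if url != "-":
        u = url.lower().rstrip("/")
        for prefix in idx["urls"]:
            if u == prefix or u.startswith(prefix + "/"):
                return ("url", prefix)
    if (host, port) in idx["sockets"]:
        return ("socket", f"{host}:{port}")
    if host in idx["hosts"]:
        return ("host", host)
    return None


def scan(lines, idx: dict) -> list:
    """(src_ip, tier, indicator) for every matching line, in log order."""
    hits = []
    for line in lines:
        hit = classify(line, idx)
        if hit:
            hits.append((line.split()[1],) + hit)
    return hits


SAMPLE_LOG = [  # constructed egress records, not from the page
    "2022-03-17T05:50:01Z 10.0.0.5 coralee.at 80 http://coralee.at/upload/",
    "2022-03-17T05:50:02Z 10.0.0.5 sa-us-bucket.s3.us-east-2.amazonaws.com 443 "
    "https://sa-us-bucket.s3.us-east-2.amazonaws.com/asdhjk/payload.exe",
    "2022-03-17T05:50:03Z 10.0.0.9 92.255.57.154 11841 -",
    "2022-03-17T05:50:04Z 10.0.0.9 92.255.57.154 443 -",
    "2022-03-17T05:50:05Z 10.0.0.4 mordo.ru 80 http://mordo.ru/",
    "2022-03-17T05:50:06Z 10.0.0.3 www.example.com 443 https://www.example.com/",
]

if __name__ == "__main__":
    for src, tier, ioc in scan(SAMPLE_LOG, build_index(C2_EXTRACTION)):
        print(f"{src} {tier:6} {ioc}")
```

A host-tier hit on 92.255.57.154:443 or on mordo.ru's root is worth a look but is not the same as the socket or URL tier: several of the /upload/ hosts are ordinary sites whose upload path was abused, and blocking the whole domain may break something unrelated while still missing the bucket URL that a host list cannot express.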
Unpacked files (SHA256 / MD5 / SHA1)
1. a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec / 6faec01bf7a3d7f5c5dee2e6e3143a58 / 603a36f817cab5574e58ab279379e5c112e5fb37
2. 93d9ce6291eb10f727da27c487816b29fcba1b907d252f94d11ea0c3a99175fa / c7fc3bcb573b112eca27af5ef7192cce / e43a907bdaced88d3c4444844e72d2381e9f1ad7
3. 834136d2e5800ea580273012ac7ffd38596a9deb5d62475c0dba779c67249cc4 / 8533238a42c2038dcb6cadb57a545198 / a54020355df0af1728ac30d4bea5e42fa82a35b1
4. cbdca1bbec1594dfe74cfc2e89ce369ad9a37d4f185e236851fda640f54d3851 / 35f49989614fe170496cb7b248b3b8e9 / 7ab41f6256b74d03980aecbd8e44701c2e822fee
5. e718a2f50e72d94ee2c9455603d98f67e7705aefc283351c182b5e503d59f6d8 / 5264c8567cf762e7cd37971a88b28a45 / ffd23a453665086713bbeccf0029c5b026d4c47e
6. 7382632010b962fe845138c67406a369d1a00e77b293003a6aa89a206806f892 / 79d12bf220e9ea93125df294ac4a2c47 / d0d63a8d43e079f856cce3186f3714ea66cda844
7. 9b6c121ff5414ef109c06c1d5a1a688f5990aeb5d807d8d6497d1bb1f82a7691 / 1a9af8c0bc63e1af7873307fc57746d2 / 8621f812eade24f6046344bc2180926285342091
8. fb63b01ed8198e4e85a20e11a788ac93b585969c796f383fc1cd9e490294a528 / ad20b9c6ecef9d1770d11c12f6544154 / 547ad9792040b9aaa14655e1ba4c40b2d45e6b7f
9. 6eb61d1eb41e6da86042b15178ce4d37c829ef856d4a139d97d57976c9bfd917 / 95f4986b1c9772f24af828131c25613b / 37e1fd7ee7e1c90fe49b5f16e6b5ace7a52eb0af
10. f1edc38a3e2f8c5f29345bc7e2d9c705f22c80682a0776d711049bf771888179 / 583c78d43104f1cc4ad2dd047397a791 / 1d3bf56526f54b689ef96dc5953355ef49d5dfd6
11. 0e77875dacd36fbdc3fe66e1b3d2cc63522116d79be7d905d96fdf989e10eb0b / 030894b4e383058f5a68a67e245ea557 / 1cfa2333a2915e5642a59e43e8c9d857451a1379
12. af301eda76bb8963b3dac402dceed8da510d4e2b99da597213cbc612a02520f9 / 21087b6baf7f9498e8e4d895a678aaac / f891be6c56ae0443c73c73679da08e00362e6625
13. 245a869dc8a9bcb2190b5da3ea234740d79798385784e8db7aa3f2d2745192aa / 4f93004835598b36011104e6f25dbdba / 6cb45092356c54f68d26f959e4a05ce80ef28483
14. 9049ff744c56858b777adf1cf80f4e0f876a4d54dc23ea884c2f8aa39a3bef1d / 31ebd93c9fb74de0bf3c9eac412f72fb / b7c4e5e258b4b7a3742c23315c7a204d73bf72d4
15. 565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c / 83b531c1515044f8241cd9627fbfbe86 / d2f7096e18531abb963fc9af7ecc543641570ac8
16. a3e120432dc458417eda6d64eea8be63512aa87a099e346cab983ba33f0c4630 / e305b4a308d8830199a2a065918dd97f / 34c0dea0fc4b08d7034767761308a5f80c6da5b6
17. 03af0c4f00a158b1b0025eab2dd2cf834c580f88c27b78ffe49ad5ca6531b1f5 / ad2d001ea4eb6ace88305c1be41ac06a / 0c6fff0e62644810e2998cd63b3394d35131b233
18. 19d2fd9206ffc47c8156aaf94d478d6b6104aea81a0ea501b744511273b9891e / b7eab88dbbb6a7d2945ef3136eaeede9 / db1fb11fcb42d427bfd2f6dc91e14271f9674ca5
19. 71c9e7ac7f5041f9014547b5d2f7e82ec9ab3a6b0585d0b1688ae0c169320abf / 6791ba21a937c2585e5eda68cc8d9974 / c5dd0a44c668a631754d924dec08b2f80a9a69ca
20. 0eec5eee71aa70ddcc769a9d7b70761425d7b5c31390435808f433316563456d / 24a368c58b5cb3421ee1ccd945cd0afe / 7d3409cf1b500f59beb76680255ec9b5a6282429
21. 022e85b0301517e90423006b4ea98ace33f914820228f0e5f2fab9d66219ac98 / 6c0a00bf0745accd27441b4c0ac56876 / b7ee5551b39dd9d00fc330fce68993fd84ee5d64 (the submitted sample itself)
Please note that we are no longer able to provide a VirusTotal coverage score.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: pe_imphash
Rule name: Redline_Stealer_Monitor
Description: Detects RedLine Stealer Variants
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments