MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02883fa63667972547fe36023646554c3d2895b41c5a8683ab5b2292f5d2d464. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02883fa63667972547fe36023646554c3d2895b41c5a8683ab5b2292f5d2d464
SHA3-384 hash: 339e659c11802f2b79626219f0b99416a117131048464149ba106cd4a0b7f9acdf8c58d0bfa8c5b5c29e0978d9b6e336
SHA1 hash: 905be498f9490445da60c9ee457de1e8411ce074
MD5 hash: 2de8d046d57fa60509800b164868a881
humanhash: virginia-two-lemon-sweet
File name:2de8d046d57fa60509800b164868a881
Download: download sample
Signature GCleaner
Create hunting rule
File size:453'120 bytes
First seen:2021-10-18 12:26:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d29112deebad1bc2847e7571006fa346 (1 x DanaBot, 1 x GCleaner, 1 x Smoke Loader)
ssdeep 12288:b9i0a/2iNj0gXXj2+ZQo8zbNHrf0PBbGMpv:bG2iNjZXjhQzrf0P3
Threatray 113 similar samples on MalwareBazaar
TLSH T123A4AE00A661C038F6B762F58EB99278A52E7FE06B2450CB52D527FE97345E0ED3131B
File icon (PE):PE icon
dhash icon 88d4f8c4c4e8f0f9 (1 x GCleaner)
Reporter zbetcheckin
Tags:32 exe gcleaner

Intelligence

File Origin
# of uploads :
1
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2021-10-17 20:36:31 UTC
Tags:
evasion trojan loader opendir stealer vidar rat redline
Link:
https://app.any.run/tasks/7084c1f0-7ff4-4b50-a90e-5d55ee433643

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/198170/
Detection(s):
Win.Trojan.Generic-9903173-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt to an infection source
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/616d681b9a5a1e91c5c3caaf/reports/ac0ed1e7-8ddf-4563-b36e-9cf7df531c70/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/36655967-2a27-4ae6-a084-32387e7d30c5
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/872253
Signature
Antivirus detection for URL or domain
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/02883fa63667972547fe36023646554c3d2895b41c5a8683ab5b2292f5d2d464/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-10-18 05:02:40 UTC
AV detection:
33 of 45 (73.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aked7jrwm6lskr76gybdmrsvjq6srfnudrnina5llmrjf5os2rsa._file
Verdict:
malicious
Similar samples:
79d1a0d0bd8b5672374ab7c97365a6b0276efc6755900cdbdcdb77019e69457a
GCleaner
84b57d3d7fdabaebcd85cf01dbf14b9cb94e08fe081abcb60b218c1298c55995
GCleaner
8d53be201d501a00295678466c9fe32c1a972faa705cd6b24636f789a349bb73
GCleaner
b18aad2f2f6dd798cb2e30e96d2825aa9c21c32611a699790319d94b70b92e21
GCleaner
ca77cc344a3c2f6ab1cbee4e6da2ba30f3a14b824bdc00a0da73271e8c365e14
GCleaner
ccfd37710068b3998537ac325e29555ba9375ebf1230cf90e9dcf133e06bcdf3
GCleaner
e390ebfd3537c9b4210916f4e7762e4c12b5fc8825c93e65e3f01fc9f44ac16b
GCleaner
fe622c4801737dede008dfecf2bcf48316f0adebbc080d27a2664ee8b606415c
GCleaner
+ 103 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata
Link:
https://tria.ge/reports/211018-pmsdyseeck/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Deletes itself
suricata: ET MALWARE GCleaner Downloader Activity M5
Unpacked files
SH256 hash:
630a641bebd6ded36fb1c42520e4c7ddc5ace49436dede6c255d8f12ddbfbe54
MD5 hash:
cbbdd5a549a37602019203e20a21866a
SHA1 hash:
50c80b98548b24565decfa94c034b43b753a197a
Link:
https://www.unpac.me/results/28932a39-efd9-4718-9f30-53d8f283b7df/
SH256 hash:
02883fa63667972547fe36023646554c3d2895b41c5a8683ab5b2292f5d2d464
MD5 hash:
2de8d046d57fa60509800b164868a881
SHA1 hash:
905be498f9490445da60c9ee457de1e8411ce074
Link:
https://www.unpac.me/results/28932a39-efd9-4718-9f30-53d8f283b7df/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/02883fa63667972547fe36023646554c3d2895b41c5a8683ab5b2292f5d2d464

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe 02883fa63667972547fe36023646554c3d2895b41c5a8683ab5b2292f5d2d464

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/198170/

Comments


Avatar
zbet commented on 2021-10-18 12:26:29 UTC

url : hxxp://45.9.20.156/pub.php?pub=five/