MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0312919f4b57e341c3193801ca39bd4621facdc2abeedecec0962aaa0c0b1c64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 17


Intelligence 17 IOCs YARA 17 File information Comments

SHA256 hash: 0312919f4b57e341c3193801ca39bd4621facdc2abeedecec0962aaa0c0b1c64
SHA3-384 hash: b1c83cf784c2af66225d28f0774afe4fd8a16486f2670fcbd25bd20ff6290bf2e21eb20e1d47485e7ec816c300d76ce3
SHA1 hash: 924b212ff6dc2d203bfc0c2f4d8a9262ffe7e26e
MD5 hash: 162f4d47fff9a4f6c0e51e12e06884d7
humanhash: october-venus-maine-oven
File name:Setup.exe
Download: download sample
Signature GCleaner
File size:1'235'728 bytes
First seen:2026-07-07 13:34:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 47e8684ebfb6580430e769529c609065 (2 x GCleaner)
ssdeep 24576:1rjQ0cJ9o81mawUIwggMyv3ZO5DENKn7am:xk0U1xu1ENOd
Threatray 2'355 similar samples on MalwareBazaar
TLSH T111458F26B1C19837D4B2167C9D2BB2BC9836BD215D2C9C4A7BE45E4C1E3AF403A25377
TrID 52.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
16.8% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
7.5% (.EXE) OS/2 Executable (generic) (2029/13)
7.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 399998ecd4d46c0e (573 x Quakbot, 310 x GCleaner, 137 x ArkeiStealer)
Reporter aachum
Tags:exe gcleaner unluckytool-com


Avatar
iamaachum
https://gsmtoolpack.com/Setup.rar

GCleaner C2:
http://158.94.209.95/success?substr=mixtwo&s=three&sub=none

Intelligence


File Origin
# of uploads :
1
# of downloads :
111
Origin country :
ES ES
Vendor Threat Intelligence
No detections
Malware family:
ID:
1
File name:
_0312919f4b57e341c3193801ca39bd4621facdc2abeedecec0962aaa0c0b1c64.exe
Verdict:
Malicious activity
Analysis date:
2026-07-07 13:41:29 UTC
Tags:
loader gcleaner amadey botnet stealer socks5systemz backdoor auto-startup stealc vidar auto tofsee golang inno installer delphi sainbox rat auto-reg generic

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Tags:
cobalt delphi
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Deleting a recently created file
Connection attempt to an infection source
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug base64 borland_delphi expired-cert fingerprint installer-heuristic invalid-signature keylogger packed signed
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-07-07T10:53:00Z UTC
Last seen:
2026-07-08T00:12:00Z UTC
Hits:
~10
Detections:
PDM:Trojan.Win32.Generic HEUR:Trojan.Win32.Evilch.gen
Result
Threat name:
Amadey, CryptOne, GCleaner, REMUS Steale
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Hijacks the control flow in another process
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Performs DNS queries to domains with low reputation
Powershell creates an autostart link
Sample uses string decryption to hide its real strings
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Powershell create lnk in startup
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected CryptOne packer
Yara detected GCleaner
Yara detected REMUS Stealer
Yara detected Socks5Systemz
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1938622 Sample: Setup.exe Startdate: 07/07/2026 Architecture: WINDOWS Score: 100 112 utiliq.xyz 2->112 114 45.91.200.135 PODAONLV Netherlands 2->114 116 23 other IPs or domains 2->116 174 Suricata IDS alerts for network traffic 2->174 176 Found malware configuration 2->176 178 Antivirus detection for URL or domain 2->178 182 21 other signatures 2->182 12 Setup.exe 2->12         started        15 SOtZQrPoVetr.exe 2->15         started        17 PC1500DiskAnalyzer.exe 2->17         started        19 Bwale.exe 18 2->19         started        signatures3 180 Performs DNS queries to domains with low reputation 112->180 process4 dnsIp5 190 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 12->190 192 Hijacks the control flow in another process 12->192 194 Contains functionality to inject code into remote processes 12->194 204 3 other signatures 12->204 22 svchost.exe 49 12->22         started        196 Injects a PE file into a foreign processes 15->196 27 SOtZQrPoVetr.exe 15->27         started        29 SOtZQrPoVetr.exe 15->29         started        198 Antivirus detection for dropped file 17->198 200 Multi AV Scanner detection for dropped file 17->200 202 Detected unpacking (changes PE section rights) 17->202 206 2 other signatures 17->206 118 91.92.242.236, 49719, 49720, 49721 OMEGATECH-ASSC Netherlands 19->118 signatures6 process7 dnsIp8 120 158.94.209.95, 49708, 49717, 49718 OMEGATECH-ASSC Netherlands 22->120 122 drive.usercontent.google.com 142.251.163.132, 443, 49704 GOOGLE-GoogleLLCUS United States 22->122 76 C:\Users\user\AppData\...\QPdHNtTO6.exe, PE32+ 22->76 dropped 78 C:\Users\user\AppData\...\uWybi8chMUYt.exe, PE32 22->78 dropped 80 C:\Users\user\AppData\...\8v2SgtPfZPQ27.exe, PE32+ 22->80 dropped 86 15 other malicious files 22->86 dropped 186 System process connects to network (likely due to code injection or exploit) 22->186 188 Unusual module load detection (module proxying) 22->188 31 QDJeQ5D5u.exe 2 22->31         started        34 NoGqeCxQKgBQ.exe 22->34         started        37 7JLRqQfAN.exe 4 22->37         started        43 6 other processes 22->43 82 C:\Users\user\AppData\...\p82Bpj1IisTaaI3.exe, PE32+ 27->82 dropped 84 C:\Users\user\AppData\Local\Temp\Remus.exe, PE32+ 27->84 dropped 39 p82Bpj1IisTaaI3.exe 27->39         started        41 Remus.exe 27->41         started        file9 signatures10 process11 dnsIp12 100 C:\Users\user\AppData\Local\...\QDJeQ5D5u.tmp, PE32 31->100 dropped 46 QDJeQ5D5u.tmp 18 20 31->46         started        150 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 34->150 152 Found many strings related to Crypto-Wallets (likely being stolen) 34->152 154 Tries to harvest and steal ftp login credentials 34->154 156 Tries to harvest and steal browser information (history, passwords, etc) 34->156 102 C:\Users\user\AppData\Local\...\Bwale.exe, PE32 37->102 dropped 158 Detected unpacking (creates a PE file in dynamic memory) 37->158 49 Bwale.exe 37->49         started        160 Multi AV Scanner detection for dropped file 39->160 162 Modifies the context of a thread in another process (thread injection) 39->162 164 Injects a PE file into a foreign processes 39->164 52 p82Bpj1IisTaaI3.exe 39->52         started        166 Antivirus detection for dropped file 41->166 124 tur.realmadridiran.news 172.67.189.111 CLOUDFLARENET-CloudflareIncUS Canada 43->124 126 dutalogambone.com 109.106.254.249 AS-HOSTINGERCY Singapore 43->126 128 3 other IPs or domains 43->128 104 C:\Users\user\AppData\...\C7qpr38emPBw.tmp, PE32 43->104 dropped 106 C:\Users\user\AppData\...\uWybi8chMUYt.tmp, PE32 43->106 dropped 108 C:\Windows\Temp\5jh5on0u.inf, Windows 43->108 dropped 168 Tries to detect virtualization through RDTSC time measurements 43->168 170 Hides threads from debuggers 43->170 172 Unusual module load detection (module proxying) 43->172 54 C7qpr38emPBw.tmp 43->54         started        56 uWybi8chMUYt.tmp 43->56         started        58 msedgewebview2.exe 43->58         started        60 2 other processes 43->60 file13 signatures14 process15 file16 88 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 46->88 dropped 90 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 46->90 dropped 92 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 46->92 dropped 98 22 other malicious files 46->98 dropped 62 diskanalyzer3678.exe 18 46->62         started        134 Antivirus detection for dropped file 49->134 136 Multi AV Scanner detection for dropped file 49->136 138 Detected unpacking (creates a PE file in dynamic memory) 49->138 140 Unusual module load detection (module proxying) 49->140 142 Tries to steal Mail credentials (via file / registry access) 52->142 144 Tries to harvest and steal ftp login credentials 52->144 146 Tries to harvest and steal browser information (history, passwords, etc) 52->146 148 2 other signatures 52->148 94 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 54->94 dropped 96 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 56->96 dropped 66 msedgewebview2.exe 58->66         started        signatures17 process18 dnsIp19 130 196.251.121.77 Hero-TelecomsZA Turkey 62->130 132 64.89.160.142 GHOSTYNETWORKSUS Luxembourg 62->132 110 C:\ProgramData\...\PC1500DiskAnalyzer.exe, PE32 62->110 dropped 68 powershell.exe 17 62->68         started        file20 process21 file22 74 C:\Users\user\...\fPC1500DiskAnalyzer32.lnk, MS 68->74 dropped 184 Powershell creates an autostart link 68->184 72 conhost.exe 68->72         started        signatures23 process24
Gathering data
Threat name:
Win32.Trojan.GCleaner
Status:
Malicious
First seen:
2026-07-07 13:35:54 UTC
File Type:
PE (Exe)
Extracted files:
58
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Result
Malware family:
gcleaner
Score:
  10/10
Tags:
family:gcleaner adware discovery loader persistence spyware
Behaviour
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Enumerates connected drives
Boot or Logon Autostart Execution: Active Setup
Family: GCleaner
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
185.156.73.98
45.91.200.135
Unpacked files
SH256 hash:
0312919f4b57e341c3193801ca39bd4621facdc2abeedecec0962aaa0c0b1c64
MD5 hash:
162f4d47fff9a4f6c0e51e12e06884d7
SHA1 hash:
924b212ff6dc2d203bfc0c2f4d8a9262ffe7e26e
SH256 hash:
03e5417c79953d8cebdb240e3d1262d8395ab22d41780ef9c2ac62196bbb3a13
MD5 hash:
755e8104cebfd2e1dc9e010da85603ba
SHA1 hash:
9df54bd19979f4c9ae38a4560de724fab17abd78
Detections:
GCleaner
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Author:malware-lu
Rule name:Borland
Author:malware-lu
Rule name:CAS_Malware_Hunting
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:Check_OutputDebugStringA_iat
Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns
Rule name:Suspicious_Process
Author:Security Research Team
Description:Suspicious process creation
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe 0312919f4b57e341c3193801ca39bd4621facdc2abeedecec0962aaa0c0b1c64

(this sample)

  
Delivery method
Distributed via web download

Comments