MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 066c240c3fec6aa5150db849c2bd94e6ef77c7c6d4c65a6934c1f4e9d22798ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 16

Intelligence 16 IOCs YARA 4 File information Comments

SHA256 hash:	066c240c3fec6aa5150db849c2bd94e6ef77c7c6d4c65a6934c1f4e9d22798ed
SHA3-384 hash:	4c2f24e98b1d55f221c67e97381e8b95579df87f281c41c9c7fb8d501529af87d5ac17e15f421f5d406c729960361523
SHA1 hash:	fdb6e46395fc202da5f3cfb40b2db9be9185efc8
MD5 hash:	8c0099c6cf3355140684e0157c1658ba
humanhash:	hot-two-red-item
File name:	file
Download:	download sample
Signature	GCleaner Create hunting rule
File size:	2'052'608 bytes
First seen:	2024-12-07 16:23:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep	49152:81aZfNXlZZnwcaShd3bsfCtq1D8QHFCA:8UZdZyShd3bntq1YQF
TLSH	T160953316FB73B815F180C6712C23DA0A761A6C76DD5029DF26053E25F8EB9E0EEC1678
TrID	27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.6% (.EXE) Win32 Executable (generic) (4504/4/1) 8.5% (.ICL) Windows Icons Library (generic) (2059/9) 8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
File icon (PE):
dhash icon	e7a99a86c649318d (1 x GCleaner)
Reporter	Bitsight
Tags:	exe gcleaner

Bitsight

url: http://31.41.244.11/files/unique2/random.exe

Intelligence

File Origin

# of uploads :

# of downloads :

439

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Suspicious activity

Analysis date:

2024-12-07 16:25:00 UTC

Tags:

themida

Link:

https://app.any.run/tasks/7842d8cc-4d52-4611-ac33-51c1162a0bf5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.CrypterX-gen.25837.25260.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=675476a568b6ff121708824a

Tags:

vmdetect small hype sage

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Searching for analyzing tools

Connection attempt to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm microsoft_visual_cc packed packed packer_detected

Link:

https://www.filescan.io/uploads/675476a39925097c67ba0c62/reports/1fba82a4-c899-4807-9aef-84c397514358/overview

Verdict:

Malicious

Labled as:

Tedy.Generic

Link:

https://www.hybrid-analysis.com/sample/066c240c3fec6aa5150db849c2bd94e6ef77c7c6d4c65a6934c1f4e9d22798ed

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/90873508-ecea-4119-8e5c-848a6e36e75c

Result

Threat name:

Nymaim

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1570672

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Found potential dummy code loops (likely to delay analysis)

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Yara detected Nymaim

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/066c240c3fec6aa5150db849c2bd94e6ef77c7c6d4c65a6934c1f4e9d22798ed

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/066c240c3fec6aa5150db849c2bd94e6ef77c7c6d4c65a6934c1f4e9d22798ed/

Threat name:

Win32.Trojan.CrypterX

Status:

Malicious

First seen:

2024-12-07 16:24:13 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=azwcidb75rvkkfinxbe4fpmu43xxpr6g2tdfu2juyh2oturhtdwq._file

Verdict:

malicious

Label(s):

shellcode_loader_002

gcleaner

Similar samples:

error

GCleaner

Result

Malware family:

gcleaner

Score:

10/10

Tags:

family:gcleaner discovery evasion loader

Link:

https://tria.ge/reports/241207-twcr3swra1/

Behaviour

Suspicious behavior: EnumeratesProcesses

System Location Discovery: System Language Discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks BIOS information in registry

Identifies Wine through registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

GCleaner

Gcleaner family

Malware Config

C2 Extraction:

92.63.197.221
45.91.200.135

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f92862b6-7ef6-4264-8f18-e1b463a53a2a

Unpacked files

SH256 hash:

9dd95e5b3d25c5eacaa5a8586c51986ef20bdaa7ddee70cc2167783fdea138c5

MD5 hash:

0dd2b1d47a591848e45774f4c70ddd68

SHA1 hash:

9f1f0a44a5c5bf054dc26142cb3f9aefc1129216

Detections:

GCleaner

Link:

https://www.unpac.me/results/81d185eb-f846-49a9-b85b-02f2dda6b982/

Parent samples :

06cf4dfdf3f256011e537de47e63a233b5a0cb7d9e8c241758f9a58904af9e0b
416ee8092b0fb449b899bc9932a17f1add69084af02d9bdb320251e1beac738b
164a72fba52d6e7a03754235fababdd3437a52e176f36a3a16991f7d074ff280
424bb16b1d8bcbfa9a58ed86931e903ac6a746e3713b7105499e9e15986dd673
f4f278b824f27949d6257834b89904218c4fd8cecf882feb9a9594d0944a2940
7b1eeae44b3a2410fe0116a2aff1730200e2f4841869c147ad4655e6e1346185
1dfbf151f8ade66c44308d5dc2b7264ae1a1ec4909859a8cd1d877b19bd58af7
0b4b11751b544fa9c37d8d68a9161c5af6a5b83fcc88d96f098af4f3b59444b6
ff7a0d10b449e5ebf2691f2c3c377d8a27030d78191866553a48a97bacdaf075
0728cc536e45cadc41fd6e18265ebcfd2f0a5a8fa915de35f7e66f641089d165
2840ded7408a604248f60f9566a19c5f8dca193d7f6605c68ea1c04b8a7adc16
24a043af69762d8f53cd4b8ab5e4e58f81462c3d0e6a60d0ad0e68ad8f451a4b
d9d26b62fef8fd2e8ce7bd875971824d5e6690d36853c13ab0bf53338ba33ed2
31f965407764f0da15f8e28f611fdcca9dc454ec5afe1a047fe24c946867394f
2b3a82ff21c4933aa74c525b55492530d56e28088852549ff29e66384d0dd25a
cead013e2c3a7335e5945972ecd71d9d0b9a2deec418a3fa693763320c22b212
69e9ecde048f8d5aeea81e8120664e994a2513fb483e7c8d91612abc69d74768
ddd29358003656b3ce2323ed8bf7b52b716aa883668716f39acc7b924b5236f3
ecbf55ec73fd8ce437b60db742f889f57e7a3027bcdd52baf7b6cd8bdbb4d88d
a9e92705e50c5ee6795eb54011a4e1f68bdc6f15dd5effc25abf3cf7ea5c35fe
b3bab1d09ce9738f8bcf2c838086eaf628715df4fe99ef26c7c85b6e9b9a6443
9e209e099c46c9b103f651910aa17fe13e86b5a416c4fdefcdfb423262b96e18
ccd13fcd2302d16a0fd2d9cc2653869ce0551d464145bf264f75163f03f874bc
21dc740db5d2a51343530deaf4859d811ef3dbecbb7bb8394a5fb6355e7a852c
20aa6407587318875a98f4cc567752a4caffcd46104d7f42c427ad8b10317eab
eab9619df6b82520165d2b4455fbdf147077932f8f53b80d6adb9501e822cdbc
6b7c184726f4065c3200e5d2710874c1a1ae816a5c86c354fbec27b7d625c6cd
747ebc458a95ab80f371b899d4b6e54eaefba46bf5343ae39eeeafba61ba8365
970b1fe105bbe418f79ecae867d42d511bc6c9a8b4b9eb53095ff33149da02a3
a5373b0a6fb3af6cc0166168bff40c602b6a67d9404962e438b61273e874c1bc
e8004da7a3c79934e0234cf767e38363368899050858a81dfd31b2010395d40c
74567ee5c75fd4a34c44dc8c75e9f4ea1dcf3c60d6d3fff4e8d8526460e49b10
ce50862f51244b9dce6dbde2bc96fa852cff8ca84b720797894a3f43f4e293ca
d4219157d8de6bb639892620034961242decf0a4e0507747328b799357ae146c
8d74dff63ca291a7a5457b6924722959319ff92d8130954bfd8a816d117e6160
ccae5dfec9a32bebf96900ea6a260d6dfe3fe7a7abd90046d57b6061edf1b9f3
956aa8781bb234807f058747b32e87baa93da2f2f7973c2fd264bbfafec58768
066c240c3fec6aa5150db849c2bd94e6ef77c7c6d4c65a6934c1f4e9d22798ed

SH256 hash:

066c240c3fec6aa5150db849c2bd94e6ef77c7c6d4c65a6934c1f4e9d22798ed

MD5 hash:

8c0099c6cf3355140684e0157c1658ba

SHA1 hash:

fdb6e46395fc202da5f3cfb40b2db9be9185efc8

Link:

https://www.unpac.me/results/81d185eb-f846-49a9-b85b-02f2dda6b982/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/066c240c3fec6aa5150db849c2bd94e6ef77c7c6d4c65a6934c1f4e9d22798ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

exe 066c240c3fec6aa5150db849c2bd94e6ef77c7c6d4c65a6934c1f4e9d22798ed

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3308787/

URLhaus

https://urlhaus.abuse.ch/url/3331748/

URLhaus

https://urlhaus.abuse.ch/url/3331761/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample