MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 096c1842a51fd1a2e70b5652706625be34b38057928142691d260d5b05581514. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 096c1842a51fd1a2e70b5652706625be34b38057928142691d260d5b05581514
SHA3-384 hash: e22f5ea524a0c5a533c8121e8f91286b0d29408f780aa32b6b158584e86e6ae9d10fc891b0db38e1d8e42b8146ad58f5
SHA1 hash: ba51d31eced82f358390fffc47497045fb3a3dec
MD5 hash: 327b19e7a819014a1323fbc051976e7c
humanhash: winner-ink-item-delaware
File name:327b19e7a819014a1323fbc051976e7c
Download: download sample
Signature GCleaner
Create hunting rule
File size:1'828'490 bytes
First seen:2024-01-18 04:54:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9dda1a1d1f8a1d13ae0297b47046b26e (64 x Formbook, 39 x GuLoader, 22 x RemcosRAT)
ssdeep 24576:uPd6V+iwdTbkrHWzPT+7vmWgobAPacTvQ5sCH4tIgiUI83NhkwF1tr4GiDxL3Gf6:SzBd8kSKAITIzH4ViUzkgrCD9Gf1b4TL
Threatray 110 similar samples on MalwareBazaar
TLSH T1558523373F68E58BE88E4B74AB96D17046967F0018584A2336E4BF5929F36013CB8F75
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 70f4e0f0f0e0f070 (2 x GCleaner, 2 x Mimikatz, 1 x Formbook)
Reporter zbetcheckin
Tags:32 exe gcleaner

Intelligence

File Origin
# of uploads :
1
# of downloads :
348
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/471404/
Detection(s):
SecuriteInfo.com.Trojan.Loader.1550.2.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Searching for the window
Creating a process from a recently created file
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
Connecting to a non-recommended domain
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Reading critical registry keys
Changing a file
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65a8af271bf798554ab36cf0/reports/2f939418-b3f9-49c7-af1b-bdb364b4e9ae/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/096c1842a51fd1a2e70b5652706625be34b38057928142691d260d5b05581514
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5e817072-3072-48d1-94b0-d0326c6f486c
Result
Threat name:
Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1376498
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1376498 Sample: 6m6BcqyxEL.exe Startdate: 18/01/2024 Architecture: WINDOWS Score: 100 58 Snort IDS alert for network traffic 2->58 60 Multi AV Scanner detection for domain / URL 2->60 62 Found malware configuration 2->62 64 10 other signatures 2->64 8 6m6BcqyxEL.exe 1 34 2->8         started        process3 dnsIp4 52 185.172.128.53, 49711, 80 NADYMSS-ASRU Russian Federation 8->52 54 185.172.128.90, 49710, 80 NADYMSS-ASRU Russian Federation 8->54 36 C:\Users\user\AppData\Local\...\INetC.dll, PE32 8->36 dropped 38 C:\Users\user\AppData\Local\...\nsk8BCD.tmp, PE32 8->38 dropped 40 C:\Users\user\AppData\...\BroomSetup.exe, PE32 8->40 dropped 42 C:\Users\user\AppData\...\syncUpd[1].exe, PE32 8->42 dropped 12 nsk8BCD.tmp 51 8->12         started        17 BroomSetup.exe 2 5 8->17         started        file5 process6 dnsIp7 56 185.172.128.79, 49716, 80 NADYMSS-ASRU Russian Federation 12->56 44 C:\Users\user\AppData\...\softokn3[1].dll, PE32 12->44 dropped 46 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 12->46 dropped 48 C:\Users\user\AppData\...\mozglue[1].dll, PE32 12->48 dropped 50 9 other files (5 malicious) 12->50 dropped 68 Antivirus detection for dropped file 12->68 70 Multi AV Scanner detection for dropped file 12->70 72 Detected unpacking (changes PE section rights) 12->72 74 6 other signatures 12->74 19 cmd.exe 1 12->19         started        21 WerFault.exe 3 16 12->21         started        23 cmd.exe 1 17->23         started        file8 signatures9 process10 signatures11 26 conhost.exe 19->26         started        28 timeout.exe 1 19->28         started        66 Uses schtasks.exe or at.exe to add and modify task schedules 23->66 30 conhost.exe 23->30         started        32 schtasks.exe 1 23->32         started        34 chcp.com 1 23->34         started        process12
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/096c1842a51fd1a2e70b5652706625be34b38057928142691d260d5b05581514
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/096c1842a51fd1a2e70b5652706625be34b38057928142691d260d5b05581514/
Threat name:
Win32.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2024-01-18 04:55:07 UTC
File Type:
PE (Exe)
Extracted files:
127
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bfwbqqvfd7i2fzylkzjhazrfxy2lhacxskaue2i5eygvwbkycuka._file
Verdict:
malicious
Similar samples:
1aa7193bbb01beafb0c15358d24d0642685bec304bfe65a2938542fa5fc9e46f
GCleaner
43d7e7f51f3ee88c66a2d6062d82d444c04978b3323c5caf5424585be9c0294c
GCleaner
4e2375353e49f18d6679c5372a688fc5c9a2ae3994830e6fe19e1cd20bc5ea6d
GCleaner
69a94b658bce41d361945a1594fdc801209d8719ae67df8d2d3df5056e9b0537
GCleaner
6fe8ab034a34587aadbae158e721c37a120f1e4fe3a106d74182a18e2c4270c4
GCleaner
772039456ff22019e827028fcc18661a350c032687d8625427380c941690fcac
GCleaner
ff3bd8bcbd9f93c0b48fac3dad59735db9db2343da3126bc836a3134b563924d
GCleaner
+ 100 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc discovery spyware stealer
Link:
https://tria.ge/reports/240118-fj44xadfg7/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Stealc
Malware Config
C2 Extraction:
http://185.172.128.79
Unpacked files
SH256 hash:
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
MD5 hash:
40d7eca32b2f4d29db98715dd45bfac5
SHA1 hash:
124df3f617f562e46095776454e1c0c7bb791cc7
Link:
https://www.unpac.me/results/abfe0444-713d-44a8-99b1-2386f5bc640e/
SH256 hash:
50a46b3120da828502ef0caba15defbad004a3adb88e6eacf1f9604572e2d503
MD5 hash:
5e94f0f6265f9e8b2f706f1d46bbd39e
SHA1 hash:
d0189cba430f5eea07efe1ab4f89adf5ae2453db
Link:
https://www.unpac.me/results/abfe0444-713d-44a8-99b1-2386f5bc640e/
SH256 hash:
64ce2ee73ef02d4f876ae7334ddb561bee05e9064d12ab86efec8dd3ab112c12
MD5 hash:
0693683909c3031b00c3a6e5c10295f9
SHA1 hash:
0813c162d2f2fdfe15846d9a150b8f20a6cca199
Link:
https://www.unpac.me/results/abfe0444-713d-44a8-99b1-2386f5bc640e/
SH256 hash:
096c1842a51fd1a2e70b5652706625be34b38057928142691d260d5b05581514
MD5 hash:
327b19e7a819014a1323fbc051976e7c
SHA1 hash:
ba51d31eced82f358390fffc47497045fb3a3dec
Link:
https://www.unpac.me/results/abfe0444-713d-44a8-99b1-2386f5bc640e/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/096c1842a51f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/096c1842a51fd1a2e70b5652706625be34b38057928142691d260d5b05581514

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe 096c1842a51fd1a2e70b5652706625be34b38057928142691d260d5b05581514

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/471404/
  
URLhaus
https://urlhaus.abuse.ch/url/2749264/

Comments


Avatar
zbet commented on 2024-01-18 04:54:42 UTC

url : hxxp://185.172.128.109/InstallSetup2.exe