MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10847ef36961204caf2bee7e2f1b902f7f94e16955a9df076b2c41e7728f3ca3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 15


SHA256 hash: 10847ef36961204caf2bee7e2f1b902f7f94e16955a9df076b2c41e7728f3ca3
SHA3-384 hash: 2b27ac3cc03afc082e2c155185d96150590ce373e3be3647b462dfadf43f424cc0a40b100c6c37c1af5a7892c648333d
SHA1 hash: 1e5843a277c698a8bfd62c9b290dfe7469841176
MD5 hash: b13cabb5d9cb6335cf7ab3d387acaaff
humanhash: louisiana-november-five-march
File name: 2lapisunivnocom.exe
Signature GCleaner
File size: 708'096 bytes
First seen: 2026-05-01 15:26:41 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash e772ed2994ba9b8b6608cbd1b812a317 (1 x GCleaner)
ssdeep 12288:ROnHL01TBcI0ODlRsl/ChyGpvuH5Z/79P3wNGWip197WM/H2nBJE39k:RgHQgI0ODlRsl/feuZ1N3AGWSvX39
TLSH T1FDE48E23A1B14833D5725B7C9D1BA35C9C3A7E003D2C984A6FE41F485E3E69137AA2D7
TrID 69.6% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
27.5% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
0.4% (.EXE) Win32 Executable (generic) (4504/4/1)
0.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter aachum
Tags: dropped-by-OffLoader exe gcleaner


iamaachum
http://158.94.209.95/setup?name=euone

GCleaner C2: 185.156.73.98

Intelligence


File Origin
# of uploads :
1
# of downloads :
111
Origin country :
ES
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
BIGFILMS 8211 INFERNO Pack Create Epic Blockbuster Scenes.exe
Verdict:
Malicious activity
Analysis date:
2026-05-01 15:03:01 UTC
Tags:
auto generic adware loader gcleaner arch-exec websocket reverseloader stego payload ta558 apt stegocampaign susp-powershell anti-evasion advancedinstaller tofsee botnet sainbox rat takemyfile delphi inno installer telegram

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Connection attempt to an infection source
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug borland_delphi fingerprint installer-heuristic keylogger packed
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-05-01T12:31:00Z UTC
Last seen:
2026-05-02T02:48:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Win32.Evilch.gen PDM:Trojan.Win32.Generic
Result
Threat name:
CryptOne, GCleaner
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Found malware configuration
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
System process connects to network (likely due to code injection or exploit)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected GCleaner
Behaviour
Threat name:
Win32.Packed.Generic
Status:
Suspicious
First seen:
2026-05-01 15:27:03 UTC
File Type:
PE (Exe)
Extracted files:
36
AV detection:
14 of 24 (58.33%)
Threat level:
  1/5
Result
Malware family:
gcleaner
Score:
  10/10
Tags:
family:gcleaner discovery loader
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Family: GCleaner
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
185.156.73.98
Unpacked files
SHA256 hash:
10847ef36961204caf2bee7e2f1b902f7f94e16955a9df076b2c41e7728f3ca3
MD5 hash:
b13cabb5d9cb6335cf7ab3d387acaaff
SHA1 hash:
1e5843a277c698a8bfd62c9b290dfe7469841176
SHA256 hash:
8230dcf69fe2a4c60118c6640cdfa787e740bbc087fc81b4583610a06ca997fc
MD5 hash:
600dd6c96c823fcb1451116f8c265602
SHA1 hash:
f8534964ad37b70ba3daf753e6be3a0bbbcf75df
Detections:
GCleaner
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BobSoftMiniDelphiBoBBobSoft
Author: malware-lu
Rule name: Borland
Author: malware-lu
Rule name: Check_OutputDebugStringA_iat
Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: meth_stackstrings
Author: Willi Ballenthin
Rule name: pe_detect_tls_callbacks
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: Suspicious_Process
Author: Security Research Team
Description: Suspicious process creation
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author: CYFARE
Description: Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference: https://cyfare.net/
Rule name: VECT_Ransomware
Author: Mustafa Bakhit
Description: Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe 10847ef36961204caf2bee7e2f1b902f7f94e16955a9df076b2c41e7728f3ca3

(this sample)

Dropped by: OffLoader

Delivery method: Distributed via web download

Comments