MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1177adfb95bdd9a54a339005976ed4096d23fb4dd2099e91c35fc526c9a7cdbd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1177adfb95bdd9a54a339005976ed4096d23fb4dd2099e91c35fc526c9a7cdbd
SHA3-384 hash: 6fd8a648be906b7e57391fe6a85d68a15bab53918be089467a9f460a19a8b8ca1b45467f19dffc19a61483fbc60b2953
SHA1 hash: 3a125534a5a2225a0cf3f875b2fd249cc3c69c78
MD5 hash: ef7be4b895b06eaf7779ae2642ff51b7
humanhash: indigo-six-connecticut-idaho
File name:ef7be4b895b06eaf7779ae2642ff51b7.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:1'766'227 bytes
First seen:2023-05-24 18:05:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (260 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 24576:s7FUDowAyrTVE3U5F/MGqK7Kic6QL3E2vVsjECUAQT45deRV9RZ:sBuZrEUZpKIy029s4C1eH9r
TLSH T15385CF3FF268A13EC46E1B3245B39210997BBA61B81A8C1E47FC344DCF765601E3B656
TrID 50.4% (.EXE) Inno Setup installer (109740/4/30)
19.7% (.EXE) InstallShield setup (43053/19/16)
19.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter abuse_ch
Tags:exe gcleaner

Intelligence

File Origin
# of uploads :
1
# of downloads :
274
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ef7be4b895b06eaf7779ae2642ff51b7.exe
Verdict:
Suspicious activity
Analysis date:
2023-05-24 18:05:59 UTC
Tags:
installer
Link:
https://app.any.run/tasks/4908a973-4e99-458a-b517-1273f2e34a89

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/391261/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.30446.31108.10442.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Searching for the window
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/87746/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
installer lolbin overlay packed setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/646e51d174f29291dfe65112/reports/875ed650-8e2a-452a-ade7-6b8ebe3a0487/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/1177adfb95bdd9a54a339005976ed4096d23fb4dd2099e91c35fc526c9a7cdbd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8fa2bad7-11b6-4b2c-a7a6-43d367f8d1f0
Result
Threat name:
Nymaim, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.rans.phis
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1241891
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found malware configuration
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 874902 Sample: WwTL6UdQo7.exe Startdate: 24/05/2023 Architecture: WINDOWS Score: 92 90 wcdownloadercdn.lavasoft.com 2->90 92 wc-update-service.lavasoft.com 2->92 94 rt.webcompanion.com 2->94 120 Snort IDS alert for network traffic 2->120 122 Found malware configuration 2->122 124 Malicious sample detected (through community Yara rule) 2->124 126 11 other signatures 2->126 11 WwTL6UdQo7.exe 2 2->11         started        signatures3 process4 file5 84 C:\Users\user\AppData\...\WwTL6UdQo7.tmp, PE32 11->84 dropped 134 Obfuscated command line found 11->134 15 WwTL6UdQo7.tmp 3 22 11->15         started        signatures6 process7 dnsIp8 112 45.12.253.74, 49697, 80 CMCSUS Germany 15->112 114 webcompanion.com 104.18.212.25 CLOUDFLARENETUS United States 15->114 116 log.angersummer.xyz 172.67.152.155 CLOUDFLARENETUS United States 15->116 58 C:\Users\user\AppData\Local\Temp\...\s1.exe, PE32 15->58 dropped 60 C:\Users\user\AppData\Local\Temp\...\s0.exe, PE32 15->60 dropped 62 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 15->62 dropped 64 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 15->64 dropped 118 Performs DNS queries to domains with low reputation 15->118 20 s0.exe 35 15->20         started        24 s1.exe 15->24         started        file9 signatures10 process11 dnsIp12 96 45.12.253.56, 49698, 80 CMCSUS Germany 20->96 98 45.12.253.72, 49699, 80 CMCSUS Germany 20->98 100 2 other IPs or domains 20->100 66 C:\Users\user\AppData\...\UrvOFtni34.exe, PE32 20->66 dropped 68 C:\Users\user\AppData\...\gzhMzkcH5t.exe, PE32 20->68 dropped 70 C:\Users\user\AppData\Roaming\...\KwfvBnt.exe, PE32 20->70 dropped 78 7 other malicious files 20->78 dropped 27 gzhMzkcH5t.exe 20->27         started        31 KwfvBnt.exe 20->31         started        34 cmd.exe 20->34         started        38 12 other processes 20->38 72 C:\...\WebCompanionInstaller.resources.dll, PE32 24->72 dropped 74 C:\...\WebCompanionInstaller.resources.dll, PE32 24->74 dropped 76 C:\...\WebCompanionInstaller.resources.dll, PE32 24->76 dropped 80 10 other malicious files 24->80 dropped 132 Multi AV Scanner detection for dropped file 24->132 36 WebCompanionInstaller.exe 24->36         started        file13 signatures14 process15 dnsIp16 102 t.me 149.154.167.99, 443, 49703 TELEGRAMRU United Kingdom 27->102 104 116.202.7.239, 30303, 49704 HETZNER-ASDE Germany 27->104 106 lodar2ben.top 27->106 136 Multi AV Scanner detection for dropped file 27->136 138 Detected unpacking (changes PE section rights) 27->138 140 Detected unpacking (overwrites its own PE header) 27->140 142 3 other signatures 27->142 86 C:\Users\user\AppData\Local\...\edlfabwpo.dat, PE32+ 31->86 dropped 40 cmd.exe 31->40         started        43 Cleaner.exe 34->43         started        47 conhost.exe 34->47         started        108 flow.lavasoft.com 104.17.8.52 CLOUDFLARENETUS United States 36->108 88 C:\Users\user\AppData\...\f9030d4j70.exe, PE32 38->88 dropped 49 conhost.exe 38->49         started        51 taskkill.exe 38->51         started        file17 signatures18 process19 dnsIp20 82 C:\Users\user\AppData\Local\...\conhost.exe, PE32 40->82 dropped 53 conhost.exe 40->53         started        56 conhost.exe 40->56         started        110 iplogger.org 148.251.234.83 HETZNER-ASDE Germany 43->110 144 Multi AV Scanner detection for dropped file 43->144 146 May check the online IP address of the machine 43->146 file21 signatures22 process23 signatures24 128 Found evasive API chain (may stop execution after checking system information) 53->128 130 Found API chain indicative of debugger detection 53->130
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1177adfb95bdd9a54a339005976ed4096d23fb4dd2099e91c35fc526c9a7cdbd/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-05-24 18:05:09 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
11 of 23 (47.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cf32364vxxm2ksrtsaczo3wubfwsh62n2iez5eodl7csnsnhzw6q._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230524-wn6rasec61/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash:
6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash:
603a36f817cab5574e58ab279379e5c112e5fb37
Link:
https://www.unpac.me/results/5b235500-0fac-4bf1-a6d6-30570fbdd07c/
SH256 hash:
a593d5d78b87116f68d4702a40702e57e7a68b7e490f25d1f5e216f63113816a
MD5 hash:
bc0bc05239efe322dd8b70450aeb845e
SHA1 hash:
f08f0bce1b5b1e942b9c6a3449cb70067becb9b0
Link:
https://www.unpac.me/results/5b235500-0fac-4bf1-a6d6-30570fbdd07c/
SH256 hash:
1177adfb95bdd9a54a339005976ed4096d23fb4dd2099e91c35fc526c9a7cdbd
MD5 hash:
ef7be4b895b06eaf7779ae2642ff51b7
SHA1 hash:
3a125534a5a2225a0cf3f875b2fd249cc3c69c78
Link:
https://www.unpac.me/results/5b235500-0fac-4bf1-a6d6-30570fbdd07c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1177adfb95bdd9a54a339005976ed4096d23fb4dd2099e91c35fc526c9a7cdbd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/391261/

Comments