MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 121a989787cc300ec5239c8e4da3823e38d302604f0b14ccb1c560294b33f462. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 121a989787cc300ec5239c8e4da3823e38d302604f0b14ccb1c560294b33f462
SHA3-384 hash: cfde99e9aed8d590d39f53014396b188a3fc0402ee2e0e31eb9b1463823ad18f4fa8ecb60102bb7ef3582c11cddc4740
SHA1 hash: 2619f0c95eaadf24dc3485073023920faf9a0ee1
MD5 hash: d3ab6b9bc97019f87ddf791c4c916503
humanhash: king-oranges-beryllium-stairway
File name:file
Download: download sample
Signature GCleaner
Create hunting rule
File size:2'670'178 bytes
First seen:2023-05-01 15:08:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash da86ff6d22d7419ae7f10724a403dffd (1'679 x GCleaner, 1 x Socks5Systemz)
ssdeep 49152:gUhI7KpEJ43YHWboJcg1Qyp9yGXUhouP5MCrHHKUReja9GYc6csC8N2rVAG5ca:gV+pg430pyV897CouRTrHHKMe+92jHr7
Threatray 3'093 similar samples on MalwareBazaar
TLSH T15AC533405EE2C1F9E867DE325D4D8010A2347A13FCE9E0B59A686D6FBB3D5E0E4142DB
TrID 81.0% (.EXE) Inno Setup installer (109740/4/30)
10.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
3.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.2% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
1.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter andretavare5
Tags:exe gcleaner


Avatar
andretavare5
Sample downloaded from http://45.12.253.74/pineapple.php?pub=mixinte

Intelligence

File Origin
# of uploads :
1
# of downloads :
273
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-05-01 15:11:27 UTC
Tags:
installer loader gcleaner rat redline laplasclipper
Link:
https://app.any.run/tasks/77f9b931-fbad-4624-a582-c94eb719cf4d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/385839/
Detection(s):
PUA.Win.Packer.Overlay-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for the window
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Modifying a system file
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Launching a tool to kill processes
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/82109/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware installer overlay packed
Link:
https://www.filescan.io/uploads/644fd60f463eacbc57db3f98/reports/39a1d25d-99b3-458a-b1d4-36a7d8b5f80e/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/121a989787cc300ec5239c8e4da3823e38d302604f0b14ccb1c560294b33f462
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7b531a63-ecff-4328-bef8-24c938998ae6
Result
Threat name:
MinerDownloader, Laplas Clipper, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1224086
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Encrypted powershell cmdline option found
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes to foreign memory regions
Yara detected Generic MinerDownloader
Yara detected Laplas Clipper
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 857038 Sample: file.exe Startdate: 01/05/2023 Architecture: WINDOWS Score: 100 114 api.ip.sb 2->114 130 Snort IDS alert for network traffic 2->130 132 Malicious sample detected (through community Yara rule) 2->132 134 Antivirus detection for URL or domain 2->134 136 12 other signatures 2->136 15 file.exe 2 2->15         started        signatures3 process4 file5 112 C:\Users\user\AppData\Local\...\is-QMUEO.tmp, PE32 15->112 dropped 18 is-QMUEO.tmp 10 23 15->18         started        process6 file7 86 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 18->86 dropped 88 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 18->88 dropped 90 C:\...\unins000.exe (copy), PE32 18->90 dropped 92 5 other files (4 malicious) 18->92 dropped 21 Rec51.exe 33 18->21         started        process8 dnsIp9 122 45.12.253.56, 49690, 80 CMCSUS Germany 21->122 124 45.12.253.72, 49691, 80 CMCSUS Germany 21->124 126 45.12.253.75, 49692, 80 CMCSUS Germany 21->126 98 C:\Users\user\AppData\...\koQl97qx.exe, PE32 21->98 dropped 100 C:\Users\user\AppData\...\K0V2C5R4.exe, PE32+ 21->100 dropped 102 C:\Users\user\AppData\Roaming\...\K8wFliC.exe, PE32 21->102 dropped 104 4 other malicious files 21->104 dropped 25 CSPJOQ.exe 12 21->25         started        29 K0V2C5R4.exe 2 21->29         started        31 K8wFliC.exe 3 21->31         started        33 2 other processes 21->33 file10 process11 file12 106 C:\Users\user\AppData\...\w6jqhmvtxtz90x.exe, PE32 25->106 dropped 108 C:\Users\user\AppData\...\nqq6wdble6.exe, PE32 25->108 dropped 110 C:\Users\user\AppData\Local\...\Kfpek234.exe, PE32 25->110 dropped 148 Multi AV Scanner detection for dropped file 25->148 35 cmd.exe 25->35         started        150 Query firmware table information (likely to detect VMs) 29->150 152 Tries to detect sandboxes and other dynamic analysis tools (window names) 29->152 154 Tries to evade debugger and weak emulator (self modifying code) 29->154 162 2 other signatures 29->162 156 Suspicious powershell command line found 31->156 158 Very long command line found 31->158 160 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 31->160 38 powershell.exe 31->38         started        40 conhost.exe 33->40         started        42 taskkill.exe 33->42         started        signatures13 process14 signatures15 138 Encrypted powershell cmdline option found 35->138 140 Uses schtasks.exe or at.exe to add and modify task schedules 35->140 44 nqq6wdble6.exe 35->44         started        47 w6jqhmvtxtz90x.exe 35->47         started        49 Kfpek234.exe 35->49         started        54 2 other processes 35->54 52 conhost.exe 38->52         started        process16 file17 166 Multi AV Scanner detection for dropped file 44->166 168 Writes to foreign memory regions 44->168 170 Allocates memory in foreign processes 44->170 172 Sample uses process hollowing technique 44->172 56 RegSvcs.exe 44->56         started        59 RegSvcs.exe 44->59         started        61 WerFault.exe 44->61         started        174 Injects a PE file into a foreign processes 47->174 63 WerFault.exe 47->63         started        66 RegSvcs.exe 47->66         started        84 C:\Users\user\AppData\...\svcservice.exe, PE32 49->84 dropped 176 Antivirus detection for dropped file 49->176 178 Machine Learning detection for dropped file 49->178 signatures18 process19 dnsIp20 144 Writes to foreign memory regions 56->144 146 Injects a PE file into a foreign processes 56->146 68 AppLaunch.exe 56->68         started        73 conhost.exe 56->73         started        128 192.168.2.1 unknown unknown 63->128 signatures21 process22 dnsIp23 116 github.com 140.82.121.3, 443, 49702, 49703 GITHUBUS United States 68->116 118 raw.githubusercontent.com 185.199.108.133, 443, 49705, 49706 FASTLYUS Netherlands 68->118 120 pastebin.com 104.20.67.143, 443, 49701 CLOUDFLARENETUS United States 68->120 94 C:\ProgramData\Dllhost\winlogson.exe, PE32+ 68->94 dropped 96 C:\ProgramData\Dllhost\WinRing0x64.sys, PE32+ 68->96 dropped 142 Sample is not signed and drops a device driver 68->142 75 cmd.exe 68->75         started        78 cmd.exe 68->78         started        80 cmd.exe 68->80         started        file24 signatures25 process26 signatures27 164 Encrypted powershell cmdline option found 75->164 82 conhost.exe 75->82         started        process28
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/121a989787cc300ec5239c8e4da3823e38d302604f0b14ccb1c560294b33f462/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-05-01 15:09:09 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cinjrf4hzqya5rjdtshe3i4chy4ngataj4frjtfryvqcsszt6rra._file
Verdict:
malicious
Similar samples:
09444ad9b6f2aea90103852cee9616d45ab2bcd839d13f173ce9ad1df441808b
GCleaner
113819847de16fc122a5f16efe077489ee1fc94b787e8f51cf25222aec03fb1c
GCleaner
41f8f85028964f278928592973983638df1fe6a744b02d68450a3b09bd957939
GCleaner
51bb969cbf1cc8ab42deae718145a9f5cb5255c1dfdc22691428159eb3ce5768
GCleaner
772262dd6ef1fbb8d4143b7a79b84df082c442e74e1b694d45d02eaa47cc2277
GCleaner
78a9d3fc45796299c1ea2517629159e6db3cf3baea91e80dfffdb688b5bd772b
GCleaner
88c55860a6280c5ca5d851d19ebcf4450c3250a6e9204148cc8cb5de0d058497
GCleaner
9250c83d88932c3ac2c2b24dd9c1d1bef596c82c08da9b9d1800f3949a794938
GCleaner
9bda755d5bb22951293435c550ba38e85ccca29897523fc29e1c174fc093ffe9
GCleaner
bf7d9b82ff0c3842fbd1dff7ffa94389d376af2b5d01ce504072f7985b556325
GCleaner
+ 3'083 additional samples on MalwareBazaar
Result
Malware family:
gcleaner
Create hunting rule
Score:
  10/10
Tags:
family:gcleaner discovery loader
Link:
https://tria.ge/reports/230501-sjfgrsae6y/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
GCleaner
Malware Config
C2 Extraction:
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Unpacked files
SH256 hash:
6a7231c1edfac49f992155f4c7d2404673f3f8bbc803ef1d267735b136f219f8
MD5 hash:
35486068a443130aecd8ea814f5d7caf
SHA1 hash:
d96f3f7896ca9f3475ca439c787d50586f881ac3
Detections:
Nymaim
Create hunting rule
win_nymaim_g0
Create hunting rule
win_gcleaner_auto
Create hunting rule
Link:
https://www.unpac.me/results/0be58cc6-9f50-4964-9833-8a79fd43d5c1/
SH256 hash:
8c722a1160ce7e20b23539c701b763a9c9b211965d662ce2bd69afdf4a168687
MD5 hash:
5e1a80c96ea6781e6158bdfcae3dd9a3
SHA1 hash:
f665d6645f58bff05aba3aced4ee47d2fc386873
Link:
https://www.unpac.me/results/0be58cc6-9f50-4964-9833-8a79fd43d5c1/
SH256 hash:
f76ec76613ac99c2074f64132072c35d87237c363c55656d6d40bb8b7fa2c801
MD5 hash:
951a2dd5698b7bedace9178c70a5c515
SHA1 hash:
e414aad262ba69251cc108132ff6fa67d4dfa3c6
Link:
https://www.unpac.me/results/0be58cc6-9f50-4964-9833-8a79fd43d5c1/
SH256 hash:
121a989787cc300ec5239c8e4da3823e38d302604f0b14ccb1c560294b33f462
MD5 hash:
d3ab6b9bc97019f87ddf791c4c916503
SHA1 hash:
2619f0c95eaadf24dc3485073023920faf9a0ee1
Link:
https://www.unpac.me/results/0be58cc6-9f50-4964-9833-8a79fd43d5c1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.98
Link:
https://yomi.yoroi.company/submissions/121a989787cc300ec5239c8e4da3823e38d302604f0b14ccb1c560294b33f462

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:win_gcleaner_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.gcleaner.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/385839/

Comments