MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12bf2077585309178ee48876b4a32c87552ec1334236fd0ea8dd8ac80e6579f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 12



SHA256 hash: 12bf2077585309178ee48876b4a32c87552ec1334236fd0ea8dd8ac80e6579f5
SHA3-384 hash: a41aae0846b88dbe1681bcb47ce78771257622ff99530e278dfc8be1bf9f721d3dcce7a4cf8d3dfd44944edb7c29b23d
SHA1 hash: aeb0e32cbbc95d289e0b10aa625e82514995cf45
MD5 hash: a6f5ac33717a34ac8f2c7cbfec532500
humanhash: violet-cola-autumn-spaghetti
File name: a6f5ac33717a34ac8f2c7cbfec532500.exe
Download: download sample
Signature: GCleaner
File size: 802'816 bytes
First seen: 2021-12-28 00:21:09 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9734ba8626408cec04bb8fa7d8bb6e83 (4 x PrivateLoader, 3 x GCleaner, 2 x RedLineStealer)
ssdeep: 24576:o7ww87NKA/ld60S/wOBHk0ujqeRHZyvGnA:8wtNf9g0SJBHk32eR5yvf
Threatray: 207 similar samples on MalwareBazaar
TLSH: T1D1059E31A2C5E481E9B21031ED6EF799AC3C1730AF54FCCBBBC56D390975AC1A124A97
Reporter: abuse_ch
Tags: exe gcleaner


abuse_ch
GCleaner C2:
45.144.29.24:8670

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
45.144.29.24:8670 | https://threatfox.abuse.ch/ioc/288165/

Intelligence


File Origin
# of uploads:
1
# of downloads:
240
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a6f5ac33717a34ac8f2c7cbfec532500.exe
Verdict:
No threats detected
Analysis date:
2021-12-28 00:24:00 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Creating a file in the Program Files subdirectories
Launching a process
Creating a process with a hidden window
Sending an HTTP GET request to an infection source
Sending an HTTP POST request to an infection source
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
5/10
Tags:
n/a
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
5/10
Confidence:
80%
Tags:
fingerprint greyware packed raccoon virus wacatac
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
SmokeLoader
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Drops executable to a common third party application directory
Drops PE files to the document folder of the user
Hides threads from debuggers
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected SmokeLoader
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph: ID 545789, sample WhCaRe7XsR.exe, start date 28/12/2021, architecture WINDOWS, score 100 (the rendered graph of contacted hosts, dropped files, processes and signatures is not reproduced as text)
Threat name:
Win32.Trojan.Raccoon
Status:
Malicious
First seen:
2021-12-25 07:24:00 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
32 of 43 (74.42%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
10/10
Tags:
evasion spyware stealer trojan
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Defender Real-time Protection settings
Unpacked files
SHA256 hash:
a3f886db3d2691794e9ec27dca65dcc5d96e6095ec1de5275967a6e6d156d1f7
MD5 hash:
d4c5a976210d883871c293d3e399647b
SHA1 hash:
6e992a2e6b717ba9619dc259392f173181e77ab5
SHA256 hash:
12bf2077585309178ee48876b4a32c87552ec1334236fd0ea8dd8ac80e6579f5
MD5 hash:
a6f5ac33717a34ac8f2c7cbfec532500
SHA1 hash:
aeb0e32cbbc95d289e0b10aa625e82514995cf45
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_DLInjector06
Author: ditekSHen
Description: Detects downloader / injector

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments