MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 140b117ebb69f027d931787d2a3b0bb445a655e5460c1100b808297c482ae1f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 140b117ebb69f027d931787d2a3b0bb445a655e5460c1100b808297c482ae1f5
SHA3-384 hash: 573f11423046f1898cb401dc12a63bec4e5bb09abad0a6e5abedeeb14506b51b6f18b1b7f211eaccc03edd456dca6420
SHA1 hash: c527022d7a129c12c5b71116da750f41cf9d868f
MD5 hash: d62c0adb7bb8113e33b6d1edc9a1a511
humanhash: lake-fifteen-arizona-moon
File name:file
Download: download sample
Signature GCleaner
Create hunting rule
File size:1'848'592 bytes
First seen:2023-01-21 11:00:46 UTC
Last seen:2023-01-21 17:34:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 848cc806b5445d436485e2ece322aa0e (2 x Rhadamanthys, 1 x GCleaner)
ssdeep 49152:VKX23JkRwZq810P9GNu8Tj05WQOmtgEdnXROt0OQ:VKm3KRwZq810PgN1QwmtgEdnXROK9
Threatray 322 similar samples on MalwareBazaar
TLSH T14485CF72E452C635D0D66BB4AB1B65BC105A5406BBF03800A7F19B6F7620FE3E4EB271
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 030359716571233e (1 x GCleaner)
Reporter andretavare5
Tags:exe gcleaner


Avatar
andretavare5
Sample downloaded from https://www.isurucabs.lk/SAM.exe

Intelligence

File Origin
# of uploads :
11
# of downloads :
189
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-01-21 11:03:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/137c79e4-2a99-49f6-a62a-d4de6131d154

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/355321/
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Launching a process
Creating a file in the %temp% directory
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Detecting VM
Sending an HTTP GET request
Creating a file in the %AppData% directory
Deleting a recently created file
Reading critical registry keys
Searching for the window
Possible injection to a system process
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/62013/overview
Behaviour
MalwareBazaar
CPUID_Instruction
SystemUptime
MeasuringTime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63cbc5ef696b2d972573ecb5/reports/633bddf5-cc50-4503-adb9-f27cb46715c3/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mustang Panda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/84f60992-1f6b-4382-afb6-28535436d3e7
Result
Threat name:
RHADAMANTHYS, lgoogLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1156152
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Checks if the current machine is a virtual machine (disk enumeration)
Contain functionality to detect virtual machines
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected lgoogLoader
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 788883 Sample: file.exe Startdate: 21/01/2023 Architecture: WINDOWS Score: 100 70 Snort IDS alert for network traffic 2->70 72 Antivirus detection for URL or domain 2->72 74 Multi AV Scanner detection for dropped file 2->74 76 8 other signatures 2->76 11 file.exe 9 2->11         started        process3 dnsIp4 62 nanxisf1qjvdnpn6gk5erj9ozhxk.znggxzni 11->62 56 C:\Users\user\AppData\Local\...\4996625.dll, PE32 11->56 dropped 108 Writes to foreign memory regions 11->108 110 Allocates memory in foreign processes 11->110 112 Injects a PE file into a foreign processes 11->112 16 fontview.exe 1 11->16         started        21 ngentask.exe 11->21         started        23 WerFault.exe 24 9 11->23         started        25 2 other processes 11->25 file5 signatures6 process7 dnsIp8 60 109.206.243.168, 49697, 49707, 49709 AWMLTNL Germany 16->60 48 C:\Users\user\AppData\...\nsis_uns4c971d.dll, PE32+ 16->48 dropped 78 Query firmware table information (likely to detect VMs) 16->78 80 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 16->80 82 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->82 90 4 other signatures 16->90 27 rundll32.exe 16->27         started        84 Contains functionality to infect the boot sector 21->84 86 Contain functionality to detect virtual machines 21->86 88 Contains functionality to inject code into remote processes 21->88 50 C:\ProgramData\Microsoft\...\Report.wer, Unicode 23->50 dropped 52 C:\ProgramData\Microsoft\...\Report.wer, Unicode 25->52 dropped file9 signatures10 process11 signatures12 100 System process connects to network (likely due to code injection or exploit) 27->100 102 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 27->102 104 Tries to steal Mail credentials (via file / registry access) 27->104 106 4 other signatures 27->106 30 dllhost.exe 14 5 27->30         started        35 WerFault.exe 27->35         started        process13 dnsIp14 66 transfer.sh 144.76.136.153, 443, 49708 HETZNER-ASDE Germany 30->66 58 C:\Users\user\AppData\Local\...\Library.exe, PE32+ 30->58 dropped 68 System process connects to network (likely due to code injection or exploit) 30->68 37 Library.exe 1 6 30->37         started        file15 signatures16 process17 file18 54 C:\Users\user\AppData\Roaming\...\IGCPU.exe, PE32+ 37->54 dropped 92 Creates an undocumented autostart registry key 37->92 94 Machine Learning detection for dropped file 37->94 96 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 37->96 98 4 other signatures 37->98 41 powershell.exe 37->41         started        43 MSBuild.exe 37->43         started        signatures19 process20 dnsIp21 46 conhost.exe 41->46         started        64 45.159.189.105, 49711, 80 HOSTING-SOLUTIONSUS Netherlands 43->64 process22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/140b117ebb69f027d931787d2a3b0bb445a655e5460c1100b808297c482ae1f5/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cqfrc7v3nhycpwjrpb6suoylwrc2mvpfiygbcafybauxysbk4h2q._file
Verdict:
malicious
Similar samples:
2be47a55c0d9a863fb620ba88c0c276c2f97fa775eaa435c20d8065af267784e
GCleaner
590420a09891c0a91ecdc29942328e707cc3f0243f5c9907c96150eb15fe1052
GCleaner
9146cee3d387cb3d665885b95d885734541f281cbb2a4726b6a59df922a83ee7
GCleaner
b0a22e9a9850fa4356f5603905f45645489ae04d60d630772b3b8227a21b1956
GCleaner
c0178dc0e1f125da7b6bab419edc783fdff63a376019140e086e6bc10ec588bd
GCleaner
dc97a6f3209e48c6b45354965214110cc515209135483152672cc73f149cfbcf
GCleaner
ee8ea5570b0a2c9f6aef8e551cc0d3fbd0be45dc5c11c50ca7056eef2d85d77d
GCleaner
f92b81ca5eebd6f7fb97f0c94d92874c97d738db54887421b82cade3a4be90cd
GCleaner
fee1d36af03a162f70a627c7cd3efa55b0557530d7eefbe8c72026f48b904595
GCleaner
+ 312 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:lgoogloader family:rhadamanthys downloader stealer
Link:
https://tria.ge/reports/230121-m4jr2abh28/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Detect rhadamanthys stealer shellcode
Detects LgoogLoader payload
LgoogLoader
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
5166463a11332c88c5694f8ddc1c63223245d34218e75a86a959e7b6e2384062
MD5 hash:
a6a8451e5ec3e4369407b62e24ce87f5
SHA1 hash:
246bcd9b549dff03b2582208a9268d7306fb827d
Link:
https://www.unpac.me/results/7c68f1d7-671e-461a-9adf-abcc446019d9/
SH256 hash:
140b117ebb69f027d931787d2a3b0bb445a655e5460c1100b808297c482ae1f5
MD5 hash:
d62c0adb7bb8113e33b6d1edc9a1a511
SHA1 hash:
c527022d7a129c12c5b71116da750f41cf9d868f
Link:
https://www.unpac.me/results/7c68f1d7-671e-461a-9adf-abcc446019d9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/140b117ebb69/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.76
Link:
https://yomi.yoroi.company/submissions/140b117ebb69f027d931787d2a3b0bb445a655e5460c1100b808297c482ae1f5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_gcleaner_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.gcleaner.
Rule name:win_gcleaner_de41
Create hunting rule
Author:Johannes Bader
Description:detects GCleaner
Rule name:win_gcleaner_w0
Create hunting rule
Author:Johannes Bader @viql
Description:detects GCleaner

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2509599/
Cape
Cape
https://www.capesandbox.com/analysis/355321/

Comments