MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19cafd1420ebb5cb96c1d1ed2c0f9a8f59c95ef90316717c733ce78eb45e72cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	19cafd1420ebb5cb96c1d1ed2c0f9a8f59c95ef90316717c733ce78eb45e72cc
SHA3-384 hash:	f66670028c42007b41bec15d530a21f51692a6823b7a6c66003b7e807cae1cc0981a81d59c9039676df0214218cb1ea5
SHA1 hash:	675e27f425ac891419bd438293912c14fdc4dfda
MD5 hash:	b739051cf9cac6187cefb29d092c1fc1
humanhash:	mobile-high-dakota-king
File name:	SecuriteInfo.com.Win32.CrypterX-gen.21396.26717
Download:	download sample
Signature	GCleaner Create hunting rule
File size:	260'608 bytes
First seen:	2024-07-11 08:44:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	771017c278fef57ba7b642e7fe3eb5df (1 x GCleaner)
ssdeep	3072:5oLQbzU0LjhkMbJ2de61aH6GsLbeIRmEfDuxmfRIXL3Gzzs93REmkzez5sjDRiZ1:2LuzfMdl7G6PRmbuRQqvw3REhN8F
TLSH	T1A844AE6176F6A132F7FB5A3419B4A7E45A7BBD733A34828E2150135F4D326C28E60B13
TrID	46.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 25.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 8.5% (.EXE) Win64 Executable (generic) (10523/12/4) 5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	104cc8b0d4e87192 (1 x GCleaner)
Reporter	SecuriteInfoCom
Tags:	exe gcleaner

Intelligence

File Origin

# of uploads :

# of downloads :

365

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

19cafd1420ebb5cb96c1d1ed2c0f9a8f59c95ef90316717c733ce78eb45e72cc.exe

Verdict:

Malicious activity

Analysis date:

2024-07-11 08:46:42 UTC

Tags:

gcleaner loader

Link:

https://app.any.run/tasks/94b92b78-8368-443f-846c-eccf5501d4d3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.CrypterX-gen.21396.26717.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=668f9b9350cbfd4734a8a709win10vpnfull_triage

Tags:

Execution Infostealer Network Stealth Convagent

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

epmicrosoft_visual_cc fingerprint microsoft_visual_cc packed

Link:

https://www.filescan.io/uploads/668f9b937731d034e8820f83/reports/87e238d7-1abf-45ab-ba4a-c6ef72099436/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/19cafd1420ebb5cb96c1d1ed2c0f9a8f59c95ef90316717c733ce78eb45e72cc

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c71f9081-8903-4f8d-8c79-5579c448fee7

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/19cafd1420ebb5cb96c1d1ed2c0f9a8f59c95ef90316717c733ce78eb45e72cc

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/19cafd1420ebb5cb96c1d1ed2c0f9a8f59c95ef90316717c733ce78eb45e72cc/

Threat name:

Win32.Trojan.Smokeloader

Status:

Malicious

First seen:

2024-07-11 08:30:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dhfp2fba5o24xfwb2hwsyd42r5m4sxxzamlhc7dthtty5nc6olga._file

Verdict:

malicious

Result

Malware family:

gcleaner

Score:

10/10

Tags:

family:gcleaner loader

Link:

https://tria.ge/reports/240711-knqjja1dqh/

Behaviour

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Checks computer location settings

Deletes itself

GCleaner

Malware Config

C2 Extraction:

185.172.128.90
77.105.160.30
185.172.128.69

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/d6a55dd0-e06f-4907-a253-e3520ca06582

Unpacked files

SH256 hash:

4952bdcedd7e1b79a220f6aa4e60e8161e5b18a6dc587c14f98052be633df538

MD5 hash:

217b817f890ef7fc49dc9207d55d2a01

SHA1 hash:

c25b4b908a3f7e2ebc24a837fc311f2cba168447

Detections:

GCleaner

win_gcleaner_auto

Link:

https://www.unpac.me/results/7123ef59-3442-41bc-8463-ae6a483e4adc/

Parent samples :

4952bdcedd7e1b79a220f6aa4e60e8161e5b18a6dc587c14f98052be633df538
0a2f129fb15bb15a37b7726f2b827d2d69e99ec84ca7b067d2b25df43f0d1886
4787c7c6c84642962db915599fbf74082e5bfb52facd4ce1142d38f37813d6ff
373f1a98cafb50508a6310576eaaf8dff1a3da118a185306fcdb1973b6c7e355
abc8791aca686d175c4059f78713272c2da4ccc0897a51505b5ec5eec3e41dab
5fff5f8ae81b7a71be4c1ab4f92b118306685af72ac5ef643e7deb05b2893a51
d6aee306a241b3b165cd50ad39c534ee90aa266ce1d7acdf4bf30313e43ca3ae
19cafd1420ebb5cb96c1d1ed2c0f9a8f59c95ef90316717c733ce78eb45e72cc
c0e2aebe3df9bf336b27eb540853b8dd9987be95749f4145002b1b4465d3bda1

SH256 hash:

19cafd1420ebb5cb96c1d1ed2c0f9a8f59c95ef90316717c733ce78eb45e72cc

MD5 hash:

b739051cf9cac6187cefb29d092c1fc1

SHA1 hash:

675e27f425ac891419bd438293912c14fdc4dfda

Link:

https://www.unpac.me/results/7123ef59-3442-41bc-8463-ae6a483e4adc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/19cafd1420ebb5cb96c1d1ed2c0f9a8f59c95ef90316717c733ce78eb45e72cc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

exe 19cafd1420ebb5cb96c1d1ed2c0f9a8f59c95ef90316717c733ce78eb45e72cc

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2934399/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2934398/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::FindFirstVolumeW KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetStartupInfoA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleA KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetConsoleTitleA KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleAliasesLengthW KERNEL32.dll::GetConsoleAliasesA KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileA KERNEL32.dll::SetVolumeMountPointA
WIN_HTTP_API	Uses HTTP services	WINHTTP.dll::WinHttpAddRequestHeaders

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample