MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ae81612a07bd1a1f8e15cbf91f98d1d077702f92becebabc90631191ddf998d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ae81612a07bd1a1f8e15cbf91f98d1d077702f92becebabc90631191ddf998d
SHA3-384 hash: eb6507f39b7c2f66ee0e588265ddd1130f7790b25278f484060b66e2c500a9a87c26d0430a5ee32bb2a2060997539054
SHA1 hash: d5c099874196910bb8c3377491afe09bba927d00
MD5 hash: b24eab642f6d03f7d60a1896760572f5
humanhash: high-alanine-aspen-delaware
File name:b24eab642f6d03f7d60a1896760572f5
Download: download sample
Signature GCleaner
Create hunting rule
File size:293'376 bytes
First seen:2024-01-13 22:39:32 UTC
Last seen:2024-01-14 00:47:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5ed00a86888d3bcd71c89e026f9d181b (2 x GCleaner)
ssdeep 6144:y3VlZUAx/6rS1PT4h+MOoQE7bZ3U2eILY:y3VlZR/6ruT4h9X7xp
Threatray 38 similar samples on MalwareBazaar
TLSH T14554AE1175F5C532F2B3697A4831CBB94ABBB8726E319A8F36C046BD4F256C1CA25307
TrID 46.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
25.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.5% (.EXE) Win64 Executable (generic) (10523/12/4)
5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon d2f1e4c4ecf9c7f9 (2 x GCleaner, 1 x Tofsee)
Reporter zbetcheckin
Tags:32 exe gcleaner

Intelligence

File Origin
# of uploads :
2
# of downloads :
565
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/470756/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.3598.27403.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Connecting to a non-recommended domain
Sending an HTTP GET request
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Launching a tool to kill processes
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65a311433c61cd5b424ffa47/reports/fc9bb4e2-1372-4ddc-97f3-e2a52c4f24bd/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/1ae81612a07bd1a1f8e15cbf91f98d1d077702f92becebabc90631191ddf998d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1a28a229-cea5-4478-9e65-e50cdbc512ba
Result
Threat name:
GCleaner
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1374325
Signature
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected GCleaner
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1ae81612a07bd1a1f8e15cbf91f98d1d077702f92becebabc90631191ddf998d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1ae81612a07bd1a1f8e15cbf91f98d1d077702f92becebabc90631191ddf998d/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-01-13 22:40:06 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dlubmevappi2d6hbls7zd6mndudxoaxzfpwoxk6jayyrsho7tggq._file
Verdict:
malicious
Similar samples:
1ae81612a07bd1a1f8e15cbf91f98d1d077702f92becebabc90631191ddf998d
GCleaner
1c6b17bfcc95be957e2a0a79281b810c05a993111b142d63fb1e32a351d789c1
GCleaner
36ec44ea896af1e6cf3bd5282b0cc6147a4955d85ee507230bf6fb4fe0adb4e6
GCleaner
6db92d356c49fcefe97ff35fe415bbf0d83a94e33272c5ff2197a42af44b5fc8
GCleaner
70c7a7f6c67627aa68aa90151740de9d18661b327d7220cb89ef899974a3384b
GCleaner
daa04918303463f10846507f938cc4f288de4119b710fad9dd894ddc3b383b0c
GCleaner
+ 28 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/240113-2lhjksfcep/
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Unpacked files
SH256 hash:
bbdbec4d910262daf43a4cea874173fd4c790cb3ec142e65de6c1a74520dc4d7
MD5 hash:
8a6150d9aeecaf24aa06b669096bb465
SHA1 hash:
4f516bb16d3d8b241a38a4c22c58e4f4f5883cc4
Link:
https://www.unpac.me/results/4301853c-9a94-4731-9922-d2ba03f81d98/
SH256 hash:
1ae81612a07bd1a1f8e15cbf91f98d1d077702f92becebabc90631191ddf998d
MD5 hash:
b24eab642f6d03f7d60a1896760572f5
SHA1 hash:
d5c099874196910bb8c3377491afe09bba927d00
Link:
https://www.unpac.me/results/4301853c-9a94-4731-9922-d2ba03f81d98/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1ae81612a07bd1a1f8e15cbf91f98d1d077702f92becebabc90631191ddf998d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:win_gcleaner_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.gcleaner.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe 1ae81612a07bd1a1f8e15cbf91f98d1d077702f92becebabc90631191ddf998d

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/470756/
  
URLhaus
https://urlhaus.abuse.ch/url/2746359/
  
URLhaus
https://urlhaus.abuse.ch/url/2748628/

Comments


Avatar
zbet commented on 2024-01-13 22:39:33 UTC

url : hxxp://91.92.241.168/download.php?pub=twointe/