MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ba2dece7e8dd30f7719af81ab01c9666ce37d0236c90bde92c98d84060c4024. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ba2dece7e8dd30f7719af81ab01c9666ce37d0236c90bde92c98d84060c4024
SHA3-384 hash: 65e0f608e0bead9efe4a155a5f64bcabdd41226798caf707a3571936c0ca503565aedc831455ed0275ef439ab3ce6bfc
SHA1 hash: 400c6677d29610b88e2be5957a46d00689ea550d
MD5 hash: 9fda21eb0955b3af2c5c5207afb89f07
humanhash: massachusetts-finch-ten-eighteen
File name:file
Download: download sample
Signature GCleaner
Create hunting rule
File size:4'364'048 bytes
First seen:2025-10-30 21:20:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7a337ff2ab8420c93b38276d6869db84 (3 x GCleaner)
ssdeep 98304:gWJ0r6ODSvou0CUpZCO8krZZgzgjZrQ3L:M6ODSvouX3nEbjZ07
TLSH T1B016CF73F1615036C1D10EB8541E06A6E7907621E9EBBE781FB01D34FE2A376A11D3AB
TrID 52.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
16.8% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
7.5% (.EXE) OS/2 Executable (generic) (2029/13)
7.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe gcleaner


Avatar
Bitsight
url: http://178.16.55.189/files/unique2/random.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2025-10-30 21:23:24 UTC
Tags:
delphi auto generic gcleaner loader rhadamanthys stealer
Link:
https://app.any.run/tasks/245499bf-cd11-4f6b-a936-8492d423c86f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34857/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6903d6b99942f1282ecab19b
Tags:
delphi cobalt emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Labled as:
Application.Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/1ba2dece7e8dd30f7719af81ab01c9666ce37d0236c90bde92c98d84060c4024
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-30T18:33:00Z UTC
Last seen:
2025-11-01T05:29:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Win32.Agent.gen
Link:
https://opentip.kaspersky.com/1ba2dece7e8dd30f7719af81ab01c9666ce37d0236c90bde92c98d84060c4024/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/8980153c-7c47-4f5f-a027-e2bf48fdb970
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1ba2dece7e8dd30f7719af81ab01c9666ce37d0236c90bde92c98d84060c4024
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/9fda21eb0955b3af2c5c5207afb89f07
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1ba2dece7e8dd30f7719af81ab01c9666ce37d0236c90bde92c98d84060c4024/
Verdict:
Malicious
Threat:
Family.GCLEANER
Link:
https://tip.neiki.dev/file/1ba2dece7e8dd30f7719af81ab01c9666ce37d0236c90bde92c98d84060c4024
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2025-10-30 21:21:42 UTC
File Type:
PE (Exe)
Extracted files:
34
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dorn5tt6rxjq65yzv6a2waojmzwog7icg3eqxxuszggyibqmiasa._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery
Link:
https://tria.ge/reports/251030-z65thatrhs/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
Downloads MZ/PE file
Unpacked files
SH256 hash:
1ba2dece7e8dd30f7719af81ab01c9666ce37d0236c90bde92c98d84060c4024
MD5 hash:
9fda21eb0955b3af2c5c5207afb89f07
SHA1 hash:
400c6677d29610b88e2be5957a46d00689ea550d
Link:
https://www.unpac.me/results/3f35fff8-b1f5-49cb-a260-d163c6e9b304/
SH256 hash:
22bde5212a3ef6a1fbc4dd0ba295b0d1e1ecaea3405ff9ad456c7e4d82d4ff2f
MD5 hash:
34a0922b45675d1f93bd6653c4188b6f
SHA1 hash:
659b60c0215ffae8e2723e6fc685ae34e202aba8
Detections:
GCleaner
Create hunting rule
Link:
https://www.unpac.me/results/3f35fff8-b1f5-49cb-a260-d163c6e9b304/
SH256 hash:
d3d3224b50e7ff955cba76e05f5058471add627c6f15658420146040192b3e1b
MD5 hash:
61f30fea94c55ee3199526448a73e58f
SHA1 hash:
71c175173df87bda7ffc77b2208b28f04bbdc628
Link:
https://www.unpac.me/results/3f35fff8-b1f5-49cb-a260-d163c6e9b304/
Malware family:
GCleaner
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1ba2dece7e8d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DriveBy Activity
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/1ba2dece7e8dd30f7719af81ab01c9666ce37d0236c90bde92c98d84060c4024

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe 1ba2dece7e8dd30f7719af81ab01c9666ce37d0236c90bde92c98d84060c4024

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/34857/

Comments