MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 209fdb1e0d3624b400c9c6d348c05a92062c8cb771d240f1d490a7b1a631b80d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	209fdb1e0d3624b400c9c6d348c05a92062c8cb771d240f1d490a7b1a631b80d
SHA3-384 hash:	4ef98741e51d2379fd48629d1e79681ff65147770a39c9d94accfa4541e618631987c477afdb49b831894e92ab29a297
SHA1 hash:	8d1990ca06305c8a4bd206ffd2b1ca75e11b68f7
MD5 hash:	cbc42d76c05b9e89b481b7bcbaf259d1
humanhash:	speaker-nineteen-alaska-kentucky
File name:	cbc42d76c05b9e89b481b7bcbaf259d1.exe
Download:	download sample
Signature	GCleaner Create hunting rule
File size:	286'720 bytes
First seen:	2023-04-05 12:04:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4e8985592f7d1f2b5d9b1d9584b1f35e (1 x GCleaner)
ssdeep	6144:3c7qjHl2c2Dq4CEKf2wxHe9ExV9uTeNxT:3YqRjVx+EYEgi
Threatray	10 similar samples on MalwareBazaar
TLSH	T18D54D0013950C872E85661308871D7A6267FBC735B609BC77BB43B6F6D322C27A35786
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	84e0e0e0e0e0d862 (1 x GCleaner)
Reporter	abuse_ch
Tags:	exe gcleaner

Intelligence

File Origin

# of uploads :

# of downloads :

230

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

cbc42d76c05b9e89b481b7bcbaf259d1.exe

Verdict:

Malicious activity

Analysis date:

2023-04-05 12:07:30 UTC

Tags:

gcleaner

Link:

https://app.any.run/tasks/83342644-6947-4a97-b6d9-b8d1cca4570a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Nymaim

Link:

https://www.capesandbox.com/analysis/380274/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

DNS request

Sending an HTTP GET request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/642d63f05df5c94ab9b879c0/reports/6964d039-e197-480f-8fff-bdfb36a0a0ed/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/209fdb1e0d3624b400c9c6d348c05a92062c8cb771d240f1d490a7b1a631b80d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3f761c15-0c34-45b9-a512-7c191fda3629

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/209fdb1e0d3624b400c9c6d348c05a92062c8cb771d240f1d490a7b1a631b80d/

Threat name:

Win32.Trojan.Lockbit

Status:

Malicious

First seen:

2023-04-05 12:05:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ecp5whqngysliagjy3jurqc2sidczdfxohjeb4ousct3djrrxagq._file

Result

Malware family:

gcleaner

Score:

10/10

Tags:

family:gcleaner loader

Link:

https://tria.ge/reports/230405-n86b9sge5t/

Behaviour

Program crash

Downloads MZ/PE file

GCleaner

Malware Config

C2 Extraction:

45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75

Unpacked files

SH256 hash:

16d83341ac209c9ed19f2047051cd92b023990254d9a6e5b70182efd31ac3b8b

MD5 hash:

55020deabd33896bf93dd5d46c233899

SHA1 hash:

9d3646225a6e4a7d33d0df7c3dbdc6ff94bd23d0

Detections:

Nymaim

win_nymaim_g0

win_gcleaner_w0

win_gcleaner_auto

Link:

https://www.unpac.me/results/d42cef8c-5f55-4eb1-bd08-83362a5c2e19/

Parent samples :

d60e0e8b2261c2e7f926b9c3ba901bfab250d86b383833a987efcd53fe69104a
8d373fe483977f095f6017d9d62190c73a48e75b55dbd81b933af93edb7de72b
209fdb1e0d3624b400c9c6d348c05a92062c8cb771d240f1d490a7b1a631b80d

SH256 hash:

209fdb1e0d3624b400c9c6d348c05a92062c8cb771d240f1d490a7b1a631b80d

MD5 hash:

cbc42d76c05b9e89b481b7bcbaf259d1

SHA1 hash:

8d1990ca06305c8a4bd206ffd2b1ca75e11b68f7

Link:

https://www.unpac.me/results/d42cef8c-5f55-4eb1-bd08-83362a5c2e19/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/209fdb1e0d3624b400c9c6d348c05a92062c8cb771d240f1d490a7b1a631b80d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Suspicious_Macro_Presence Create hunting rule
Author:	Mehmet Ali Kerimoglu (CYB3RMX)
Description:	This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/380274/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample