MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2255037ecaa8bae5f9f8635acc752d13d2bef93b2a8db06dcc19c56325fba36f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	2255037ecaa8bae5f9f8635acc752d13d2bef93b2a8db06dcc19c56325fba36f
SHA3-384 hash:	b5b10334b00e54aa73beb879b971c263aa0bc12582df85dc234117ad1ca0c65a5216182b6d74adba36570f35b4e6a4f6
SHA1 hash:	7bf6f4eaa9f0aa513a1d2d889add6cb7aa542f13
MD5 hash:	1bbcaa5917549e54c4a7ee283cabafb7
humanhash:	earth-salami-steak-idaho
File name:	file
Download:	download sample
Signature	GCleaner Create hunting rule
File size:	348'160 bytes
First seen:	2024-01-09 20:31:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9991cccd9d91607f602f8d05722efa5d (1 x GCleaner)
ssdeep	3072:YIEML2e8NfkOuny0usgjHg9y8IB4nnt8ACMbrdKNnDK5PE8nR1hidO:YI5Lr8Nsh1u3AL/nnt/CcKnMRRji
Threatray	3 similar samples on MalwareBazaar
TLSH	T12A74A35382E23D44E9268B73DF5F86ECB71DF6508E4A77691219EE1F00B50BAC2A3714
TrID	34.5% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 25.8% (.EXE) InstallShield setup (43053/19/16) 18.7% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 6.3% (.EXE) Win64 Executable (generic) (10523/12/4) 3.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon	183070c0c080c000 (1 x GCleaner)
Reporter	andretavare5
Tags:	exe gcleaner

andretavare5

Sample downloaded from https://vk.com/doc418490229_670558390?hash=zfwioQfsDA7zB6WvT7P6hyKGR2JLS7sEbKcqEffRJTk&dl=2zezmiCzdw5bwwj7KTsbnWMZ6K2KUZZ7Rm0aICyJHoT&api=1&no_preview=1#twointe

Intelligence

File Origin

# of uploads :

# of downloads :

320

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/470088/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

lolbin packed shell32

Link:

https://www.filescan.io/uploads/659dad43784d3498d73b3020/reports/b46f2d52-a7a8-45c6-9be6-4132aab9a582/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/2255037ecaa8bae5f9f8635acc752d13d2bef93b2a8db06dcc19c56325fba36f

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bb321d2c-439d-46cb-9d35-5b1cf9b7a186

Result

Threat name:

GCleaner

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1372054

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found stalling execution ending in API Sleep call

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected GCleaner

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2255037ecaa8bae5f9f8635acc752d13d2bef93b2a8db06dcc19c56325fba36f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2255037ecaa8bae5f9f8635acc752d13d2bef93b2a8db06dcc19c56325fba36f/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2024-01-09 20:32:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

14 of 37 (37.84%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ejkqg7wkvc5ol6pymnnmy5jncpjl56j3fkg3a3omdhcwgjp3unxq._file

Verdict:

malicious

GCleaner

cea47650f92e6b73107d0eddc5e8e66ac5725fe1a0002ddc38b4f500fd15dfed

GCleaner

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/240109-za9skshgep/

Unpacked files

SH256 hash:

5a22ab1e1ae4a06930bdfafd6c3bca7b0b04c9c48da469e2361c3cfda07d169a

MD5 hash:

f62e975fc066f3b3c9b8a439463284b5

SHA1 hash:

ef759f4618ccd2dd3a3191f961edd28e86d9885e

Link:

https://www.unpac.me/results/b48951ef-6760-4c5d-89b5-dc0c4825fa80/

SH256 hash:

2255037ecaa8bae5f9f8635acc752d13d2bef93b2a8db06dcc19c56325fba36f

MD5 hash:

1bbcaa5917549e54c4a7ee283cabafb7

SHA1 hash:

7bf6f4eaa9f0aa513a1d2d889add6cb7aa542f13

Link:

https://www.unpac.me/results/b48951ef-6760-4c5d-89b5-dc0c4825fa80/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2255037ecaa8bae5f9f8635acc752d13d2bef93b2a8db06dcc19c56325fba36f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2746359/

Cape

https://www.capesandbox.com/analysis/470088/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample