MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2686a649c29df76f437b54c815f359d0652155a4657aaf8479b6398d8cfc78aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	2686a649c29df76f437b54c815f359d0652155a4657aaf8479b6398d8cfc78aa
SHA3-384 hash:	b865b2681d8e958d862a4b943bfc1e8d366d81920373234778eb52615bad884c6563608b85593c4290a0c16828d862bd
SHA1 hash:	176af50d83a368f1773a70cd3611556cd5f573e2
MD5 hash:	b821882af0b80996c5a5e5ff6e29ff27
humanhash:	mexico-snake-maine-tango
File name:	b821882af0b80996c5a5e5ff6e29ff27.exe
Download:	download sample
Signature	GCleaner Create hunting rule
File size:	15'000 bytes
First seen:	2026-03-18 09:15:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e13d1ae0a2d96c4ad22442e33bfbb444 (1 x GCleaner)
ssdeep	192:kzHiDbnPb7MM6epPqid3qbdULc8pq8RuwdmL4pUQrNy5hTxtT/:kzHiHD5d3qb+y8RbmL4nNy5hTr
TLSH	T1F5626BB388606C06DE1BDD75F4C9C92BFEB672816DC0C2D72149C8508B90BC77B9E5A9
TrID	33.1% (.EXE) Win64 Executable (generic) (6522/11/2) 25.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.4% (.ICL) Windows Icons Library (generic) (2059/9) 10.3% (.EXE) OS/2 Executable (generic) (2029/13) 10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	abuse_ch
Tags:	exe gcleaner signed

Code Signing Certificate

Organisation:	SIFE SOFTWARE LLC
Issuer:	GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1
Algorithm:	sha256WithRSAEncryption
Valid from:	2026-03-16T00:00:00Z
Valid to:	2027-03-15T23:59:59Z
Serial number:	0b9ffb5061c28b5c82afaa11ddc55210
Intelligence:	2 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:	This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:	SHA256
Thumbprint:	167b128d4e2c1034c92f0097334d9a6038ad38b079e57753527f0c07af3246b3
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

142

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

vidar

ID:

File name:

x0a62eff6274768f403e7a23e48220e573d68db17484ef935918cdbf6aeb6359e.exe

Verdict:

Malicious activity

Analysis date:

2026-03-18 03:40:53 UTC

Tags:

m0yv phishing evasion sinkhole stealc stealer xor-url generic golang loader auto-startup auto anti-evasion inno installer delphi vidar sainbox rat auto-reg

Link:

https://app.any.run/tasks/35f70eb9-b5f1-44ea-8a82-d0c40cbe6900

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/57919/

Verdict:

Clean

Score:

84.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69ba6d6288c80c01586b928a

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending an HTTP GET request to an infection source

Sending a custom TCP request

Connection attempt to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

microsoft_visual_cc packed signed

Link:

https://www.filescan.io/uploads/69ba6d5f677ac46843a66f4e/reports/e1a262fd-c818-40aa-923b-4dd7533739e1/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/2686a649c29df76f437b54c815f359d0652155a4657aaf8479b6398d8cfc78aa

Verdict:

Malicious

File Type:

exe x64

Link:

https://opentip.kaspersky.com/2686a649c29df76f437b54c815f359d0652155a4657aaf8479b6398d8cfc78aa/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/d5f413fa-f459-4607-b1d9-140560bb33cd

Result

Threat name:

n/a

Detection:

clean

Classification:

n/a

Score:

0 / 100

Link:

https://www.joesandbox.com/analysis/1885461

Behaviour

Behavior Graph:

n/a

Score:

80%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2686a649c29df76f437b54c815f359d0652155a4657aaf8479b6398d8cfc78aa

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2686a649c29df76f437b54c815f359d0652155a4657aaf8479b6398d8cfc78aa/

Verdict:

Malicious

Threat:

Family.GCLEANER

Link:

https://tip.neiki.dev/file/2686a649c29df76f437b54c815f359d0652155a4657aaf8479b6398d8cfc78aa

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=e2dkmsoctx3w6q33ktebl42z2bsscvnemv5k7bdzwy4y3dh4pcva._file

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/260318-k8lfbacv3m/

Unpacked files

SH256 hash:

2686a649c29df76f437b54c815f359d0652155a4657aaf8479b6398d8cfc78aa

MD5 hash:

b821882af0b80996c5a5e5ff6e29ff27

SHA1 hash:

176af50d83a368f1773a70cd3611556cd5f573e2

Link:

https://www.unpac.me/results/34b17e7e-ef93-41bc-a93c-4a5e1e282d89/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/2686a649c29df76f437b54c815f359d0652155a4657aaf8479b6398d8cfc78aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/57919/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample