MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27056b49e0fe09639113c638bacd8773445ce3365b11059a8f66a436ca57c10d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 9

Intelligence 9 IOCs 1 YARA 1 File information Comments

SHA256 hash:	27056b49e0fe09639113c638bacd8773445ce3365b11059a8f66a436ca57c10d
SHA3-384 hash:	c1c011b4fb2941dbd5ca2c7f8d412ec646b0697dc46bb8fdf4061c5285b5be77891b92b07645b3ef3ec43747598980ec
SHA1 hash:	767f2b25a2457bd29fd19eb7ad9d09cd9c488ea5
MD5 hash:	c566c71c00095c6246783790cd1556b5
humanhash:	lactose-zulu-blue-colorado
File name:	C566C71C00095C6246783790CD1556B5.exe
Download:	download sample
Signature	GCleaner Create hunting rule
File size:	394'240 bytes
First seen:	2021-08-08 16:25:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8aa54a1ff76755cd8a1e65ca9aab3463 (1 x RaccoonStealer, 1 x GCleaner)
ssdeep	6144:yh+APDQ126OvAVJyD1kGmeXC78Ly/zC7j+cyXEDsCN:RAPk126OYVJFGme2rzg+XazN
Threatray	310 similar samples on MalwareBazaar
TLSH	T15B84AE30B690C039E0F712F845BA937C652D7EA26B3490CBA2D53AEE56356E4DC30797
dhash icon	b6714cbc74dcf166 (4 x GCleaner)
Reporter	abuse_ch
Tags:	exe gcleaner

abuse_ch

GCleaner C2:
http://gc-prtnrs.top/decision.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://gc-prtnrs.top/decision.php	https://threatfox.abuse.ch/ioc/166045/

Intelligence

File Origin

# of uploads :

# of downloads :

172

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SYNAPSE+X+CRACKED.rar

Verdict:

Malicious activity

Analysis date:

2021-07-29 14:59:06 UTC

Tags:

evasion trojan kelihos autoit rat redline stealer vidar

Link:

https://app.any.run/tasks/4519e1ca-cac7-4d20-8818-8532d3e75195

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Gcleaner

Link:

https://www.capesandbox.com/analysis/177283/

Detection(s):

Win.Malware.Generic-9882390-0

Win.Malware.Generic-9882656-0

Win.Packed.Generic-9882710-0

Win.Malware.Generic-9882754-0

Win.Packed.Raccoon-9882823-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Launching the default Windows debugger (dwwin.exe)

DNS request

Connection attempt

Sending an HTTP GET request

Running batch commands

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Searching for the window

Launching a tool to kill processes

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/46e96984-7a58-4b14-84ed-9eb9419ee367

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/27056b49e0fe09639113c638bacd8773445ce3365b11059a8f66a436ca57c10d/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-07-29 19:00:44 UTC

AV detection:

26 of 27 (96.30%)

Threat level:

5/5

Verdict:

unknown

GCleaner

4df50c6d6d188c3413bdba53851cbeea7b281b92b0d5341c021a65912395fa5b

GCleaner

9acf427d5b2f5b47e10103ec65c0a2cebe40679360ff759bab01672fe26dcc4e

GCleaner

b8338eda2c7390860da3bd4a37104b409235131406d9b4d30a78b5d4189cf317

GCleaner

c49db28c90989f14866faa6781fc5e6531c8a63d3c3f3d245b4c4d752ce5ebf0

GCleaner

d72dd5663947fc7e1bd8903030b3e2fd551d8d938fdc6417d8513a1c4cc49702

GCleaner

f70d4b4fc9941796d149798614345b8e8bf6e0c69022ac407cb8b03bf26fdc7c

GCleaner

+ 300 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

suricata

Link:

https://tria.ge/reports/210808-aezbwex6dj/

Behaviour

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Deletes itself

Suspicious use of NtCreateProcessExOtherParentProcess

suricata: ET MALWARE GCleaner Downloader Activity M1

Unpacked files

SH256 hash:

f80c996bc4708b9da7c7d7b79ea2ac9d357b60fbadf5c93a9da067e5ed83db2d

MD5 hash:

2e697bd7ecd658f770437f062f0458f5

SHA1 hash:

f3e8a2242439a19edb94c50c1a5a5cf7de597a02

Link:

https://www.unpac.me/results/a1724fd7-f225-47c7-bc7e-932a521772a1/

SH256 hash:

27056b49e0fe09639113c638bacd8773445ce3365b11059a8f66a436ca57c10d

MD5 hash:

c566c71c00095c6246783790cd1556b5

SHA1 hash:

767f2b25a2457bd29fd19eb7ad9d09cd9c488ea5

Link:

https://www.unpac.me/results/a1724fd7-f225-47c7-bc7e-932a521772a1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/27056b49e0fe09639113c638bacd8773445ce3365b11059a8f66a436ca57c10d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	SUSP_XORed_Mozilla Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/177283/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample