MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30bed3d9aafd3aa38664887f1840728db524e7f268bcb385f588764642b06b7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 30bed3d9aafd3aa38664887f1840728db524e7f268bcb385f588764642b06b7f
SHA3-384 hash: 5ec5ce365b6b23b9f0b89c698396b52097fdf9213f6d9f2a4313b857a37550ec509b9967861526ad7fde249dcd491d36
SHA1 hash: d4a916ef04c3cb4b1180c270bcd924d7ae7a9d73
MD5 hash: 0feb0ed834d41cb1679420de40a5510e
humanhash: florida-potato-iowa-papa
File name:file
Download: download sample
Signature GCleaner
Create hunting rule
File size:437'760 bytes
First seen:2024-11-19 12:22:37 UTC
Last seen:2024-11-19 12:23:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 28a7972fc95d2d60fdf9b2cb63f6d190 (1 x GCleaner)
ssdeep 6144:giILFBm9kDZNRWyoAplNpwhBbi5Z6An7FTS0w4z1T:giIJBm9kb6Q3pwJimAn70Oh
Threatray 1 similar samples on MalwareBazaar
TLSH T1A894C00396D2BCA0D9654B319D2DC6E8362EB9214E192F7B33682F2F19B1173D273719
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon 486462e0e1e1f1f0 (1 x GCleaner)
Reporter Bitsight
Tags:exe gcleaner


Avatar
Bitsight
url: http://31.41.244.11/files/mixeleven.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
429
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-11-19 12:25:10 UTC
Tags:
gcleaner loader
Link:
https://app.any.run/tasks/ebd2e130-721b-4cba-81b6-76f69bb2e3f8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673c84375107a56eacc7f4c3
Tags:
azorult cobalt madi
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Connection attempt
Sending an HTTP GET request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm fingerprint microsoft_visual_cc
Link:
https://www.filescan.io/uploads/673c8330c29f5b493617b390/reports/3a0f5e77-240c-4565-b145-9692f6853a35/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/30bed3d9aafd3aa38664887f1840728db524e7f268bcb385f588764642b06b7f
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c6fdde6e-e370-47d5-aef1-44acb9d1128a
Result
Threat name:
Nymaim
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1558438
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Nymaim
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/30bed3d9aafd3aa38664887f1840728db524e7f268bcb385f588764642b06b7f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/30bed3d9aafd3aa38664887f1840728db524e7f268bcb385f588764642b06b7f/
Threat name:
Win32.Trojan.Nymaim
Create hunting rule
Status:
Malicious
First seen:
2024-11-19 12:23:05 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gc7nhwnk7u5khbterb7rqqdsrw2sjz7snc6lhbpvrb3emqvqnn7q._file
Verdict:
malicious
Label(s):
shellcode_loader_002
Create hunting rule
gcleaner
Create hunting rule
Similar samples:
30bed3d9aafd3aa38664887f1840728db524e7f268bcb385f588764642b06b7f
GCleaner
error
GCleaner
Result
Malware family:
socks5systemz
Create hunting rule
Score:
  10/10
Tags:
family:socks5systemz botnet discovery
Link:
https://tria.ge/reports/241119-pkfx5swbka/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Downloads MZ/PE file
Detect Socks5Systemz Payload
Socks5Systemz
Socks5systemz family
Verdict:
Malicious
Tags:
Win.Packer.pkr_ce1a-9980177-0
YARA:
n/a
Link:
https://app.threat.zone/submission/4ae09092-cc5f-4386-b42b-122f72f95eac
Unpacked files
SH256 hash:
a3eefdfc11dfe079f42ce5a79ed3037bef1cbbcf40b85eeaf59c77bcccd42bcc
MD5 hash:
2cb09a537d5179a588b7aa525407f83d
SHA1 hash:
4dadfafb9f8d1aff848531ad26d40bdd92cdbc81
Link:
https://www.unpac.me/results/21991bf9-9478-449e-9d8d-fbcabd46ae6c/
SH256 hash:
30bed3d9aafd3aa38664887f1840728db524e7f268bcb385f588764642b06b7f
MD5 hash:
0feb0ed834d41cb1679420de40a5510e
SHA1 hash:
d4a916ef04c3cb4b1180c270bcd924d7ae7a9d73
Link:
https://www.unpac.me/results/21991bf9-9478-449e-9d8d-fbcabd46ae6c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/30bed3d9aafd3aa38664887f1840728db524e7f268bcb385f588764642b06b7f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe 30bed3d9aafd3aa38664887f1840728db524e7f268bcb385f588764642b06b7f

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3296071/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::FindNextVolumeMountPointA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetStartupInfoA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleInputA
KERNEL32.dll::WriteConsoleA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleInputA
KERNEL32.dll::SetConsoleCP
KERNEL32.dll::SetStdHandle
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::GetFileAttributesA
KERNEL32.dll::GetTempFileNameA
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW

Comments