MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 341c70ac74087e45fe53487b959dfb0fc7777f276b95831aa0756e7d7f132300. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 14

SHA256 hash: 341c70ac74087e45fe53487b959dfb0fc7777f276b95831aa0756e7d7f132300
SHA3-384 hash: 40c77ecc4e0513ee8de09e8c4435e6f9b458f8911eb3f8a6261508fd3310ed04d716781e44635fff88a8ca8840d586c0
SHA1 hash: 14b0049dc9f4428c7806c926bb60b121f57e5338
MD5 hash: c4e826b5fc5358b72734b891b4250867
humanhash: princess-illinois-mobile-michigan
File name: c4e826b5fc5358b72734b891b4250867.exe
Signature: GCleaner
File size: 441'344 bytes
First seen: 2023-04-19 16:04:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7137110313ae94daa2401b00bdc7c7a9 (3 x GCleaner, 1 x Rhadamanthys, 1 x TeamBot)
ssdeep: 6144:qnZOKAJUUG2qiZmRgBaJmtAAFddm6fHGMUh5h+2+I9rHIv:qZxA/G2qiDB0Pqw5u2rov
Threatray: 86 similar samples on MalwareBazaar
TLSH: T1EC948D8222F0A831E7675A718E2ECAF8267EF5505F15BBDB27595A3F0D302E1D232315
TrID:
  39.5% (.EXE) InstallShield setup (43053/19/16)
  28.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  9.6% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: bcd0c0f0e0e0c842 (1 x GCleaner)
Reporter: abuse_ch
Tags: exe gcleaner

Intelligence

File Origin
# of uploads: 1
# of downloads: 219
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: c4e826b5fc5358b72734b891b4250867.exe
Verdict: Malicious activity
Analysis date: 2023-04-19 16:08:31 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour:
  Searching for synchronization primitives
  Launching the default Windows debugger (dwwin.exe)
  Sending a custom TCP request
  DNS request
  Sending an HTTP GET request
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Behaviour
Behavior Graph: n/a
Threat name: Win32.Trojan.RedLine
Status: Malicious
First seen: 2023-04-18 22:56:30 UTC
File Type: PE (Exe)
Extracted files: 62
AV detection: 19 of 24 (79.17%)
Threat level: 5/5
Result
Malware family: gcleaner
Score: 10/10
Tags: family:gcleaner loader
Behaviour:
  Program crash
  Downloads MZ/PE file
GCleaner
Malware Config
C2 Extraction:
  45.12.253.56
  45.12.253.72
  45.12.253.98
  45.12.253.75
Unpacked files
SHA256 hash: 100fe6851f1f743c9abaa108b5cd19367f7b56bca54ab80699da04da34a75b40
MD5 hash: b625fddb905b3328a712cd39d26c4a05
SHA1 hash: 4e6af66ab9738b32f703dba5f971bc4c4acdd7eb
Detections: Nymaim win_nymaim_g0 win_gcleaner_w0 win_gcleaner_auto
Parent samples:
SHA256 hash: 341c70ac74087e45fe53487b959dfb0fc7777f276b95831aa0756e7d7f132300
MD5 hash: c4e826b5fc5358b72734b891b4250867
SHA1 hash: 14b0049dc9f4428c7806c926bb60b121f57e5338
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments