MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 361ed549476b6ec80f9c95564cc7e3979a8e5d31f8f95eb4c71c46800f0bf327. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 12


SHA256 hash: 361ed549476b6ec80f9c95564cc7e3979a8e5d31f8f95eb4c71c46800f0bf327
SHA3-384 hash: bac3e7031846e37ed7d27fca65cef094f1b3ee526c957fed7bccb4ca9eda6c58e5950042c2db20983c6b1a8b9af3a5f8
SHA1 hash: 114d19d380744159c8af59513b652104ea61ed4b
MD5 hash: d30e54f53559860093096109d25ecabb
humanhash: emma-pip-moon-sodium
File name: d30e54f53559860093096109d25ecabb.exe
Signature: GCleaner
File size: 1'766'781 bytes
First seen: 2023-05-28 07:13:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e569e6f445d32ba23766ad67d1e3787f (258 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep: 24576:s7FUDowAyrTVE3U5F/fGqKGKic6QL3E2vVsjECUAQT45deRV9RW:sBuZrEU6wKIy029s4C1eH9Q
Threatray: 5'471 similar samples on MalwareBazaar
TLSH: T1EC85BF3FF268A13EC46E1B3245739220997BBA61B81A8C1E47FC344DCF765601E3B656
TrID: 50.4% (.EXE) Inno Setup installer (109740/4/30)
19.7% (.EXE) InstallShield setup (43053/19/16)
19.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter: abuse_ch
Tags: exe gcleaner

Intelligence

File Origin
# of uploads: 1
# of downloads: 251
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: d30e54f53559860093096109d25ecabb.exe
Verdict: Suspicious activity
Analysis date: 2023-05-28 07:14:38 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Searching for the window
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: installer lolbin overlay packed setupapi.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Nymaim, RedLine, SmokeLoader, Vidar
Detection: malicious
Classification: troj.evad.spre.spyw.mine
Score: 80 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found strings related to Crypto-Mining
Infects executable files (exe, dll, sys, html)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Yara detected Nymaim
Behaviour
Behavior Graph:
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2023-05-28 07:14:08 UTC
File Type: PE (Exe)
Extracted files: 14
AV detection: 9 of 24 (37.50%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Comments