MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 365f984abe68ddd398d7b749fb0e69b0f29daf86f0e3e39af3573bb78a265eb9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 13



SHA256 hash: 365f984abe68ddd398d7b749fb0e69b0f29daf86f0e3e39af3573bb78a265eb9
SHA3-384 hash: b18152ba7cac9fd47b8836d00b20e016c97357b025d8d0864fb69dba0050132f688fd1db02317b96a25841b9110c82fe
SHA1 hash: 9f79361ac3b2d4eae624b8a0c5edf060e4c8d2ff
MD5 hash: 2f8eb2e173c93dae1ddd17031ee8aa0e
humanhash: india-nitrogen-connecticut-india
File name: 365F984ABE68DDD398D7B749FB0E69B0F29DAF86F0E3E.exe
Signature: GCleaner
File size: 6'071'491 bytes
First seen: 2021-10-23 21:35:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:yo+BLKm54bo+f1XhdeQ9jVRUgwuZnQtgmqQI81pPQ92RSM6r+rNnYi:yo+ZKmqo4rLfUpuWJI81pqnQyi
Threatray: 1'226 similar samples on MalwareBazaar
TLSH: T1035633A0D275DBB7C1153BB20A27B55EC693511310FF8ABA1331E44BB3669C0F6A876C
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe gcleaner


abuse_ch
GCleaner C2:
195.2.93.217:18524

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
45.129.99.59:80 | https://threatfox.abuse.ch/ioc/236780/
144.76.183.53:5634 | https://threatfox.abuse.ch/ioc/236825/
45.14.49.184:55842 | https://threatfox.abuse.ch/ioc/236831/
91.206.15.183:15322 | https://threatfox.abuse.ch/ioc/236832/
195.2.93.217:18524 | https://threatfox.abuse.ch/ioc/236833/

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 580
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% directory
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Cryptbot RedLine SmokeLoader Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Downloads files with wrong headers with respect to MIME Content-Type
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Cryptbot
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 508145, Sample: 365F984ABE68DDD398D7B749FB0..., Start date: 23/10/2021, Architecture: WINDOWS, Score: 100
Threat name: Win32.Infostealer.Reline
Status: Malicious
First seen: 2021-08-16 06:20:11 UTC
AV detection: 23 of 28 (82.14%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:cryptbot family:redline family:smokeloader family:vidar botnet:706 aspackv2 backdoor discovery evasion infostealer spyware stealer themida trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
CryptBot
CryptBot Payload
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Malware Config
C2 Extraction:
Unpacked files
Malware family: RedLine.A
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author: ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks

Rule name: MALWARE_Win_CryptBot
Author: ditekSHen
Description: CryptBot/Fugrafa stealer payload

Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector

Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer

Rule name: RedOctoberPluginCollectInfo

Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

Rule name: win_cryptbot_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.cryptbot.

File information


The table below shows additional information about this malware sample such as delivery method and external references.