MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3661431d0e8705b3504d36a00a3131a8ef0f3822fd69dc93f3bf269fa6ae51f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 12



SHA256 hash: 3661431d0e8705b3504d36a00a3131a8ef0f3822fd69dc93f3bf269fa6ae51f0
SHA3-384 hash: 8d88e2bc6cae0878ac221c349c23fc5b016dbeef1358c0b20ccc0af356687f7f231844c1723049e90ffa142630eff2b7
SHA1 hash: 82504c3a573d0b2968f4f7d957a1dce6d9779807
MD5 hash: 45e11418243036131bd781223f7ba55f
humanhash: early-cold-carolina-helium
File name: 45e11418243036131bd781223f7ba55f.exe
Signature: GCleaner
File size: 349'184 bytes
First seen: 2022-09-15 07:43:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a6dbeee9e4f054e2e2505d721bd1e347 (4 x GCleaner, 1 x DanaBot, 1 x RecordBreaker)
ssdeep: 6144:rG2hJtLfyT69ENqNzy5gwVMymY8ze1Zoe4zH7Fr5x516ds6G0U4Nniga:rGEJt7o6yNezy6wVBJ8zKoHzt5X1AbnE
TLSH: T1E074E072B992D431C8656D308532DFA42ABFBC612A205643F3B4774EBE327D0616238F
TrID:
  48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 70f0e8c8d8d8e868 (1 x GCleaner)
Reporter: abuse_ch
Tags: exe gcleaner

Intelligence


File Origin
# of uploads: 1
# of downloads: 287
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:
Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending an HTTP GET request
Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour
SystemUptime
MeasuringTime
CPUID_Instruction
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 80 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Nymaim
Behaviour
Threat name: Win32.Trojan.RATLoader
Status: Malicious
First seen: 2022-09-15 07:44:08 UTC
File Type: PE (Exe)
Extracted files: 54
AV detection: 21 of 40 (52.50%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:nymaim trojan
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Deletes itself
NyMaim
Malware Config
C2 Extraction:
208.67.104.97
85.31.46.167
Unpacked files
SHA256 hash: 9ca554371738b4c54ef9bdb9fe1000ce3913b3cc89f7af366999232aa59a6bc8
MD5 hash: 318f53e58ac5de8f16ba8292290a4163
SHA1 hash: b5fb40a9a816dbb7cc1320843f6dbaa5b564a12e
Detections: win_nymaim_g0
Parent samples:
SHA256 hash: 3661431d0e8705b3504d36a00a3131a8ef0f3822fd69dc93f3bf269fa6ae51f0
MD5 hash: 45e11418243036131bd781223f7ba55f
SHA1 hash: 82504c3a573d0b2968f4f7d957a1dce6d9779807
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
GCleaner
Executable exe 3661431d0e8705b3504d36a00a3131a8ef0f3822fd69dc93f3bf269fa6ae51f0 (this sample)

Delivery method: Distributed via web download

Comments