MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38066ee9fea009a8a6c2575e1a05fadd49a2cfe205dd8a6604eea85f5c7a42bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 7 File information Comments

SHA256 hash:	38066ee9fea009a8a6c2575e1a05fadd49a2cfe205dd8a6604eea85f5c7a42bd
SHA3-384 hash:	cd567edf3d30c7f1647361253b106a0a3ce37b7c2336179fcd6fec1a782cb120ec8fe1c621ab72b90bfa45ca21167bba
SHA1 hash:	de9a04bb02a531451d335b1eb8f752db42a21050
MD5 hash:	a8728dd1eeffcc3e1fc073e23fa81d05
humanhash:	fish-golf-west-shade
File name:	a8728dd1eeffcc3e1fc073e23fa81d05.exe
Download:	download sample
Signature	GCleaner Create hunting rule
File size:	9'911'846 bytes
First seen:	2022-01-22 07:56:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep	196608:xpLUCggVcHcMrB8Yfp32lQAq6udXSFi4N1nI7jJ6Cskk4BU2cFu:xpdgQcnrBrf4lQVjdX4N1nEUkkaL
TLSH	T1A1A6335AF4D65CFAF82301B045A873ED6CB407C45E10C72FA79D1B99DB66988CB48CE8
File icon (PE):
dhash icon	848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter	abuse_ch
Tags:	exe gcleaner

abuse_ch

GCleaner C2:
185.105.119.120:48759

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.105.119.120:48759	https://threatfox.abuse.ch/ioc/311270/

Intelligence

File Origin

# of uploads :

# of downloads :

263

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a8728dd1eeffcc3e1fc073e23fa81d05.exe

Verdict:

No threats detected

Analysis date:

2022-01-22 08:56:20 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1440ecdf-88d6-46e3-8c70-30cc61272dd8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/221607/

Detection(s):

Win.Packed.Barys-9859531-0

Win.Malware.Generic-9863888-0

Win.Packed.Jaik-9863991-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% subdirectories

Сreating synchronization primitives

Creating a process from a recently created file

Running batch commands

Sending a custom TCP request

DNS request

Sending an HTTP GET request

Launching a process

Creating a window

Unauthorized injection to a recently created process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/61ebb897d32385db631a28b0/reports/d4dd6233-6ed4-455b-a44f-4bca03a1723b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Gathering data

Result

Threat name:

Raccoon SmokeLoader Socelars Vidar onlyL

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/925589

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Antivirus detection for dropped file

Antivirus detection for URL or domain

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Disable Windows Defender real time protection (registry)

Disables Windows Defender (via service or powershell)

Downloads files with wrong headers with respect to MIME Content-Type

Found C&C like URL pattern

Machine Learning detection for dropped file

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Obfuscated command line found

PE file contains section with special chars

PE file has a writeable .text section

PE file has nameless sections

Performs DNS queries to domains with low reputation

Sigma detected: Powershell Defender Exclusion

Sigma detected: Regsvr32 Command Line Without DLL

Sigma detected: Suspicious Script Execution From Temp Folder

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to evade analysis by execution special instruction which cause usermode exception

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected onlyLogger

Yara detected Raccoon Stealer

Yara detected SmokeLoader

Yara detected Socelars

Yara detected Vidar stealer

Yara detected WebBrowserPassView password recovery tool

Yara Genericmalware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/38066ee9fea009a8a6c2575e1a05fadd49a2cfe205dd8a6604eea85f5c7a42bd/

Threat name:

Win32.Backdoor.Zapchast

Status:

Malicious

First seen:

2022-01-19 07:24:00 UTC

File Type:

PE (Exe)

Extracted files:

684

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hadg52p6uae2rjwck5pbubp23ve2ft7caxoyuzqe52uf6xd2ik6q._file

Verdict:

malicious

Label(s):

ryuk

Result

Malware family:

vidar

Score:

10/10

Tags:

family:onlylogger family:raccoon family:redline family:smokeloader family:socelars family:vidar botnet:8fc55a7ea41b0c5db2ca3c881e20966100c28a40 botnet:915 botnet:media23nps botnet:v3user1 aspackv2 backdoor infostealer loader spyware stealer suricata trojan

Link:

https://tria.ge/reports/220122-jsn1tsadbn/

Behaviour

Kills process with taskkill

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Looks up geolocation information via web service

Loads dropped DLL

Reads user/profile data of web browsers

ASPack v2.12-2.42

Downloads MZ/PE file

Executes dropped EXE

NirSoft WebBrowserPassView

Nirsoft

OnlyLogger Payload

Vidar Stealer

OnlyLogger

Process spawned unexpected child process

Raccoon

RedLine

RedLine Payload

SmokeLoader

Socelars

Socelars Payload

Vidar

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

Malware Config

C2 Extraction:

http://www.biohazardgraphics.com/
https://mstdn.social/@kipriauk9
https://qoto.org/@kipriauk8
65.108.69.168:13293
159.69.246.184:13127
http://rcacademy.at/upload/
http://e-lanpengeonline.com/upload/
http://vjcmvz.cn/upload/
http://galala.ru/upload/
http://witra.ru/upload/

Unpacked files

SH256 hash:

669133ab9bcb3f73839fa828bd163e9ae96f41560f1c2e7377e9e2234da7c22b

MD5 hash:

082efbc195990f408078651b90202292

SHA1 hash:

3810c57644acd3defebf222ddb8575fb425207c7

Link:

https://www.unpac.me/results/0831e5b1-9e5d-4397-8c05-2316a86b2d23/

SH256 hash:

401935cb5b36f0bf8f1ce0d20c25872382dd558420e5c26d3a2a653ed4111165

MD5 hash:

cf04bade8690a9b8bc7cedfe52253911

SHA1 hash:

30fc986df06c53052e6e91083f37b32e470526d5

Link:

https://www.unpac.me/results/0831e5b1-9e5d-4397-8c05-2316a86b2d23/

SH256 hash:

e40a6e65dd6776e8b0d861b40455fb8002da8ebe7802eba89b01da744d95ca49

MD5 hash:

4797bfe49da816ece94702f3b1c84c44

SHA1 hash:

196193b425627528bdc8ba27b9d4afbdc801176b

Link:

https://www.unpac.me/results/0831e5b1-9e5d-4397-8c05-2316a86b2d23/

SH256 hash:

81f27af607f96da8369b94617f47a68fd66e48180dd825e748271c5daf62e4cb

MD5 hash:

8f4b7adc01da06fea970093c7a3c66dd

SHA1 hash:

13dee23db758c33942c135eb55e3466494e5effa

Link:

https://www.unpac.me/results/0831e5b1-9e5d-4397-8c05-2316a86b2d23/

SH256 hash:

f45daafd61371b1f080a92eea8e9c8bfc9b710f22c82d5a06a1b1bf271c646ad

MD5 hash:

7e32ef0bd7899fa465bb0bc866b21560

SHA1 hash:

115d09eeaff6bae686263d57b6069dd41f63c80c

Link:

https://www.unpac.me/results/0831e5b1-9e5d-4397-8c05-2316a86b2d23/

SH256 hash:

0fbc2875f1e9249bd91eb89c818c66ccdf87dbea1522987ba4b9c422113343e0

MD5 hash:

1ec5ada63bd6736fb59bf14bac9797d8

SHA1 hash:

0fc085566f50fcc9b78970351cf9a307649bfe63

Link:

https://www.unpac.me/results/0831e5b1-9e5d-4397-8c05-2316a86b2d23/

SH256 hash:

012c3d22b5374c4f595fcf1986bf2a67697f322f36e8bb6456809334f98f5781

MD5 hash:

8bacb64db8fb73308faefd14b863fd43

SHA1 hash:

c5bf54f8b9cc198d6d380f3ee7a74df2feadf32a

Link:

https://www.unpac.me/results/0831e5b1-9e5d-4397-8c05-2316a86b2d23/

SH256 hash:

9dac78cf97a753e813b02cb654f076cdea03155bc9a98ed64ec248729ead52ec

MD5 hash:

29fa5c5ade39d4ae5a0f564949278923

SHA1 hash:

376051004220051779d97fcb44065a8724de370b

Link:

https://www.unpac.me/results/0831e5b1-9e5d-4397-8c05-2316a86b2d23/

SH256 hash:

e7b8877389f0bfb5fb95f08a799a0e7d06a2f7161a0287552ff3eadf06bd1dd1

MD5 hash:

e9eb471509abbfb4456285e82b25d1c9

SHA1 hash:

b96ef576c147ea8a1b3e0bd5430117ba9ad31096

Link:

https://www.unpac.me/results/0831e5b1-9e5d-4397-8c05-2316a86b2d23/

SH256 hash:

4f7016fb630595204b4cb47d03f4cdf9a75597d2586fa9bbd244a0407a567748

MD5 hash:

ec94b9dbbb8502ae096f9d7e1f33901c

SHA1 hash:

d5f73eaaa6df419e83bb2c58f30d28ba2e348b72

Link:

https://www.unpac.me/results/0831e5b1-9e5d-4397-8c05-2316a86b2d23/

Parent samples :

e4fb57012d7a31e6511c4bac952323093e8bb51f138841f994f58259162dfd6e
24d4daedba9b8060bf0d09b4383849b69e8d1741c3ffaad8156ab8cfa56f8625
d6ec737d10afdaf38cafede9fde045dd3ce7bc72c6ee13df33e018f0e7149893

SH256 hash:

a5cb08b5c9d66e3751795d06b6a15ccfe0f5c30519cd151ca46ba550696714d8

MD5 hash:

457ebf3cd64e9e5ee17e15b9ee7d3d52

SHA1 hash:

bd9ff2e210432a80635d8e777c40d39a150dbfa1

Link:

https://www.unpac.me/results/0831e5b1-9e5d-4397-8c05-2316a86b2d23/

SH256 hash:

6d9d8579d6481cb2bb9ad112346d6dbf90663b8e8278e0fab1c074ba8f80b54a

MD5 hash:

444be29d42f42ab530599f00c425adb6

SHA1 hash:

095b2090601240f2a3fc51a8a3ab03f6e69418b7

Link:

https://www.unpac.me/results/0831e5b1-9e5d-4397-8c05-2316a86b2d23/

SH256 hash:

a353cccaf3503ef523fef2753a7e96883b63039d7f84a6b3aaee1a2bad4d44f2

MD5 hash:

590ab3e1eababa328115052b10724ec3

SHA1 hash:

220c48634b674597d3d64c9a1560f209e6fefc20

Link:

https://www.unpac.me/results/0831e5b1-9e5d-4397-8c05-2316a86b2d23/

SH256 hash:

fa15f2ac023eba1719507fb3691ac9c37b078a9eeac0ae7da84113659c4e034d

MD5 hash:

fbbc7aded4f3f666ad366b8482f3e17a

SHA1 hash:

3f382e01bae73eebd03e72f66e5e24dbe3a33e4a

Link:

https://www.unpac.me/results/0831e5b1-9e5d-4397-8c05-2316a86b2d23/

SH256 hash:

858862d1c0e787d72e1884c6ffb4df67dfabcc5818c71ef06e8f58c0f96b562f

MD5 hash:

7389dc193e04f24cb41536b2247e99a6

SHA1 hash:

9759a0e7dd67a00ca9cf0629438be123abf46947

Link:

https://www.unpac.me/results/0831e5b1-9e5d-4397-8c05-2316a86b2d23/

SH256 hash:

d8529ba630b7a5ab4346b5151f267ede70b2c61c01d4241841dfce5e5c8a6bcb

MD5 hash:

666a7f1b97be34d4577b8641a6e812da

SHA1 hash:

f07b4d843ac67f6e790ea3cbc0c0b3af8b2425cd

Link:

https://www.unpac.me/results/0831e5b1-9e5d-4397-8c05-2316a86b2d23/

SH256 hash:

d21e7509cb095eb78f64483913aa29d033e18044536a0b28bf8b7b3b4c7544dc

MD5 hash:

c6a43268218b2580c13c11832e129233

SHA1 hash:

7cc074d8718e2a98912d0273ab83a0d1a9e16e40

Link:

https://www.unpac.me/results/0831e5b1-9e5d-4397-8c05-2316a86b2d23/

SH256 hash:

20cff752d7bd9a652a0e9279b25cde7bf705ddc600876048f8befb1599199ea0

MD5 hash:

ba71f0ec467cc9cc55e47f92ca0c9e14

SHA1 hash:

9c08248f38cb46fbe961b3d342076d8aa5612c84

Link:

https://www.unpac.me/results/0831e5b1-9e5d-4397-8c05-2316a86b2d23/

SH256 hash:

3838a3056d2ffcadce93fc3308e8b05ab1a9ba80d62ab1e5795b3a93059ddda3

MD5 hash:

eef5aa795b8c7bd8cde26f28ae865417

SHA1 hash:

c3f7e948d95d11295cd1e6d6827664df6bea2fef

Link:

https://www.unpac.me/results/0831e5b1-9e5d-4397-8c05-2316a86b2d23/

SH256 hash:

e7663a77d421e54fcd7bf1db27b3df8750b7342bbc5e2cfb28b3ba6c879fe908

MD5 hash:

777a6f070465d87a0bea066952204b1c

SHA1 hash:

ec346c28f676d9ce4e2df4e195ed737025434c7e

Link:

https://www.unpac.me/results/0831e5b1-9e5d-4397-8c05-2316a86b2d23/

SH256 hash:

9ebab0d71e72ff28f80b0c85aa2786f7e19d27c0fac61e69935f876294f05785

MD5 hash:

a5a3e43dd52ba845adc66f97737e80af

SHA1 hash:

22192dab18e74e1f807c77b2dfdf69ecbf8aa13c

Link:

https://www.unpac.me/results/0831e5b1-9e5d-4397-8c05-2316a86b2d23/

SH256 hash:

cf1ed8957d4825743d39f19529138de7131ca8f506440ddc1774f4640dffc599

MD5 hash:

ded1c6e8c89148495fc19734e47b664d

SHA1 hash:

3a444aeacd154f8d66bca8a98615765c25eb3d41

Link:

https://www.unpac.me/results/0831e5b1-9e5d-4397-8c05-2316a86b2d23/

Parent samples :

3f947f5a849f11be9079a5c2418240e2faf7e53b63662c85b92fad8f47ea4d09
6a42f7e5290bf7e40e1aa0c0e9ceda098a612d6dda9b7fa613e0c3a58b16b826
d6ec737d10afdaf38cafede9fde045dd3ce7bc72c6ee13df33e018f0e7149893

SH256 hash:

a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec

MD5 hash:

6faec01bf7a3d7f5c5dee2e6e3143a58

SHA1 hash:

603a36f817cab5574e58ab279379e5c112e5fb37

Link:

https://www.unpac.me/results/0831e5b1-9e5d-4397-8c05-2316a86b2d23/

SH256 hash:

5875c9dc474991a58856746cb1c22857b3eddbc34505989332771073ddad3e12

MD5 hash:

e3d54624f32b464a8083869e8d7143d3

SHA1 hash:

e39f9740fd160138c07387f60a7e3b7726291591

Link:

https://www.unpac.me/results/0831e5b1-9e5d-4397-8c05-2316a86b2d23/

SH256 hash:

ee2cc85a8e1972a29ce67ab0218d5daa8fc9b67f36111c71eccaf6da05219d19

MD5 hash:

f6271f82a952f96ba9271a4a27c9f22f

SHA1 hash:

d12708b9e39a0cd06add96316b65f1668d6a1246

Link:

https://www.unpac.me/results/0831e5b1-9e5d-4397-8c05-2316a86b2d23/

SH256 hash:

e1db45f1c802a679a21ad4a955a54c846beb1830afd65771f898379400f06602

MD5 hash:

f0c4116dc4fc9af57d30daeff4ec27f3

SHA1 hash:

abed45e60e3bc04725331f3648d97abb001b7fab

Link:

https://www.unpac.me/results/0831e5b1-9e5d-4397-8c05-2316a86b2d23/

SH256 hash:

bdaed9486223e2becc934935671ea8e85a3c073f321d8890066b62e363aadab6

MD5 hash:

a7f979fbdd6a11090cec150dc311c0e4

SHA1 hash:

a825cec4b91a32b42ec1790da2f68af2c1508561

Link:

https://www.unpac.me/results/0831e5b1-9e5d-4397-8c05-2316a86b2d23/

SH256 hash:

dcc1725b855ec8f21f1a78a72bc3951682a20709b129d16051cbbbfca2361c2a

MD5 hash:

851857aa313098b41716720126d1e9e1

SHA1 hash:

748d3a025f04a0526678af71a341097570c88e7e

Link:

https://www.unpac.me/results/0831e5b1-9e5d-4397-8c05-2316a86b2d23/

SH256 hash:

f31287ab8b1ede2b692616ff7447ce6d4655484345838c82e6bc583f0d37c179

MD5 hash:

41db061001e3f239e151b56d1fb3cc42

SHA1 hash:

3f4c998d83e91dd46409dfc5a64f2f2a5b37a48d

Link:

https://www.unpac.me/results/0831e5b1-9e5d-4397-8c05-2316a86b2d23/

SH256 hash:

38066ee9fea009a8a6c2575e1a05fadd49a2cfe205dd8a6604eea85f5c7a42bd

MD5 hash:

a8728dd1eeffcc3e1fc073e23fa81d05

SHA1 hash:

de9a04bb02a531451d335b1eb8f752db42a21050

Link:

https://www.unpac.me/results/0831e5b1-9e5d-4397-8c05-2316a86b2d23/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	MALWARE_Win_DLInjector06 Create hunting rule
Author:	ditekSHen
Description:	Detects downloader / injector

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MALWARE_Win_Vidar Create hunting rule
Author:	ditekSHen
Description:	Detects Vidar / ArkeiStealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Vidar Create hunting rule
Author:	kevoreilly
Description:	Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/221607/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample