MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3964a1e13d2b3ee0c3c34b50d4785907c3ffd560dc3e4a8b22906893c8db9848. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 13



SHA256 hash: 3964a1e13d2b3ee0c3c34b50d4785907c3ffd560dc3e4a8b22906893c8db9848
SHA3-384 hash: d5450cb402ff4e7b4a520b7f8b207ad6e087f2ae15795d8384dc6132ca34af1b62a4230c2dbf58a399dfce8490c67f48
SHA1 hash: d8cb7816fcc2b652df45a8da892d04dd9aa5c45f
MD5 hash: 678dc8e63902a1aadb46ad4a08de7f1c
humanhash: stream-utah-oxygen-mike
File name: 3964A1E13D2B3EE0C3C34B50D4785907C3FFD560DC3E4.exe
Signature: GCleaner
File size: 6'752'316 bytes
First seen: 2022-01-17 19:37:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 196608:x0LUCg4/50QR/zm+Oy6kcSpFokECzoMN+Ec:x4dg+m+Otk8kqzEc
Threatray: 1'017 similar samples on MalwareBazaar
TLSH: T1186633103AF585F9C987F2379E895B7538FD47200813CEABAB24C717162A7C3D56E09A
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe gcleaner


abuse_ch
GCleaner C2:
95.216.112.164:17929

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      ThreatFox Reference
138.201.198.8:58909 https://threatfox.abuse.ch/ioc/297409/
95.216.112.164:17929 https://threatfox.abuse.ch/ioc/297593/
91.243.59.110:44301 https://threatfox.abuse.ch/ioc/297594/
176.9.244.86:48790 https://threatfox.abuse.ch/ioc/297581/

Intelligence


File Origin
# of uploads: 1
# of downloads: 200
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 3964A1E13D2B3EE0C3C34B50D4785907C3FFD560DC3E4.exe
Verdict: No threats detected
Analysis date: 2022-01-17 19:38:09 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Searching for the window
Running batch commands
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Launching a process
Creating a window
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Sending an HTTP GET request
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: arkeistealer barys overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine Socelars onlyLogger
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables Windows Defender (via service or powershell)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sample uses process hollowing technique
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected Socelars
Yara Genericmalware
Behaviour
Behavior Graph: [graph image not reproduced; Behavior Graph ID: 554485, Sample: 3964A1E13D2B3EE0C3C34B50D47..., Startdate: 17/01/2022, Architecture: WINDOWS, Score: 100]
Threat name: Win32.Backdoor.Zapchast
Status: Malicious
First seen: 2021-10-29 19:08:44 UTC
File Type: PE (Exe)
Extracted files: 137
AV detection: 23 of 28 (82.14%)
Threat level: 5/5
Result
Malware family: socelars
Score: 10/10
Tags: family:redline family:smokeloader family:socelars botnet:chris botnet:media26 botnet:pub2 aspackv2 backdoor infostealer stealer trojan
Behaviour
Kills process with taskkill
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
autoit_exe
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Malware Config
C2 Extraction:
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack
Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector
Rule name: MALWARE_Win_DLInjector06
Author: ditekSHen
Description: Detects downloader / injector
Rule name: MALWARE_Win_OnlyLogger
Author: ditekSHen
Description: Detects OnlyLogger loader variants
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments