MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a63d841127db00b33801e3adea64957fed311ed975c859b94268ae0691753f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a63d841127db00b33801e3adea64957fed311ed975c859b94268ae0691753f9
SHA3-384 hash: d121a0d4659ea5ac7875d2b1d424abdc566bc4faa26322b36aa1e6cb6f0833605e0027d98306e5fd0c7854f753d8f690
SHA1 hash: da0816cb19f9d96d8768f11b4e56121f4a82e8f2
MD5 hash: 636c21e531330b3a592a840dee2fdb01
humanhash: berlin-washington-alpha-aspen
File name:636c21e531330b3a592a840dee2fdb01.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:315'392 bytes
First seen:2022-07-01 18:40:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4799df0710a3b27ec47232c7b28f1a45 (2 x Amadey, 1 x Smoke Loader, 1 x GCleaner)
ssdeep 6144:9VLWVawuiN9ksP619f1K8GLpVj83sAcsz/lLxcl:76VaViN248kVj83s4lLx
TLSH T15164DF1075E0C032E59B25364420CBB58BBFB96625361A8FAFD92BB95F317D1DA3130E
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 33f0686969696969 (75 x GCleaner, 4 x Nymaim, 1 x RedLineStealer)
Reporter abuse_ch
Tags:exe gcleaner

Intelligence

File Origin
# of uploads :
1
# of downloads :
246
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Nymaim
Create hunting rule
Link:
https://www.capesandbox.com/analysis/285007/
Detection(s):
Win.Packed.Pwsx-9954187-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending an HTTP GET request
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Searching for the window
Launching a tool to kill processes
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/62bf4003b0578633c8b93ae4/reports/b2e5b2a5-3d44-4c00-9b5f-aa244a26c7d9/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3a503ba8-67e6-4068-a905-8b4138134637
Result
Threat name:
Nymaim, RedLine, Vidar
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1023372
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to register a low level keyboard hook
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample or dropped binary is a compiled AutoHotkey binary
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Autohotkey Downloader Generic
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 655867 Sample: H9mSYpAxqa.exe Startdate: 01/07/2022 Architecture: WINDOWS Score: 100 52 nyvzki07.top 2->52 54 juspus52.top 2->54 56 iplogger.org 2->56 74 Snort IDS alert for network traffic 2->74 76 Multi AV Scanner detection for domain / URL 2->76 78 Malicious sample detected (through community Yara rule) 2->78 80 16 other signatures 2->80 9 H9mSYpAxqa.exe 29 2->9         started        signatures3 process4 dnsIp5 60 45.141.237.38, 49733, 80 SPECTRAIPSpectraIPBVNL Netherlands 9->60 62 212.192.241.16, 49800, 80 RAPMSB-ASRU Russian Federation 9->62 64 2 other IPs or domains 9->64 34 C:\Users\user\AppData\...\uWC56x7PckT.exe, PE32 9->34 dropped 36 C:\Users\user\AppData\Roaming\...36LZ9fJ.exe, PE32 9->36 dropped 38 C:\Users\user\AppData\...\9IhrKIut9.exe, PE32 9->38 dropped 40 6 other files (4 malicious) 9->40 dropped 13 9IhrKIut9.exe 8 9->13         started        18 NLZ9fJ.exe 23 9->18         started        20 uWC56x7PckT.exe 8 9->20         started        file6 process7 dnsIp8 66 dfsgbhnjmnyhtbgrvfd.top 34.154.108.245, 49762, 80 ATGS-MMD-ASUS United States 13->66 68 iplogger.org 148.251.234.83, 443, 49759, 49812 HETZNER-ASDE Germany 13->68 42 C:\Users\user\AppData\...\strongix.exe, PE32 13->42 dropped 90 Detected unpacking (changes PE section rights) 13->90 92 Detected unpacking (overwrites its own PE header) 13->92 94 May check the online IP address of the machine 13->94 108 3 other signatures 13->108 22 strongix.exe 5 13->22         started        70 t.me 149.154.167.99, 443, 49750 TELEGRAMRU United Kingdom 18->70 72 107.189.11.124, 49752, 80 PONYNETUS United States 18->72 44 C:\ProgramData\vcruntime140.dll, PE32 18->44 dropped 46 C:\ProgramData\softokn3.dll, PE32 18->46 dropped 48 C:\ProgramData\nss3.dll, PE32 18->48 dropped 50 3 other files (none is malicious) 18->50 dropped 96 Detected unpacking (creates a PE file in dynamic memory) 18->96 98 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->98 100 Tries to steal Mail credentials (via file / registry access) 18->100 110 2 other signatures 18->110 26 cmd.exe 1 18->26         started        102 Antivirus detection for dropped file 20->102 104 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 20->104 106 Query firmware table information (likely to detect VMs) 20->106 112 3 other signatures 20->112 file9 signatures10 process11 dnsIp12 58 185.215.113.70, 21508, 49790 WHOLESALECONNECTIONSNL Portugal 22->58 82 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 22->82 84 Machine Learning detection for dropped file 22->84 86 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 22->86 88 2 other signatures 22->88 28 taskkill.exe 1 26->28         started        30 conhost.exe 26->30         started        32 timeout.exe 1 26->32         started        signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3a63d841127db00b33801e3adea64957fed311ed975c859b94268ae0691753f9/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2022-07-01 18:41:07 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hjr5qqispwyawm4ady5n5jsjk77ngepns5oilg4ue2foa2ixkp4q._file
Verdict:
malicious
Result
Malware family:
nymaim
Create hunting rule
Score:
  10/10
Tags:
family:nymaim trojan
Link:
https://tria.ge/reports/220701-xbq1racba5/
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Deletes itself
NyMaim
Malware Config
C2 Extraction:
45.141.237.3
31.210.20.149
212.192.241.16
Unpacked files
SH256 hash:
24fb26cf1a1694c045a8bd48b86b2cc026b00960d0aa022670bca7e718313d85
MD5 hash:
5a89f9889d5ce2eecebf296c97b7dcd0
SHA1 hash:
51a8fb4460799abd78a6f350a1dcc126514063bf
Detections:
win_nymaim_g0
Create hunting rule
Link:
https://www.unpac.me/results/d954cc70-3c20-4837-85fe-b8158d477605/
Parent samples :
3a63d841127db00b33801e3adea64957fed311ed975c859b94268ae0691753f9
18611dcae62b67c4c20668fc9c2a68951771ab8f98106324a0ad00bc3a0fc88a
1d7adfdf90ca831a45425d3efd6ce639f2fece4f48f5b0a55d7fc5a645b9acc4
e1db3adcc4c401e8c97ac2e611646ab215343319b265c86346dff8b4e2bf905d
afb05f48bbae2b98bac394587d1352b9e5569e930d695230b21b73669be9c535
92af5f6f914082eaa1235c9ad0a2826db0beead07c3b25795829f7da90f83d59
371592f94e67f272e53786a8643058131f7d48edea6c709b6a7c4731ec6d2839
ba190bed2c9d862bae6ff089259090d300df3a253d1094314cc679af8ad890b2
bbc5780d11e999375d901fa9ebd8c3b4c9b3eff78513aa20774000ebd84e5b1c
a61814efa6a532d5e946f145a5452da57326e3b048a26afd9882237af674a7aa
b0b7af84e61ce5805ad317b113981aee691d96cbca0970a4db6d7777f4706b58
6f5943433e4cd2d3a1021f376334be10b3dd81757a5f30e928e12f5dc8cf154a
ebef7dcb2d186e10e2ab8da7c5eb75da1461ed684bf90c3abd54afa27ef79874
168db9afbe5c293f3ec6cabb476242e81add823382a5879ab78ecf7af6035f2a
1b0978a0a98bd88a39ecf38e36ed18b3d96a1db98eec62f7e5257e2bf7a4a153
ca0d985323d0497a5261faefad130b084d1084c28f748d964f1e5d4aaaf351d7
SH256 hash:
3a63d841127db00b33801e3adea64957fed311ed975c859b94268ae0691753f9
MD5 hash:
636c21e531330b3a592a840dee2fdb01
SHA1 hash:
da0816cb19f9d96d8768f11b4e56121f4a82e8f2
Link:
https://www.unpac.me/results/d954cc70-3c20-4837-85fe-b8158d477605/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe 3a63d841127db00b33801e3adea64957fed311ed975c859b94268ae0691753f9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2212368/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/285007/

Comments