MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3badebcefb9e7153384cae83baaa119f6317c9381e8500ac285568590e0abd82. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 14


Intelligence 14 IOCs 2 YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3badebcefb9e7153384cae83baaa119f6317c9381e8500ac285568590e0abd82
SHA3-384 hash: 5372e271877f93514c08f4320d199e427370ad4012bb7e86d95b3fcee062b13e40289b3f9afe471d4dd7b729de41a989
SHA1 hash: 1e8b6acec7e226c0ec48d23e03ae9960d49a1c7b
MD5 hash: 6dc7b9bc3481a03df173cfab16eb50aa
humanhash: white-sink-potato-lemon
File name:3BADEBCEFB9E7153384CAE83BAAA119F6317C9381E850.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:2'504'052 bytes
First seen:2021-11-17 02:11:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 49152:9gq5S5xtEpwmaMpbUAooi6yxaePNIHRBShSbXEt29WM2yHS9+iImeshj0CKnJz:yz/dmaMZUAo1UePq8t2WM2yHyEO0CKJz
Threatray 504 similar samples on MalwareBazaar
TLSH T18BC533A54A06DBFBD3A92177C53D4BA53EB6442E6784F67F0F2021BE35093908C9F462
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe gcleaner


Avatar
abuse_ch
GCleaner C2:
http://postbackstat.biz/check.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://postbackstat.biz/check.php https://threatfox.abuse.ch/ioc/249947/
37.9.13.169:63912 https://threatfox.abuse.ch/ioc/249948/

Intelligence

File Origin
# of uploads :
1
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://crackdev.com/windows-10-activator-full-product-key/
Verdict:
Malicious activity
Analysis date:
2021-08-16 05:34:51 UTC
Tags:
trojan evasion stealer vidar loader rat redline opendir raccoon phishing danabot
Link:
https://app.any.run/tasks/02b4c0b2-0930-4bd6-a63e-cf3626ef08a0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/206680/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Dropper.Upatre-9891078-1
Create hunting rule

Win.Dropper.Upatre-9891085-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Sending a custom TCP request
Running batch commands
DNS request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Reading critical registry keys
Delayed reading of the file
Unauthorized injection to a recently created process
Query of malicious DNS domain
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys overlay packed zusy
Link:
https://www.filescan.io/uploads/619464f443e8f62b66964184/reports/8503d16a-457e-4c22-93bb-41b838aa23f1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0883d9d9-bda0-4696-b9a8-8654dca1fb15
Result
Threat name:
Cryptbot RedLine SmokeLoader Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/890882
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Downloads files with wrong headers with respect to MIME Content-Type
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Cryptbot
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 523355 Sample: 3BADEBCEFB9E7153384CAE83BAA... Startdate: 17/11/2021 Architecture: WINDOWS Score: 100 84 thegymmum.com 2->84 86 s.lletlee.com 2->86 88 7 other IPs or domains 2->88 98 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->98 100 Malicious sample detected (through community Yara rule) 2->100 102 Antivirus detection for URL or domain 2->102 104 16 other signatures 2->104 11 3BADEBCEFB9E7153384CAE83BAAA119F6317C9381E850.exe 10 2->11         started        signatures3 process4 file5 54 C:\Users\user\AppData\...\setup_installer.exe, PE32 11->54 dropped 14 setup_installer.exe 16 11->14         started        process6 file7 56 C:\Users\user\AppData\...\setup_install.exe, PE32 14->56 dropped 58 C:\Users\user\...\Mon02ff088c2bbea6d55.exe, PE32+ 14->58 dropped 60 C:\Users\user\AppData\...\Mon02c3759cf1.exe, PE32 14->60 dropped 62 11 other files (6 malicious) 14->62 dropped 17 setup_install.exe 1 14->17         started        process8 dnsIp9 64 127.0.0.1 unknown unknown 17->64 66 s.lletlee.com 17->66 68 marisana.xyz 17->68 94 Performs DNS queries to domains with low reputation 17->94 96 Adds a directory exclusion to Windows Defender 17->96 21 cmd.exe 1 17->21         started        23 cmd.exe 17->23         started        25 cmd.exe 17->25         started        27 7 other processes 17->27 signatures10 process11 signatures12 30 Mon0269098d2baabd1.exe 21->30         started        33 Mon02c3759cf1.exe 23->33         started        36 Mon027b24b1e88808011.exe 25->36         started        106 Adds a directory exclusion to Windows Defender 27->106 39 Mon02a16beb9622.exe 27->39         started        41 Mon027934a460.exe 27->41         started        43 Mon0245f3b97d810.exe 27->43         started        45 3 other processes 27->45 process13 dnsIp14 108 Antivirus detection for dropped file 30->108 110 Multi AV Scanner detection for dropped file 30->110 112 Detected unpacking (changes PE section rights) 30->112 126 4 other signatures 30->126 78 4 other IPs or domains 33->78 114 Detected unpacking (overwrites its own PE header) 33->114 116 May check the online IP address of the machine 33->116 118 Performs DNS queries to domains with low reputation 33->118 70 212.193.30.21 SPD-NETTR Russian Federation 36->70 72 37.0.11.8 WKD-ASIE Netherlands 36->72 80 7 other IPs or domains 36->80 50 C:\Users\...\Wxrfm7Ab0ChPSEn2VlvqIrfw.exe, PE32+ 36->50 dropped 52 C:\Users\user\...52iceProcessX64[1].bmp, PE32+ 36->52 dropped 120 Disable Windows Defender real time protection (registry) 36->120 122 Machine Learning detection for dropped file 39->122 124 Tries to harvest and steal browser information (history, passwords, etc) 39->124 74 185.215.113.15 WHOLESALECONNECTIONSNL Portugal 41->74 76 s.lletlee.com 45->76 82 2 other IPs or domains 45->82 47 Mon026bb7e8c1.exe 45->47         started        file15 signatures16 process17 dnsIp18 90 s.lletlee.com 47->90 92 live.goatgame.live 47->92
Detection:
vidar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3badebcefb9e7153384cae83baaa119f6317c9381e8500ac285568590e0abd82/
Threat name:
Win32.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2021-08-16 14:17:24 UTC
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=how6xtx3tzyvgocmv2b3vkqrt5rrpsjyd2cqblbikvufsdqkxwba._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
26b39a6144607e13d34c60b5ce9b325151e267a3398de1c2f2cf0e87809c6cf7
GCleaner
2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
GCleaner
59716b314ba0d53b7e8de32a73af01b7b383834bf038c3bcaa8f7d07afc8b280
GCleaner
a5e44dd81280a7fbef17c18e528c9df4b1289144fbc107d011af282a69cc3062
GCleaner
ccfd37710068b3998537ac325e29555ba9375ebf1230cf90e9dcf133e06bcdf3
GCleaner
d05cb3a734aaa9d090be20fbaeddf8069a829fa78c44dd8378a2350c1510e1fc
GCleaner
dcf4ecc6d3b70a3e11077862b9e3830806191f0718eecb525a3e7d24246c0287
GCleaner
ddeebc8cccc58e25ce1709b0e9a519b2bd46472e928606bc4b0eee2553303203
GCleaner
ebe82a7d2f2f9989a5e4ef6a4602a8224abdff7aef5baa6beacb5977c02ac3e0
GCleaner
+ 494 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:pab3 aspackv2 backdoor discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/211117-cmvsvsgfe8/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Vidar
CryptBot
CryptBot Payload
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
lysuht78.top
morisc07.top
https://lenak513.tumblr.com/
185.215.113.15:61506
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
http://www.gianninidesign.com/
Unpacked files
SH256 hash:
1ab460eac81001bfa0da8cbadfd4fba0ad0f371742a2c725ff5cf71bdd8e2b9f
MD5 hash:
1dc95107f7dd6d1392bb8d9b53b76916
SHA1 hash:
b26f9c90ad4656d2ddf3e96da967e0f65a9623e1
Link:
https://www.unpac.me/results/36e8769d-a54f-4627-9a0f-39e5907c0957/
SH256 hash:
d1ff2f8a510fb4d25dd861e4cd5196585ccdd66cd6e941941e13d634da825f32
MD5 hash:
e3ed5e6a62ece3cf158688bce4161fbf
SHA1 hash:
5a8c4dddf69e8650952b0d29987cc6edfe25fb0b
Link:
https://www.unpac.me/results/36e8769d-a54f-4627-9a0f-39e5907c0957/
SH256 hash:
ab9bb888f6235eaee1ad52cd9b4d1f960ea09743ff80919d0095383f3683c583
MD5 hash:
eff546ee925781db419befdf93bd045d
SHA1 hash:
1129b509403fa589b50310f99f77c69ecc7f8314
Link:
https://www.unpac.me/results/36e8769d-a54f-4627-9a0f-39e5907c0957/
SH256 hash:
6fe608e07ec1a73a9fa3e1457078afd907810f1faba32666786d141af3be0568
MD5 hash:
6e088927a17d87c498f7011b1e26fa3a
SHA1 hash:
7f58e9a788c520a7c299af00f97252ce3c4d7131
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/36e8769d-a54f-4627-9a0f-39e5907c0957/
Parent samples :
365f984abe68ddd398d7b749fb0e69b0f29daf86f0e3e39af3573bb78a265eb9
ab948f038175411dc326a1aad83df48d6b656325015518b07535d22e3dae8bbb
96f34985e744edae462b513fd68856056c135078302d827eac076717acf8662e
3badebcefb9e7153384cae83baaa119f6317c9381e8500ac285568590e0abd82
734c31431b89b7501b984af35a2d61bdce27ba87ca484a64fb37ca5794e1a141
162ab00c0e943f9548b04f3437867508656480585369cb705613dd3accfd54c2
SH256 hash:
a19adea0a2b66cfcb23eebd1d1ff9d854eccd4dc65536a45665c149da4ff6265
MD5 hash:
117c7ff5dd9efc0b059f64520f2d4f46
SHA1 hash:
ff07b1fcc58aa62b42d797981e0d953d9f9e0120
Link:
https://www.unpac.me/results/36e8769d-a54f-4627-9a0f-39e5907c0957/
SH256 hash:
81bad1da373bd8be8c2b806de79ccda8565f10955a191f70b177a03204c11cc3
MD5 hash:
47bad6385c03fc30723fe50857491689
SHA1 hash:
66810a2c2a9c80134b3e850a2866e2662a753c7b
Link:
https://www.unpac.me/results/36e8769d-a54f-4627-9a0f-39e5907c0957/
SH256 hash:
558e587a3f0eae11fb9fb06d11e5836517d3cf197d71e8f5e8c1157f46330f41
MD5 hash:
101f2ca187a77736844fab6ad0c2fad0
SHA1 hash:
51c054b11b82caec19e2da0213c9d0c3eefbdf1b
Link:
https://www.unpac.me/results/36e8769d-a54f-4627-9a0f-39e5907c0957/
SH256 hash:
101ad0a5ba299546ee3840f217bf7931f94dee6b026b28835b3c537f4addd18f
MD5 hash:
140dc08643ba6cdd449f7cbab6901898
SHA1 hash:
267884de54c70c0de477996bb4af92dede6b900a
Link:
https://www.unpac.me/results/36e8769d-a54f-4627-9a0f-39e5907c0957/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/36e8769d-a54f-4627-9a0f-39e5907c0957/
SH256 hash:
2d6e2e392d2f113ba36f21860d1acfbbd764f171896b011fe235325aa0ebdab0
MD5 hash:
ea68e0ccbd0dec2b638d1c299d4f99f3
SHA1 hash:
4f89cb8e5f65793fc07e1a0f751140ac86cb2f4c
Link:
https://www.unpac.me/results/36e8769d-a54f-4627-9a0f-39e5907c0957/
SH256 hash:
a49ae7155dfc48ec360cc92b7f9906232121c46639acaa84690d1c49051574c8
MD5 hash:
158fe1aadf0c738824e913aaf8314035
SHA1 hash:
5c80665fe3d244bc1ff203f9e091121dd5086f69
Link:
https://www.unpac.me/results/36e8769d-a54f-4627-9a0f-39e5907c0957/
Parent samples :
450b8f11dfa06aee1def7d2b49c29d670406b765e9900efe7d1e8bb1ffff486f
3b15547e53d7254ec42974dc5a1d7b72cffd722a41114944b5606a845be7b76d
a8d8a6f9478a60a05d3b8c57a616da20c83b99bc7877c46163fcd126bbb25409
56e45f6af87cf8505b1d88360f14bf00bca7be5108db4d4283fab4605fca2482
aa9830b26f9c0db4c3da3c04a96199550b57251b56f8c4ccb922b264a24e8de1
44f3c573b5d6d77d97c2ebf5d4a235da5aed3a18eb5b76ea420d262df0f3a826
SH256 hash:
d261f9841f010fe2b5e08413ac6476e69a6035921cb161b802a7ee0773c1958c
MD5 hash:
2c2c014964f12353e6de78daa88c8437
SHA1 hash:
b92ea34b293d018dbf1163737eafd1739d7a4416
Link:
https://www.unpac.me/results/36e8769d-a54f-4627-9a0f-39e5907c0957/
SH256 hash:
37eff9c7f9faa84179e3326978770b2c7972ec421f599399da4e23998488f53a
MD5 hash:
d50949b264129979f42b53d0e95e2fb4
SHA1 hash:
e84f3833026829cd0bc6e27648d58f73ee873237
Link:
https://www.unpac.me/results/36e8769d-a54f-4627-9a0f-39e5907c0957/
SH256 hash:
9daf70af4e713b9f0e9f6fdc35222912417aa2f2966201e647f91e1b0af17ce1
MD5 hash:
ab25b3f53ea97cb5c6324651141d4fa1
SHA1 hash:
bea8d13b4cec495b08c406c19a9238b7c6a9afb2
Link:
https://www.unpac.me/results/36e8769d-a54f-4627-9a0f-39e5907c0957/
SH256 hash:
3badebcefb9e7153384cae83baaa119f6317c9381e8500ac285568590e0abd82
MD5 hash:
6dc7b9bc3481a03df173cfab16eb50aa
SHA1 hash:
1e8b6acec7e226c0ec48d23e03ae9960d49a1c7b
Link:
https://www.unpac.me/results/36e8769d-a54f-4627-9a0f-39e5907c0957/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3badebcefb9e7153384cae83baaa119f6317c9381e8500ac285568590e0abd82

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload
Rule name:MALWARE_Win_DLInjector03
Create hunting rule
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:RedOctoberPluginCollectInfo
Create hunting rule
Rule name:unastealer3_other
Create hunting rule
Author:James_inthe_box
Description:Una Stealer
Reference:https://www.hybrid-analysis.com/string-search/results/54fb74afabde582ae0a730401ea31ee5e0d9cf33582c8a64d634350150cdd78b
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_cryptbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.cryptbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/206680/

Comments