MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3eb501b1e2997a3cdbb81db7781b9c0bc9860e101ab8118d7c1c228e3259b75f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3eb501b1e2997a3cdbb81db7781b9c0bc9860e101ab8118d7c1c228e3259b75f
SHA3-384 hash: caabb358293ed81acd046f6365a285240f09864c696682fc694c1b2140caf51edad0bf7487040a8816287e70eb99e42e
SHA1 hash: 6d7b2b4c4939afbd3409966b06b06f342ef03488
MD5 hash: 08f0fbdf155a9d73357e3e5b7a29d68e
humanhash: apart-eleven-kansas-freddie
File name:08f0fbdf155a9d73357e3e5b7a29d68e.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:326'144 bytes
First seen:2022-05-29 13:06:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3b5b71419f19c89ea7002a31140d85fe (2 x RedLineStealer, 2 x Smoke Loader, 1 x GCleaner)
ssdeep 6144:JlmysYuzNO935M//qDtUgrKuKBf8vEC3qNoUllf0V:xqe5iyDCg+u0nYqNoUlKV
TLSH T16664F1547DA09C31EDA579348C71CA212A3BBC623139994B75F4375A6E33782BA30BD3
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 93f0ece8e4e4ecf8 (2 x GCleaner)
Reporter abuse_ch
Tags:exe gcleaner

Intelligence

File Origin
# of uploads :
1
# of downloads :
356
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
08f0fbdf155a9d73357e3e5b7a29d68e.exe
Verdict:
Suspicious activity
Analysis date:
2022-05-29 13:07:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d31325da-6d0c-4790-9f6d-41288317ed64

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/275244/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.61829.11702.3569.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Launching a tool to kill processes
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/20416/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/62937011afb61a386666ad16/reports/55f383c4-e310-4b56-a3f2-d00b1d2cdfe0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5b770b3c-3176-4e25-a990-fd65e595e348
Result
Threat name:
Nymaim
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1003249
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Nymaim
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 635741 Sample: fcLPQ4YSXc.exe Startdate: 29/05/2022 Architecture: WINDOWS Score: 60 39 Multi AV Scanner detection for submitted file 2->39 41 Yara detected Nymaim 2->41 43 Machine Learning detection for sample 2->43 7 fcLPQ4YSXc.exe 14 2->7         started        process3 dnsIp4 37 37.0.8.39, 49767, 80 WKD-ASIE Netherlands 7->37 10 WerFault.exe 9 7->10         started        13 WerFault.exe 9 7->13         started        15 WerFault.exe 9 7->15         started        17 7 other processes 7->17 process5 file6 23 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 10->23 dropped 25 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 13->25 dropped 27 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 15->27 dropped 29 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 17->29 dropped 31 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 17->31 dropped 33 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 17->33 dropped 35 3 other malicious files 17->35 dropped 19 conhost.exe 17->19         started        21 taskkill.exe 17->21         started        process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3eb501b1e2997a3cdbb81db7781b9c0bc9860e101ab8118d7c1c228e3259b75f/
Threat name:
Win32.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2022-05-29 03:49:51 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220529-qcmldsdfd7/
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Deletes itself
Unpacked files
SH256 hash:
a0b348ae08664e5ccc0f3596020aecc5cc779c56b1db07f726a163a152cd9457
MD5 hash:
0eea16edb874efb6cbbf2d1dc71c6480
SHA1 hash:
c948bd3f07e1785a160d272c533d2d11fe79cf7c
Link:
https://www.unpac.me/results/4085bed1-c220-42fc-87ee-ab778e2fc043/
Parent samples :
b14fb1b11ccf9793912a1bbda9a027c01c75155135b1cb177b77c0de7a4d6b34
45f64ad405eaa4ed35eb74b4e773cb1041c377abdc2b80599168018a2e1406bc
4eecbfc54480c8b8e98d3abba71b70d63575355141f4892a55d49631841ebfba
190a63203f7970e14c4f9f886ad814bbb5b30160dcba66d22b78583baaae478e
d97409bc67beeca578cfa94b5058501dd8951e4206a18a019702e039966a22dc
81a110de18613503c0f3075da56cdbe363091cebcd8c52423ac1d63aa791bb22
cd8fdfee914d46d345bedd2868f2aec93c48fd00385492e377793f06cd42dc1f
6763b0b45f0fd8e32e29377a207058fc42a02bb6d1db368c76fd0af470abc341
5ec64b926c9e2f1d2c69f92b69b5c9169b23d533f327ac944776e8e266eaab99
SH256 hash:
3eb501b1e2997a3cdbb81db7781b9c0bc9860e101ab8118d7c1c228e3259b75f
MD5 hash:
08f0fbdf155a9d73357e3e5b7a29d68e
SHA1 hash:
6d7b2b4c4939afbd3409966b06b06f342ef03488
Link:
https://www.unpac.me/results/4085bed1-c220-42fc-87ee-ab778e2fc043/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3eb501b1e2997a3cdbb81db7781b9c0bc9860e101ab8118d7c1c228e3259b75f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe 3eb501b1e2997a3cdbb81db7781b9c0bc9860e101ab8118d7c1c228e3259b75f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2212368/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/275244/

Comments