MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42f718d38b80450b4d1c6d938cafa8f4435e9464a616c70b1b284082af216813. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 42f718d38b80450b4d1c6d938cafa8f4435e9464a616c70b1b284082af216813
SHA3-384 hash: d12f09f7f7985f8f9ad3b76e405ef51c82aa30e3383d335f339d56fb5858b0100dc03927fe460df340248f17bf80b053
SHA1 hash: afb42d99c3d123078089671a3138d40223f41ec5
MD5 hash: d20f9c35425251a298a30170493d0d9a
humanhash: eight-spaghetti-monkey-alpha
File name:d20f9c35425251a298a30170493d0d9a.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:359'936 bytes
First seen:2022-06-06 05:25:50 UTC
Last seen:2022-06-06 05:34:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8098e148e55b22e8d4608c3cad42db52 (2 x RedLineStealer, 1 x GCleaner)
ssdeep 6144:wia/r5z9t2olq2Vgf9A/8waTWps8VVhdCVe1BgdgW/lYQyqn:wia9zOkq2Vge/BaTWpsK3YgggW9L
TLSH T16674BF10BA90C034F5F725F489BAD3A9653FBEA11B2494CBA2E427ED46356D5EC3034B
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 1ae6e0d0d8c8d0d2 (1 x GCleaner)
Reporter abuse_ch
Tags:exe gcleaner

Intelligence

File Origin
# of uploads :
2
# of downloads :
310
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d20f9c35425251a298a30170493d0d9a.exe
Verdict:
Malicious activity
Analysis date:
2022-06-06 05:26:52 UTC
Tags:
loader evasion
Link:
https://app.any.run/tasks/6005b5be-3a99-410a-a9f3-b709f1367d99

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/276872/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.63364.9905.26592.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending an HTTP GET request
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a tool to kill processes
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/629d8ffc635bd7ad01ca20a8/reports/140de570-af90-4ff0-97dc-0f8f6ca1e3ab/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/da584551-c20c-4bb1-881e-4a226fb921e9
Result
Threat name:
Nymaim
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1007077
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Nymaim
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 639573 Sample: QOucpgiGze.exe Startdate: 06/06/2022 Architecture: WINDOWS Score: 60 39 Multi AV Scanner detection for submitted file 2->39 41 Yara detected Nymaim 2->41 43 Machine Learning detection for sample 2->43 7 QOucpgiGze.exe 14 2->7         started        process3 dnsIp4 37 37.0.8.39, 49752, 80 WKD-ASIE Netherlands 7->37 10 WerFault.exe 9 7->10         started        13 WerFault.exe 9 7->13         started        15 WerFault.exe 9 7->15         started        17 6 other processes 7->17 process5 file6 23 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 10->23 dropped 25 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 13->25 dropped 27 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 15->27 dropped 29 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 17->29 dropped 31 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 17->31 dropped 33 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 17->33 dropped 35 2 other malicious files 17->35 dropped 19 conhost.exe 17->19         started        21 taskkill.exe 17->21         started        process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/42f718d38b80450b4d1c6d938cafa8f4435e9464a616c70b1b284082af216813/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-06-05 19:46:17 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=il3rru4lqbcqwti4nwjyzl5i6rbv5fdeuylmocy3fbaiflzbnajq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220606-f4t5faaecj/
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Deletes itself
Unpacked files
SH256 hash:
a0b348ae08664e5ccc0f3596020aecc5cc779c56b1db07f726a163a152cd9457
MD5 hash:
0eea16edb874efb6cbbf2d1dc71c6480
SHA1 hash:
c948bd3f07e1785a160d272c533d2d11fe79cf7c
Link:
https://www.unpac.me/results/b03bee00-6579-4743-9687-0382014976e8/
Parent samples :
b14fb1b11ccf9793912a1bbda9a027c01c75155135b1cb177b77c0de7a4d6b34
45f64ad405eaa4ed35eb74b4e773cb1041c377abdc2b80599168018a2e1406bc
4eecbfc54480c8b8e98d3abba71b70d63575355141f4892a55d49631841ebfba
190a63203f7970e14c4f9f886ad814bbb5b30160dcba66d22b78583baaae478e
d97409bc67beeca578cfa94b5058501dd8951e4206a18a019702e039966a22dc
81a110de18613503c0f3075da56cdbe363091cebcd8c52423ac1d63aa791bb22
cd8fdfee914d46d345bedd2868f2aec93c48fd00385492e377793f06cd42dc1f
6763b0b45f0fd8e32e29377a207058fc42a02bb6d1db368c76fd0af470abc341
5ec64b926c9e2f1d2c69f92b69b5c9169b23d533f327ac944776e8e266eaab99
SH256 hash:
42f718d38b80450b4d1c6d938cafa8f4435e9464a616c70b1b284082af216813
MD5 hash:
d20f9c35425251a298a30170493d0d9a
SHA1 hash:
afb42d99c3d123078089671a3138d40223f41ec5
Link:
https://www.unpac.me/results/b03bee00-6579-4743-9687-0382014976e8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/42f718d38b80450b4d1c6d938cafa8f4435e9464a616c70b1b284082af216813

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe 42f718d38b80450b4d1c6d938cafa8f4435e9464a616c70b1b284082af216813

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2212368/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/276872/

Comments