MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44a0f733868fdc74689b32d99ce72739620ce45b816412b70cd530303ecddba9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 13



SHA256 hash: 44a0f733868fdc74689b32d99ce72739620ce45b816412b70cd530303ecddba9
SHA3-384 hash: f6cc2e7f307a2bf44b98942f7ab772fb4f464c6a3fc95f6d65978679712c0af7db925aab8aea59437bb61e63c7beb435
SHA1 hash: ac86ae5bbb7c7ca171fa8f465daf00738e41cf3d
MD5 hash: 1d23fdee8b23e49a515e93412ecd44d0
humanhash: maine-louisiana-monkey-hamper
File name: file
Signature: GCleaner
File size: 406'016 bytes
First seen: 2022-10-07 16:47:49 UTC
Last seen: 2022-10-07 17:26:29 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1bacaa202b04780a118279e1ca78b13f (3 x Amadey, 3 x GCleaner, 1 x ArkeiStealer)
ssdeep: 12288:Hl15BAl/aCt3L/7zJ9eDgLBOstO6unnbsc:FL6l/rjCDAOsYQ
TLSH: T17984F130BDAAD871D4A725708571EBA1173BB9312174944B3B34125A4EB3ECC9AF236F
TrID:
39.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
29.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: 32f0e96160686961 (1 x GCleaner)
Reporter: andretavare5
Tags: exe gcleaner


andretavare5
Sample downloaded from http://95.214.24.96/load.php?pub=mixinte

Intelligence


File Origin
# of uploads: 13
# of downloads: 304
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a file in the system32 subdirectories
Creating a file
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Sending an HTTP GET request
Sending an HTTP GET request to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 75%
Tags: greyware packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected Nymaim
Behaviour
Behavior Graph (text rendering of the graph image; ID: 718465; Sample: file.exe; Start date: 07/10/2022; Architecture: WINDOWS; Score: 88)
Root node:
- Network: 85.31.46.167 (CLOUDCOMPUTINGDE, Germany)
- Signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 3 other signatures
- Started process: file.exe
file.exe:
- Network: 208.67.104.97, 49703, 80 (GRAYSON-COLLIN-COMMUNICATIONSUS, United States); 107.182.129.235, 49704, 80 (META-ASUS, Reserved); 171.22.30.106, 49705, 80 (CMCSUS, Germany)
- Dropped file: C:\Users\user\AppData\...\Jlg2SQso1kC3.exe (PE32)
- Started processes: Jlg2SQso1kC3.exe; WerFault.exe (two instances); 7 other processes
Jlg2SQso1kC3.exe:
- Signature: Multi AV Scanner detection for dropped file
WerFault.exe (each instance):
- Dropped file: C:\ProgramData\Microsoft\...\Report.wer (Unicode)
7 other processes:
- Dropped files: C:\ProgramData\Microsoft\...\Report.wer (Unicode), three instances; 3 other malicious files
- Started processes: conhost.exe; taskkill.exe
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2022-10-07 16:48:08 UTC
File Type: PE (Exe)
Extracted files: 42
AV detection: 23 of 26 (88.46%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:nymaim trojan
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Deletes itself
Loads dropped DLL
Executes dropped EXE
NyMaim
Malware Config
C2 Extraction:
208.67.104.97
85.31.46.167
Unpacked files
SHA256 hash: 8658c47bc839e47c8a17e8659d916efb22e96d55168b43b879a77feea35587a9
MD5 hash: 4f1d53076a120e4905fc59c2447346c0
SHA1 hash: 202ac180e86fc441164d7fd3942945c2f9a6f397
Detections: win_nymaim_g0
Parent samples:
SHA256 hash: 44a0f733868fdc74689b32d99ce72739620ce45b816412b70cd530303ecddba9
MD5 hash: 1d23fdee8b23e49a515e93412ecd44d0
SHA1 hash: ac86ae5bbb7c7ca171fa8f465daf00738e41cf3d
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments