MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 466f9fc7cee4b6482710d73ba6d1f292146fdfea17638c3875684833267c77f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 15


Intelligence 15 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 466f9fc7cee4b6482710d73ba6d1f292146fdfea17638c3875684833267c77f1
SHA3-384 hash: c8ffc3d3ddb1eb6536154d6c27b0bf60ef1705f7f912bae1e218decfe3d69090b7865846277550d37205a0624d167623
SHA1 hash: f69176fa556d09b1e7919a894e72bc65b2ab5b75
MD5 hash: d9ad7adb0cb4a36f385edc2fb6777497
humanhash: orange-social-missouri-robert
File name:gniscan.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:5'199'632 bytes
First seen:2026-01-01 15:13:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 98615183c8737b803f9ab650a6f91b1c (8 x GCleaner)
ssdeep 49152:N4nCVnxHpahFODllMz4FeSzTjm2LV3PqMmS5+U23d7vD7:N4nCVnxJqgDHxFeSzTjm2BCMcU23lf
Threatray 303 similar samples on MalwareBazaar
TLSH T17D36D0F6D0EB0C33E6216AF44E7161371CA7AD0C286646FD16FDA9EB6A1D76C301413A
TrID 52.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
16.8% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
7.5% (.EXE) OS/2 Executable (generic) (2029/13)
7.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter ng0kp
Tags:exe gcleaner

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
ID ID
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
gniscan.exe
Verdict:
Malicious activity
Analysis date:
2026-01-01 15:16:00 UTC
Tags:
auto generic gcleaner loader
Link:
https://app.any.run/tasks/52d139f2-517f-4765-8323-4d35c3f4ec13

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/46802/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69568f0fe148d42004de55f1
Tags:
delphi cobalt emotet
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug borland_delphi expired-cert fingerprint installer-heuristic invalid-signature keylogger packed signed stealer unsafe zusy
Link:
https://www.filescan.io/uploads/69568f0a127d6a14e0cb55c2/reports/66bd3b68-c662-441b-93a4-8a6b51fc2d38/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/466f9fc7cee4b6482710d73ba6d1f292146fdfea17638c3875684833267c77f1
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-01T01:13:00Z UTC
Last seen:
2026-01-02T10:34:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-PSW.Win32.Tepfer.pef
Link:
https://opentip.kaspersky.com/466f9fc7cee4b6482710d73ba6d1f292146fdfea17638c3875684833267c77f1/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ee0c2085-dc6e-40ee-850c-30ed07bba7bc
Score:
66%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/466f9fc7cee4b6482710d73ba6d1f292146fdfea17638c3875684833267c77f1
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/d9ad7adb0cb4a36f385edc2fb6777497
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/466f9fc7cee4b6482710d73ba6d1f292146fdfea17638c3875684833267c77f1/
Verdict:
Malicious
Threat:
Family.GCLEANER
Link:
https://tip.neiki.dev/file/466f9fc7cee4b6482710d73ba6d1f292146fdfea17638c3875684833267c77f1
Threat name:
Win32.Trojan.GCleaner
Create hunting rule
Status:
Malicious
First seen:
2026-01-01 04:57:45 UTC
File Type:
PE (Exe)
Extracted files:
54
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=izxz7r6o4s3eqjyq2452nupssikg7x7kc5ryyodvnbedgjt4o7yq._file
Verdict:
malicious
Label(s):
gcleaner
Create hunting rule
Similar samples:
49d597f824dc68a4f9f404f9e20774ff6a502680849ebbfecf3427ed0cdae5e7
GCleaner
5883bfbb8849529d61723a2ed3082eab3ab5145fdac7f76408d43114b36b1647
GCleaner
5b5795f581d1df41ad22bbfff2b0d94d273b250f36962fdba619ce38e9bb5184
GCleaner
71e4d38127af57ea7f4071a67b3012b550f3bc0e28c6372cb230f82711c6c1a4
GCleaner
951940c3e5a71d8f9d668ee2f2627dd46eab03542f49f5f30e45611f8cba7d49
GCleaner
d4b9ac5a080412aae02c21c4f48ef1760aab9807e4e2e3a7f2ceaac68d25a79d
GCleaner
d8e9dc3d146b15aeb76bae6ea7909562e44169646cbcd65df0c1c406956b4d44
GCleaner
fcfd2ba1fce5268e84a03b0c5bffc5b38520795074d9334bf65f98935cc8c980
GCleaner
+ 293 additional samples on MalwareBazaar
Result
Malware family:
gcleaner
Create hunting rule
Score:
  10/10
Tags:
family:gcleaner discovery loader
Link:
https://tria.ge/reports/260106-k6x2bsfv2h/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
GCleaner
Gcleaner family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/10b1a29a-d1d5-493f-8fef-a14aded4e14b
Unpacked files
SH256 hash:
466f9fc7cee4b6482710d73ba6d1f292146fdfea17638c3875684833267c77f1
MD5 hash:
d9ad7adb0cb4a36f385edc2fb6777497
SHA1 hash:
f69176fa556d09b1e7919a894e72bc65b2ab5b75
Link:
https://www.unpac.me/results/3fbeb25b-2dbd-4d83-b988-b8babd8356d4/
SH256 hash:
d3d3224b50e7ff955cba76e05f5058471add627c6f15658420146040192b3e1b
MD5 hash:
61f30fea94c55ee3199526448a73e58f
SHA1 hash:
71c175173df87bda7ffc77b2208b28f04bbdc628
Link:
https://www.unpac.me/results/3fbeb25b-2dbd-4d83-b988-b8babd8356d4/
SH256 hash:
752999bd83b0ee4512661ac8ccff54e3a3b7c7abed54c70d6833c0b2f54534b2
MD5 hash:
105bc019791d1d90d44696e7f602c0df
SHA1 hash:
b852cc109b75ee3baa4e5d02ce9d2c370ea71967
Link:
https://www.unpac.me/results/3fbeb25b-2dbd-4d83-b988-b8babd8356d4/
Malware family:
GCleaner
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/466f9fc7cee4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DriveBy Activity
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/466f9fc7cee4b6482710d73ba6d1f292146fdfea17638c3875684833267c77f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:with_urls
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of an or several urls
Reference:http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe 466f9fc7cee4b6482710d73ba6d1f292146fdfea17638c3875684833267c77f1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3743700/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/46802/

Comments