MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46c2001b215e1b46c8373f182de759b4e43aa0d5139692da84af650757ecdb00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 16


Intelligence 16 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 46c2001b215e1b46c8373f182de759b4e43aa0d5139692da84af650757ecdb00
SHA3-384 hash: b78290a6d60e533f6448052c5f5175dbce89aeeef673cb6a6b362726a9687febd98843bcb7865bc455b4892f065fdec8
SHA1 hash: 7f9d64c34b6781eb705fee8d98cc76c7ba567145
MD5 hash: f03e6a16427224c2ca83e290e37f820c
humanhash: rugby-zulu-iowa-cold
File name:f03e6a16427224c2ca83e290e37f820c.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:4'442'624 bytes
First seen:2025-03-18 07:54:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 98304:Fd59dSt8XFGEsHdpNqtuA/WEPpFtRuXb7PCp:TBeiFuHdpkn/lRFWL7c
Threatray 242 similar samples on MalwareBazaar
TLSH T1E726337A7EF37268DC1C45720A7B8971ADB0F42A8DEF5793E212397C4D36369060E909
TrID 35.7% (.EXE) Win32 Executable (generic) (4504/4/1)
16.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
16.0% (.EXE) OS/2 Executable (generic) (2029/13)
15.8% (.EXE) Generic Win/DOS Executable (2002/3)
15.8% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter abuse_ch
Tags:exe gcleaner

Intelligence

File Origin
# of uploads :
1
# of downloads :
444
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f03e6a16427224c2ca83e290e37f820c.exe
Verdict:
Malicious activity
Analysis date:
2025-03-18 08:01:22 UTC
Tags:
auto generic gcleaner loader
Link:
https://app.any.run/tasks/234de67e-8faf-431b-98bd-28741995eb8a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67d9285108116ce4257216cb
Tags:
emotet cobalt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for analyzing tools
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Creating a process from a recently created file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Connection attempt to an infection source
Verdict:
Malicious
Labled as:
Ursu.Generic
Link:
https://www.hybrid-analysis.com/sample/46c2001b215e1b46c8373f182de759b4e43aa0d5139692da84af650757ecdb00
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/65ec89db-2d25-447b-bf12-140b80a850d4
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1641392
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Sample uses process hollowing technique
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Writes to foreign memory regions
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/46c2001b215e1b46c8373f182de759b4e43aa0d5139692da84af650757ecdb00
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/46c2001b215e1b46c8373f182de759b4e43aa0d5139692da84af650757ecdb00/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2025-03-18 07:55:13 UTC
File Type:
PE (Exe)
Extracted files:
34
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i3baagzblynunsbxh4mc3z2zwtsdvigvcoljfwuev5sqov7m3maa._file
Verdict:
malicious
Label(s):
gcleaner
Create hunting rule
Similar samples:
19588db4bc98090955e95c3bef81c946fa593c7e3d2aa3dfbf57b213b7e16360
GCleaner
3885d1d08491f1b741e6f94611ed9e9a1bae2630ad7c9738390018073a884caf
GCleaner
567e12bf3b85bf8c13d9e7deaa5f5ce636658a34d1a4f2389b6094714b26850e
GCleaner
afdc8e40a1d10f348b39747f45096e7bb3989a41a4bf25a1383bb3f938426242
GCleaner
bd37c06dd246a70a7f3d34e939f9d9016884c0d09fe835622c8f130b948170b4
GCleaner
d46662f5f75e5ae182f522a1e64df9bade5cdc5d7eca415062aa2af2c4b60853
GCleaner
ec7bee464dfecee9727881acf530a1b649be2036b716f0859910f938f2e577dd
GCleaner
error
GCleaner
+ 232 additional samples on MalwareBazaar
Result
Malware family:
gcleaner
Create hunting rule
Score:
  10/10
Tags:
family:gcleaner defense_evasion discovery loader
Link:
https://tria.ge/reports/250318-jr73baxtht/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks BIOS information in registry
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Identifies VirtualBox via ACPI registry values (likely anti-VM)
GCleaner
Gcleaner family
Malware Config
C2 Extraction:
185.156.73.73
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/54cdb533-32b6-4bbc-9b7c-f7c824e83f7f
Unpacked files
SH256 hash:
46c2001b215e1b46c8373f182de759b4e43aa0d5139692da84af650757ecdb00
MD5 hash:
f03e6a16427224c2ca83e290e37f820c
SHA1 hash:
7f9d64c34b6781eb705fee8d98cc76c7ba567145
Link:
https://www.unpac.me/results/9ae65a81-d9b8-44eb-bf51-71a35764104f/
SH256 hash:
b5a324985b818362bf46078b02946578804990277fb99ac96df5caf030da6430
MD5 hash:
d8f2b697c7cd8b2e5052a5fec543a10e
SHA1 hash:
8d2cb5d6421654c55f87c0454c4d17fb311c0e73
Detections:
GCleaner
Create hunting rule
Link:
https://www.unpac.me/results/9ae65a81-d9b8-44eb-bf51-71a35764104f/
Malware family:
GCleaner
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/46c2001b215e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/46c2001b215e1b46c8373f182de759b4e43aa0d5139692da84af650757ecdb00

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe 46c2001b215e1b46c8373f182de759b4e43aa0d5139692da84af650757ecdb00

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3452038/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh

Comments