MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 46eb7b113f08caedc20b3b15cc04af0b9ac671d547afda4edce2d5a131929e29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
GCleaner
Vendor detections: 12
| SHA256 hash: | 46eb7b113f08caedc20b3b15cc04af0b9ac671d547afda4edce2d5a131929e29 |
|---|---|
| SHA3-384 hash: | eb82292c109da72d261290ea764bbfcad7d546b9d5dedc01d5be69eb8fcbcfdb251613f3fff7d4f186ad6b26237da6dc |
| SHA1 hash: | 178020e586e365f47c2d5e2c10b33dc6de8d7b90 |
| MD5 hash: | aa88b9b2f738c62fbaedc19802aa05c7 |
| humanhash: | sweet-minnesota-mars-hot |
| File name: | aa88b9b2f738c62fbaedc19802aa05c7.exe |
| Signature | GCleaner |
| File size: | 7'594'983 bytes |
| First seen: | 2021-12-18 05:26:01 UTC |
| Last seen: | Never |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash | 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer) |
| ssdeep | 196608:xuLUCgEO8Bz2Ne5OV7qBUiuaf6Fw8ap4EM/Pjr:xWdgP9Ne5OVGdulwRpTM3P |
| Threatray | 819 similar samples on MalwareBazaar |
| TLSH | T1C67633017A7290FDDF46927C4A997772D515020C57278AAFFB94CC8C9FAA99F80CAC43 |
| dhash icon | 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox) |
| Reporter | |
| Tags: | exe gcleaner |
Indicators Of Compromise (IOCs)
Below is a list of indicators of compromise (IOCs) associated with this malware sample.
| IOC | ThreatFox Reference |
|---|---|
| 45.9.20.240:46257 | https://threatfox.abuse.ch/ioc/277335/ |
Intelligence
File Origin
| # of uploads: | 1 |
|---|---|
| # of downloads: | 205 |
| Origin country: | n/a |
Vendor Threat Intelligence
Result
| Verdict: | Malware |
|---|---|
| Maliciousness: | |
Behaviour
- Creating a file in the %temp% subdirectories
- Creating synchronization primitives
- Creating a process from a recently created file
- Searching for the window
- Running batch commands
- Sending a custom TCP request
- Launching a process
- DNS request
Result
| Malware family: | n/a |
|---|---|
| Score: | 5/10 |
| Tags: | n/a |
Behaviour
- MalwareBazaar
- CheckCmdLine

| Verdict: | Malicious |
|---|---|
| Threat level: | 10/10 |
| Confidence: | 100% |
| Tags: | barys mokes overlay packed spybot |
Result
| Verdict: | MALICIOUS |
|---|---|
| Details: | Windows PE Executable |

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
| Threat name: | RedLine SmokeLoader Socelars Vidar |
|---|---|
| Detection: | malicious |
| Classification: | troj.spyw.evad |
| Score: | 100 / 100 |
Signature
- .NET source code references suspicious native API functions
- Adds a directory exclusion to Windows Defender
- Antivirus detection for dropped file
- Antivirus detection for URL or domain
- Detected unpacking (changes PE section rights)
- Detected unpacking (overwrites its own PE header)
- Disables Windows Defender (via service or powershell)
- Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
- Found malware configuration
- Found many strings related to Crypto-Wallets (likely being stolen)
- Injects a PE file into a foreign processes
- Machine Learning detection for dropped file
- May check the online IP address of the machine
- Multi AV Scanner detection for dropped file
- Multi AV Scanner detection for submitted file
- Obfuscated command line found
- PE file contains section with special chars
- PE file has a writeable .text section
- PE file has nameless sections
- Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
- Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
- Tries to harvest and steal browser information (history, passwords, etc)
- Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
- Tries to steal Crypto Currency Wallets
- Yara detected RedLine Stealer
- Yara detected SmokeLoader
- Yara detected Socelars
- Yara detected Vidar
- Yara detected Vidar stealer
- Yara detected WebBrowserPassView password recovery tool
- Yara Genericmalware
| Threat name: | Win32.Ransomware.StopCrypt |
|---|---|
| Status: | Malicious |
| First seen: | 2021-12-15 08:22:50 UTC |
| File Type: | PE (Exe) |
| Extracted files: | 212 |
| AV detection: | 21 of 27 (77.78%) |
| Threat level: | 5/5 |
| Detection(s): | Suspicious file |
| Verdict: | malicious |
| Similar samples: | + 809 additional samples on MalwareBazaar |
Result
| Malware family: | vidar |
|---|---|
| Score: | 10/10 |
| Tags: | family:redline family:smokeloader family:socelars family:vidar botnet:915 botnet:v2user1 aspackv2 backdoor discovery infostealer persistence spyware stealer suricata trojan |
Behaviour
- Checks SCSI registry key(s)
- Checks processor information in registry
- Delays execution with timeout.exe
- Kills process with taskkill
- Modifies data under HKEY_USERS
- Modifies registry class
- Modifies system certificate store
- Script User-Agent
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- Enumerates physical storage devices
- Program crash
- Drops file in Program Files directory
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Accesses 2FA software files, possible credential harvesting
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
- Looks up geolocation information via web service
- Checks QEMU agent file
- Loads dropped DLL
- Reads user/profile data of web browsers
- ASPack v2.12-2.42
- Downloads MZ/PE file
- Executes dropped EXE
- NirSoft WebBrowserPassView
- Nirsoft
- Vidar Stealer
- Process spawned unexpected child process
- RedLine
- RedLine Payload
- SmokeLoader
- Socelars
- Socelars Payload
- Vidar
- suricata: ET MALWARE ClipBanker Variant Activity (POST)
- suricata: ET MALWARE GCleaner Downloader Activity M5
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Malware Config
C2 Extraction:
- http://www.yarchworkshop.com/
- https://mstdn.social/@sergeev43
- https://koyu.space/@sergeev45
- http://rcacademy.at/upload/
- http://e-lanpengeonline.com/upload/
- http://vjcmvz.cn/upload/
- http://galala.ru/upload/
- http://witra.ru/upload/
- 159.69.246.184:13127
Unpacked files
| SHA256 hash | MD5 hash | SHA1 hash |
|---|---|---|
| d3e453a08188f2d4b9ff9dbcbf76789db5c6bd7005ee3c9c9ddf74f0d1b1a0ed | 4d9e7733c7efdb8a8048386a5e648cc5 | a09b0b2c86efaefd59700bff3c0ef1218d73e322 |
| 93d9ce6291eb10f727da27c487816b29fcba1b907d252f94d11ea0c3a99175fa | c7fc3bcb573b112eca27af5ef7192cce | e43a907bdaced88d3c4444844e72d2381e9f1ad7 |
| 3d966268571cf0a83f327df99ffd7441ffe65ad098f1db2fff8dd6a5d5233796 | 541501763132091ca1571883622b2c81 | 17f0073da00f8511abc7b4dd5d018f043c0c5489 |
| a7565e1865732064ff51cb093c515f80a2914b0f45c0d0c24e117d8b6dc68497 | 39ce9db5fdf3ec95d412cb6b6ef903b2 | 004ea5c2c821bcf3f1cc7fce4548ca14a9ce7ab8 |
| 2a93372deb6f0605f375845720380f866fe0eecea899ca0c06c70cfa64cc4a93 | 75108a95a87c842b5df4a556be360458 | 7aa74a8ba315480f32454df3a19c96684b726c6c |
| cf1ed8957d4825743d39f19529138de7131ca8f506440ddc1774f4640dffc599 | ded1c6e8c89148495fc19734e47b664d | 3a444aeacd154f8d66bca8a98615765c25eb3d41 |
| 97c1250df63bbc0080b88212cd95a83036dd21167b569cfb2032962ac942f60d | b254c5faa90a801757e7730d7a698458 | ecf5ec79338bf614d12a2d79b8495039d4dcdc44 |
| eedc6ea4c8ac8e8bc5b174271cbdbca451ae28b1b9fca988c3ea0b92cc9a33bb | e1052cd1d7a27c3a6088c12ccc4b14f4 | d575240875e1a86cea96f7f2c1862c8f7a39ca27 |
| 418c37d2ed05589a1443714916504a1aadcab7794b105036f7b3060e6f41cba7 | e2366ffb93ce751d4f7f82cddac249cc | d00991e4a4047016d68c23d3fa425186b6013af3 |
| 57908ffc3cc8acb7bfd62baa5d582215389ab9df2239040e9ed87865849118df | 1426e199a880481a2a4006fac7b36268 | cef56198df74709d1defdbb139094cdf194e2cc3 |
| fb5e44afa9b86e8d68f158b58036682dc28b8e3ed0d5391ffcd246f5bd8dec99 | 4c120576caedf379e15621df6328dfc0 | af3ddbcb753c2609d1b1c0985984a0957d9d0d0f |
| 99f0b7f3850cf910e41e4f5ddb3a0dc31b8aacbd786ac4baf2d8da957688934f | 081b25efff8d8aa6270f74b2785c3aec | a516b6adca827f8f22579a56b7edec4816d4bcce |
| 2021bc878303d0fa2cf6398497f26b039df3c6c76079daf1c0a2e45fbe17f7a3 | 1071090c648e29d7c95b9a09372d2e1a | 9772cc13378eb66761fa11def4ca7f3aeb90dbac |
| f08fc2801a7b2a3577f9d59f5e7b497152db0b25cab4937eb702e1a02af78373 | fb00ed53b7360a2e16e0d53cf368f853 | 7db576c5ca0cbe1bfa8ad7d0320211fc3afd9c78 |
| f086f42987935840dd21bdf36e6f16756d85a4d0e5d85e8280df4d1470585448 | e80ef341180e56dc87ab5f00dd203de8 | 4330332026f93f79b045516e56ce3073adf19052 |
| 41dcbe8872334df78bb2c481367d7bdbaf9e78541602f4256fd1c7ccb3f8110d | 6a5e0530ba62158b3d89d0f2cfc69ea8 | 3153c2fe9b9699074984757b946fa3644ec08e74 |
| f45daafd61371b1f080a92eea8e9c8bfc9b710f22c82d5a06a1b1bf271c646ad | 7e32ef0bd7899fa465bb0bc866b21560 | 115d09eeaff6bae686263d57b6069dd41f63c80c |
| 282d4b7bc4cd1bea95bcc0967451a4d0d0de0fc14ad41307e67d892f87523d8e | 89f7317a2539e814ff8a0132e72fce09 | 0df9a41a767c298d8f2d47d5c2457c04f7641464 |
| 1f1734fb8d99eb3f6544d270e4836dd4151736daeff763d41a97c166793b8ec2 | 8847293b9f0c3a382ceb073bcf580f6e | 0b5afd557e91989186ff0fd2528c8123fd1c7ca7 |
| 788ea0253cf19f1d75bb553e5959b85f079f92f25602680e783e8686908d9b4f | 6e52a42a905429239e7a062c0b485a6d | 0051cfad7adaf47c6ed0a1c6178d8120c938ff91 |
| 7e56bc9d1c885827dd139d3931115c2576e254732656717a4f4720fffc46a558 | cea10f2bdc342d84ac5b092c86b033d3 | a17b0fe3989df310f2ebad1f46449782865a88cc |
| a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec | 6faec01bf7a3d7f5c5dee2e6e3143a58 | 603a36f817cab5574e58ab279379e5c112e5fb37 |
| fdfcbc8cfb57a3451a3d148e50794772d477ed6cc434acc779f1f0dd63e93f4b | a6865d7dffcc927d975be63b76147e20 | 28e7edab84163cc2d0c864820bef89bae6f56bf8 |
| 012c3d22b5374c4f595fcf1986bf2a67697f322f36e8bb6456809334f98f5781 | 8bacb64db8fb73308faefd14b863fd43 | c5bf54f8b9cc198d6d380f3ee7a74df2feadf32a |
| 9dac78cf97a753e813b02cb654f076cdea03155bc9a98ed64ec248729ead52ec | 29fa5c5ade39d4ae5a0f564949278923 | 376051004220051779d97fcb44065a8724de370b |
| 774e29b5f449c85e49b18cd911590067481ccb7880f0a1dbf59f5eda8c20f412 | 081363f8b9c66fc9ff156b47998b2d35 | 5389644212bc9e70117a2c71d6408f4adae2276b |
| f5056d070ceb2c9902612f8cfb0b60bef335d07a936ef33d9dcf8245737f6558 | f6723ac4597445108bb65c5b429c9835 | 317d12b2a345d81e97054ff0d382da83de66c2ca |
| e62c0e5af033730f75f0b533958edda39463e6b0c60df72191da034971fc4a81 | 3d4dd5a3d5670bb858101a836054522a | 52257ea04fb60ce867407f1f3d872e79ad195fb0 |
| 68cb23256ee368c3136cf5251fc21da977089a9b9e2fb3b7696897aceb7beb55 | 2b585082229aee367fe8c9098ab781ec | c44e2fc73033e40e5dd8ce1969b02eca6e464063 |
| ff6399a42634dafa9d3fa4ebaba23dfed6ed1d25dc7cfa536f6ebbe4f8a6a67a | c74fe717e1e4c315e62fa7f9a90720fb | 8d7a59482e79a107aa33941f718044f06022e664 |
| 48c136d17163e672c02267e37057dfc22ca8b22e47d8847f0fd44be4d6080f02 | c6d1bad16a07ae7a67e65bc2293f8158 | 97e837b03080a9df31c8a4776350b292fab4ab15 |
| 159190b19bbe146abe500b9166c713cad55f5f35204317a02185b31a798ab644 | 19f5c71d595aceb9a64483f5f69e9e83 | 39b279c80617b0b9a106ef8875c4b9a6f4fcac3a |
| 46eb7b113f08caedc20b3b15cc04af0b9ac671d547afda4edce2d5a131929e29 | aa88b9b2f738c62fbaedc19802aa05c7 | 178020e586e365f47c2d5e2c10b33dc6de8d7b90 |
Please note that we are no longer able to provide a coverage score for Virus Total.
| Threat name: | Malicious File |
|---|---|
| Score: | 1.00 |
File information
The table below shows additional information about this malware sample such as delivery method and external references.