MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46f7a66cb5d9c1d94d99a9bbf6e973a21d438b81ed722fcd73fb5c4e6ca08954. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 46f7a66cb5d9c1d94d99a9bbf6e973a21d438b81ed722fcd73fb5c4e6ca08954
SHA3-384 hash: 3fce3d1c6bed20a3fb0232aa3c439060b035a5a9dfb2f7c68959bc89e52238d5f64a7b5af382cf5068d33d26b66bc80f
SHA1 hash: 318d4b8e019409217ebcfc8858052f5bbc52831b
MD5 hash: 5757e496af8ec484f294eba16cde2e23
humanhash: avocado-arizona-cold-minnesota
File name:file
Download: download sample
Signature GCleaner
Create hunting rule
File size:3'639'568 bytes
First seen:2025-11-05 03:46:42 UTC
Last seen:2025-11-05 14:07:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c2ffaac75292c9510a72a45eee801fb3 (3 x GCleaner)
ssdeep 98304:/jRCbPYTMNkduR2NytzqMizbsmw2m4jvFm3:AbAw6duR2NRcmw2m4m
Threatray 225 similar samples on MalwareBazaar
TLSH T1CAF5D153C2A3CB61CE0102FE5F7BB2C2D815652CFAA4A6FFEAEB9451393DD111356482
TrID 52.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
16.8% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
7.5% (.EXE) OS/2 Executable (generic) (2029/13)
7.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe fbf543 gcleaner


Avatar
Bitsight
url: http://178.16.55.189/files/smm_traff/random.exe

Intelligence

File Origin
# of uploads :
8
# of downloads :
90
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2025-11-05 03:49:39 UTC
Tags:
delphi auto generic gcleaner loader
Link:
https://app.any.run/tasks/5162901b-9363-4a92-93b8-bcf2bc281635

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/35388/
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690ac8c09942f1282ecc3028
Tags:
delphi emotet cobalt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug borland_delphi expired-cert fingerprint installer-heuristic invalid-signature keylogger packed signed
Link:
https://www.filescan.io/uploads/690ac8c44425b0b1fd150768/reports/33b5d6f5-4ba6-4727-802c-a6967595ef5a/overview
Verdict:
Malicious
Labled as:
Application.Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/46f7a66cb5d9c1d94d99a9bbf6e973a21d438b81ed722fcd73fb5c4e6ca08954
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-05T00:53:00Z UTC
Last seen:
2025-11-06T10:23:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan.Win32.Agentb.gen HEUR:Trojan.Win32.Agent.gen Trojan.Win32.Qshell.sb Trojan.Win32.Delf.sb HEUR:Trojan.Win32.Convagent.gen
Link:
https://opentip.kaspersky.com/46f7a66cb5d9c1d94d99a9bbf6e973a21d438b81ed722fcd73fb5c4e6ca08954/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/9d7b88f8-e1dc-4aa3-a447-a9567d759e82
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/46f7a66cb5d9c1d94d99a9bbf6e973a21d438b81ed722fcd73fb5c4e6ca08954
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/5757e496af8ec484f294eba16cde2e23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/46f7a66cb5d9c1d94d99a9bbf6e973a21d438b81ed722fcd73fb5c4e6ca08954/
Verdict:
Malicious
Threat:
Family.GCLEANER
Link:
https://tip.neiki.dev/file/46f7a66cb5d9c1d94d99a9bbf6e973a21d438b81ed722fcd73fb5c4e6ca08954
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2025-11-05 03:47:50 UTC
File Type:
PE (Exe)
Extracted files:
34
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i332m3fv3ha5stmzvg57n2ltuiouhc4b5vzc7tlt7noe43farfka._file
Verdict:
malicious
Label(s):
gcleaner
Create hunting rule
Similar samples:
41efb861dbd52669d69c3fd0ae3cabbf7c993601ff3e88649810487b3e5b997b
GCleaner
5b36eb63f4519ec3b39981b1e9b5ad10be9ecba8a09b86e87ab41a9a701b9511
GCleaner
60d3530b58d702886b0de3267f22d69c608a29fd263a68627314534a65b05b9f
GCleaner
82aae2701dfeda4d01c03ab9129702b9a6298302b76931ccc784c219d2acca31
GCleaner
85023ef1c4861562b41d07ead0b1bd139fb5ddd2621c83558392e8797fd031f5
GCleaner
a071db1acb51e629aeb194a9a960116581c3cef7be5dd7af11d55a291fe90357
GCleaner
eacbbb8407add6256d6ae8af7a33abc4e306ebefc69484e16361d6ff66c74d2b
GCleaner
error
GCleaner
fb94e060b3129d360e4286a75d04dc396d3ffff274df3491ce429b05d7d24530
GCleaner
+ 215 additional samples on MalwareBazaar
Result
Malware family:
gcleaner
Create hunting rule
Score:
  10/10
Tags:
family:gcleaner discovery loader
Link:
https://tria.ge/reports/251105-eb6gbssjdm/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
GCleaner
Gcleaner family
Malware Config
C2 Extraction:
185.156.73.98
45.91.200.135
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/473ae5c5-f4e8-4008-a83a-0ef9042932d3
Unpacked files
SH256 hash:
46f7a66cb5d9c1d94d99a9bbf6e973a21d438b81ed722fcd73fb5c4e6ca08954
MD5 hash:
5757e496af8ec484f294eba16cde2e23
SHA1 hash:
318d4b8e019409217ebcfc8858052f5bbc52831b
Link:
https://www.unpac.me/results/e12c7a8d-2d78-4a28-abfa-af6f3b1d2de4/
SH256 hash:
d3d3224b50e7ff955cba76e05f5058471add627c6f15658420146040192b3e1b
MD5 hash:
61f30fea94c55ee3199526448a73e58f
SHA1 hash:
71c175173df87bda7ffc77b2208b28f04bbdc628
Link:
https://www.unpac.me/results/e12c7a8d-2d78-4a28-abfa-af6f3b1d2de4/
SH256 hash:
ba94ef33cdf3d8b7b9922c31bc516bf66f50c02225ab46d35eb5efabe1ea803c
MD5 hash:
e7ae118efe2663141e08ee6e41902bbe
SHA1 hash:
b934cc3d7986d37c96926d871a5e3ccfd548d07d
Detections:
GCleaner
Create hunting rule
Link:
https://www.unpac.me/results/e12c7a8d-2d78-4a28-abfa-af6f3b1d2de4/
Malware family:
GCleaner
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/46f7a66cb5d9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/46f7a66cb5d9c1d94d99a9bbf6e973a21d438b81ed722fcd73fb5c4e6ca08954

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe 46f7a66cb5d9c1d94d99a9bbf6e973a21d438b81ed722fcd73fb5c4e6ca08954

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3696641/
Cape
Cape
https://www.capesandbox.com/analysis/35388/
  
URLhaus
https://urlhaus.abuse.ch/url/3697170/

Comments