MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 477df2a52197bd71524c4ccf192ce2d2afb8b4b3d8e33f8efa418910342f30e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 16


Intelligence 16 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 477df2a52197bd71524c4ccf192ce2d2afb8b4b3d8e33f8efa418910342f30e7
SHA3-384 hash: 07b3fdb57f376655f3e229ad82e379e0bdbdc53ab87d1b3268619a361f42ced1549d0e0e63c66c2ebae6af6d035bd5ee
SHA1 hash: cb3a1dc49f4b8c69b2b18058aff264a7f56a16ec
MD5 hash: 90558ce5b5805e794baf0ea0e0825b00
humanhash: blossom-neptune-nevada-video
File name:Soft.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:3'837'216 bytes
First seen:2025-09-16 19:02:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4fdf814116f25d72ed5b4fb0454f8a2e (5 x GCleaner)
ssdeep 98304:o5ML8bGlq+BFeaH9M9BFuYOxLSHieZshprG:oWQyq+BhH6fuYLjshprG
Threatray 495 similar samples on MalwareBazaar
TLSH T18106E0E645A19434FAA7A539D83A7BF425E6BD00343F34C20660AB7B8F75CD8171B1A3
TrID 52.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
16.8% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
7.5% (.EXE) OS/2 Executable (generic) (2029/13)
7.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter aachum
Tags:exe gcleaner


Avatar
iamaachum
https://safe-soft.eu/kmspico/ => https://mega.nz/folder/6Eky3YYA#EVqhMkDD6dYtRLM8Bk35pQ

GCleaner C2: 176.46.158.23

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Soft.exe
Verdict:
Malicious activity
Analysis date:
2025-09-16 18:55:26 UTC
Tags:
gcleaner loader stealc stealer golang inno installer delphi
Link:
https://app.any.run/tasks/00ae29e5-1b37-415f-b22d-e3298c7b82fe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/27787/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c9b29ed49ea3f1e4b6863e
Tags:
delphi emotet cobalt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a recently created process by context flags manipulation
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/477df2a52197bd71524c4ccf192ce2d2afb8b4b3d8e33f8efa418910342f30e7
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-16T12:29:00Z UTC
Last seen:
2025-09-16T12:29:00Z UTC
Hits:
~100
Detections:
PDM:Trojan.Win32.Generic Backdoor.Agent.HTTP.C&C Trojan-PSW.Tepfer.TCP.C&C Trojan-PSW.Tepfer.HTTP.C&C HEUR:Trojan-PSW.Win32.Tepfer.gen
Link:
https://opentip.kaspersky.com/477df2a52197bd71524c4ccf192ce2d2afb8b4b3d8e33f8efa418910342f30e7/results?tab=lookup
Malware family:
RealVNC
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/96bf792a-915a-45ae-b841-5e479e7279c9
Result
Threat name:
CryptOne, GCleaner, Socks5Systemz, Steal
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1778773
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Creates / moves files in alternative data streams (ADS)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the user root directory
Early bird code injection technique detected
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office process tries to detect installed antivirus files
Potentially malicious time measurement code found
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Sigma detected: Powershell launch regsvr32
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected GCleaner
Yara detected Socks5Systemz
Yara detected Stealc v2
Yara detected Tofsee
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1778773 Sample: Soft.exe Startdate: 16/09/2025 Architecture: WINDOWS Score: 100 123 185.156.73.98 RELDAS-NETRU Russian Federation 2->123 125 45.91.200.135 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Netherlands 2->125 127 11 other IPs or domains 2->127 153 Suricata IDS alerts for network traffic 2->153 155 Found malware configuration 2->155 157 Malicious sample detected (through community Yara rule) 2->157 159 20 other signatures 2->159 14 Soft.exe 2 2->14         started        18 svchost.exe 2->18         started        20 svchost.exe 2->20         started        22 4 other processes 2->22 signatures3 process4 file5 115 C:\Users\user\AppData\...\svchost015.exe, PE32 14->115 dropped 117 C:\Users\user\AppData\Local\...\svcEBC0.tmp, PE32 14->117 dropped 177 Writes to foreign memory regions 14->177 179 Found hidden mapped module (file has been removed from disk) 14->179 181 Maps a DLL or memory area into another process 14->181 24 svchost015.exe 35 14->24         started        183 Changes security center settings (notifications, updates, antivirus, firewall) 18->183 28 MpCmdRun.exe 18->28         started        signatures6 process7 dnsIp8 135 176.46.158.23, 49723, 49724, 49727 ESTPAKEE Iran (ISLAMIC Republic Of) 24->135 137 drive.usercontent.google.com 142.250.72.129, 443, 49720 GOOGLEUS United States 24->137 85 C:\Users\user\AppData\...\QIPRNJcHXMK.exe, PE32 24->85 dropped 87 C:\Users\user\AppData\...\z2AnQ9PZ7C.exe, PE32+ 24->87 dropped 89 C:\Users\user\AppData\...\KDLGlzScDM.exe, PE32 24->89 dropped 91 3 other malicious files 24->91 dropped 30 KDLGlzScDM.exe 2 24->30         started        33 QIPRNJcHXMK.exe 2 24->33         started        35 z2AnQ9PZ7C.exe 18 24->35         started        39 conhost.exe 28->39         started        file9 process10 dnsIp11 119 C:\Users\user\AppData\...\KDLGlzScDM.tmp, PE32 30->119 dropped 41 KDLGlzScDM.tmp 18 26 30->41         started        121 C:\Users\user\AppData\...\QIPRNJcHXMK.tmp, PE32 33->121 dropped 45 QIPRNJcHXMK.tmp 3 6 33->45         started        129 93.152.230.54, 49725, 80 ONLINEDIRECT-ASBG Bulgaria 35->129 161 Multi AV Scanner detection for dropped file 35->161 163 Early bird code injection technique detected 35->163 165 Found many strings related to Crypto-Wallets (likely being stolen) 35->165 167 8 other signatures 35->167 47 chrome.exe 35->47         started        49 chrome.exe 35->49         started        51 chrome.exe 35->51         started        file12 signatures13 process14 file15 93 C:\Users\user\...\usbdrivetester453.exe, PE32 41->93 dropped 95 C:\Users\user\AppData\...\unins000.exe (copy), PE32 41->95 dropped 97 C:\Users\user\AppData\Local\...\is-88QBI.tmp, PE32 41->97 dropped 105 21 other malicious files 41->105 dropped 171 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 41->171 53 usbdrivetester453.exe 1 19 41->53         started        99 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 45->99 dropped 101 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 45->101 dropped 103 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 45->103 dropped 57 QIPRNJcHXMK.exe 45->57         started        signatures16 process17 dnsIp18 131 178.16.53.192, 443, 50246, 50290 DUSNET-ASDE Germany 53->131 133 94.26.38.3, 2024, 50326, 50449 PULSAR-NET-ASBG Bulgaria 53->133 79 C:\ProgramData\USBDriveTester\sqlite3.dll, PE32 53->79 dropped 81 C:\ProgramData\...\USBDriveTester.exe, PE32 53->81 dropped 83 C:\Users\user\AppData\...\QIPRNJcHXMK.tmp, PE32 57->83 dropped 59 QIPRNJcHXMK.tmp 57->59         started        file19 process20 file21 107 C:\Users\user\is-VH6BD.tmp, PE32 59->107 dropped 109 C:\Users\user\AppData\Roaming\is-CE9IL.tmp, PE32 59->109 dropped 111 C:\Users\user\AppData\...\avp.exe (copy), PE32 59->111 dropped 113 4 other malicious files 59->113 dropped 173 Drops PE files to the user root directory 59->173 175 Office process tries to detect installed antivirus files 59->175 63 regsvr32.exe 59->63         started        signatures22 process23 dnsIp24 139 117.45.17.84.dnsbl.sorbs.net 63->139 141 smtp.google.com 63->141 143 13 other IPs or domains 63->143 77 C:\Users\user:.repos, data 63->77 dropped 145 System process connects to network (likely due to code injection or exploit) 63->145 147 Suspicious powershell command line found 63->147 149 Creates / moves files in alternative data streams (ADS) 63->149 151 Found strings related to Crypto-Mining 63->151 68 powershell.exe 63->68         started        71 powershell.exe 63->71         started        file25 signatures26 process27 signatures28 169 Loading BitLocker PowerShell Module 68->169 73 conhost.exe 68->73         started        75 conhost.exe 71->75         started        process29
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/477df2a52197bd71524c4ccf192ce2d2afb8b4b3d8e33f8efa418910342f30e7
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/477df2a52197bd71524c4ccf192ce2d2afb8b4b3d8e33f8efa418910342f30e7/
Verdict:
Malicious
Threat:
Family.GCLEANER
Link:
https://tip.neiki.dev/file/477df2a52197bd71524c4ccf192ce2d2afb8b4b3d8e33f8efa418910342f30e7
Threat name:
Win32.Trojan.Gcleaner
Create hunting rule
Status:
Malicious
First seen:
2025-09-16 18:55:28 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i567fjjbs66xcusmjthrslhc2kx3rnft3drt7dx2igeranbpgdtq._file
Verdict:
malicious
Label(s):
gcleaner
Create hunting rule
Similar samples:
53afe13ca6d157bec8b1cc467764abd1194fb3bbd06c0a67a2ee5f560b63d1a4
GCleaner
6557410235018ef55b87a36a66cadcbecd3f028313bfc6d4fded104536cff8c9
GCleaner
74273805a7bd7441f36bdc596eff7b4597c254015727024c2e86717d8954bbe3
GCleaner
a639d8ed17108b7cf50aa15e689f62c03a04b409a6204249d0f9503b55d888bd
GCleaner
aa586630eb5a50f271a1bdc1e20be4673b40a0c9b20433b7b2fcc0a65413526d
GCleaner
cb15de5f46531f8027182000f0c961cb20c4815e992ac8810198cee869bbeb20
GCleaner
e0c21356fdd99942e1d9e89f0afee73e5f14772bf5f8836ab8b96a997ba76768
GCleaner
error
GCleaner
fa47e000ed767d0ab02b6500ccd02bdb0cdaec3892c01a1998a51d3d44a146d8
GCleaner
+ 485 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/250916-xq3m4agr7x/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8ceb228a-0ae0-47b2-87df-9f54037d6028
Unpacked files
SH256 hash:
477df2a52197bd71524c4ccf192ce2d2afb8b4b3d8e33f8efa418910342f30e7
MD5 hash:
90558ce5b5805e794baf0ea0e0825b00
SHA1 hash:
cb3a1dc49f4b8c69b2b18058aff264a7f56a16ec
Link:
https://www.unpac.me/results/a01ee29c-be84-4e51-a6fd-f5ff808795db/
SH256 hash:
5a5ed78e04c7ad144a4580c19e9743d252b4a25e84ba7e6c4c43fc459c956a9a
MD5 hash:
8aadb7e2a4e0128b357b6e90d924d128
SHA1 hash:
cfc4678d82f0e4b0cebd1fb0b01f479dc25134d5
Detections:
GCleaner
Create hunting rule
Link:
https://www.unpac.me/results/a01ee29c-be84-4e51-a6fd-f5ff808795db/
Parent samples :
2046f265e025776e7199a9e576be5ed49483841f5203c3e3eeb79d0a24f73920
384cdb291c4006761018b84c0c02f37afbfa0b51c6bf0220639abc91f74009b1
768f9ecc19a84b15234ead8058f24a9c8a337430312eab9ecbbcbfa8ab69d0f3
aba7585008a92523b09b28c94fdd8fb7afc39b5b466efac8ca5f7f2b520bbedd
ca4a5fcd9eff405f9f8037e89e1a72914eda7129e5aa9476283021c03c56500c
c5e135c050b4ecbc73acae15b6dbbfaf5157e60fe62c96913b4c56df77ae4feb
dd717fcb7d845a4bb7e0380a9df665219b9b2de29ca8a12600c52f831069f1b3
c582323df2a900ae3b0b1860ff768aa5e90f3e595b33aecb57040b130a65e632
e65f22bbb7a32f6fd436eb0ea6de0c000542ffd6785a983d8f0594b791331994
70cc21383260ea0cb520627324853ae7665cb4b8f6462c5a96e07375a2c26317
3c4cd60b0bcf381bfdeae2397ae2011016d1d389df0cb524d5e12ac9aea5e71b
408ef63acd027f6ba843e30d00d51e506d714804ee842a83f4f31a4b5d7aa7d9
f62ad9ecb4facb02dead75e27e29db58519b6805f49278852d02298b55e59cf5
758e36455c17152210a6ae8001e3b9d7680159440e0e6ae702b9302ec2160d50
a91a863821ef21472adfeeed5e90eebf3fe5e559f257f7d37de401c2a0553485
8b2d9358a329089c3bd96cce97b91e9b8a4d900abd0aaa8e55c3c0466e930c88
9653fb267376aa1495996d935a8bb8b6d73b46aa372d814bfb3c91ba0ebbf7f3
e41b1aa6ff791b7611638851db2ba42c47a125a81b5c74d10354f4f87d4e8770
4fb3fb9750c68de93bee10692827f5630635ef39ed13a86dba52b9cd1e02280d
05664da4d3ea8b39b6183a1112e67f46a8715536faa0a9469bc2659f4ef16289
d3a77d8bcd9963d30fd3e51acee6654e3ccbf2b2b81fbe47e97b9b9068c76f06
1a757566caa5edd32fd5c190b9e8da7d7abf3398b9a3ceddd365a95886434767
53afe13ca6d157bec8b1cc467764abd1194fb3bbd06c0a67a2ee5f560b63d1a4
82bf3e8991a22f67e5cf9b7340eb3c1fa5456c9d9a9e27fdc107c46572713897
512b629f01ce1668bcc60ea305e93fb264cf2b7f2f87bb3aafef29beeb604cce
cc261502042db67adb917ce03321ee47277cfbc1712b770c6b71c035b89793cb
477df2a52197bd71524c4ccf192ce2d2afb8b4b3d8e33f8efa418910342f30e7
a53952ad1b88e5d6b4fc14f09e4ccd0f2ce4be72df7c5693abd8cdad953a4871
5dfcdc1c491fbf2f7f2fbac6bbf27b84be652583b66b252c46e8ed86577c3c60
SH256 hash:
0a0b083cc0e62db594b7be21088202c7fe0970d609b2847085d0bf2be8e54a5c
MD5 hash:
4ce3ce196eda86d92b68362b6269b618
SHA1 hash:
fd42ee0aca0315acac25c297f1ce33634c549559
Link:
https://www.unpac.me/results/a01ee29c-be84-4e51-a6fd-f5ff808795db/
Malware family:
GCleaner
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/477df2a52197/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe 477df2a52197bd71524c4ccf192ce2d2afb8b4b3d8e33f8efa418910342f30e7

(this sample)

  
Link
https://tria.ge/250916-xheajay1gz/behavioral2
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/27787/

Comments