MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 489eade7becb78deb88c28f80a3fc5d22e071ef8cb629f79d5e6fdebdee8ae70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 11



SHA256 hash: 489eade7becb78deb88c28f80a3fc5d22e071ef8cb629f79d5e6fdebdee8ae70
SHA3-384 hash: 5658eb6084368fa2c5c07cdcf41d88981689a8cb7fe355ea0c14a1711bdc33f7c8a184f5ee5e7afead8cae75d818ac18
SHA1 hash: dd7534bdb46605ddc482371053e79bcc252c1ad9
MD5 hash: 55e7f1381362daa3cb6e507dabc604e5
humanhash: freddie-single-magnesium-sodium
File name: 55e7f1381362daa3cb6e507dabc604e5.exe
Signature: GCleaner
File size: 1'794'907 bytes
First seen: 2023-06-17 09:55:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e569e6f445d32ba23766ad67d1e3787f (260 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep: 24576:s7FUDowAyrTVE3U5F/61lORBKic6QL3E2vVsjECUAQT45deRV9RI:sBuZrEUoqBKIy029s4C1eH96
TLSH: T1AC85CF3FF268A13EC56A1B3245739320997BBA51B81A8C1E07FC384DCF765601E3B656
TrID: 50.4% (.EXE) Inno Setup installer (109740/4/30)
      19.7% (.EXE) InstallShield setup (43053/19/16)
      19.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
      4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter: abuse_ch
Tags: exe gcleaner

Intelligence


File Origin
# of uploads: 1
# of downloads: 283
Origin country: NL

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 55e7f1381362daa3cb6e507dabc604e5.exe
Verdict: Suspicious activity
Analysis date: 2023-06-17 09:55:54 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: installer lolbin overlay packed setupapi.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 72 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Yara detected Generic Downloader
Yara detected Nymaim
Behaviour
Behavior Graph (ID 889461; sample 8UvPumbygi.exe; start date 17/06/2023; architecture WINDOWS; score 72), reconstructed from the flattened graph export:

Sample-level network contacts: 45.12.253.72, 45.12.253.75, 45.12.253.98 (CMCSUS, Germany)
Sample-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures

Process tree (dropped files, network contacts and signatures listed under the process that produced them):
- 8UvPumbygi.exe (submitted sample)
  - dropped: C:\Users\user\AppData\...\8UvPumbygi.tmp (PE32)
  - started: 8UvPumbygi.tmp
    - contacted: 45.12.253.74:80 (CMCSUS, Germany); webcompanion.com 104.18.212.25:80 (CLOUDFLARENETUS, United States); 2 other IPs or domains
    - dropped: C:\Users\user\AppData\Local\Temp\...\s0.exe, s1.exe, s2.exe (PE32); 3 other files (2 malicious)
    - signature: Performs DNS queries to domains with low reputation
    - started: s0.exe
      - contacted: 45.12.253.56:80 (CMCSUS, Germany)
      - signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
      - started: cmd.exe (which started conhost.exe and taskkill.exe); WerFault.exe (two instances); 6 other processes
    - started: s1.exe
      - contacted: 54.198.235.9:443 (AMAZON-AESUS, United States); collect.installeranalytics.com
      - dropped: C:\Users\user\AppData\Roaming\...\decoder.dll (PE32); C:\Users\user\AppData\...\Windows Updater.exe (PE32); C:\Users\user\AppData\Local\...\shi6720.tmp (PE32+); 3 other malicious files
      - started: msiexec.exe
    - started: s2.exe
      - dropped: C:\...\WebCompanionInstaller.resources.dll (PE32, three copies); 10 other malicious files
      - signature: Multi AV Scanner detection for dropped file
      - started: WebCompanionInstaller.exe
        - contacted: wc-update-service.lavasoft.com 64.18.87.81:80 (MTOCA, Canada); flow.lavasoft.com 104.17.9.52:80 (CLOUDFLARENETUS, United States); wcdownloadercdn.lavasoft.com
- msiexec.exe
  - dropped: C:\Windows\Installer\MSI9C7F.tmp, MSI9C4F.tmp, MSI9836.tmp (PE32); 14 other malicious files
  - started: msiexec.exe (three instances)
    - instance 1: contacted pstbbk.com 157.230.96.32:80 (DIGITALOCEAN-ASNUS, United States) and collect.installeranalytics.com 52.73.64.126:443 (AMAZON-AESUS, United States); dropped C:\Users\user\AppData\Local\...\shi8F5E.tmp, shi8EC1.tmp (PE32); signature: Query firmware table information (likely to detect VMs); started taskkill.exe (which started conhost.exe)
    - instance 2: dropped C:\Users\user\AppData\Local\...\shi8442.tmp, shi8376.tmp (PE32)
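The chain the sandboxes report above (the first vendor's "Creating a process from a recently created file", the last vendor's "Executes dropped EXE", and the 8UvPumbygi.exe -> 8UvPumbygi.tmp -> s0.exe / s1.exe / s2.exe tree in the behavior graph) is a drop-and-run pattern that is easy to state as an endpoint detection rule. The following is an added example, not code from MalwareBazaar or from any of the sandbox vendors: it remembers every file-create event and alerts when a process is launched from a path that was written less than WINDOW seconds earlier, reporting the ancestry of the new process and whether it lives in a typical staging directory. The event format, PIDs, timestamps and the is-XXXX.tmp staging directories are constructed to mirror the reported tree; the 60-second window is an assumption.

```python
"""Detect execution of a freshly dropped executable (installer drop-and-run chain).

Added example; not MalwareBazaar or sandbox-vendor code. Events, PIDs,
timestamps and directory names are constructed to mirror the reported
process tree (8UvPumbygi.exe -> 8UvPumbygi.tmp -> s0.exe / s1.exe / s2.exe).
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass, field

WINDOW = 60.0  # seconds: "recently created" threshold (assumption for this example)
# Directories where installers and droppers typically stage payloads; mirrors the
# AppData\Local\Temp and Windows\Installer paths in the report above.
STAGING_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\installer\\")


@dataclass(frozen=True)
class Event:
    ts: float           # seconds since trace start (constructed)
    kind: str           # "file_create" or "process_create"
    pid: int            # acting process
    image: str          # image path of the acting process
    target: str         # file written, or image of the new process
    child_pid: int = 0  # new PID for process_create events


@dataclass
class Alert:
    ts: float
    parent_image: str
    child_image: str
    writer_image: str   # process that wrote the file now being executed
    age: float          # seconds between file create and process create
    from_staging_dir: bool
    chain: list[str] = field(default_factory=list)  # ancestry, root first


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _ancestry(pid: int, parent: dict[int, int], images: dict[int, str]) -> list[str]:
    """Walk pid -> parent -> ... and return image basenames, root first."""
    out = []
    while pid in images:
        out.append(ntpath.basename(images[pid]))
        if pid not in parent:
            break
        pid = parent[pid]
    return out[::-1]


def detect_dropped_exe_execution(events: list[Event], window: float = WINDOW) -> list[Alert]:
    """Return one Alert per process_create whose image was written < window s earlier."""
    created: dict[str, tuple[float, str]] = {}   # normalised path -> (ts, writer image)
    images: dict[int, str] = {}                  # pid -> image path
    parent: dict[int, int] = {}                  # child pid -> parent pid
    alerts: list[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        images.setdefault(ev.pid, ev.image)
        if ev.kind == "file_create":
            created[_norm(ev.target)] = (ev.ts, ev.image)
        elif ev.kind == "process_create":
            images[ev.child_pid] = ev.target
            parent[ev.child_pid] = ev.pid
            key = _norm(ev.target)
            if key in created:
                write_ts, writer = created[key]
                age = ev.ts - write_ts
                if 0 <= age <= window:
                    alerts.append(Alert(
                        ts=ev.ts, parent_image=ev.image, child_image=ev.target,
                        writer_image=writer, age=age,
                        from_staging_dir=any(m in key for m in STAGING_MARKERS),
                        chain=_ancestry(ev.child_pid, parent, images),
                    ))
    return alerts


# Constructed event stream (hypothetical PIDs, times and is-XXXX.tmp staging dirs).
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE = r"C:\Users\user\Desktop\8UvPumbygi.exe"
STAGE1 = r"C:\Users\user\AppData\Local\Temp\is-AAAA.tmp\8UvPumbygi.tmp"
STAGE2 = r"C:\Users\user\AppData\Local\Temp\is-BBBB.tmp"
EVENTS = [
    Event(0.0, "process_create", 1, EXPLORER, SAMPLE, child_pid=10),
    Event(0.5, "file_create", 1, EXPLORER, r"C:\Users\user\Downloads\old_tool.exe"),
    Event(1.2, "file_create", 10, SAMPLE, STAGE1),
    Event(1.5, "process_create", 10, SAMPLE, STAGE1, child_pid=15),
    Event(4.0, "file_create", 15, STAGE1, STAGE2 + r"\s0.exe"),
    Event(4.1, "file_create", 15, STAGE1, STAGE2 + r"\s1.exe"),
    Event(4.2, "file_create", 15, STAGE1, STAGE2 + r"\s2.exe"),
    Event(5.0, "process_create", 15, STAGE1, STAGE2 + r"\s0.exe", child_pid=33),
    Event(5.1, "process_create", 15, STAGE1, STAGE2 + r"\s1.exe", child_pid=30),
    Event(5.2, "process_create", 15, STAGE1, STAGE2 + r"\s2.exe", child_pid=26),
    # System binary launched by s0.exe: never written in the trace, so not flagged.
    Event(6.0, "process_create", 33, STAGE2 + r"\s0.exe", r"C:\Windows\System32\cmd.exe", child_pid=42),
    # Written 129.5 s before execution: outside the window, so not flagged.
    Event(130.0, "process_create", 1, EXPLORER, r"C:\Users\user\Downloads\old_tool.exe", child_pid=60),
]


if __name__ == "__main__":
    for a in detect_dropped_exe_execution(EVENTS):
        flag = "STAGING" if a.from_staging_dir else "other"
        print(f"t={a.ts:6.1f}s  age={a.age:4.1f}s  [{flag}]  " + " > ".join(a.chain))
```

On the constructed stream this flags four launches (8UvPumbygi.tmp, then s0.exe, s1.exe and s2.exe), all from a staging directory and each with its full ancestry back to explorer.exe, while cmd.exe and the stale old_tool.exe are left alone. In a real deployment the writer-versus-launcher comparison is the useful refinement: here every payload is written and launched by the same parent, which is the installer signature; a file written by one process and executed by an unrelated one is a different, usually more interesting, chain.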
Threat name: Win32.Trojan.OffLoader
Status: Malicious
First seen: 2023-06-17 09:56:08 UTC
File Type: PE (Exe)
Extracted files: 15
AV detection: 13 of 24 (54.17%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash: cb398b212d877015cc455a18c8455b0599e7f4ab47e462938b3621d20c49cafe
MD5 hash: fe6e1b48da2b437e6ea8418bbed6e599
SHA1 hash: aea4ed2bb9027a1f3b1d5f4b2e3fdde6fa4051bd

SHA256 hash: 13cd13ca90cceb2e1cff53c6b6aaa56bae134d49d554fce17a150cc23dfb91c2
MD5 hash: b5b9d4cb60e9dc50975782763652e618
SHA1 hash: 35e8e40a100cb54ef16ab073faa51913f269422b

SHA256 hash: 489eade7becb78deb88c28f80a3fc5d22e071ef8cb629f79d5e6fdebdee8ae70
MD5 hash: 55e7f1381362daa3cb6e507dabc604e5
SHA1 hash: dd7534bdb46605ddc482371053e79bcc252c1ad9
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments