MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a881b40d1a58134c0d61e1d196443aae5f9c395ce969103981a8c904bb566bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a881b40d1a58134c0d61e1d196443aae5f9c395ce969103981a8c904bb566bd
SHA3-384 hash: 855148c912570b9cf4b207966e9318b4b6fc8ca1ef7529754ca2f5f93eb26e800be5d03e58e16899ea35fad9e7db0722
SHA1 hash: 5b2928255501c56b4e90680bb56f74d0ac466955
MD5 hash: c8b85d12cd4691911126aee1a3bd8402
humanhash: hamper-maine-magnesium-robin
File name:c8b85d12cd4691911126aee1a3bd8402.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:284'160 bytes
First seen:2023-02-27 16:16:12 UTC
Last seen:2023-02-27 17:32:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 04ac9617c34172e16c360c717c2451c4 (2 x CoinMiner, 1 x LaplasClipper, 1 x GCleaner)
ssdeep 6144:M6gBe0I/8n2wkOyljOFHRaR5mODVPIZSd:M6g1I/82FrlexaaWPIQ
Threatray 6'819 similar samples on MalwareBazaar
TLSH T16D54D012729CB8F1D26216364E38C2F49E6EFD614E256A8B33687F2F1EB0191D572713
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 1271696969696932 (1 x GCleaner)
Reporter abuse_ch
Tags:exe gcleaner

Intelligence

File Origin
# of uploads :
2
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c8b85d12cd4691911126aee1a3bd8402.exe
Verdict:
Malicious activity
Analysis date:
2023-02-27 16:18:22 UTC
Tags:
gcleaner
Link:
https://app.any.run/tasks/80f84804-24cc-4527-b7f3-231cbacc7278

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Nymaim
Create hunting rule
Link:
https://www.capesandbox.com/analysis/370319/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.5785.4438.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
83%
Tags:
greyware packed shell32.dll
Link:
https://www.filescan.io/uploads/63fcd7802313ffd5d318abd6/reports/15ab7360-b5de-45b0-a2d1-7f57a7b36ee9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/4a881b40d1a58134c0d61e1d196443aae5f9c395ce969103981a8c904bb566bd
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f3e07e98-64e9-45ad-8338-7ba3e864ceb6
Result
Threat name:
Nymaim
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1183324
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Nymaim
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a881b40d1a58134c0d61e1d196443aae5f9c395ce969103981a8c904bb566bd/
Threat name:
Win32.Downloader.GCleaner
Create hunting rule
Status:
Malicious
First seen:
2023-02-27 16:17:06 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
21 of 25 (84.00%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jkebwqgruwatjqgwdyorszcdvls7tq4vz2ljca4ydkgjas5vm26q._file
Verdict:
malicious
Similar samples:
4f3b3a58cf917cc065473b644107bedf72121fa1591335bccc4b95f331c4ac9c
GCleaner
9026ede50a6aeb6fcf0280345a104c6a712b2bac5322a5cd44d6028cb7b444a6
GCleaner
99c174299dbb2e0fc5a2fa4bab7bfbc95b7ce2c510fc043a5a4a952a61d28ffe
GCleaner
b11f4d0513f8394544e1b1244b6eb46c8219034afe039fd0dc891ca4f463f9f0
GCleaner
c424c1d216307f9ea2268a53843ee9606d2bdb81e009df7974cae072d28d2d55
GCleaner
f5a84bf51c4075d3dc72f3fb33a6137292b453086642a95114bdb3a5eb00195a
GCleaner
+ 6'809 additional samples on MalwareBazaar
Result
Malware family:
gcleaner
Create hunting rule
Score:
  10/10
Tags:
family:gcleaner loader
Link:
https://tria.ge/reports/230227-trc72see23/
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Deletes itself
GCleaner
Malware Config
C2 Extraction:
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Unpacked files
SH256 hash:
b2ddfbc0bda6a7be79d792211d0f461aba034c4d7df56bd640eb339607a334b1
MD5 hash:
7ec281e3a914062ca9bb1906fe8e3adc
SHA1 hash:
46d36d59372f8dd021498036b6aae7649cc4806b
Detections:
Nymaim
Create hunting rule
win_nymaim_g0
Create hunting rule
win_gcleaner_w0
Create hunting rule
win_gcleaner_auto
Create hunting rule
Link:
https://www.unpac.me/results/8d4bc67e-84f6-4470-8e91-15762009bce4/
Parent samples :
a8e63f9b3f0afa3b9e38a21c413ed4c62d0c10d410e99b60ea69d8b58d40ca18
f787a587a4ff9056d821fd4ab685c0c7c0de84c2d7c440155acbb99b0e63071b
9cfdc5f11ab2c97fd116b930b1e20d51ecb607efdbbb106811bdfb3288a0b82a
5f21d74f2ad986423d4a3f060a94a7006b43ad6227c3ce28b8b5018259c07397
b11f4d0513f8394544e1b1244b6eb46c8219034afe039fd0dc891ca4f463f9f0
f5a84bf51c4075d3dc72f3fb33a6137292b453086642a95114bdb3a5eb00195a
99d7cab5a3ee9b7c9fc2ee3786312978332a2dc6836bc7e658914ae53481d6d9
ffdb81bc24bd8b48d04cd589a0d84d848f9a32ff2cda79b8370bc162ee8d607d
a57bde2ce8ff1779020ddc373b1ab649a72fd1a450a46b46af446c4b9ad06bbe
8b404bd0942c675042585388c409252521839c262b33fbbe5a60346eed84915f
8853715caa4502209f806afcded94a839120cc0885196b32d8d25f7e4a43dca3
a0bcf89c02ad71f0080b2bc7fdd7171e9bae7ed60fdcf920eadc837fc6d2c0a3
99c174299dbb2e0fc5a2fa4bab7bfbc95b7ce2c510fc043a5a4a952a61d28ffe
c424c1d216307f9ea2268a53843ee9606d2bdb81e009df7974cae072d28d2d55
c7cfe5a719c1f661d3c88a943667b38d19ceb50e75bda93e2e7c0768d9465b27
4f3b3a58cf917cc065473b644107bedf72121fa1591335bccc4b95f331c4ac9c
324d28d289447cd6be831620cd47658acba7eca3a05d982ef8b2c1287f173cd1
a3d7b71b897c554fabca6a2cadba74f5fc19103d20d2e8a0d7ba3ba16a506acf
4a881b40d1a58134c0d61e1d196443aae5f9c395ce969103981a8c904bb566bd
0bae28922ad0fc2e5d92b6bf45fd23efb20c2639fafef7bcb0e12b642e2a9f5b
9c48e1bb555bbb98d635146b5098f1fda8753eade8479c079a14a5a1887fde7e
8a2ed465f876e200314451371c46e38ddb7dae622efe7f60bb7d58d9291651d5
43c684cde21885bd1a7add14846c6ce0ab374a6ff7163b655ec80186620770d3
dac1de6b2503baa1e80b0c90555aa87b663cd6a8e57651c97aae775defbe8f29
ec4a3b4195a3e96b2368b55ebb4c3c64e07a2d84e8f5b8a501b0547473ebf9d9
4b0e4fd6806fe1cd9dd277211a3aa9ab0510a3795355190acf8a84f6a2e5a508
3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5
621f05c3a5bc27def35adf4d0503b2f5019db2f2b72a0452c9a14850c4495779
ce53630e164fefbd80810e812308044a6c6705ae6c797aa680c0952b1b28c15f
780ed40282d7d392080687d1e32bc017f63ffab0c0fb020d1dcf3bf7c4c186da
25a2a5069c502b7aafebbdf26a2d80225774f39f537f2d1b03e3099300d6b3f9
SH256 hash:
4a881b40d1a58134c0d61e1d196443aae5f9c395ce969103981a8c904bb566bd
MD5 hash:
c8b85d12cd4691911126aee1a3bd8402
SHA1 hash:
5b2928255501c56b4e90680bb56f74d0ac466955
Link:
https://www.unpac.me/results/8d4bc67e-84f6-4470-8e91-15762009bce4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a881b40d1a58134c0d61e1d196443aae5f9c395ce969103981a8c904bb566bd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/370319/

Comments