MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4bda2708e3d4cb38dddeae92bda767aa9d8f5bef431e9a48295b9c7f5e1f7bde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 11



SHA256 hash: 4bda2708e3d4cb38dddeae92bda767aa9d8f5bef431e9a48295b9c7f5e1f7bde
SHA3-384 hash: ba51432c5980a826f4731ae25915358c70ce965f082fcce4f8023c9f3424aec283ca0270b80d96167ec6dab3c5bf8ee4
SHA1 hash: ff28634076bea8156bbc1c0308a87afd77acae9e
MD5 hash: e5013b1a7cab7a0d10e305e5f084257b
humanhash: lion-uranus-cold-lake
File name: e5013b1a7cab7a0d10e305e5f084257b.exe
Signature: GCleaner
File size: 418'304 bytes
First seen: 2021-11-30 23:56:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3f0b538abbe574275afcdf5200fd4d28 (2 x RedLineStealer, 1 x Tofsee, 1 x ArkeiStealer)
ssdeep: 6144:KVtr8Omf3bXXm4NjHaWFdrf/XW/YVL6YYHzvUHzFt0PiDE9NnF:c9mfbXNj3FBfu/YVL6YYHzvUv00aNF
Threatray: 254 similar samples on MalwareBazaar
TLSH: T11E94BF10A7F0C039F1B727B85A79A379A53F7AA16B24D0CF52D426EA5A356D0EC30347
dhash icon: 33e1dc346498f16e (1 x GCleaner)
Reporter: abuse_ch
Tags: exe gcleaner


abuse_ch
GCleaner C2:
http://postbackstat.biz/stats/save.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                                      ThreatFox Reference
http://postbackstat.biz/stats/save.php   https://threatfox.abuse.ch/ioc/256403/

Intelligence


File Origin
# of uploads: 1
# of downloads: 187
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 8PY0w6tMRYuDwM3b7_FNCQNY.exe
Verdict: Malicious activity
Analysis date: 2021-11-28 06:01:49 UTC
Tags: trojan

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Query of malicious DNS domain
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 68 / 100
Signature
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph: (image not reproduced)

Threat name: Win32.Trojan.Raccrypt
Status: Malicious
First seen: 2021-11-27 17:39:04 UTC
File Type: PE (Exe)
Extracted files: 14
AV detection: 36 of 45 (80.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Deletes itself
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SHA256 hash: 3287014b4f0e1f443825600c46f4b51226ef1a502eddce33439d0f90be64898e
MD5 hash: 18933f7b1ee6346c6c3f111eb7fc198f
SHA1 hash: 471cdf48767ab2e059346e70e64a7e92f48e9c7c

SHA256 hash: 4bda2708e3d4cb38dddeae92bda767aa9d8f5bef431e9a48295b9c7f5e1f7bde
MD5 hash: e5013b1a7cab7a0d10e305e5f084257b
SHA1 hash: ff28634076bea8156bbc1c0308a87afd77acae9e

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks

Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

Rule name: XOREngine_Misc_XOR_Func
Author: smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description: Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments