MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4cd754af5d3b9faa7e9626f79fccc35464224247a10f4d01ef502a0423e637a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 13



SHA256 hash: 4cd754af5d3b9faa7e9626f79fccc35464224247a10f4d01ef502a0423e637a7
SHA3-384 hash: 15d94769f9d197b497ef815739380ae8726f7153b7494d98fe505005b3a8012007cf3e78e1ceb13fba2ca2eb1967941b
SHA1 hash: fa6afc54f0e7a0a8a0477d9ac7a18334dc4814d5
MD5 hash: bab4569b91afc1b8e96f1f39708c41bd
humanhash: diet-yellow-october-shade
File name: bab4569b91afc1b8e96f1f39708c41bd.exe
Signature: GCleaner
File size: 4'054'854 bytes
First seen: 2021-10-22 18:41:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:JT1nlSNFz/c8HZGVl/+yBTMaeyQRNzn4/KfPClr+Lcisg4ieGQ0:JThoLH/yKaeyorJ6lKLci+iQ0
Threatray: 591 similar samples on MalwareBazaar
TLSH: T1FD1633050D3E95B7E58B4F73BBB237360B47D39651E1C81A33D06AEA1C26223297835B
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe gcleaner


abuse_ch
GCleaner C2:
185.215.113.15:21508

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                                                            ThreatFox reference
185.215.113.15:21508                                           https://threatfox.abuse.ch/ioc/236616/
5.149.254.7:80                                                 https://threatfox.abuse.ch/ioc/236639/
http://178.159.43.105/xenforo/usercontent/MultiProtect.php     https://threatfox.abuse.ch/ioc/236640/
45.9.20.182:46792                                              https://threatfox.abuse.ch/ioc/236644/
5.252.176.69:1203                                              https://threatfox.abuse.ch/ioc/236645/
3.17.66.208:50383                                              https://threatfox.abuse.ch/ioc/236646/

Intelligence


File Origin
# of uploads: 1
# of downloads: 259
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine SmokeLoader Socelars
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Disable Windows Defender real time protection (registry)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Behaviour
Behavior Graph: ID 507904, sample wA5D1yZuTf.exe, start date 22/10/2021, architecture WINDOWS, score 100 (graph rendering not reproduced in this text view)
Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2021-10-10 22:11:24 UTC
AV detection: 22 of 28 (78.57%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:redline family:smokeloader family:socelars family:vidar botnet:937 botnet:she aspackv2 backdoor infostealer stealer suricata themida trojan
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M1
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Malware Config
C2 Extraction:
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
135.181.129.119:4805
https://mas.to/@xeroxxx
Unpacked files
Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack

Rule name: INDICATOR_SUSPICIOUS_EXE_DiscordURL
Author: ditekSHen
Description: Detects executables Discord URL observed in first stage droppers

Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments