MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f5b750b4ce31fee246f69e6de1d4022ac84cedc1a85c1523a3f853fc093c334. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	4f5b750b4ce31fee246f69e6de1d4022ac84cedc1a85c1523a3f853fc093c334
SHA3-384 hash:	7e8d2070e0983e6f24ab5246c7fb9cad62655569f25edb939f2c4547909bdd9ca6829d88b1ba35f882e841c41147e000
SHA1 hash:	c890d0ee5edbfb58d09eacdb2b8b8091924848b9
MD5 hash:	04314619528c65d7f6506250597a7e6b
humanhash:	don-ink-early-bulldog
File name:	file
Download:	download sample
Signature	GCleaner Create hunting rule
File size:	3'339'630 bytes
First seen:	2023-02-15 20:05:25 UTC
Last seen:	2023-02-15 20:44:08 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'514 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep	98304:JHxDbn5jT+D2wffmMPjb5uGEGxtKGv2MR:dxDT51wfftP0dAzvjR
TLSH	T1E3F512BCB255C45DD580BEB48C3A89E75CD76EE3E9E8A01270C87F3F11B92849B09617
TrID	78.6% (.EXE) Inno Setup installer (109740/4/30) 10.1% (.EXE) Win32 Executable Delphi generic (14182/79/4) 3.2% (.EXE) Win32 Executable (generic) (4505/5/1) 2.1% (.MZP) WinArchiver Mountable compressed Archive (3000/1) 1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	14b0b0fceeaa3b18 (363 x GCleaner)
Reporter	andretavare5
Tags:	exe gcleaner

andretavare5

Sample downloaded from http://45.12.253.74/pineapple.php?pub=mixinte

Intelligence

File Origin

# of uploads :

# of downloads :

221

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-02-15 20:05:56 UTC

Tags:

installer

Link:

https://app.any.run/tasks/2ca327f2-82b7-4327-b019-cc909a5c7479

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Nymaim

Link:

https://www.capesandbox.com/analysis/366841/

Detection(s):

SecuriteInfo.com.Trojan.Moneyinst.746.21331.248.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the Program Files subdirectories

Moving a file to the Program Files subdirectory

Modifying a system file

Creating a file in the %AppData% subdirectories

Sending an HTTP GET request

Running batch commands

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Creating a file in the Windows subdirectories

Launching a process

Searching for the window

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Launching a tool to kill processes

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/70531/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware installer overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/63ed3b2c178c324d143e5f43/reports/6e95d74a-26f3-492a-bea4-390ab34186db/overview

Verdict:

Malicious

Labled as:

Downloader/BeamWinHTTP

Link:

https://www.hybrid-analysis.com/sample/4f5b750b4ce31fee246f69e6de1d4022ac84cedc1a85c1523a3f853fc093c334

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e80ebb92-d647-4281-a8db-cb65d81c4aa6

Result

Threat name:

Nymaim

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1176134

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4f5b750b4ce31fee246f69e6de1d4022ac84cedc1a85c1523a3f853fc093c334/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2023-02-15 20:06:46 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 25 (64.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=j5nxkc2m4mp64jdpnhtn4hkaekwijtw4dkc4cur2h6ct7qetym2a._file

Verdict:

malicious

Result

Malware family:

gcleaner

Score:

10/10

Tags:

family:gcleaner discovery loader

Link:

https://tria.ge/reports/230215-yvdp7sdg76/

Behaviour

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Checks installed software on the system

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

GCleaner

Malware Config

C2 Extraction:

45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75

Unpacked files

SH256 hash:

a6dce8329c0799ee4be4631d679ec3fa099fc12d74637696399cf941bda1b0e5

MD5 hash:

28b55df70b307d7fef31c56795b2da3c

SHA1 hash:

1d3344045b7d8f043f36880f6ec1ceaced97e6fc

Detections:

win_nymaim_g0

Nymaim

win_gcleaner_auto

Link:

https://www.unpac.me/results/0e0ce533-4955-4660-a7ee-337be9488061/

SH256 hash:

a2bbe72dba8f7a9e470d781df8633d4ce846be74d1ee5b1fc3f7da1587c33d8d

MD5 hash:

f65d4e57a66544d3afc30277114748ff

SHA1 hash:

ce47dd82a4099c53d8f47d5bf9fe696d8b5f365d

Link:

https://www.unpac.me/results/0e0ce533-4955-4660-a7ee-337be9488061/

SH256 hash:

88dac1be47743ebd87b354e8e7434daccd7ee69794c1d1fc35a741c14039f4a5

MD5 hash:

97eda3fbbf9cf5e9f0fcada647aa6f25

SHA1 hash:

5a1cd65a49a221ac4acfd1fc790ebea496fdb638

Link:

https://www.unpac.me/results/0e0ce533-4955-4660-a7ee-337be9488061/

SH256 hash:

c432fab5c1779fe9416552d16139582150d45fa0ee1231daff32b32fd98738a0

MD5 hash:

3a9332527fc25068c4911b3a9d9089e6

SHA1 hash:

07032abe6c75ef587d8be715f8da549cd7bec325

Link:

https://www.unpac.me/results/0e0ce533-4955-4660-a7ee-337be9488061/

SH256 hash:

4f5b750b4ce31fee246f69e6de1d4022ac84cedc1a85c1523a3f853fc093c334

MD5 hash:

04314619528c65d7f6506250597a7e6b

SHA1 hash:

c890d0ee5edbfb58d09eacdb2b8b8091924848b9

Link:

https://www.unpac.me/results/0e0ce533-4955-4660-a7ee-337be9488061/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4f5b750b4ce31fee246f69e6de1d4022ac84cedc1a85c1523a3f853fc093c334

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	win_gcleaner_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.gcleaner.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/366841/

URLhaus

https://urlhaus.abuse.ch/url/2509470/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample