MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51e380e872b007b342e94119d6665cc15ce492964c82799117e50e2f103a5ac3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 12

SHA256 hash: 51e380e872b007b342e94119d6665cc15ce492964c82799117e50e2f103a5ac3
SHA3-384 hash: a313124dd3d12a895c23deb6176c997b774a8b5eea95a349132236c0216329b55637844bb61aedb04566feb2cf816119
SHA1 hash: 29fb9d4068b45b3c7b12ca7658c9575d94eb248a
MD5 hash: 8508fd2f123ce5abedbacd851b74ffa5
humanhash: paris-thirteen-nevada-hydrogen
File name: 8508fd2f123ce5abedbacd851b74ffa5.exe
Signature: GCleaner
File size: 5'820'416 bytes
First seen: 2022-02-07 06:01:20 UTC
Last seen: 2022-02-07 07:52:48 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 98304:IYvoAqcRWhq3tYmkWo5V7Hv4VU2Q+6WsWYvwwucbp9NxjGi9tbhyx7:JoBcRWhSSW07HgVU256Wsp3RxzO
Threatray: 1'477 similar samples on MalwareBazaar
TLSH: T13F46BF08D20CCEE7DF789983BF301489905D2FADBA66A7E807D746EC155976DC13388A
Reporter: abuse_ch
Tags: exe gcleaner

abuse_ch
GCleaner C2:
94.140.113.76:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 94.140.113.76:80 (ThreatFox reference: https://threatfox.abuse.ch/ioc/381622/)

Intelligence

File Origin
# of uploads: 2
# of downloads: 149
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
DNS request
Creating a process from a recently created file
Searching for synchronization primitives
Creating a window
Sending a custom TCP request
Creating a file
Creating a process with a hidden window
Sending an HTTP POST request
Sending an HTTP GET request
Launching a process
Reading critical registry keys
Running batch commands
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Stealing user critical data
Launching a tool to kill processes
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm mokes obfuscated packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Cookie Stealer Nitol RedLine Socelars on
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contain functionality to detect virtual machines
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Cookie Stealer
Yara detected Nitol
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected Socelars
Yara Genericmalware
Behaviour
Behavior Graph (ID 567398; sample LbGqgnO8iD.exe; start date 07/02/2022; architecture WINDOWS; score 100), reconstructed as a process tree from the graph's node labels:
  Start node: contacts 20.42.73.29 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States), toa.mygametoa.com 34.64.183.91 (GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States) and 7 other IPs or domains; signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules), Malicious sample detected (through community Yara rule), Antivirus detection for URL or domain, 18 other signatures
    LbGqgnO8iD.exe (started): drops C:\Users\user\AppData\Local\Temp\zy.exe (PE32), C:\Users\user\AppData\Local\Temp\inst1.exe (PE32), C:\Users\user\AppData\...\askinstall63.exe (PE32) and 11 other files (8 malicious)
      LightCleaner2352312.exe (started): contacts presstheme.me 172.67.201.63, 443, 49747, 49749 (CLOUDFLARENETUS, United States); drops e02ef4a9-a298-42b4-85a4-cd3976f51d10.exe (PE32) and d8f7ceab-47a8-4df6-9c50-21b98c66efda.exe (PE32); signatures: Multi AV Scanner detection for dropped file, Machine Learning detection for dropped file, Tries to evade analysis by execution special instruction which cause usermode exception
        d8f7ceab-47a8-4df6-9c50-21b98c66efda.exe (started): Tries to harvest and steal browser information (history, passwords, etc)
        e02ef4a9-a298-42b4-85a4-cd3976f51d10.exe (started): Detected unpacking (overwrites its own PE header)
      Proxypub.exe (started): Detected unpacking (changes PE section rights), Detected unpacking (overwrites its own PE header)
      inst1.exe (started): Contains functionality to infect the boot sector, Contain functionality to detect virtual machines, Contains functionality to inject code into remote processes
      4 other processes: contact 195.189.226.81 (OMNILANCEhttpomnilancecomUA, Ukraine), iplogger.org 148.251.234.83, 443, 49754, 49760 (HETZNER-ASDE, Germany) and 2 other IPs or domains; drop C:\Users\user\AppData\Local\...\System.dll (PE32), C:\Users\user\AppData\Local\...\INetC.dll (PE32), C:\Users\...\Routes License Agreement.exe (PE32), C:\Users\...\Routes%20Installation[1].exe (PE32); signatures: May check the online IP address of the machine, Creates processes via WMI
        zy.exe (started): contacts v.xyzgamev.com 104.21.40.196, 443, 49748, 49752 (CLOUDFLARENETUS, United States); drops C:\Users\user\AppData\Local\Temp\db.dll (PE32)
    rundll32.exe (started)
      rundll32.exe (started): Writes to foreign memory regions, Allocates memory in foreign processes, Creates a thread in another existing process (thread injection)
    svchost.exe (started): System process connects to network (likely due to code injection or exploit)
      WerFault.exe (started)
      WerFault.exe (started)
Threat name: ByteCode-MSIL.Backdoor.Mokes
Status: Malicious
First seen: 2022-02-04 11:53:11 UTC
File Type: PE (.Net Exe)
Extracted files: 15
AV detection: 33 of 43 (76.74%)
Threat level: 5/5
Result
Malware family: socelars
Score: 10/10
Tags: family:onlylogger family:redline family:socelars botnet:pablicher discovery infostealer loader spyware stealer suricata
Behaviour
Checks processor information in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
OnlyLogger Payload
OnlyLogger
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
suricata: ET MALWARE GCleaner Downloader Activity M5
Malware Config
C2 Extraction:
http://www.tpyyf.com/
185.215.113.10:39759
Unpacked files
Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value
Rule name: MALWARE_Win_DLInjector04
Author: ditekSHen
Description: Detects downloader / injector
Rule name: MALWARE_Win_OnlyLogger
Author: ditekSHen
Description: Detects OnlyLogger loader variants
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: XOREngine_Misc_XOR_Func
Author: smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description: Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information
The table below shows additional information about this malware sample such as delivery method and external references.