MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53364173f3b4771f13cf0f8c6d4e19717f9097d3680e62a09d69186cb71001c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 11


Intelligence 11 IOCs 3 YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 53364173f3b4771f13cf0f8c6d4e19717f9097d3680e62a09d69186cb71001c8
SHA3-384 hash: d38634ac4ca589b11802a96995f914ec8973525a7f3d5f76058dc7183c720bcecb7a610be8acf5792df5c059fbe0625e
SHA1 hash: 955afd9dae7c07f72bc9e3394b0e37de41d3aab3
MD5 hash: a2b8cf09d6dd866faa2ff72c553081ad
humanhash: leopard-berlin-avocado-video
File name:a2b8cf09d6dd866faa2ff72c553081ad.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:270'848 bytes
First seen:2021-08-09 02:15:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1dd2fbc6a5c2e2fc6f774863c78cf7c8 (2 x DanaBot, 1 x GCleaner, 1 x RedLineStealer)
ssdeep 6144:zILWTvRwx9NuwUobWUPyX6yljLiSrRgDajTwa/RxJg:zI6L6xXRjbWqO6Yje0RPY
TLSH T11644E1343741CC76F453397058B6DBB0566BFD61EB24C642BA95376F2E322E0223939A
dhash icon 36e1dcbc649cf166 (1 x GCleaner)
Reporter abuse_ch
Tags:exe gcleaner


Avatar
abuse_ch
GCleaner C2:
http://74.119.195.134/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://74.119.195.134/ https://threatfox.abuse.ch/ioc/166044/
http://gcc-prtnrs.top/dlc/distribution.php https://threatfox.abuse.ch/ioc/166056/
http://gcc-prtnrs.top/stats/remember.php https://threatfox.abuse.ch/ioc/166057/

Intelligence

File Origin
# of uploads :
1
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
main-setup-v2.3.exe
Verdict:
Malicious activity
Analysis date:
2021-08-07 22:07:44 UTC
Tags:
trojan evasion stealer vidar rat redline loader opendir phishing
Link:
https://app.any.run/tasks/5b1c4b14-8bf2-4931-a2c8-18f052456c42

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/177338/
Detection(s):
Win.Dropper.Raccoon-9884213-0
Create hunting rule

Win.Malware.Fragtor-9884245-0
Create hunting rule

Win.Malware.Fragtor-9884342-0
Create hunting rule

Win.Malware.Generic-9884343-0
Create hunting rule

Win.Malware.Generic-9884468-0
Create hunting rule

Win.Dropper.Fragtor-9884486-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
DNS request
Connection attempt
Sending an HTTP GET request
Deleting a recently created file
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Sending a UDP request
Sending an HTTP POST request
Reading critical registry keys
Delayed reading of the file
Creating a window
Sending a custom TCP request
Searching for the window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Creating a file
Launching a process
Creating a file in the Program Files subdirectories
Launching cmd.exe command interpreter
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Launching a tool to kill processes
Sending an HTTP POST request to an infection source
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ddc1ce95-52f1-4f2d-b484-57340274b8a9
Result
Threat name:
Cryptbot Glupteba Raccoon RedLine
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/828922
Signature
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Contains functionality to register a low level keyboard hook
Country aware sample found (crashes after keyboard check)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample or dropped binary is a compiled AutoHotkey binary
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Uses known network protocols on non-standard ports
Yara detected Autohotkey Downloader Generic
Yara detected Cryptbot
Yara detected Evader
Yara detected Glupteba
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 461353 Sample: sm3IX1O9SY.exe Startdate: 09/08/2021 Architecture: WINDOWS Score: 100 81 FAiPDwVpqBpfgnM.FAiPDwVpqBpfgnM 2->81 107 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->107 109 Multi AV Scanner detection for domain / URL 2->109 111 Malicious sample detected (through community Yara rule) 2->111 113 14 other signatures 2->113 10 sm3IX1O9SY.exe 29 2->10         started        signatures3 process4 dnsIp5 101 dahgarq.top 185.123.53.190, 49719, 49734, 49735 TELE-ASTeleAsiaLimitedHK unknown 10->101 103 zeleps11.top 176.96.238.212, 49738, 49739, 49740 MSKHOSTRU Czech Republic 10->103 105 4 other IPs or domains 10->105 73 C:\Users\user\AppData\...\69329417523.exe, PE32 10->73 dropped 75 C:\Users\user\AppData\...\49480606991.exe, PE32 10->75 dropped 77 C:\Users\user\AppData\...\12348301953.exe, PE32 10->77 dropped 79 6 other files (none is malicious) 10->79 dropped 137 May check the online IP address of the machine 10->137 15 cmd.exe 10->15         started        17 cmd.exe 10->17         started        19 cmd.exe 10->19         started        21 7 other processes 10->21 file6 signatures7 process8 file9 24 49480606991.exe 15->24         started        29 conhost.exe 15->29         started        31 12348301953.exe 17->31         started        33 conhost.exe 17->33         started        35 69329417523.exe 19->35         started        37 conhost.exe 19->37         started        51 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 21->51 dropped 53 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 21->53 dropped 55 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 21->55 dropped 57 4 other malicious files 21->57 dropped process10 dnsIp11 87 iplogger.org 24->87 89 dahgarq.top 24->89 59 C:\Users\user\AppData\...\apineshpp.exe, PE32 24->59 dropped 123 Detected unpacking (overwrites its own PE header) 24->123 125 May check the online IP address of the machine 24->125 127 Creates HTML files with .exe extension (expired dropper behavior) 24->127 135 2 other signatures 24->135 39 apineshpp.exe 24->39         started        91 74.119.195.134, 49737, 80 MOVECLICKLLCUS United States 31->91 93 telete.in 195.201.225.248, 443, 49736 HETZNER-ASDE Germany 31->93 61 C:\Users\user\AppData\...\vcruntime140.dll, PE32 31->61 dropped 63 C:\Users\user\AppData\...\ucrtbase.dll, PE32 31->63 dropped 65 C:\Users\user\AppData\...\softokn3.dll, PE32 31->65 dropped 71 56 other files (none is malicious) 31->71 dropped 129 Detected unpacking (changes PE section rights) 31->129 131 Tries to steal Mail credentials (via file access) 31->131 43 cmd.exe 31->43         started        95 185.53.46.58, 49762, 80 STNB-ASDE Germany 35->95 97 morelm07.top 142.11.209.158, 49761, 80 HOSTWINDSUS United States 35->97 99 2 other IPs or domains 35->99 67 C:\Users\user\AppData\Local\Temp\Filett.exe, PE32 35->67 dropped 69 C:\Users\user\AppData\Local\...\lv[1].exe, PE32 35->69 dropped 133 Tries to harvest and steal browser information (history, passwords, etc) 35->133 file12 signatures13 process14 dnsIp15 83 185.215.113.17, 18597, 49753, 49756 WHOLESALECONNECTIONSNL Portugal 39->83 85 api.ip.sb 39->85 115 Detected unpacking (overwrites its own PE header) 39->115 117 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 39->117 119 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 39->119 121 2 other signatures 39->121 45 conhost.exe 39->45         started        47 conhost.exe 43->47         started        49 timeout.exe 43->49         started        signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/53364173f3b4771f13cf0f8c6d4e19717f9097d3680e62a09d69186cb71001c8/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-08-07 08:39:07 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=km3ec47twr3r6e6pb6gg2tqzof7zbf6tnahgfie5nemgznyqahea._file
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot family:danabot family:raccoon family:redline botnet:fa93985ba268e1dd8b72ef392332edcba95ddd45 botnet:mix 09.08 banker discovery infostealer persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/210809-lf385qq7rn/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Reads user/profile data of web browsers
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of local email clients
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
CryptBot
CryptBot Payload
Danabot
Danabot Loader Component
Raccoon
Raccoon Stealer Payload
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata: ET MALWARE GCleaner Downloader Activity M2
suricata: ET MALWARE GCleaner Downloader Activity M3
suricata: ET MALWARE GCleaner Related Downloader User-Agent
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
haibam72.top
morelm07.top
185.215.113.17:18597
Unpacked files
SH256 hash:
2435f4885bf105796691b2e6536ea2347906cb2bbbd2d51e22094220f137b81e
MD5 hash:
379c61b9c72d4051bd1d745c7f465130
SHA1 hash:
da7212e88ff1b721b7ef86ace2fc49f20ff02ac9
Link:
https://www.unpac.me/results/b35c990d-a0d3-4aa8-93d6-2574f9779e0a/
SH256 hash:
53364173f3b4771f13cf0f8c6d4e19717f9097d3680e62a09d69186cb71001c8
MD5 hash:
a2b8cf09d6dd866faa2ff72c553081ad
SHA1 hash:
955afd9dae7c07f72bc9e3394b0e37de41d3aab3
Link:
https://www.unpac.me/results/b35c990d-a0d3-4aa8-93d6-2574f9779e0a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/53364173f3b4771f13cf0f8c6d4e19717f9097d3680e62a09d69186cb71001c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:win_cryptbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.cryptbot.
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/177338/

Comments