MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5559d3e43563d36e1a97caba8f205acdc978b43c38337c5e1d24c750ed38f842. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 15

SHA256 hash: 5559d3e43563d36e1a97caba8f205acdc978b43c38337c5e1d24c750ed38f842
SHA3-384 hash: 09023fbbf3c4c387ed6fd1afdd8b9330691fafce6911f9c7c9f6529d4ed5310f0182c9e68323f27badce2fece425a4c9
SHA1 hash: 635a50eaafa81e2c19d07542b32800eda3a2b1ca
MD5 hash: eeca9de523e012e69cf3139f7f6b4b04
humanhash: spaghetti-sierra-bacon-september
File name: eeca9de523e012e69cf3139f7f6b4b04.exe
Signature: GCleaner
File size: 312,320 bytes
First seen: 2023-04-19 16:03:33 UTC
Last seen: Never
File type: exe
MIME type: application/x-dosexec
imphash: ce616e1524d84196ce99affa2a76819d (2 x Smoke Loader, 2 x GCleaner, 1 x Stealc)
ssdeep: 3072:+yns/Huc2Alk2jo3DogYJkU1OqtMJ/yM0aiWIfp+jNcbkZLVvhliBE5/kfRwYPDw:fsmc2B2MYKNyMfijp+KmLRWckGYPDWJ
Threatray: 39 similar samples on MalwareBazaar
TLSH: T13664F2617990CC32CDAE26749832EB9A2A7FB85141149D4777783BFA7F213C11A3139B
TrID:
  37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
  17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
   7.3% (.ICL) Windows Icons Library (generic) (2059/9)
   7.2% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: c4a4e8e8e8e0e0dc (1 x GCleaner)
Reporter: abuse_ch
Tags: exe gcleaner
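Before unpacking or detonating the download, confirm that what you have is the file this entry describes. The script below is an added example, not MalwareBazaar's own code: it recomputes the four digests and the size listed above and compares them against values copied from the entry. MalwareBazaar serves samples as a password-protected ZIP (password `infected`), so extract first and hash the extracted executable, not the archive. The stand-in bytes used when no path is given are constructed so the script runs offline; they fail verification, as they should.

```python
"""Verify a downloaded MalwareBazaar sample against the hashes and size in its entry.

Added example (not from the MalwareBazaar page); standard library only.
EXPECTED and EXPECTED_SIZE are copied from the entry above.
"""
import hashlib
import hmac
import sys
from typing import Dict, Optional

# Digests listed in the entry for this sample (lowercase hex).
EXPECTED = {
    "md5": "eeca9de523e012e69cf3139f7f6b4b04",
    "sha1": "635a50eaafa81e2c19d07542b32800eda3a2b1ca",
    "sha256": "5559d3e43563d36e1a97caba8f205acdc978b43c38337c5e1d24c750ed38f842",
    "sha3_384": "09023fbbf3c4c387ed6fd1afdd8b9330691fafce6911f9c7c9f6529d4ed5310f0182c9e68323f27badce2fece425a4c9",
}
EXPECTED_SIZE = 312320  # "File size: 312,320 bytes" in the entry


def compute_hashes(data: bytes) -> Dict[str, str]:
    """Return lowercase hex digests for the four algorithms MalwareBazaar lists."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def verify_sample(data: bytes, expected: Dict[str, str],
                  expected_size: Optional[int] = None) -> Dict[str, bool]:
    """Compare each listed digest (and optionally the size) against the data.

    Only the algorithms present in `expected` are checked, so a partial
    indicator set (e.g. SHA256 only) works too. Expected digests are
    normalised to lowercase because some sources publish uppercase hex.
    hmac.compare_digest is not needed for a local integrity check, but it is
    the right comparison habit for digests.
    """
    actual = compute_hashes(data)
    result = {
        name: hmac.compare_digest(actual[name], digest.strip().lower())
        for name, digest in expected.items()
    }
    if expected_size is not None:
        result["size"] = len(data) == expected_size
    return result


def all_match(data: bytes, expected: Dict[str, str],
              expected_size: Optional[int] = None) -> bool:
    """True only if every checked digest (and the size, if given) matches."""
    return all(verify_sample(data, expected, expected_size).values())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        # Constructed stand-in so the script runs without the real sample;
        # it fails verification against EXPECTED, which is the correct outcome.
        blob = b"MZ" + b"\x00" * 62 + b"this is not the real sample"
    report = verify_sample(blob, EXPECTED, EXPECTED_SIZE)
    for name, ok in report.items():
        print(f"{name:9s} {'OK' if ok else 'MISMATCH'}")
    sys.exit(0 if all(report.values()) else 1)
```

Run it as `python verify_sample.py eeca9de523e012e69cf3139f7f6b4b04.exe` after extracting the ZIP; a non-zero exit means at least one digest or the size disagrees with the entry, and the file should not be treated as this sample.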

Intelligence

File Origin
# of uploads: 1
# of downloads: 217
Origin country: NL

Vendor Threat Intelligence

Result
Malware family: n/a
ID: 1
File name: eeca9de523e012e69cf3139f7f6b4b04.exe
Verdict: Malicious activity
Analysis date: 2023-04-19 17:19:16 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Clean
Behaviour
Searching for the window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending an HTTP GET request
Sending a custom TCP request

Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour
SystemUptime
MeasuringTime
CPUID_Instruction
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Generic Malware
Verdict: Malicious

Result
Detection: malicious
Classification: troj.evad
Score: 96/100
Behaviour
Behavior Graph: n/a

Threat name: Win32.Trojan.Amadey
Status: Malicious
First seen: 2023-04-19 09:18:55 UTC
File Type: PE (Exe)
Extracted files: 24
AV detection: 21 of 24 (87.50%)
Threat level: 5/5

Result
Malware family: gcleaner
Score: 10/10
Tags: family:gcleaner loader
Behaviour
Program crash
Downloads MZ/PE file

Malware Config (GCleaner)
C2 Extraction:
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75

Note that the vendor results above do not agree on a family name: one names Win32.Trojan.Amadey, another gcleaner, and the YARA detections on the unpacked payload below hit both Nymaim and GCleaner rules. The Signature field at the top of the entry reflects the GCleaner classification; treat the four C2 addresses as the most actionable indicators regardless of naming.
Unpacked files

SHA256 hash: 100fe6851f1f743c9abaa108b5cd19367f7b56bca54ab80699da04da34a75b40
MD5 hash: b625fddb905b3328a712cd39d26c4a05
SHA1 hash: 4e6af66ab9738b32f703dba5f971bc4c4acdd7eb
Detections: Nymaim win_nymaim_g0 win_gcleaner_w0 win_gcleaner_auto
Parent samples:
f1bcd722667511c3dbc6333ea198d2aacbac786495b507984ff1d0089071e174
4fcfd3b7154bfce760b51d76b2512e1f94fe166c10423cfaa282a91207f27993
3ce8151f750a8b4153accfec20ebff244d462ffd5ed1efbd7ad9b8a868e79015
da639a877dc33fe3de6d5a0488918748a75c674e1b2e20cfc87b79c4723df3b4
fb8edf41ac89e97ac2b214457af0bcb145d587b3a2a52bd703e2501e19aa4c6d
f8c69037e2121108936e7db81791bf7bfc0b627c4f01a2429afde9419e731b48
a6fa889d4997e972e3ad726d36a7546066acf63cf097856062aa644eddd0c7d3
782f9a51fd468803f5f5a43120181580c5ea565c450bb4d291d6cb4eacfbec19
8242ec76a68c23f1395728dfad8eb6449e49b2c5d5cdb67229b9d2dbd8894503
f84c4757e5e61e1d8d66303d5b91944726caa1b0f209c56d36b17957e6a6a884
f4566e61a5e837646a63aa00784e895d353f051013f30a00bf0d6838af7addf1
b00428cb1958bb18fba9e688e1ea13138de89195fe10e98524891d309f4ab47a
be6b59ebb78eae90d730fe77a0cbb28eabf28e19856307134ff892f595d496dd
6e8d47ab5cc60a8ef448fc3fbf1b5545a6fa29e06560ca5a4d8fa25f244d0548
82ee67c2a16400be3102e0c51138cc29118eaabcf1af2ecb6282ef79c4e1cb78
73d52a0e2acc955318c84f67c8f83b04c0e0455031d11e29fabbfd52b09d3771
01050a830b3288b3e4ab09e7e669bdd0ef039520e3ce2f16b3b7c7a9f7c39696
45b5b4972cd637a4b69b650a10e956a8071a46784429d7434b226675bf72a21a
71dfa64187315a09becab456d32e70e43ae68afbff5a601a9227089241b9c460
d3148cbb2b5663ac590670892f28fd4207c978f0aaadfef5024fe04727cb6378
d6e595778c9ee6696003c13a4c6545818035e593e8ebab769e74e103c18014e2
fcab2c1dee3d1b9f248c302758c568afd50adedf778c8deed27ef00c0ee217f2
e28224f0ffce7cf0069c41321c3b162a3c7fe53f4d6875a61ecf846bf30c1ee4
cf2d284d8055d732d087c1c9fe1dc69e6165cb5bee28c048a2752ba71ea8b24f
89bdac2cfc9747cc5d7d01272dac3f58a4e0ec56a6afbe2acac32f702840d51f
5559d3e43563d36e1a97caba8f205acdc978b43c38337c5e1d24c750ed38f842
341c70ac74087e45fe53487b959dfb0fc7777f276b95831aa0756e7d7f132300
274cb95b917882e4392516f6f78c12bf63eb96de873984d048d79a7a58823348
5c3e93d0d5cdec0c69be6c16345b484363b92204dbae3e9f2617ceb398a6b084
5df5d338fcd2cf967c08d5d50aef81f7e27ae868b94f1d0d8bf1aeee86fdcda3
8e32b2687a885a24983a14bf0ad0408bdd972b2c6bc8baee21b61dacaf6627d5
bc5de7ed331b9ff5f10a4f73dc79b99622410930fab1b76340505a150ff4877c
1eaae4ab4338872748b06dfde87deede2e51e7fe3528e9bfd15d4d6154a212c9

SHA256 hash: 5559d3e43563d36e1a97caba8f205acdc978b43c38337c5e1d24c750ed38f842
MD5 hash: eeca9de523e012e69cf3139f7f6b4b04
SHA1 hash: 635a50eaafa81e2c19d07542b32800eda3a2b1ca

Please note that we are no longer able to provide a coverage score for VirusTotal.
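The entry gives two kinds of indicators worth sweeping for: the four C2 addresses from the extracted GCleaner config, and the SHA256/SHA1/MD5 digests of the sample and of its unpacked payload. The script below is an added example, not MalwareBazaar's code, that scans log lines for both. The log lines in `SAMPLE_LOG` are constructed for the demonstration; the IOC values are copied from the entry. Flagging other hosts in 45.12.253.0/24 as a low-confidence "same netblock" hit is an assumption made here because all four C2s fall in that /24, not something the entry states; drop `C2_NETS` if that is too noisy for your environment.

```python
"""Sweep log lines for the C2 addresses and file hashes in this MalwareBazaar entry.

Added example (not from the MalwareBazaar page); standard library only.
C2_IPS and HASHES are copied from the entry. C2_NETS (the /24 around each C2)
is an assumption made for a weaker, separately labelled indicator.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# C2 addresses from the extracted GCleaner config.
C2_IPS = {"45.12.253.56", "45.12.253.72", "45.12.253.98", "45.12.253.75"}

# Digests of the sample and of the unpacked payload (lowercase hex).
HASHES = {
    "5559d3e43563d36e1a97caba8f205acdc978b43c38337c5e1d24c750ed38f842",  # sample SHA256
    "635a50eaafa81e2c19d07542b32800eda3a2b1ca",                          # sample SHA1
    "eeca9de523e012e69cf3139f7f6b4b04",                                  # sample MD5
    "100fe6851f1f743c9abaa108b5cd19367f7b56bca54ab80699da04da34a75b40",  # unpacked SHA256
    "4e6af66ab9738b32f703dba5f971bc4c4acdd7eb",                          # unpacked SHA1
    "b625fddb905b3328a712cd39d26c4a05",                                  # unpacked MD5
}

# Assumption (not from the entry): all four C2s share a /24, so treat the
# rest of that netblock as a low-confidence indicator.
C2_NETS = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in C2_IPS}

# Dotted quads not embedded in a longer dotted/numeric run (avoids timestamps, versions).
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# 64-, 40- or 32-hex-character tokens (SHA256, SHA1, MD5); longest alternative first.
HEX_RE = re.compile(r"\b[0-9a-fA-F]{64}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{32}\b")

# Constructed log lines for the demonstration (proxy, firewall, EDR and DNS styles).
SAMPLE_LOG = [
    "2023-04-19T16:05:12Z proxy src=10.0.4.23 dst=45.12.253.56:80 method=GET uri=/ ua=Mozilla/4.0",
    "2023-04-19T16:05:13Z fw allow 10.0.4.23 -> 45.12.253.10:443 tcp",
    "2023-04-19T16:06:40Z edr host=WS-0423 proc=eeca9de523e012e69cf3139f7f6b4b04.exe sha256=5559d3e43563d36e1a97caba8f205acdc978b43c38337c5e1d24c750ed38f842",
    "2023-04-19T16:07:02Z edr host=WS-0423 dropped=C:\\Users\\Public\\x.exe sha256=100fe6851f1f743c9abaa108b5cd19367f7b56bca54ab80699da04da34a75b40",
    "2023-04-19T16:07:05Z dns 10.0.4.23 query=www.example.com answer=93.184.216.34",
]


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (kind, value) hits for one log line.

    kind is 'c2_ip' for an exact C2 match, 'c2_netblock' for another host in
    one of the assumed C2 /24s, or 'hash' for a listed digest.
    """
    hits: List[Tuple[str, str]] = []
    for ip in IPV4_RE.findall(line):
        if ip in C2_IPS:
            hits.append(("c2_ip", ip))
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:          # e.g. an octet above 255
            continue
        if any(addr in net for net in C2_NETS):
            hits.append(("c2_netblock", ip))
    for token in HEX_RE.findall(line):
        if token.lower() in HASHES:
            hits.append(("hash", token.lower()))
    return hits


def sweep(lines: Iterable[str]) -> Dict[int, List[Tuple[str, str]]]:
    """Map 1-based line numbers to their hits; lines without hits are omitted."""
    found: Dict[int, List[Tuple[str, str]]] = {}
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            found[number] = hits
    return found


if __name__ == "__main__":
    for number, hits in sweep(SAMPLE_LOG).items():
        for kind, value in hits:
            print(f"line {number}: {kind} {value}")
```

On the constructed lines this reports an exact C2 hit on line 1, a netblock-only hit on line 2, and hash hits on lines 3 and 4 (the MD5 appears as the executable's file name, which is how this sample was uploaded); the DNS line produces nothing. Feed real logs with `sweep(open(path))`.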

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


This section lists additional information about the sample, such as delivery method and external references, where any has been recorded.
