MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55bfc4f6664eeab47ac132a9bebc81232c64ce420e44e1192cff4fdcacc91cae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 16



SHA256 hash: 55bfc4f6664eeab47ac132a9bebc81232c64ce420e44e1192cff4fdcacc91cae
SHA3-384 hash: c94799ea7ab22ab418fd932e08e22b5d211e6d7351dc831e652c853caa9e035a531d878940c869fed465421a43278f37
SHA1 hash: ee00902c2e22797c3d08c237a6fe350c5a142031
MD5 hash: 914e64cc166a58194817c112a6919c52
humanhash: pennsylvania-magnesium-lamp-nebraska
File name: 914e64cc166a58194817c112a6919c52
Signature: GCleaner
File size: 358'400 bytes
First seen: 2024-05-29 12:56:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b3f7368a77856522320ff0e8d452c570 (1 x GCleaner)
ssdeep: 6144:E8i8e6PhdPBQ5WtErlFdlivZpQjrBIviyWK28numh:PHeYe5WelDoC1a
TLSH: T16A744903A2E07C54EE254B72DE1EC6E8665EBD308FB9676E3248BB2F0573172C522711
TrID:
  46.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
  25.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  8.5% (.EXE) Win64 Executable (generic) (10523/12/4)
  5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: 00c8c8b0dce97284 (2 x GCleaner)
Reporter: zbetcheckin
Tags: 32 exe gcleaner

Intelligence

File Origin
# of uploads: 1
# of downloads: 367
Origin country: FR
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 55bfc4f6664eeab47ac132a9bebc81232c64ce420e44e1192cff4fdcacc91cae.exe
Verdict: Malicious activity
Analysis date: 2024-05-29 13:02:09 UTC
Tags: gcleaner loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 92.5%
Tags: Network Stealth Xpack
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: fingerprint packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: GCleaner, Nymaim
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected GCleaner
Yara detected Nymaim
Behaviour
Behavior Graph (ID 1448965; sample jyfRUPloEf.exe; start date 29/05/2024; architecture WINDOWS; score 100): the sample contacts 185.172.128.69 and 185.172.128.90:80 (NADYMSS-ASRU, Russian Federation); signatures on the root node include "Found malware configuration", "Malicious sample detected (through community Yara rule)", "Antivirus detection for URL or domain" and 6 others. jyfRUPloEf.exe is flagged for "Detected unpacking (changes PE section rights)" and "Detected unpacking (overwrites its own PE header)", and starts cmd.exe (which in turn starts conhost.exe and taskkill.exe), two WerFault.exe instances and 8 other processes.
Threat name: Win32.Trojan.Smokeloader
Status: Malicious
First seen: 2024-05-29 12:57:09 UTC
File Type: PE (Exe)
Extracted files: 53
AV detection: 19 of 24 (79.17%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: gcleaner
Score: 10/10
Tags: family:gcleaner loader
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Deletes itself
Loads dropped DLL
Downloads MZ/PE file
GCleaner
Malware Config
C2 Extraction:
185.172.128.90
5.42.64.56
185.172.128.69
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: ccd0c8b308f9160431acaba610ac55f83e5ae230fb8c5864718fd902fad6c11c
MD5 hash: 8451e20d9b36d937ce791ce9c815f971
SHA1 hash: 9c85fc81958314d1b6916530a52c03660369c597
Detections: GCleaner win_gcleaner_auto
Parent samples:
SHA256 hash: 55bfc4f6664eeab47ac132a9bebc81232c64ce420e44e1192cff4fdcacc91cae
MD5 hash: 914e64cc166a58194817c112a6919c52
SHA1 hash: ee00902c2e22797c3d08c237a6fe350c5a142031
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Check_OutputDebugStringA_iat

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: Windows_Trojan_Generic_2993e5a5
Author: Elastic Security

Rule name: win_gcleaner_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.gcleaner.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
GCleaner
Executable exe 55bfc4f6664eeab47ac132a9bebc81232c64ce420e44e1192cff4fdcacc91cae (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetStartupInfoA, KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleOutputA, KERNEL32.dll::WriteConsoleA, KERNEL32.dll::WriteConsoleW, KERNEL32.dll::SetConsoleMode, KERNEL32.dll::SetConsoleTitleA, KERNEL32.dll::SetStdHandle
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateFileA, KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_API | Retrieves Account Information | KERNEL32.dll::GetComputerNameW

Comments

zbet commented on 2024-05-29 12:56:24 UTC

url : hxxp://jobs-servers.com/batushka/univ.exe