MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 589f9841822ba66abe4cf94fc3f104307d13014de6d3ed4bc507873fe0653e2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 17

SHA256 hash: 589f9841822ba66abe4cf94fc3f104307d13014de6d3ed4bc507873fe0653e2e
SHA3-384 hash: 2858df28dc952a30601b3882a38ac8ef16ea414bd03053b21ffb34ac446b35ba315880ad4f53f57ab7eefd85d3bf9fa9
SHA1 hash: e36627f6faaee192a2ab8f4d6e7ccad03409e306
MD5 hash: b59c8093621b9d5b5ad1905fab5aee00
humanhash: lithium-fanta-pluto-violet
File name: b59c8093621b9d5b5ad1905fab5aee00
Signature: GCleaner
File size: 311'296 bytes
First seen: 2023-07-08 06:10:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a05021a5e6a8299dae264887f82f8054 (2 x Glupteba, 2 x Stealc, 1 x GCleaner)
ssdeep: 6144:i083LPjsNIaUNNsEdX/k5+qgRxx4xwdmJLaTZoA:N837js+bjX4SD4i0KKA
Threatray: 58 similar samples on MalwareBazaar
TLSH: T12B64CF437594BC61E9655B32CE3EC2E8366EF511CE487B4632A87F6F29712B1E232341
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 33f0e8e8e8c0e969 (1 x GCleaner)
Reporter: zbetcheckin
Tags: 32 exe gcleaner

Intelligence

File Origin
# of uploads: 1
# of downloads: 318
Origin country: FR
Vendor Threat Intelligence

Malware family:
ID: 1
File name: 28061b2c108210de2371acc68083ea74.exe
Verdict: Malicious activity
Analysis date: 2023-07-08 04:50:39 UTC
Tags: loader smoke trojan opendir amadey stealer vidar rat redline ransomware stop arkei miner

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour:
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Launching a tool to kill processes
Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour:
MalwareBazaar
SystemUptime
MeasuringTime
CPUID_Instruction
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 86%
Tags: greyware packed xpack
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2023-07-06 21:27:09 UTC
File Type: PE (Exe)
Extracted files: 38
AV detection: 28 of 38 (73.68%)
Threat level: 5/5
Result
Malware family: gcleaner
Score: 10/10
Tags: family:gcleaner loader
Behaviour:
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Deletes itself

GCleaner
Malware Config
C2 Extraction:
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
GCleaner
Executable exe 589f9841822ba66abe4cf94fc3f104307d13014de6d3ed4bc507873fe0653e2e (this sample)

Delivery method: Distributed via web download

Comments

zbet commented on 2023-07-08 06:10:18 UTC

url : hxxp://45.9.74.80/offer/setup.exe