MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59120af2ca9c8bc1176a4dc543135c7f0629682d73cb086c97117befa7003388. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 13



SHA256 hash: 59120af2ca9c8bc1176a4dc543135c7f0629682d73cb086c97117befa7003388
SHA3-384 hash: 48eae1fca6b6aba6a2df2c6d02ae4adfba8bc5f9cca077358be4f0a2588d05b23139bf901cac5bb92f85adba0d8dda32
SHA1 hash: 41300141ba3cfdb0e31249b3ced7c6db25e49e29
MD5 hash: b0de949e57e5e4b2498c0a3f4932377d
humanhash: pip-massachusetts-queen-autumn
File name: b0de949e57e5e4b2498c0a3f4932377d.exe
Signature: GCleaner
File size: 7'267'374 bytes
First seen: 2022-01-30 06:46:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:JeaZ6eEHgrvBrMiVIE4wk24O/brr5O3WMjP1hgdehgpd4gCRBvTK1C+zUHt:JeaKAr3VhrH4ubr9ijD1Ha4gxAt
TLSH: T1D376334C6BA68945C6D616B24D1CC93F49BEC0E04B49D6ED3DBC1A68DF22E38817E3C5
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe gcleaner


abuse_ch
GCleaner C2:
157.90.17.156:56409

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      ThreatFox Reference
157.90.17.156:56409      https://threatfox.abuse.ch/ioc/366514/
92.255.57.115:11841      https://threatfox.abuse.ch/ioc/366527/

Intelligence


File Origin
# of uploads: 1
# of downloads: 243
Origin country: n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b0de949e57e5e4b2498c0a3f4932377d.exe
Verdict:
No threats detected
Analysis date:
2022-01-30 06:56:21 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
DNS request
Running batch commands
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Creating a window
Searching for analyzing tools
Searching for synchronization primitives
Creating a process with a hidden window
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Launching a tool to kill processes
Result
Malware family:
n/a
Score:
5/10
Tags:
n/a
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
SmokeLoader Socelars onlyLogger
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Disables Windows Defender (via service or powershell)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides threads from debuggers
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by executing a special instruction which causes a usermode exception
Yara detected onlyLogger
Yara detected SmokeLoader
Yara detected Socelars
Yara Genericmalware
Behaviour
Behavior Graph:
Behavior Graph ID: 562788
Sample: LlgtTPbJKz.exe
Start date: 30/01/2022
Architecture: WINDOWS
Score: 100

Process tree and per-node findings (rebuilt from the graph's node and edge labels):

Start
  Network: ip-api.com 208.95.112.1, 49778, 80 (TUT-ASUS, United States)
  Network: signaturebusinesspark.com 103.211.216.223, 443, 49781, 49835 (PUBLIC-DOMAIN-REGISTRYUS, Seychelles)
  Network: 10 other IPs or domains
  Signature: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  Signature: Malicious sample detected (through community Yara rule)
  Signature: Antivirus detection for URL or domain
  Signature: 15 other signatures
  started: LlgtTPbJKz.exe
    dropped: C:\Users\user\AppData\...\setup_installer.exe, PE32
    started: setup_installer.exe
      dropped: C:\Users\user\AppData\...\setup_install.exe, PE32
      dropped: C:\Users\...\61f2bbb897cf0_Thu15f8e9a28.exe, PE32+
      dropped: C:\...\61f2bbb6f211a_Thu1533a073bc8f.exe, PE32
      dropped: 18 other files (11 malicious)
      started: setup_install.exe
        Network: hornygl.xyz 104.21.37.14, 49772, 80 (CLOUDFLARENETUS, United States)
        Network: 127.0.0.1 (unknown, unknown)
        Signature: Performs DNS queries to domains with low reputation
        Signature: Disables Windows Defender (via service or powershell)
        started: cmd.exe
          started: 61f2bbab823cf_Thu15458b747068.exe
            Network: presstheme.me 104.21.76.213, 443, 49827 (CLOUDFLARENETUS, United States)
            Signature: Multi AV Scanner detection for dropped file
            Signature: Detected unpacking (creates a PE file in dynamic memory)
            Signature: Tries to detect sandboxes and other dynamic analysis tools (window names)
            Signature: 2 other signatures
        started: cmd.exe
          started: 61f2bba949ea5_Thu1583b6f1c.exe
            Network: appwebstat.biz 176.123.1.95, 443, 49763, 49764 (ALEXHOSTMD, Moldova, Republic of)
            Signature: Detected unpacking (changes PE section rights)
            Signature: Detected unpacking (overwrites its own PE header)
            Signature: Machine Learning detection for dropped file
            Signature: Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
        started: cmd.exe
          started: 61f2bbaa62609_Thu15edd897.exe
            Signature: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
            Signature: Maps a DLL or memory area into another process
            Signature: Checks if the current machine is a virtual machine (disk enumeration)
        5 other processes
          Signature: Disables Windows Defender (via service or powershell)
          started: 61f2bba7cd69d_Thu15d788c36.exe
            Network: iplogger.org 148.251.234.83, 443, 49765, 49775 (HETZNER-ASDE, Germany)
            Network: www.listincode.com 149.28.253.196, 443, 49762 (AS-CHOOPAUS, United States)
            Signature: Antivirus detection for dropped file
            Signature: May check the online IP address of the machine
          started: 61f2bbad0809d_Thu15a495c148.exe
            dropped: C:\Users\user\AppData\Local\...\sGegPVUi.cpl, PE32
          started: powershell.exe
Threat name:
Win32.Trojan.Jaik
Status:
Malicious
First seen:
2022-01-28 10:21:49 UTC
File Type:
PE (Exe)
Extracted files:
382
AV detection:
21 of 28 (75.00%)
Threat level:
5/5
Verdict:
malicious
Result
Malware family:
socelars
Score:
10/10
Tags:
family:onlylogger family:redline family:smokeloader family:socelars botnet:20kprofessor2 botnet:media262231 aspackv2 backdoor discovery infostealer loader persistence spyware stealer trojan upx
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Enumerates processes with tasklist
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
OnlyLogger Payload
OnlyLogger
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
http://www.anquyebt.com/
http://host-data-coin-11.com/
http://file-coin-host-12.com/
157.90.17.156:56409
92.255.57.115:11841
Unpacked files
SHA256 hash:
245a869dc8a9bcb2190b5da3ea234740d79798385784e8db7aa3f2d2745192aa
MD5 hash:
4f93004835598b36011104e6f25dbdba
SHA1 hash:
6cb45092356c54f68d26f959e4a05ce80ef28483
SHA256 hash:
565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c
MD5 hash:
83b531c1515044f8241cd9627fbfbe86
SHA1 hash:
d2f7096e18531abb963fc9af7ecc543641570ac8
SHA256 hash:
a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash:
6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash:
603a36f817cab5574e58ab279379e5c112e5fb37
SHA256 hash:
6460754c17ab602b0ddfd2a82e637748b4a54139f6dbefa848ff01722a077acc
MD5 hash:
64638fe3e9d9acbcfe027bac3d0a7fab
SHA1 hash:
ff0d35497c4d6676a01a57db299df9847b382126
SHA256 hash:
a6c25d3ee591dc6cebf7bfc659f154eb64a421b7500e2a57600da326b357510c
MD5 hash:
302e6d97aa89c215aa7ae5b7bff8ae52
SHA1 hash:
e87e004c0844be50dd7f52d784f9ba39104eff36
SHA256 hash:
526e5e6a81cacac90e253d142148ac1a67e07a29638d6c73fc02474c858185c4
MD5 hash:
01bd1309eed86d4c2f91e22e3904ba1e
SHA1 hash:
d64c21e98ab7bd00b7f767e4b4b308eeb59bdc12
SHA256 hash:
758be7c5d90bc3bd370c59e98a99cc61399f848e153e17f09b48196d84eed2d2
MD5 hash:
eb018c8365790a362d09242104cb40ab
SHA1 hash:
c7e82c7b0ad7ca20eb2fba4a47376035d66c5a9d
SHA256 hash:
0fab67787a4569600c6c645abd29325b9d07c19c2e525d871a573b9ec9dc06c3
MD5 hash:
4ffcd5b3bcb1d9b12039bdbf613e34a3
SHA1 hash:
8c700964090382f9289231a1ff2d6f29f17f7e83
SHA256 hash:
f60816afc4878a48da64d9c56029fdd1192dc5e30fd3b84f0736e02ea1279ce4
MD5 hash:
919f7ffad4526c4744d5ff749a71c95c
SHA1 hash:
8903a8bc8051c2bfb2d570ab420b1913af5f9c7f
SHA256 hash:
f407ce2cbac65d2ddfef8acc60173f74753daf4e10217441d6ae4d50f056e300
MD5 hash:
44515fdf83a273fc66ef8575070541bf
SHA1 hash:
36c003d74777af2a97332feda01060d41d1157f4
SHA256 hash:
94841e4abeaf7130b13bef19814d9fb2cd9125580e1ae8719bf35c073aac74f8
MD5 hash:
2acdea2a3aca1a4ded30b3fee71386f1
SHA1 hash:
2fd419091225be290e5f49bbdb5f5da6ed060083
SHA256 hash:
4795816f6329a5da74a993e101b3b40f65fa1d8371bb328ef8184b37a7ea61a4
MD5 hash:
7b17f8f82bd57062bf36de9f0c41be8a
SHA1 hash:
1bd8773da3966d9fe48947f317d5a21fc1b9d3bc
SHA256 hash:
e2beaf61ef8408e20b5dd05ffab6e1a62774088b3acdebd834f51d77f9824112
MD5 hash:
ce54b9287c3e4b5733035d0be085d989
SHA1 hash:
07a17e423bf89d9b056562d822a8f651aeb33c96
SHA256 hash:
06d8294720be7342d4e6ea124b4ef0425727d55648db7c7220513b2d6e0c5f05
MD5 hash:
cdf00253597651ddbd7c319d0685ff46
SHA1 hash:
c10b20ed8d410c17c5396da6de3cdcd1c0ba9e98
SHA256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
SHA256 hash:
9912e7f9e9c18f46e965ca48ed65de8a28de7d301336500aaa5fd461e948822f
MD5 hash:
32404da1b26037746f9bf0d5628ea968
SHA1 hash:
8d2bf53983638235d5cc2f81171839801ba02e84
SHA256 hash:
069478bbcf2ba6bcb947cec42c8bea85ea93c86fa7ccc985f58ef29b876263a7
MD5 hash:
8562f4d1a71bffd7cdeb6dd49ce319f2
SHA1 hash:
79a943d4b30ec898bc3bdf5d54aa7d1625d67b02
SHA256 hash:
0f5ad273fafb773ad300dba3977d9666221961f41eeb5b84476defb51bc8249e
MD5 hash:
7e5267cad327d67f272ff4bdbe82d4cb
SHA1 hash:
b483b6c78b15945a0337cb5d41865e2ae3f05a92
SHA256 hash:
1705e430fd1b69cbf7fe8b9ab7072df9c3457b851e618a2fcb1b1a18542cf7c7
MD5 hash:
e207f03d5bc275ac5c7de02289250392
SHA1 hash:
52df3a7ea7018fd2c119ee2059f9f7aac320a647
SHA256 hash:
b7965094eabc56411a9c68fc533166bba12ba0758900261b34af1d953e3d2711
MD5 hash:
337b9e0f2baa9463a97b757920310413
SHA1 hash:
d7e955d1f7b50c947d3ee1211c89053ec6e95523
SHA256 hash:
f0ccfc55beb87bb4597bc12149e59c6de850d331e40460691f18ff4ff0d93084
MD5 hash:
5bacc83d2458c3e04d5717f8595bbf92
SHA1 hash:
28f2725f1632d827ad4b146c24824a6e102ae0cb
SHA256 hash:
4fa98bde660123b9eec1e51a9a2e5486323c414188df1b918a2ee87459dc6671
MD5 hash:
3b8f87b845ba59dc4f5c9088a17df12a
SHA1 hash:
7acff703f609da1baa6d81573a981202000b7ed9
SHA256 hash:
ee5a770238ddd63fc797d34f6eae5e795fd00f61403a109e5e41fab2478c79ef
MD5 hash:
a98f8a3de11839127a7ebd2c4a39a6ee
SHA1 hash:
4004403e369f7ac08952d8b7e7c2b8fd5e44e4b1
SHA256 hash:
d67804b100008e415f1affa003e6afc6460556e0a928af8ac910949dac38a74e
MD5 hash:
207cc3f6aafd2aa5bd534416b8fe62f7
SHA1 hash:
5c87fbd618b75fc15802c09f4242c1a70d505c22
SHA256 hash:
eb8f585e98c25413c6d2da7dbac862891b1a610f61d2ba201ae68168843baece
MD5 hash:
2973dfed48c5bf946d5997d1e3dbf86a
SHA1 hash:
d801b96193315e57324163f9149c273d8c282fe1
SHA256 hash:
3b63c0741d882a8695c976fb2079786e94674188452b3a7d812eeab9bea56e4d
MD5 hash:
bf22904c58a7aa070af53ad990a4428d
SHA1 hash:
158d67b75046c02fbddd6f15164f203de3703ae8
SHA256 hash:
59120af2ca9c8bc1176a4dc543135c7f0629682d73cb086c97117befa7003388
MD5 hash:
b0de949e57e5e4b2498c0a3f4932377d
SHA1 hash:
41300141ba3cfdb0e31249b3ced7c6db25e49e29
Malware family:
SmokeLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments