MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 593d376336bb37228ecd2b7c5d46a2ef965c04f33df04d295d752c6f62ab1ab8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 593d376336bb37228ecd2b7c5d46a2ef965c04f33df04d295d752c6f62ab1ab8
SHA3-384 hash: 9c0dc2e34f3bd347618555e671980362078fe9e4183cad6be27944280a9b72f6107f7baae5b80ca8591de080a006acf7
SHA1 hash: d9b1ab156bf0ecbf8d8fa4a3210028164d54e2e3
MD5 hash: 2ff9904c56a056f3477a088bf89a3f5c
humanhash: oscar-fanta-mountain-ack
File name:593D376336BB37228ECD2B7C5D46A2EF965C04F33DF04.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:4'977'770 bytes
First seen:2021-11-06 12:16:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:ya2b6zhyS9+iP+BJoneHwhrcqxejahSuM5zb93PRhdHsrJQoFdAFm:y/OV9jyqnfrLxejjuC1jmrNdAs
TLSH T17F3633308F60F663F73736B20B30186BF5A65A9E18209B7B176DD98139B03153A9D363
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe gcleaner


Avatar
abuse_ch
GCleaner C2:
95.181.152.143:51416

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
95.181.152.143:51416 https://threatfox.abuse.ch/ioc/244620/

Intelligence

File Origin
# of uploads :
1
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/202923/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.Socelars-9901323-1
Create hunting rule

Win.Packed.Socelars-9901325-1
Create hunting rule

Win.Packed.Socelars-9901373-1
Create hunting rule

Win.Malware.Socelars-9901376-1
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys mokes overlay packed
Link:
https://www.filescan.io/uploads/6186724043a4f7480911311f/reports/bc0755cb-831d-4313-926d-f5931b563935/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1aafb580-ef72-412e-8ff9-74ed79e8ead3
Result
Threat name:
RedLine SmokeLoader Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/884530
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates processes via WMI
Disable Windows Defender real time protection (registry)
Downloads files with wrong headers with respect to MIME Content-Type
Found C&C like URL pattern
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 516985 Sample: 593D376336BB37228ECD2B7C5D4... Startdate: 06/11/2021 Architecture: WINDOWS Score: 100 79 ip-api.com 208.95.112.1, 49773, 80 TUT-ASUS United States 2->79 81 85.143.175.87 TRADERSOFTRU Russian Federation 2->81 83 17 other IPs or domains 2->83 123 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->123 125 Antivirus detection for URL or domain 2->125 127 Antivirus detection for dropped file 2->127 129 24 other signatures 2->129 11 593D376336BB37228ECD2B7C5D46A2EF965C04F33DF04.exe 10 2->11         started        signatures3 process4 file5 57 C:\Users\user\AppData\...\setup_installer.exe, PE32 11->57 dropped 14 setup_installer.exe 22 11->14         started        process6 file7 59 C:\Users\user\AppData\...\setup_install.exe, PE32 14->59 dropped 61 C:\Users\user\...\Tue23f395dd12d26d.exe, PE32 14->61 dropped 63 C:\Users\user\...\Tue23e65df79a3126.exe, PE32 14->63 dropped 65 17 other files (12 malicious) 14->65 dropped 17 setup_install.exe 1 14->17         started        process8 dnsIp9 75 127.0.0.1 unknown unknown 17->75 77 hsiens.xyz 17->77 119 Performs DNS queries to domains with low reputation 17->119 121 Adds a directory exclusion to Windows Defender 17->121 21 cmd.exe 1 17->21         started        23 cmd.exe 1 17->23         started        25 cmd.exe 17->25         started        27 7 other processes 17->27 signatures10 process11 signatures12 30 Tue23f395dd12d26d.exe 4 18 21->30         started        35 Tue2353afa968c87.exe 2 23->35         started        37 Tue235814b44b8538e78.exe 25->37         started        131 Adds a directory exclusion to Windows Defender 27->131 39 Tue237e27b413f.exe 4 27->39         started        41 Tue2382b9e8812ef8f.exe 27->41         started        43 Tue233b3ceac91.exe 27->43         started        45 2 other processes 27->45 process13 dnsIp14 85 212.192.241.15, 49750, 49757, 49777 RAPMSB-ASRU Russian Federation 30->85 87 ipinfo.io 34.117.59.81, 443, 49756 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 30->87 95 3 other IPs or domains 30->95 67 C:\Users\user\...67iceProcessX64[1].bmp, PE32+ 30->67 dropped 69 C:\Users\...\WVg5GdY8IyOITmErSg7UCBro.exe, PE32+ 30->69 dropped 103 Antivirus detection for dropped file 30->103 105 May check the online IP address of the machine 30->105 107 Machine Learning detection for dropped file 30->107 117 2 other signatures 30->117 71 C:\Users\user\...\Tue2353afa968c87.tmp, PE32 35->71 dropped 109 Multi AV Scanner detection for dropped file 35->109 111 Obfuscated command line found 35->111 47 Tue2353afa968c87.tmp 35->47         started        113 Sample uses process hollowing technique 37->113 89 t.gogamec.com 172.67.204.112, 443, 49758, 49767 CLOUDFLARENETUS United States 39->89 73 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 39->73 dropped 115 Creates processes via WMI 39->115 91 65.108.20.195 ALABANZA-BALTUS United States 41->91 93 premium-s0ftwar3875.bar 35.205.61.67, 443, 49769 GOOGLEUS United States 45->93 97 2 other IPs or domains 45->97 file15 signatures16 process17 dnsIp18 99 safialinks.com 47->99 101 best-link-app.com 47->101 51 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 47->51 dropped 53 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 47->53 dropped 55 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 47->55 dropped file19
Detection:
vidar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/593d376336bb37228ecd2b7c5d46a2ef965c04f33df04d295d752c6f62ab1ab8/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-30 07:10:00 UTC
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=le6toyzwxm3sfdwnfn6f2rvc56lfybhthxye2kk5ouwg6yvldk4a._file
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:ani botnet:jamesoldd botnet:media28 aspackv2 backdoor evasion infostealer spyware stealer suricata trojan
Link:
https://tria.ge/reports/211106-pf2daabfdr/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
https://mas.to/@bardak1ho
65.108.20.195:6774
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
45.142.215.47:27643
91.121.67.60:62102
Unpacked files
SH256 hash:
bc945e03237641e79cb1a9b5399fffafce68daa318430e959b701aa3f4628c05
MD5 hash:
5275ae278e347d83fb061a92e979fe86
SHA1 hash:
6c1118b87f366df72a25f1988f740ea6753984cd
Link:
https://www.unpac.me/results/dd27635a-eeea-4bd5-b4bb-7d8567e207e8/
SH256 hash:
cc40fc4502d705d9698fd9d9493efdd39f6fcd0f0e03678eef29773b80e51ff9
MD5 hash:
bf8b0c8e992a344ce312c8a939fa1c9e
SHA1 hash:
3e207a18a539ab6ec17737e6fe79562f59502718
Link:
https://www.unpac.me/results/dd27635a-eeea-4bd5-b4bb-7d8567e207e8/
SH256 hash:
2cf67278ce63932f7efabdee1be667555c408718fca6622de2456b8e59db69cf
MD5 hash:
7b9e5d37881a3e58e26e22c79de09d47
SHA1 hash:
0cf699c041c6f7ad485b77f25403776aab99c057
Link:
https://www.unpac.me/results/dd27635a-eeea-4bd5-b4bb-7d8567e207e8/
SH256 hash:
393447aa843f148cd22e887d1eda74062785f0b4a6f098fbcb0d024b5aa23e4e
MD5 hash:
07f99f9e2df157ae78339603186ac280
SHA1 hash:
cb295687ae130d85061676471abcaa5f60df4198
Link:
https://www.unpac.me/results/dd27635a-eeea-4bd5-b4bb-7d8567e207e8/
SH256 hash:
3fd064dfa5e9ef6016845046f35b05f1b619411f469ff7e60c49772162879419
MD5 hash:
2d484c4f2224af41c813a1769a103c7f
SHA1 hash:
53a2609394d73797578ce78e06e4d4857d1082e4
Link:
https://www.unpac.me/results/dd27635a-eeea-4bd5-b4bb-7d8567e207e8/
Parent samples :
cb7d7fe72bdc9b5c0da00a175ad4354037473b71f8a9fd763d798c84c44467c0
f9c9b3fbf4d11f96ff06fc8292d8c67ad6cf5432409754bbfc95c5c80e6b160d
SH256 hash:
cfac5d80e3cce0c9f2b7dc1b28605fbade1d5888d72880020d925b4e73217670
MD5 hash:
bd0ad3eb1f4af9f26a3a2a15318f0db4
SHA1 hash:
4ecb7d32e21d31784d5ccb56723cbf44f04902de
Link:
https://www.unpac.me/results/dd27635a-eeea-4bd5-b4bb-7d8567e207e8/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/dd27635a-eeea-4bd5-b4bb-7d8567e207e8/
SH256 hash:
bffb5e0da99f01972d746d4bf68765ca7db0fb32e598f8fd9a92e8389f321c1f
MD5 hash:
417411e71de543ffbe76242943ba5b90
SHA1 hash:
e50f45218c6d01cb67787add25491acfead007fa
Link:
https://www.unpac.me/results/dd27635a-eeea-4bd5-b4bb-7d8567e207e8/
SH256 hash:
e8e4cb96f958e7205a90052f13cdf0d63f0018345152eb4ef552b8d796481cee
MD5 hash:
57e3a53d7576635f94c0b7ea6b9fad43
SHA1 hash:
a43b28cd48d9efcbccc12ad2a644d6186acbd968
Link:
https://www.unpac.me/results/dd27635a-eeea-4bd5-b4bb-7d8567e207e8/
SH256 hash:
da0d092342b740d7b3944f2f432c0aa144ec2cac898f14448bc23da3c2539d39
MD5 hash:
15db3fdaf330504bc795c09bfdfe84d9
SHA1 hash:
9bf8a12427298e6f7b6957465a53060c3b0a1cf2
Link:
https://www.unpac.me/results/dd27635a-eeea-4bd5-b4bb-7d8567e207e8/
SH256 hash:
22d491f730beb8950a14775ce5e28b2884d1740bb3ca0e2d0db097bd957ff974
MD5 hash:
97e910d80fedbec70ba9ff148d483c0c
SHA1 hash:
84e5667f161a00ea090e69acaf9c70888f8903e8
Link:
https://www.unpac.me/results/dd27635a-eeea-4bd5-b4bb-7d8567e207e8/
SH256 hash:
384327781a03796184dadbc51af4b8eba3dcd6ae8f0d7f730fe814e8787b57a0
MD5 hash:
cc9a137c3dca9046fca7e44a7cc62708
SHA1 hash:
7b2b8596571e409fcea0559b1e78c097886eeeb4
Link:
https://www.unpac.me/results/dd27635a-eeea-4bd5-b4bb-7d8567e207e8/
SH256 hash:
0060425b0f242a5cc60c4879f31f8eece09987ddddd18f826bd2da68edd5c57e
MD5 hash:
879ca75cb32253b182661bd77dbb6b6b
SHA1 hash:
542c064030525e050e81acf1e53c05c7cf8f7856
Link:
https://www.unpac.me/results/dd27635a-eeea-4bd5-b4bb-7d8567e207e8/
SH256 hash:
109793a077940d6eac715ccda9d53100d7424980b52398dd3bb5259b6f2b10de
MD5 hash:
9256395d7acc4dbb8cbaa9b1f252adfc
SHA1 hash:
4c25407c506b160539b7092ae4afee078dfbc5f4
Link:
https://www.unpac.me/results/dd27635a-eeea-4bd5-b4bb-7d8567e207e8/
SH256 hash:
d7877200a20b58c5e7c06706da6318ba7cfed292f422520b79112bde18176d82
MD5 hash:
d1c082ef6cee273d5a2da3e41913607b
SHA1 hash:
49301fc32ef6aabe70b95c7c16a610f3027ad902
Link:
https://www.unpac.me/results/dd27635a-eeea-4bd5-b4bb-7d8567e207e8/
SH256 hash:
75688e96607df3ce1dd9e878cb9423a635190825f772dde4517561059bca59ad
MD5 hash:
e849cd66a188451112455c93ff4b7cac
SHA1 hash:
2659334b386da094d5c7ae10878ba3bd84980c69
Link:
https://www.unpac.me/results/dd27635a-eeea-4bd5-b4bb-7d8567e207e8/
SH256 hash:
c4ecf185621769141d1fe4e6738a76bcefad52fa06649c3b18d38bf4d1e69690
MD5 hash:
e28dfb41e5a1d3e045d5c459991006c4
SHA1 hash:
0e945f88d3e6281a948d83630bca14552e471b01
Link:
https://www.unpac.me/results/dd27635a-eeea-4bd5-b4bb-7d8567e207e8/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/dd27635a-eeea-4bd5-b4bb-7d8567e207e8/
SH256 hash:
0bb9bb0248ff89fac4e513cc1891f8aabbcc076446790c68d849e5a6c007c1ca
MD5 hash:
2fbf0040b06b8719902326d9584c29c3
SHA1 hash:
f2983c7b2d3d91722fb88198ac2441c5e098c2cf
Link:
https://www.unpac.me/results/dd27635a-eeea-4bd5-b4bb-7d8567e207e8/
SH256 hash:
972c33057d6944870e2fe26b4a5f2497cde0b540150386bdba04c8fc607f4b01
MD5 hash:
d5d68f6d0c6e151d2fb689740f5f3f75
SHA1 hash:
cb5ef9eb004073daba0eb683f1ff69d1dd5f21eb
Link:
https://www.unpac.me/results/dd27635a-eeea-4bd5-b4bb-7d8567e207e8/
Parent samples :
f33c9c6f077b7fb4d243925fe48b875581bb8af46e452b39bd4a2c3dd68f0ef9
822ee6c4b4bb9a619985e83c04a2dfe1a09152dc0276bd698f6d03be6ec7b83a
cfcab36f73560b2d15b6c266feaaf0195a6e0d18c22aa22b672e7eb2f979923e
7287980c1afb840a7438471126c0c95c36fefa79a013f9620264507e5f98c7a6
f9c9b3fbf4d11f96ff06fc8292d8c67ad6cf5432409754bbfc95c5c80e6b160d
72b6da82c3aa6faeee19e842814f77874cab37b3425ce6c503754b90c43a4610
e4fb39b3f6aa19028ccdd531437e7994a9b6f62b317adfa3edc16ba51e57acb1
582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b
9265b09595c59007e116c60605c28bd616387cf0dff79c7db8c5880e23cfef8e
abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a
SH256 hash:
d1417ebebd174d666a6abc9481d65b39fc2d88559f7fd92ebb7e2f1ae93787db
MD5 hash:
70220a3ce6ffd34101b3770342505f2c
SHA1 hash:
b55c421634d8eeaec5c6193f34c04625d21a9ae9
Link:
https://www.unpac.me/results/dd27635a-eeea-4bd5-b4bb-7d8567e207e8/
SH256 hash:
c2f83b62e5fc63d30df1a864df2b0f76533d7c9c3fd58f96edb64a501386a904
MD5 hash:
27d3e7ff96e8757bd058f3e5c660ef4f
SHA1 hash:
47328f361277fd909e4e78f305aca70f4ce425d8
Link:
https://www.unpac.me/results/dd27635a-eeea-4bd5-b4bb-7d8567e207e8/
SH256 hash:
69b8a67452e42970c7ea4aeb3ade8e1cfe4e045a4c823ebbe6929b6c240836f1
MD5 hash:
78ff6c918c87a1eed24bfbbe282ecdab
SHA1 hash:
5378595d61f4076f689b3be2f70565ca5e526a16
Link:
https://www.unpac.me/results/dd27635a-eeea-4bd5-b4bb-7d8567e207e8/
SH256 hash:
583ca27f94d96c274f09e516863cacc06c5eb68135c8a8e0705d87df8dddb51c
MD5 hash:
bba0fad599b85204ce2cae29c86d98af
SHA1 hash:
3f530a6d3d5280b0bb0459441d624baec904c911
Link:
https://www.unpac.me/results/dd27635a-eeea-4bd5-b4bb-7d8567e207e8/
SH256 hash:
1ef3cfe404ae1e96d0cf556cea107739d2bfaa2a7a634d296d60b347e2132cc3
MD5 hash:
f4a26716b314bfac2d88580d3cd69361
SHA1 hash:
f985f429c184e601a5d348f3118f9531e0a64fcc
Link:
https://www.unpac.me/results/dd27635a-eeea-4bd5-b4bb-7d8567e207e8/
SH256 hash:
618e50a4df86acd961fa4980e19b3fc0be6e0276ee6c19609b78f1b6f245dee0
MD5 hash:
07653b677cf7e993dc6a47386dbf0802
SHA1 hash:
a9d98c3a31c902d953a0ecbb87cdcfa0599c8f74
Link:
https://www.unpac.me/results/dd27635a-eeea-4bd5-b4bb-7d8567e207e8/
SH256 hash:
593d376336bb37228ecd2b7c5d46a2ef965c04f33df04d295d752c6f62ab1ab8
MD5 hash:
2ff9904c56a056f3477a088bf89a3f5c
SHA1 hash:
d9b1ab156bf0ecbf8d8fa4a3210028164d54e2e3
Link:
https://www.unpac.me/results/dd27635a-eeea-4bd5-b4bb-7d8567e207e8/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/593d376336bb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/593d376336bb37228ecd2b7c5d46a2ef965c04f33df04d295d752c6f62ab1ab8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/202923/

Comments