MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a4b558e3f228adc43c877a56890612ba69b2e112ca8e0fdd538581e0dc6898b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 9



SHA256 hash: 5a4b558e3f228adc43c877a56890612ba69b2e112ca8e0fdd538581e0dc6898b
SHA3-384 hash: 78695a95fa6c5629eedf8326318994a87a586d2412c5558c727967b31be4ca6fb2f6e76a04e88a576cb0b206683d3f46
SHA1 hash: 171b4d74354c4ec4653ce99d662172ddac9833ab
MD5 hash: 477ba03195f3b0d566546ef9ec031fe7
humanhash: maine-venus-nine-illinois
File name: 477ba03195f3b0d566546ef9ec031fe7.exe
Signature GCleaner
File size: 1'794'899 bytes
First seen: 2023-06-22 05:55:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (259 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 24576:s7FUDowAyrTVE3U5F/G1lORHUKic6QL3E2vVsjECUAQT45deRV9RU:sBuZrEU0qHUKIy029s4C1eH9q
Threatray 4 similar samples on MalwareBazaar
TLSH T1AA85CF3FF268A13EC46A1B3245739320997BBA51B81A8C1E47FC384DCF765601E3B656
TrID 50.4% (.EXE) Inno Setup installer (109740/4/30)
19.7% (.EXE) InstallShield setup (43053/19/16)
19.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter abuse_ch
Tags: exe gcleaner

Intelligence


File Origin
# of uploads :
1
# of downloads :
267
Origin country :
NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
477ba03195f3b0d566546ef9ec031fe7.exe
Verdict:
No threats detected
Analysis date:
2023-06-22 06:02:14 UTC
Tags:
installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
installer lolbin overlay packed setupapi.dll shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
50 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Behavior Graph ID: 892473
Sample: ECnCJ4QWok.exe
Start date: 22/06/2023
Architecture: WINDOWS
Score: 50

Sample-level signatures:
  Snort IDS alert for network traffic
  Antivirus detection for URL or domain
  Antivirus detection for dropped file
  4 other signatures

Sample-level DNS/IP:
  wcdownloadercdn.lavasoft.com
  wc-update-service.lavasoft.com

Process tree (child processes are indented under the process that started them; "dropped" lists files written by that process, "network" lists the domains/IPs it contacted, "signature" lists the detection triggered by it):

ECnCJ4QWok.exe
  dropped: C:\Users\user\AppData\...CnCJ4QWok.tmp (PE32)
  started: ECnCJ4QWok.tmp
    network: 45.12.253.74, port 80 (CMCSUS, Germany)
    network: webcompanion.com 104.18.211.25, ports 49750, 80 (CLOUDFLARENETUS, United States)
    network: 2 other IPs or domains
    dropped: C:\Users\user\AppData\Local\Temp\...\s2.exe (PE32)
    dropped: 4 other files (3 malicious)
    signature: Performs DNS queries to domains with low reputation
    started: s2.exe
      dropped: 13 other malicious files
      signature: Multi AV Scanner detection for dropped file
      started: WebCompanionInstaller.exe
        network: flow.lavasoft.com 104.17.9.52, ports 49751, 80 (CLOUDFLARENETUS, United States)
    started: s1.exe
      network: collect.installeranalytics.com
      dropped: C:\Users\user\AppData\Roaming\...\decoder.dll (PE32)
      dropped: C:\Users\user\AppData\...\Windows Updater.exe (PE32)
      dropped: C:\Users\user\AppData\Local\...\shiB8F5.tmp (PE32+)
      dropped: 3 other malicious files
      signature: Antivirus detection for dropped file
      started: msiexec.exe

msiexec.exe
  dropped: C:\Windows\Installer\MSIE981.tmp (PE32)
  dropped: C:\Windows\Installer\MSIE952.tmp (PE32)
  dropped: C:\Windows\Installer\MSIE5C5.tmp (PE32)
  dropped: 14 other malicious files
  started: msiexec.exe
    network: pstbbk.com 157.230.96.32, ports 49702, 80 (DIGITALOCEAN-ASNUS, United States)
    network: collect.installeranalytics.com 52.73.64.126, ports 443, 49703, 49704 (AMAZON-AESUS, United States)
    dropped: C:\Users\user\AppData\Local\...\shiDDA9.tmp (PE32)
    dropped: C:\Users\user\AppData\Local\...\shiDD0C.tmp (PE32)
    signature: Query firmware table information (likely to detect VMs)
    started: taskkill.exe
      started: conhost.exe
  started: msiexec.exe
    dropped: C:\Users\user\AppData\Local\...\shiD2AC.tmp (PE32)
    dropped: C:\Users\user\AppData\Local\...\shiD1E0.tmp (PE32)
  started: msiexec.exe
    dropped: C:\Windows\Temp\shi213A.tmp (PE32)
    dropped: C:\Windows\Temp\shi20AC.tmp (PE32)
  started: msiexec.exe

Windows Updater.exe
  network: allroadslimit.com 188.114.96.7, ports 443, 49705, 49749 (CLOUDFLARENETUS, European Union)
  dropped: C:\Windows\Temp\...\Windows Updater.exe (PE32)
  started: Windows Updater.exe
    network: dl.likeasurfer.com 104.21.32.100, ports 443, 49715, 49718 (CLOUDFLARENETUS, United States)
    dropped: 4 other malicious files
    started: v113.exe
      network: 192.168.2.1 (unknown, unknown)
      dropped: C:\Windows\Temp\shi1DDE.tmp (PE32+)
      dropped: C:\Windows\Temp\MSI2013.tmp (PE32)
      dropped: C:\Windows\Temp\MSI1F18.tmp (PE32)
      dropped: 2 other malicious files
      started: msiexec.exe
Threat name:
Win32.Trojan.OffLoader
Status:
Malicious
First seen:
2023-06-22 05:56:06 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash:
51ac85992166306fd86e9be2b66eb70999c1e09a43b0ce3c92803219e1a43487
MD5 hash:
162f84d484f6330c55522930813e91bd
SHA1 hash:
2c8ddcd85d59507ddfa88df9e90cef467bae70f6
SHA256 hash:
35da2d08fb83f94036e76037d0f253dd47543d3a93c3b54b0173dc4cb3f8b152
MD5 hash:
d7642283eca83026e1e1f9f4db290d65
SHA1 hash:
bc563109cfc97dde94f69438c477bd1d90a68656
SHA256 hash:
7ba6fb383cd3127caf029236e59320c5ee27a98039f7563bdffd8b857557973d
MD5 hash:
100518428c69bf6233cdc5c3cb2808e8
SHA1 hash:
5b3eca32f011ded0c1372b770da47ca80c6d1066
SHA256 hash:
5a4b558e3f228adc43c877a56890612ba69b2e112ca8e0fdd538581e0dc6898b
MD5 hash:
477ba03195f3b0d566546ef9ec031fe7
SHA1 hash:
171b4d74354c4ec4653ce99d662172ddac9833ab
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments