MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5acf6e353062232eedf273f4370d422d24aaf79240d97c27679a2a0dc223d163. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5acf6e353062232eedf273f4370d422d24aaf79240d97c27679a2a0dc223d163
SHA3-384 hash: efddd5656d27cb7b0d296d9476def755e1fed220614778ead05daeffefd2a5f7aca1ceba2956013c604e4295416b9567
SHA1 hash: 1c290c3e0c9c4d0568a2fe4a32eb3b7d148dd5c1
MD5 hash: 6185d207f75a1f7c787d3571b4d1805c
humanhash: monkey-sodium-cold-michigan
File name:SecuriteInfo.com.Win32.CrypterX-gen.16988.2539
Download: download sample
Signature GCleaner
Create hunting rule
File size:258'048 bytes
First seen:2024-02-27 01:26:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dd29265500433e05853a8af89087a307 (2 x GCleaner)
ssdeep 3072:cCrCHNoYXlWTZPAPxCR5rfrcHzxO/IRPvJca7HkPePJI97UD2f:c+CHNRXlWTZPAPgR5rfITEQZJV7HViJ
TLSH T1EB44E111B7B0D836C8E61635887596E849BAFC626A70635BB3603F3F6E712D09E35313
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 9a44ccc8d6cc70b0 (1 x GCleaner)
Reporter SecuriteInfoCom
Tags:exe gcleaner

Intelligence

File Origin
# of uploads :
1
# of downloads :
311
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/477901/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.16988.2539.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the %temp% directory
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint masquerade packed
Link:
https://www.filescan.io/uploads/65dd3a6703a1c3a7aef6c99a/reports/4d2db4ab-98ef-452a-9225-a5ed3ce5469c/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/5acf6e353062232eedf273f4370d422d24aaf79240d97c27679a2a0dc223d163
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/afad021f-e8c4-45bc-852a-5a10a1093713
Result
Threat name:
Nymaim
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1399185
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Nymaim
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5acf6e353062232eedf273f4370d422d24aaf79240d97c27679a2a0dc223d163
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5acf6e353062232eedf273f4370d422d24aaf79240d97c27679a2a0dc223d163/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2024-02-27 01:27:04 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=llhw4njqmirs53psop2dodkcfuskv54sidmxyj3htiva3qrd2frq._file
Verdict:
malicious
Result
Malware family:
gcleaner
Create hunting rule
Score:
  10/10
Tags:
family:gcleaner loader
Link:
https://tria.ge/reports/240227-bt375sde7s/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Downloads MZ/PE file
GCleaner
Malware Config
C2 Extraction:
185.172.128.90
5.42.64.3
5.42.65.115
Unpacked files
SH256 hash:
c37679e78f6af5ba63dedfdfa3c66327626f6a4afa19359ca80d02ae5e1f827a
MD5 hash:
7757bf2b97b51df1bd3b15e17962675a
SHA1 hash:
8e436f717997057dff178f628e784d6e9bad7a51
Link:
https://www.unpac.me/results/f95aa450-3751-4847-a802-d8790f895793/
SH256 hash:
5acf6e353062232eedf273f4370d422d24aaf79240d97c27679a2a0dc223d163
MD5 hash:
6185d207f75a1f7c787d3571b4d1805c
SHA1 hash:
1c290c3e0c9c4d0568a2fe4a32eb3b7d148dd5c1
Link:
https://www.unpac.me/results/f95aa450-3751-4847-a802-d8790f895793/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5acf6e353062232eedf273f4370d422d24aaf79240d97c27679a2a0dc223d163

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe 5acf6e353062232eedf273f4370d422d24aaf79240d97c27679a2a0dc223d163

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2755634/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2770950/
  
URLhaus
https://urlhaus.abuse.ch/url/2770896/
Cape
Cape
https://www.capesandbox.com/analysis/477901/

Comments