MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5aeeb53a492389bfaaa1a2d15b98324c159ded6cd2e55dd67efb3eba6e4ee270. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5aeeb53a492389bfaaa1a2d15b98324c159ded6cd2e55dd67efb3eba6e4ee270
SHA3-384 hash: 7cbaa06fe33691052814cf240c318843135dc72afc2d000f9c3efded56e2b8fb492851f44a17f86216dc4d93894843f5
SHA1 hash: 2a4dacdb64d3f3c7dea9eb9f5a2f038e171725dc
MD5 hash: dd7dcb489754da3c757a58efef55690e
humanhash: island-sierra-quebec-princess
File name:5AEEB53A492389BFAAA1A2D15B98324C159DED6CD2E55.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:4'344'622 bytes
First seen:2022-01-29 12:05:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 98304:xOp9ZX654XTpujOT9Yv3akzDEYDX0ouNeIy43r2M:xOp9ZqiXTAjOT9izX0ouNt8M
TLSH T1291633207BE18DFEE9628076658C7F3C89E9C789283BCEDB13241A4E1DB4D41D25B1B5
File icon (PE):PE icon
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:exe gcleaner


Avatar
abuse_ch
GCleaner C2:
http://159.223.25.220/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://159.223.25.220/ https://threatfox.abuse.ch/ioc/357405/

Intelligence

File Origin
# of uploads :
1
# of downloads :
280
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5AEEB53A492389BFAAA1A2D15B98324C159DED6CD2E55.exe
Verdict:
No threats detected
Analysis date:
2022-01-29 12:09:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/54f86bcc-a750-4f51-bf2d-3e001b4f778a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/225776/
Detection(s):
Win.Dropper.Pswtool-9857535-0
Create hunting rule

Win.Packed.Barys-9859263-0
Create hunting rule

Win.Malware.Barys-9859499-0
Create hunting rule

Win.Packed.Barys-9859531-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Malware.Socelars-9901327-1
Create hunting rule

Win.Malware.Socelars-9901374-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
DNS request
Running batch commands
Launching a process
Sending a custom TCP request
Searching for synchronization primitives
Creating a window
Creating a file
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Query of malicious DNS domain
Unauthorized injection to a recently created process by context flags manipulation
Sending a TCP request to an infection source
Launching a tool to kill processes
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/5449/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
mokes overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/61f52daf541b36270655b14e/reports/d79ae388-840d-46e7-9040-b76c189e4522/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4f854230-8fb0-4487-aac8-2654761a97fe
Result
Threat name:
RedLine SmokeLoader Socelars Vidar onlyL
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/930119
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell File Write to Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Generic Downloader
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 562597 Sample: 5AEEB53A492389BFAAA1A2D15B9... Startdate: 29/01/2022 Architecture: WINDOWS Score: 100 103 104.208.16.94 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->103 113 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->113 115 Malicious sample detected (through community Yara rule) 2->115 117 Antivirus detection for URL or domain 2->117 119 26 other signatures 2->119 12 5AEEB53A492389BFAAA1A2D15B98324C159DED6CD2E55.exe 20 2->12         started        15 WmiPrvSE.exe 2->15         started        signatures3 process4 file5 75 C:\Users\user\AppData\...\setup_install.exe, PE32 12->75 dropped 77 C:\Users\user\...\Fri21fa7d22db890f1c.exe, PE32 12->77 dropped 79 C:\Users\user\...\Fri21e5481bfbcfd5b5.exe, PE32 12->79 dropped 81 15 other files (10 malicious) 12->81 dropped 17 setup_install.exe 1 12->17         started        process6 dnsIp7 85 127.0.0.1 unknown unknown 17->85 87 hsiens.xyz 17->87 109 Performs DNS queries to domains with low reputation 17->109 111 Adds a directory exclusion to Windows Defender 17->111 21 cmd.exe 17->21         started        23 cmd.exe 1 17->23         started        25 cmd.exe 17->25         started        27 11 other processes 17->27 signatures8 process9 signatures10 30 Fri21e5481bfbcfd5b5.exe 21->30         started        33 Fri21a4e2c461.exe 4 53 23->33         started        37 Fri2121694f6e72.exe 25->37         started        125 Adds a directory exclusion to Windows Defender 27->125 39 Fri21ae6a2912a25.exe 27->39         started        41 Fri2124d79eddfb04.exe 27->41         started        43 Fri21fa7d22db890f1c.exe 27->43         started        45 6 other processes 27->45 process11 dnsIp12 127 Antivirus detection for dropped file 30->127 129 Detected unpacking (changes PE section rights) 30->129 131 Machine Learning detection for dropped file 30->131 147 4 other signatures 30->147 47 explorer.exe 30->47 injected 89 103.155.92.143 TWIDC-AS-APTWIDCLimitedHK unknown 33->89 91 83.220.174.101 THEFIRST-ASRU Russian Federation 33->91 95 14 other IPs or domains 33->95 63 C:\Users\...\6OQC2j9wFwXplLp7jENvTPAz.exe, PE32 33->63 dropped 65 C:\Users\user\AppData\...\askinstall59[1].exe, PE32 33->65 dropped 67 C:\Users\user\AppData\...\Setup32[1].exe, PE32 33->67 dropped 71 23 other files (3 malicious) 33->71 dropped 133 Creates HTML files with .exe extension (expired dropper behavior) 33->133 135 Disable Windows Defender real time protection (registry) 33->135 97 2 other IPs or domains 37->97 137 Multi AV Scanner detection for dropped file 37->137 139 May check the online IP address of the machine 37->139 141 Tries to harvest and steal browser information (history, passwords, etc) 37->141 51 mshta.exe 39->51         started        93 t.gogamec.com 104.21.85.99, 443, 49760, 49763 CLOUDFLARENETUS United States 41->93 69 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 41->69 dropped 143 Creates processes via WMI 41->143 99 2 other IPs or domains 43->99 101 6 other IPs or domains 45->101 145 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 45->145 file13 signatures14 process15 file16 83 C:\Users\user\AppData\Roaming\iiigctf, PE32 47->83 dropped 105 Benign windows process drops PE files 47->105 107 Hides that the sample has been downloaded from the Internet (zone.identifier) 47->107 53 cmd.exe 51->53         started        signatures17 process18 file19 73 C:\Users\user\AppData\Local\Temp\09xU.exE, PE32 53->73 dropped 56 09xU.exE 53->56         started        59 conhost.exe 53->59         started        61 taskkill.exe 53->61         started        process20 signatures21 121 Antivirus detection for dropped file 56->121 123 Multi AV Scanner detection for dropped file 56->123
Detection:
vidar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5aeeb53a492389bfaaa1a2d15b98324c159ded6cd2e55dd67efb3eba6e4ee270/
Threat name:
Win32.Backdoor.TurtleLoader
Create hunting rule
Status:
Malicious
First seen:
2021-10-10 13:04:00 UTC
File Type:
PE (Exe)
Extracted files:
176
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=llxlkosjeoe37kvbulivxgbsjqkz33lm2lsv3vt67m7lu3so4jya._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
ryuk
Create hunting rule
Result
Malware family:
socelars
Create hunting rule
Score:
  10/10
Tags:
family:redline family:socelars botnet:media8 botnet:sehrish aspackv2 evasion infostealer spyware stealer trojan
Link:
https://tria.ge/reports/220129-n9rv9sbba3/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
91.121.67.60:2151
135.181.129.119:4805
Unpacked files
SH256 hash:
972c33057d6944870e2fe26b4a5f2497cde0b540150386bdba04c8fc607f4b01
MD5 hash:
d5d68f6d0c6e151d2fb689740f5f3f75
SHA1 hash:
cb5ef9eb004073daba0eb683f1ff69d1dd5f21eb
Link:
https://www.unpac.me/results/dc94d304-bf67-4983-bcd2-21d2f4f6c0af/
Parent samples :
f33c9c6f077b7fb4d243925fe48b875581bb8af46e452b39bd4a2c3dd68f0ef9
822ee6c4b4bb9a619985e83c04a2dfe1a09152dc0276bd698f6d03be6ec7b83a
cfcab36f73560b2d15b6c266feaaf0195a6e0d18c22aa22b672e7eb2f979923e
7287980c1afb840a7438471126c0c95c36fefa79a013f9620264507e5f98c7a6
f9c9b3fbf4d11f96ff06fc8292d8c67ad6cf5432409754bbfc95c5c80e6b160d
72b6da82c3aa6faeee19e842814f77874cab37b3425ce6c503754b90c43a4610
e4fb39b3f6aa19028ccdd531437e7994a9b6f62b317adfa3edc16ba51e57acb1
582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b
9265b09595c59007e116c60605c28bd616387cf0dff79c7db8c5880e23cfef8e
abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a
SH256 hash:
5de063d98221a5f0951e9e290c4b9f6c6d45602f5b5617ba832a4bee926f0059
MD5 hash:
25f85df36f4ec8103991f1c4df0e7049
SHA1 hash:
e12d673c30b459b81d6e0b43f2cd9a280c2e2acf
Link:
https://www.unpac.me/results/dc94d304-bf67-4983-bcd2-21d2f4f6c0af/
SH256 hash:
b3ebe2d73a6d2b289eb9076a94e1080d095cd3dfa0eb28d000ff9ea495ec286d
MD5 hash:
0bf74c3c12256fbe7ddc9ef82550c5ec
SHA1 hash:
9125023250645cbe4aaa5237b2ee2690bdb6167d
Link:
https://www.unpac.me/results/dc94d304-bf67-4983-bcd2-21d2f4f6c0af/
SH256 hash:
cbf1bc36ae69b5d54992392f8b7711e4ee4973e72e33a33318268d129eed4c45
MD5 hash:
29b30b117e8be91a98b72ada7211294f
SHA1 hash:
ca859c58c7a09cdc2d171b96a1a01f43f26b634e
Link:
https://www.unpac.me/results/dc94d304-bf67-4983-bcd2-21d2f4f6c0af/
SH256 hash:
51d1fb6c91c859ebbe0d33009feb91e61ac92c14412addfeb6e5b097d84b7b63
MD5 hash:
ca367012ebf8a17e84253413281d5e72
SHA1 hash:
9db93109d5bfb255c1997e422a2538beefdbb36e
Link:
https://www.unpac.me/results/dc94d304-bf67-4983-bcd2-21d2f4f6c0af/
Parent samples :
582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b
abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a
SH256 hash:
b0907562ec1ac4ff1abc08598c77804ea6a4434b6955ef1d8ea7cfa99a6cb849
MD5 hash:
2aa74bffcea929cdd73b163a1dfabbcf
SHA1 hash:
74a2007532e312d234fbadcc0fb7d081a1932bc0
Link:
https://www.unpac.me/results/dc94d304-bf67-4983-bcd2-21d2f4f6c0af/
Parent samples :
822ee6c4b4bb9a619985e83c04a2dfe1a09152dc0276bd698f6d03be6ec7b83a
cfcab36f73560b2d15b6c266feaaf0195a6e0d18c22aa22b672e7eb2f979923e
SH256 hash:
8e39804f909ddfb3acb1f5765256ff6c7f73506eec614201aaaabffa823ef555
MD5 hash:
7c38cf2a3df9af2267e4d3dee4ab9fb6
SHA1 hash:
ec80c30832a550b59aa86a77e64c3fd852dab288
Link:
https://www.unpac.me/results/dc94d304-bf67-4983-bcd2-21d2f4f6c0af/
SH256 hash:
43da19a0f18ca201ee3f213e30699e121bbe812bb14e405344dfe43e52b95d6a
MD5 hash:
c83860b0db60b9f69468301ee2a58fca
SHA1 hash:
d826cc0323eb208e36b3e9ef00225430c6f031e1
Link:
https://www.unpac.me/results/dc94d304-bf67-4983-bcd2-21d2f4f6c0af/
SH256 hash:
b1792b96ee1599053169c723ef3847f150fb3a6cbd7f6e49f0c7980e56f17ec0
MD5 hash:
782464a630ee6593821219958720db3e
SHA1 hash:
c46ee1af2bd512533f1cd26337e73e0ccb18f57f
Link:
https://www.unpac.me/results/dc94d304-bf67-4983-bcd2-21d2f4f6c0af/
SH256 hash:
e9071b3b10f7def5aad6cf036ecb453ad9ac2a3209790cdc7bb7064255394247
MD5 hash:
b0643101be8b0cbf58e26c988a786862
SHA1 hash:
afb6903cfa6a7b7fc52120f229e3982320ed2130
Link:
https://www.unpac.me/results/dc94d304-bf67-4983-bcd2-21d2f4f6c0af/
SH256 hash:
f7ec45966ad8e38d8507c637d75cd70d70f0a77a4fd436595c87c483eea6d567
MD5 hash:
17cebac621efe1638506eaa93b112748
SHA1 hash:
8c226904c925a4c61dc6a3ae02a1c3e7410b01cf
Link:
https://www.unpac.me/results/dc94d304-bf67-4983-bcd2-21d2f4f6c0af/
SH256 hash:
0d17f7b14fae231ac7557bc5268c2678c3f87a51f11c97861ef287075853d874
MD5 hash:
8ff0384afd71b0976701519eb9c6f120
SHA1 hash:
689868a6e4cd1e20e55c3fe76bcea78d844baaa3
Link:
https://www.unpac.me/results/dc94d304-bf67-4983-bcd2-21d2f4f6c0af/
SH256 hash:
d03bcf13c01b454fb8c69044dc883284a2fce48f715c764e18a0a9085b2c2cac
MD5 hash:
2f5fca3e8090d2b6cf1f2e26fae46740
SHA1 hash:
5321834a2e9cc82416840d7640156ae2578e4dae
Link:
https://www.unpac.me/results/dc94d304-bf67-4983-bcd2-21d2f4f6c0af/
SH256 hash:
3127db454894da4af94dafef6f8826e06dfd44c8337e160948b38fbf2b83c1a0
MD5 hash:
cc9c722f75be49e8f93929c989e4568d
SHA1 hash:
320fba78d341f12c4225e65e276281278b3c6316
Link:
https://www.unpac.me/results/dc94d304-bf67-4983-bcd2-21d2f4f6c0af/
SH256 hash:
39f4d61647e943b006f9b1c1fdda02e1c26e123162dbf85e1f842fd30fde00f4
MD5 hash:
330d9c5ca5ab9f54d4c6af59e0a6d683
SHA1 hash:
394dd8d2681222e13d23c82c20e7fe0a4f54460a
Link:
https://www.unpac.me/results/dc94d304-bf67-4983-bcd2-21d2f4f6c0af/
SH256 hash:
ef6e1f282a95be6ac6a878042bab99ac74b6c7c8c0c5a269b0d0a2fb70e47380
MD5 hash:
772423582633db594f455dac1406a541
SHA1 hash:
ac4e87efd9cca8632517578a13754d41958e2791
Link:
https://www.unpac.me/results/dc94d304-bf67-4983-bcd2-21d2f4f6c0af/
SH256 hash:
c62ea0ad2af6aaefb94214955d12dc9f4c12fea6ae236a56a7ed697b8b246791
MD5 hash:
bf807cca6e109befb80a2c5561e235b7
SHA1 hash:
c13577a90c41c1f3f73e1a9fa2724f048fe05480
Link:
https://www.unpac.me/results/dc94d304-bf67-4983-bcd2-21d2f4f6c0af/
SH256 hash:
5aeeb53a492389bfaaa1a2d15b98324c159ded6cd2e55dd67efb3eba6e4ee270
MD5 hash:
dd7dcb489754da3c757a58efef55690e
SHA1 hash:
2a4dacdb64d3f3c7dea9eb9f5a2f038e171725dc
Link:
https://www.unpac.me/results/dc94d304-bf67-4983-bcd2-21d2f4f6c0af/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5aeeb53a492389bfaaa1a2d15b98324c159ded6cd2e55dd67efb3eba6e4ee270

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/225776/

Comments