MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5bd0f1a500c8eb22f267f4414a8187c5f77f3b02b66d5dc9f9f42c2ff1206b1e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5bd0f1a500c8eb22f267f4414a8187c5f77f3b02b66d5dc9f9f42c2ff1206b1e
SHA3-384 hash: f25a4e26bf57c52b06dfda37ff25d62787cc6284e87c742ad0ea19d1514048b0235755532bb562a15a0b337c1b62973b
SHA1 hash: b2890822011c4c315d2fa8d3fcb0f635bea3aa1c
MD5 hash: c4807ea6c4ee04746a88248c855cb71d
humanhash: thirteen-oven-zebra-oxygen
File name:file
Download: download sample
Signature GCleaner
Create hunting rule
File size:389'960 bytes
First seen:2022-11-30 15:53:46 UTC
Last seen:2022-12-01 09:54:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'446 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 6144:x/QiQXCpkm+ksmpk3U9j0IJaOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7LT:pQi3pP6m6UR0IJalL//plmW9bTXeVhD4
TLSH T118841243F3E18839E073CDB05C90E962493B79254DBC690836ECAD9F9F3B6825256787
TrID 75.1% (.EXE) Inno Setup installer (109740/4/30)
9.7% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.0% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter andretavare5
Tags:exe gcleaner


Avatar
andretavare5
Sample downloaded from https://punch-cidre.s3.pl-waw.scw.cloud/TUN.exe

Intelligence

File Origin
# of uploads :
18
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-30 20:41:50 UTC
Tags:
installer loader evasion trojan sinkhole gcleaner stealer vidar opendir amadey
Link:
https://app.any.run/tasks/6cd4a446-a232-4790-ac6e-240315034b99

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/340540/
Detection(s):
SecuriteInfo.com.Application.Agent.AIQ.2330.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a process with a hidden window
Sending a custom TCP request
Connecting to a non-recommended domain
Creating a file in the Program Files subdirectories
Sending an HTTP POST request
Creating a file
Searching for synchronization primitives
Moving a file to the Program Files subdirectory
Modifying a system file
Adding an access-denied ACE
Using the Windows Management Instrumentation requests
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Setting a single autorun event
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63877ca7559d07a06f48d5a8/reports/1cc27366-174e-47ba-94b6-dfa22f6c3d4e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5707a447-7c64-4d85-9b97-2645862f2df6
Result
Threat name:
Fabookie
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1124573
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Snort IDS alert for network traffic
Yara detected Fabookie
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 757298 Sample: file.exe Startdate: 30/11/2022 Architecture: WINDOWS Score: 100 89 xv.yxzgamen.com 2->89 91 www.profitabletrustednetwork.com 2->91 93 25 other IPs or domains 2->93 111 Snort IDS alert for network traffic 2->111 113 Multi AV Scanner detection for domain / URL 2->113 115 Antivirus detection for URL or domain 2->115 117 10 other signatures 2->117 11 file.exe 2 2->11         started        15 ZHilaelaecaere.exe 2->15         started        18 ZHilaelaecaere.exe 2->18         started        signatures3 process4 dnsIp5 75 C:\Users\user\AppData\Local\Temp\...\file.tmp, PE32 11->75 dropped 123 Obfuscated command line found 11->123 20 file.tmp 3 19 11->20         started        105 s3.pl-waw.scw.cloud 15->105 107 uchiha.s3.pl-waw.scw.cloud 15->107 109 2 other IPs or domains 15->109 file6 signatures7 process8 dnsIp9 95 s3.pl-waw.scw.cloud 151.115.10.1, 443, 49696, 49704 OnlineSASFR United Kingdom 20->95 97 5de5c46f-c6bb-4dc8-bd5f-34662c54ce50.s3.pl-waw.scw.cloud 20->97 51 C:\Users\user\AppData\Local\...\zizou.exe, PE32 20->51 dropped 53 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 20->53 dropped 55 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 20->55 dropped 57 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 20->57 dropped 24 zizou.exe 22 19 20->24         started        file10 process11 dnsIp12 99 s3.pl-waw.scw.cloud 24->99 101 connectini.net 37.230.138.123, 443, 49699, 49711 ROCKETTELECOM-ASRU Russian Federation 24->101 103 4 other IPs or domains 24->103 67 C:\Users\user\AppData\...\Reqyhikoku.exe, PE32 24->67 dropped 69 C:\Users\user\AppData\...behaviorgraphalylolafy.exe, PE32 24->69 dropped 71 C:\Program Files\...\poweroff.exe, PE32 24->71 dropped 73 5 other malicious files 24->73 dropped 119 Multi AV Scanner detection for dropped file 24->119 121 Machine Learning detection for dropped file 24->121 29 poweroff.exe 2 24->29         started        33 Reqyhikoku.exe 14 17 24->33         started        36 Galylolafy.exe 14 4 24->36         started        file13 signatures14 process15 dnsIp16 77 C:\Users\user\AppData\Local\...\poweroff.tmp, PE32 29->77 dropped 125 Obfuscated command line found 29->125 38 poweroff.tmp 29->38         started        79 www.google.com 172.217.168.68, 443, 49714, 49739 GOOGLEUS United States 33->79 81 connectini.net 33->81 127 Antivirus detection for dropped file 33->127 129 Multi AV Scanner detection for dropped file 33->129 131 Machine Learning detection for dropped file 33->131 41 chrome.exe 33->41         started        43 chrome.exe 33->43         started        45 chrome.exe 33->45         started        47 5 other processes 33->47 83 clients.l.google.com 142.250.203.110, 443, 49728 GOOGLEUS United States 36->83 85 google.com 36->85 87 connectini.net 36->87 file17 signatures18 process19 file20 59 C:\...\unins000.exe (copy), PE32 38->59 dropped 61 C:\Program Files (x86)\...\is-KN1H3.tmp, PE32 38->61 dropped 63 C:\Program Files (x86)\...\is-84NQN.tmp, PE32 38->63 dropped 65 3 other files (1 malicious) 38->65 dropped 49 Power Off.exe 38->49         started        process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5bd0f1a500c8eb22f267f4414a8187c5f77f3b02b66d5dc9f9f42c2ff1206b1e/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-11-30 01:04:13 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
14 of 39 (35.90%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lpipdjiazdvsf4th6rauvamhyx3x6oycwzwv3spz6qwc74janmpa._file
Result
Malware family:
nymaim
Create hunting rule
Score:
  10/10
Tags:
family:nymaim discovery evasion persistence trojan vmprotect
Link:
https://tria.ge/reports/221130-tca45sgd7w/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Drops file in System32 directory
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Unexpected DNS network traffic destination
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
VMProtect packed file
Checks for common network interception software
NyMaim
Process spawned unexpected child process
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
45.139.105.171
85.31.46.167
Dropper Extraction:
https://grilloo.net/js/vendor/config_20.ps1
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/66118fab-42e3-4377-9626-eccee4d58e8d
Unpacked files
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/6cdbc438-0f95-4f66-868b-d1c29c28fad7/
SH256 hash:
154b4985fd7e51bb9dec86658597bb1b06c1d3fcaaee53456747fdd6cd382f0d
MD5 hash:
4bdb7eeaf9b8551cb04832c59f664f83
SHA1 hash:
823eccc302ccf9025817893fe24a24736b2146c9
Link:
https://www.unpac.me/results/6cdbc438-0f95-4f66-868b-d1c29c28fad7/
SH256 hash:
5bd0f1a500c8eb22f267f4414a8187c5f77f3b02b66d5dc9f9f42c2ff1206b1e
MD5 hash:
c4807ea6c4ee04746a88248c855cb71d
SHA1 hash:
b2890822011c4c315d2fa8d3fcb0f635bea3aa1c
Link:
https://www.unpac.me/results/6cdbc438-0f95-4f66-868b-d1c29c28fad7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5bd0f1a500c8eb22f267f4414a8187c5f77f3b02b66d5dc9f9f42c2ff1206b1e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/340540/
  
URLhaus
https://urlhaus.abuse.ch/url/2439244/

Comments