MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5cccd82fbb3928236bb753a0c198f19d4338f0af1b4b8618a21fa5899fe5ac41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 11



SHA256 hash: 5cccd82fbb3928236bb753a0c198f19d4338f0af1b4b8618a21fa5899fe5ac41
SHA3-384 hash: 3648067b0d527bf07f8c4642bf084b6646ad2978420fa8baffdce97a1c6cc7ef8c02fc99e34c9c262d498688982e29d9
SHA1 hash: c9e794b6ab39d7b182372e88124d3bada8031574
MD5 hash: a02d9e097100e1e197344038e214817c
humanhash: video-bravo-vegan-apart
File name: a02d9e097100e1e197344038e214817c.exe
Signature: GCleaner
File size: 6'034'969 bytes
First seen: 2021-11-08 06:50:31 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:Jrwz2BLnbgEHlym3/g9IE4nycWh28CWQJABHkd0R5MFox7wobkGSA7IV+Hip:Jr22BDd0P4yXh2+BTMI7bDSNqip
Threatray: 682 similar samples on MalwareBazaar
TLSH: T13056333CA7454270F43A2378B820568F9C5E9EDB1C9F8337D12A169D1AD2FF249BE215
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe gcleaner


abuse_ch
GCleaner C2:
185.215.113.29:1102

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
185.215.113.29:1102    https://threatfox.abuse.ch/ioc/244872/

Intelligence


File Origin
# of uploads: 1
# of downloads: 123
Origin country: n/a
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: mokes overlay packed trickbot
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: FormBook Raccoon RedLine Socelars Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (creates a PE file in dynamic memory)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected FormBook
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 517459, Sample: O4eFetVyO4.exe, Start date: 08/11/2021, Architecture: WINDOWS, Score: 100
Threat name: Win32.Backdoor.Zapchast
Status: Malicious
First seen: 2021-11-06 18:35:00 UTC
AV detection: 21 of 28 (75.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:redline family:smokeloader family:socelars family:vidar botnet:916 botnet:media0421 botnet:user112 aspackv2 backdoor evasion infostealer stealer suricata trojan
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Malware Config
C2 Extraction:
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments