MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5dd59397cd5602fe62425fd765646360de68c56ff17ddb271886bded9f975f3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 9

Intelligence 9 IOCs 1 YARA File information Comments

SHA256 hash:	5dd59397cd5602fe62425fd765646360de68c56ff17ddb271886bded9f975f3b
SHA3-384 hash:	be77cd2772f86ba1f5d297e35f56c7e4f1fc186e16d8b6b7b6b30eca6e7d36699006bf6b6f9fa5e4b4b5b44d34d443c7
SHA1 hash:	ab8b036293332398b3a81d8a91089b7cb6269bac
MD5 hash:	d8c62ac87bfc863525b9ad700c3515cd
humanhash:	venus-oxygen-juliet-ohio
File name:	D8C62AC87BFC863525B9AD700C3515CD.exe
Download:	download sample
Signature	GCleaner Create hunting rule
File size:	395'264 bytes
First seen:	2021-08-08 16:25:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f1a12d7f969c04eff5705d2d791fa891 (1 x DanaBot, 1 x Smoke Loader, 1 x GCleaner)
ssdeep	6144:2a17dKXao6I/RcKfq0Ut0pXxdWvLVnblYbyaNznhoFJEU2t:t7dKXaonnfq0UMnWTVBINzhoM
Threatray	192 similar samples on MalwareBazaar
TLSH	T1FA84AF30A690C035F4F712F845BAD3BCA52D3FA05724A1CB92D666EE57386E99C30397
dhash icon	b6714cbc74dcf166 (4 x GCleaner)
Reporter	abuse_ch
Tags:	exe gcleaner

abuse_ch

GCleaner C2:
http://gc-prtnrs.top/decision.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://gc-prtnrs.top/decision.php	https://threatfox.abuse.ch/ioc/166045/

Intelligence

File Origin

# of uploads :

# of downloads :

172

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

D8C62AC87BFC863525B9AD700C3515CD.exe

Verdict:

Malicious activity

Analysis date:

2021-08-08 16:26:23 UTC

Tags:

trojan

Link:

https://app.any.run/tasks/55d321da-c566-4ca6-b7a3-2b8ef5e1984a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Gcleaner

Link:

https://www.capesandbox.com/analysis/177275/

Detection(s):

Win.Malware.Generic-9883106-0

Win.Malware.Filerepmalware-9883174-0

Win.Malware.Generic-9883187-0

Win.Malware.Generic-9883193-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Connection attempt

Sending an HTTP GET request

Running batch commands

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Searching for the window

Sending a UDP request

Launching a tool to kill processes

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/73d34cb4-9a28-4f62-9e35-0ac59a89d50f

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/828844

Signature

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5dd59397cd5602fe62425fd765646360de68c56ff17ddb271886bded9f975f3b/

Threat name:

Win32.Trojan.Smokeldr

Status:

Malicious

First seen:

2021-08-06 00:14:48 UTC

AV detection:

30 of 46 (65.22%)

Threat level:

5/5

Verdict:

unknown

GCleaner

4272379ced0fed89dfc74a080cd17269b34bef293cbfe4bd424abd500bf367fa

GCleaner

6acf924acc2978d82ac6b7adc976b07158cc09b7d64676175a9a1e61e6312c2c

GCleaner

6c79c3b549bdea13526f1365ad2253f6385531606362cc29d9dea172cd9d50cb

GCleaner

a90bc226fcaf18a89bad9b0a1a57085ecd055b726b67e3a3964d7da03d244007

GCleaner

b8338eda2c7390860da3bd4a37104b409235131406d9b4d30a78b5d4189cf317

GCleaner

cbcd57dd83369317946567dba9624dedbf2ce33acc796b2ba6f4c57b7d3cf49a

GCleaner

d72dd5663947fc7e1bd8903030b3e2fd551d8d938fdc6417d8513a1c4cc49702

GCleaner

fcfe0e26e945ba5fbde5d01cad9bcb66b2c9623bc8cdc627e9c886e32fde6134

GCleaner

+ 182 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

suricata

Link:

https://tria.ge/reports/210808-l5r7qgptgx/

Behaviour

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Deletes itself

suricata: ET MALWARE GCleaner Downloader Activity M1

Unpacked files

SH256 hash:

3b309236695517c2e06ff8af3f5c073e1b8e8c99768f5141f4cf9e704050dfdb

MD5 hash:

048d3824dae9ba8c0b48a841c56f2e24

SHA1 hash:

8da82b6a497c97a5512009ef57b4d25f77c57dc1

Link:

https://www.unpac.me/results/5647d9ca-4549-411b-8d7c-bc9e32e6c9b7/

SH256 hash:

5dd59397cd5602fe62425fd765646360de68c56ff17ddb271886bded9f975f3b

MD5 hash:

d8c62ac87bfc863525b9ad700c3515cd

SHA1 hash:

ab8b036293332398b3a81d8a91089b7cb6269bac

Link:

https://www.unpac.me/results/5647d9ca-4549-411b-8d7c-bc9e32e6c9b7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5dd59397cd5602fe62425fd765646360de68c56ff17ddb271886bded9f975f3b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/177275/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample