MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5eeffe30a4fcce65f50caf6e4feab254bd757b0b5109cce8e70be50ab2a4b457. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5eeffe30a4fcce65f50caf6e4feab254bd757b0b5109cce8e70be50ab2a4b457
SHA3-384 hash: 7737360557bd11426217d1444448733eea5ba957d5adde4651d3740b8ca007395906964e117283f0a226ca7ce72537d2
SHA1 hash: 0500c45acae68f88cdc685f053d75cb6e338c80d
MD5 hash: e5f1e8193c5358197e6fc7a2713d62a8
humanhash: mirror-lithium-shade-winner
File name:e5f1e8193c5358197e6fc7a2713d62a8.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:302'592 bytes
First seen:2022-06-05 08:37:11 UTC
Last seen:2022-06-05 09:43:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 871cb2437d28ce529ddfbb3879adedb2 (2 x GCleaner, 1 x Smoke Loader)
ssdeep 6144:y0RTxidE3cPLEpxi8bcqCAs0JGR7Og0j:y0DSFn8bYAs0Y7r0
Threatray 8'817 similar samples on MalwareBazaar
TLSH T18054F1317BF08831F5FB773494B099543ABF78822474864EA7B8166EAE217C09E75363
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 36f0c8c8c8c8e860 (4 x GCleaner)
Reporter abuse_ch
Tags:exe gcleaner

Intelligence

File Origin
# of uploads :
2
# of downloads :
363
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
e5f1e8193c5358197e6fc7a2713d62a8.exe
Verdict:
Malicious activity
Analysis date:
2022-06-05 08:52:48 UTC
Tags:
loader evasion trojan opendir rat redline
Link:
https://app.any.run/tasks/cea3b966-f9c6-4412-af9c-8a0441198a54

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Nymaim
Create hunting rule
Link:
https://www.capesandbox.com/analysis/276781/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.65479.11608.30747.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/629c6b6d704da713c66cbb59/reports/87c78ec4-6ba4-4368-b5a6-d3596814296e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/63c968db-6d9d-4820-bfda-1e793d70ea21
Result
Threat name:
Nymaim
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1006853
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Nymaim
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 639345 Sample: DOPHMqym7g.exe Startdate: 05/06/2022 Architecture: WINDOWS Score: 60 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected Nymaim 2->44 46 Machine Learning detection for sample 2->46 7 DOPHMqym7g.exe 15 2->7         started        process3 dnsIp4 38 37.0.8.39, 49772, 80 WKD-ASIE Netherlands 7->38 10 WerFault.exe 9 7->10         started        14 WerFault.exe 9 7->14         started        16 WerFault.exe 9 7->16         started        18 7 other processes 7->18 process5 dnsIp6 40 192.168.2.1 unknown unknown 10->40 24 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 10->24 dropped 26 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 14->26 dropped 28 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 16->28 dropped 30 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->30 dropped 32 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->32 dropped 34 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->34 dropped 36 3 other malicious files 18->36 dropped 20 conhost.exe 18->20         started        22 taskkill.exe 18->22         started        file7 process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5eeffe30a4fcce65f50caf6e4feab254bd757b0b5109cce8e70be50ab2a4b457/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2022-06-05 04:30:29 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=l3x74mfe7thgl5imv5xe72vsks6xk6ylkee4z2hhbpsqvmvewrlq._file
Verdict:
malicious
Similar samples:
0153ad4d1224b9a37b2eb3264ea7f8685828ab18c9c49aecaa6bda39d914aa7a
GCleaner
34a1058099e4cd83b385aabc3bfa13af4ec2a1131b319a00d3e806b74f04c53c
GCleaner
57c9630ff4575c0881314c5f31f4177249c84218642cef6c3896fbc6337c380a
GCleaner
659784641effc7de35c04bd4ca5e1a343d23047827cc57166fbb26fd39484767
GCleaner
76ec71452ee463bae5890c3c311fa79afceb73650d1046e0298b2b75e0e08d77
GCleaner
d79a379ce1fcbe1e3548dfde37f6c2591f2ebf8de6c0d0db6f282933e529cf53
GCleaner
ddf49a03e02e2a373eae0941e762357c361a689cc76ed8db78016500080b0869
GCleaner
df26b54b984ae1b94fecde99e7b0513a305164f9000929d3467a95d16e33667d
GCleaner
e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555
GCleaner
+ 8'807 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220605-kjp27shdd7/
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Deletes itself
Unpacked files
SH256 hash:
a0b348ae08664e5ccc0f3596020aecc5cc779c56b1db07f726a163a152cd9457
MD5 hash:
0eea16edb874efb6cbbf2d1dc71c6480
SHA1 hash:
c948bd3f07e1785a160d272c533d2d11fe79cf7c
Link:
https://www.unpac.me/results/9d0a077c-3336-437b-8304-10e648e5f7d7/
Parent samples :
b14fb1b11ccf9793912a1bbda9a027c01c75155135b1cb177b77c0de7a4d6b34
45f64ad405eaa4ed35eb74b4e773cb1041c377abdc2b80599168018a2e1406bc
4eecbfc54480c8b8e98d3abba71b70d63575355141f4892a55d49631841ebfba
190a63203f7970e14c4f9f886ad814bbb5b30160dcba66d22b78583baaae478e
d97409bc67beeca578cfa94b5058501dd8951e4206a18a019702e039966a22dc
81a110de18613503c0f3075da56cdbe363091cebcd8c52423ac1d63aa791bb22
cd8fdfee914d46d345bedd2868f2aec93c48fd00385492e377793f06cd42dc1f
6763b0b45f0fd8e32e29377a207058fc42a02bb6d1db368c76fd0af470abc341
5ec64b926c9e2f1d2c69f92b69b5c9169b23d533f327ac944776e8e266eaab99
SH256 hash:
5eeffe30a4fcce65f50caf6e4feab254bd757b0b5109cce8e70be50ab2a4b457
MD5 hash:
e5f1e8193c5358197e6fc7a2713d62a8
SHA1 hash:
0500c45acae68f88cdc685f053d75cb6e338c80d
Link:
https://www.unpac.me/results/9d0a077c-3336-437b-8304-10e648e5f7d7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5eeffe30a4fcce65f50caf6e4feab254bd757b0b5109cce8e70be50ab2a4b457

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe 5eeffe30a4fcce65f50caf6e4feab254bd757b0b5109cce8e70be50ab2a4b457

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2212368/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/276781/

Comments