MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f21d74f2ad986423d4a3f060a94a7006b43ad6227c3ce28b8b5018259c07397. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f21d74f2ad986423d4a3f060a94a7006b43ad6227c3ce28b8b5018259c07397
SHA3-384 hash: de5b04cc8cbc26518abccdb944ff118cb2fe4b2c9bea3addce03b4ddf4133556cae40a8ee3118244cbaf3a11f0cb21e8
SHA1 hash: 85a3ceb1ce9cd681f70151ae8aa41b5c233b6ae2
MD5 hash: 33b2c99ec24834dfc7e36dfdabea8043
humanhash: speaker-lemon-uncle-whiskey
File name:33b2c99ec24834dfc7e36dfdabea8043
Download: download sample
Signature GCleaner
Create hunting rule
File size:398'848 bytes
First seen:2023-01-25 15:04:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8f16ef841269728457dd532b4a807550 (6 x Smoke Loader, 2 x RedLineStealer, 1 x GCleaner)
ssdeep 6144:HzLmJeTTkuOvPMwPraqF/OJqXoxChGmTKq0VvRFBMolz20AxUy:TSYdwPraqAWDhG40VvR5lzov
TLSH T11D84CF12F6D4BCA1F92DC9328D26DBDC3A7EF8905D146226767C7A0F69702E0863E351
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 32f0e86969696969 (1 x Nymaim, 1 x GCleaner)
Reporter zbetcheckin
Tags:32 exe gcleaner

Intelligence

File Origin
# of uploads :
1
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
33b2c99ec24834dfc7e36dfdabea8043
Verdict:
Malicious activity
Analysis date:
2023-01-25 15:04:31 UTC
Tags:
loader gcleaner trojan rat redline stealer opendir vidar cryptbot
Link:
https://app.any.run/tasks/aa14ba5f-9105-4610-be1f-f64d7281683b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Nymaim
Create hunting rule
Link:
https://www.capesandbox.com/analysis/356758/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/63016/overview
Behaviour
MalwareBazaar
SystemUptime
CPUID_Instruction
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63d14521447edb203a00f115/reports/a69b85a9-5828-42c6-ae90-7cd3433ae32a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7c6c2126-ea8e-4b17-acad-25962d2153fe
Result
Threat name:
Nymaim
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1158804
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Nymaim
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5f21d74f2ad986423d4a3f060a94a7006b43ad6227c3ce28b8b5018259c07397/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-01-25 15:08:40 UTC
File Type:
PE (Exe)
Extracted files:
88
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l4q5otzk3gdeepkkh4davffhabvuhllce7b44kfywuayewoaoolq._file
Verdict:
malicious
Result
Malware family:
gcleaner
Create hunting rule
Score:
  10/10
Tags:
family:gcleaner loader
Link:
https://tria.ge/reports/230125-sf66bagg57/
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Deletes itself
GCleaner
Malware Config
C2 Extraction:
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Unpacked files
SH256 hash:
b2ddfbc0bda6a7be79d792211d0f461aba034c4d7df56bd640eb339607a334b1
MD5 hash:
7ec281e3a914062ca9bb1906fe8e3adc
SHA1 hash:
46d36d59372f8dd021498036b6aae7649cc4806b
Detections:
win_nymaim_g0
Create hunting rule
Nymaim
Create hunting rule
win_gcleaner_w0
Create hunting rule
win_gcleaner_auto
Create hunting rule
Link:
https://www.unpac.me/results/5a123b0d-6887-4c4e-81f3-e6b8f127e0d2/
Parent samples :
a8e63f9b3f0afa3b9e38a21c413ed4c62d0c10d410e99b60ea69d8b58d40ca18
f787a587a4ff9056d821fd4ab685c0c7c0de84c2d7c440155acbb99b0e63071b
9cfdc5f11ab2c97fd116b930b1e20d51ecb607efdbbb106811bdfb3288a0b82a
5f21d74f2ad986423d4a3f060a94a7006b43ad6227c3ce28b8b5018259c07397
b11f4d0513f8394544e1b1244b6eb46c8219034afe039fd0dc891ca4f463f9f0
f5a84bf51c4075d3dc72f3fb33a6137292b453086642a95114bdb3a5eb00195a
99d7cab5a3ee9b7c9fc2ee3786312978332a2dc6836bc7e658914ae53481d6d9
ffdb81bc24bd8b48d04cd589a0d84d848f9a32ff2cda79b8370bc162ee8d607d
a57bde2ce8ff1779020ddc373b1ab649a72fd1a450a46b46af446c4b9ad06bbe
8b404bd0942c675042585388c409252521839c262b33fbbe5a60346eed84915f
8853715caa4502209f806afcded94a839120cc0885196b32d8d25f7e4a43dca3
a0bcf89c02ad71f0080b2bc7fdd7171e9bae7ed60fdcf920eadc837fc6d2c0a3
99c174299dbb2e0fc5a2fa4bab7bfbc95b7ce2c510fc043a5a4a952a61d28ffe
c424c1d216307f9ea2268a53843ee9606d2bdb81e009df7974cae072d28d2d55
c7cfe5a719c1f661d3c88a943667b38d19ceb50e75bda93e2e7c0768d9465b27
4f3b3a58cf917cc065473b644107bedf72121fa1591335bccc4b95f331c4ac9c
324d28d289447cd6be831620cd47658acba7eca3a05d982ef8b2c1287f173cd1
a3d7b71b897c554fabca6a2cadba74f5fc19103d20d2e8a0d7ba3ba16a506acf
4a881b40d1a58134c0d61e1d196443aae5f9c395ce969103981a8c904bb566bd
0bae28922ad0fc2e5d92b6bf45fd23efb20c2639fafef7bcb0e12b642e2a9f5b
9c48e1bb555bbb98d635146b5098f1fda8753eade8479c079a14a5a1887fde7e
8a2ed465f876e200314451371c46e38ddb7dae622efe7f60bb7d58d9291651d5
43c684cde21885bd1a7add14846c6ce0ab374a6ff7163b655ec80186620770d3
dac1de6b2503baa1e80b0c90555aa87b663cd6a8e57651c97aae775defbe8f29
ec4a3b4195a3e96b2368b55ebb4c3c64e07a2d84e8f5b8a501b0547473ebf9d9
4b0e4fd6806fe1cd9dd277211a3aa9ab0510a3795355190acf8a84f6a2e5a508
3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5
621f05c3a5bc27def35adf4d0503b2f5019db2f2b72a0452c9a14850c4495779
ce53630e164fefbd80810e812308044a6c6705ae6c797aa680c0952b1b28c15f
780ed40282d7d392080687d1e32bc017f63ffab0c0fb020d1dcf3bf7c4c186da
25a2a5069c502b7aafebbdf26a2d80225774f39f537f2d1b03e3099300d6b3f9
SH256 hash:
5f21d74f2ad986423d4a3f060a94a7006b43ad6227c3ce28b8b5018259c07397
MD5 hash:
33b2c99ec24834dfc7e36dfdabea8043
SHA1 hash:
85a3ceb1ce9cd681f70151ae8aa41b5c233b6ae2
Link:
https://www.unpac.me/results/5a123b0d-6887-4c4e-81f3-e6b8f127e0d2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5f21d74f2ad986423d4a3f060a94a7006b43ad6227c3ce28b8b5018259c07397

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_gcleaner_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.gcleaner.
Rule name:win_gcleaner_de41
Create hunting rule
Author:Johannes Bader
Description:detects GCleaner
Rule name:win_gcleaner_w0
Create hunting rule
Author:Johannes Bader @viql
Description:detects GCleaner

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe 5f21d74f2ad986423d4a3f060a94a7006b43ad6227c3ce28b8b5018259c07397

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/356758/

Comments


Avatar
zbet commented on 2023-01-25 15:04:10 UTC

url : hxxp://45.12.253.74/pineapple.php?pub=mixkis/