MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61398612ad5035f2a6f1a1eb695d6042d76192ed696f73c44b3eb8ed7dfb1c04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	61398612ad5035f2a6f1a1eb695d6042d76192ed696f73c44b3eb8ed7dfb1c04
SHA3-384 hash:	322f0f6011666c6bed25444c3cdb0f3171dae621851fb3a52adbb0ead4e343127c72aeba8fc9a23dae2056884dabda7e
SHA1 hash:	8f331c0da837e6e5bc88839a940abc0ec679a082
MD5 hash:	ad02265bbeab5f481ce2577d350a9e2e
humanhash:	winner-asparagus-leopard-sad
File name:	ad02265bbeab5f481ce2577d350a9e2e.exe
Download:	download sample
Signature	GCleaner Create hunting rule
File size:	299'008 bytes
First seen:	2022-06-09 08:36:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8ecc82a073398bf14d8558eb75c220bf (5 x Amadey, 4 x Smoke Loader, 1 x GCleaner)
ssdeep	3072:h/Z1DGH5ZXiHDndcPom9j6JpsdoOvOSl8Ig9dJTRsz58L7XMQVo5DdfngPCNM+Rw:NauDdcz2J+hvOK8JTGG7fijPgPCz
Threatray	9'019 similar samples on MalwareBazaar
TLSH	T13154F121BAF0DC32F9B7653048B1D6224A7B7D1266318946B3B406A97F712D07B783D7
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	66e0d8d0d8d8d8d0 (1 x GCleaner)
Reporter	abuse_ch
Tags:	exe gcleaner

Intelligence

File Origin

# of uploads :

# of downloads :

293

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ad02265bbeab5f481ce2577d350a9e2e.exe

Verdict:

Malicious activity

Analysis date:

2022-06-09 08:46:05 UTC

Tags:

loader evasion

Link:

https://app.any.run/tasks/f03c98cd-2643-4a63-8dcf-94210662cbf5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Nymaim

Link:

https://www.capesandbox.com/analysis/278153/

Detection(s):

SecuriteInfo.com.Trojan.Siggen18.3513.2104.5134.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/62a1b1348e867832d9eaa7db/reports/cb3707e6-f61a-4ba9-9f27-4c1efda3c00d/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/51d89536-a96b-4782-8424-39493a349e45

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/61398612ad5035f2a6f1a1eb695d6042d76192ed696f73c44b3eb8ed7dfb1c04/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-06-09 03:45:22 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=me4ymevnka27fjxruhvwsxlaillwdexnnfxxhrclh24o27p3dqca._file

Verdict:

malicious

GCleaner

34a1058099e4cd83b385aabc3bfa13af4ec2a1131b319a00d3e806b74f04c53c

GCleaner

3d9df2f61bcef270af2d278069c3aa0457d996e29a25896128867a9a52a4abea

GCleaner

659784641effc7de35c04bd4ca5e1a343d23047827cc57166fbb26fd39484767

GCleaner

a05b12806135be357756f9bfed4e77836f44919a56351a2aa127ae8eecf54c1c

GCleaner

b180216a50259f6c1602343a6da48ccd1b9bc293e0d6ff4f1336fa212c482ce6

GCleaner

d79a379ce1fcbe1e3548dfde37f6c2591f2ebf8de6c0d0db6f282933e529cf53

GCleaner

df26b54b984ae1b94fecde99e7b0513a305164f9000929d3467a95d16e33667d

GCleaner

+ 9'009 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/220609-kh6nkahef2/

Behaviour

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Checks computer location settings

Deletes itself

Unpacked files

SH256 hash:

a0b348ae08664e5ccc0f3596020aecc5cc779c56b1db07f726a163a152cd9457

MD5 hash:

0eea16edb874efb6cbbf2d1dc71c6480

SHA1 hash:

c948bd3f07e1785a160d272c533d2d11fe79cf7c

Link:

https://www.unpac.me/results/4a0496cf-674b-4e22-8788-3897e9308e52/

Parent samples :

b14fb1b11ccf9793912a1bbda9a027c01c75155135b1cb177b77c0de7a4d6b34
45f64ad405eaa4ed35eb74b4e773cb1041c377abdc2b80599168018a2e1406bc
4eecbfc54480c8b8e98d3abba71b70d63575355141f4892a55d49631841ebfba
190a63203f7970e14c4f9f886ad814bbb5b30160dcba66d22b78583baaae478e
d97409bc67beeca578cfa94b5058501dd8951e4206a18a019702e039966a22dc
81a110de18613503c0f3075da56cdbe363091cebcd8c52423ac1d63aa791bb22
cd8fdfee914d46d345bedd2868f2aec93c48fd00385492e377793f06cd42dc1f
6763b0b45f0fd8e32e29377a207058fc42a02bb6d1db368c76fd0af470abc341
5ec64b926c9e2f1d2c69f92b69b5c9169b23d533f327ac944776e8e266eaab99

SH256 hash:

61398612ad5035f2a6f1a1eb695d6042d76192ed696f73c44b3eb8ed7dfb1c04

MD5 hash:

ad02265bbeab5f481ce2577d350a9e2e

SHA1 hash:

8f331c0da837e6e5bc88839a940abc0ec679a082

Link:

https://www.unpac.me/results/4a0496cf-674b-4e22-8788-3897e9308e52/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/61398612ad50/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/61398612ad5035f2a6f1a1eb695d6042d76192ed696f73c44b3eb8ed7dfb1c04

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

exe 61398612ad5035f2a6f1a1eb695d6042d76192ed696f73c44b3eb8ed7dfb1c04

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2212368/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/278153/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample

MalwareBazaar Database

Database Entry

Intelligence

File Origin

Vendor Threat Intelligence

Result

Behaviour

Result

Details

Result

Signature

Behaviour

Result

Behaviour

Unpacked files

File information

Comments

Login required