MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63d15995aabfa7357c195576884d9ac6b6c1f9f92dea19d7eb0bc58f75f88ceb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 13



SHA256 hash: 63d15995aabfa7357c195576884d9ac6b6c1f9f92dea19d7eb0bc58f75f88ceb
SHA3-384 hash: cdbeb68eb9945d3910da942e13ce1a5ced1fa891da2c71774d12dbc5a01a8a7e4ea1677e63ceb4fabb88a3e287a56c5c
SHA1 hash: 6db690b953165663da49191f91622e1643fc76c7
MD5 hash: 757f76cf67c1a5f7cfaff302cb09316f
humanhash: wolfram-three-low-equal
File name: setup_x86_x64_install.exe
Signature GCleaner
File size: 9'522'663 bytes
First seen: 2021-11-30 15:06:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 196608:JLprGIhDBHlt9dRh0NffiB+Z+v2XlDPiZA/OeUuWWNaFRZI:JL8Ytdd0ffs+Z3XNiZAZUujYi
Threatray 763 similar samples on MalwareBazaar
TLSH T1B1A633062E63786ACFD6F6729D03753726EC04B1A158AC4BF5883FA4039D0167A79F72
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter tech_skeech
Tags: exe gcleaner

Intelligence


File Origin
# of uploads: 1
# of downloads: 152
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: setup_x86_x64_install.exe
Verdict: Malicious activity
Analysis date: 2021-11-30 14:29:17 UTC
Tags: evasion trojan stealer vidar loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Launching a process
DNS request
Sending an HTTP GET request
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys overlay packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Backstage Stealer Metasploit RedLine Smo
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Disables Windows Defender (via service or powershell)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Backstage Stealer
Yara detected Metasploit Payload
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph: ID 531257 (Sample: setup_x86_x64_install.exe, Startdate: 30/11/2021, Architecture: WINDOWS, Score: 100). The graph image is not reproduced here; it shows setup_x86_x64_install.exe dropping and starting setup_installer.exe, which in turn drops setup_install.exe, two Tue14*.exe payloads and 15 other files (10 malicious). setup_install.exe then spawns cmd.exe and powershell.exe children that add a directory exclusion to Windows Defender and disable Defender, and launches the dropped Tue14*.exe executables, one of which injects a PE file into foreign processes and several of which contact external IPs in Germany, Russia and the United States.
Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2021-11-30 15:07:41 UTC
File Type: PE (Exe)
Extracted files: 162
AV detection: 23 of 28 (82.14%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:cryptbot family:metasploit family:redline family:smokeloader family:socelars family:vidar botnet:915 botnet:media28p aspackv2 backdoor collection discovery evasion infostealer spyware stealer suricata trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Enumerates processes with tasklist
Gathers network information
Gathers system information
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Runs net.exe
Script User-Agent
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Drops startup file
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
ASPack v2.12-2.42
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
NirSoft WebBrowserPassView
Nirsoft
Vidar Stealer
CryptBot
MetaSploit
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
suricata: ET MALWARE ClipBanker Variant Activity (POST)
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Malware Config
C2 Extraction:
Unpacked files
Detections:
win_zloader_g1
Parent samples:
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address
Rule name: crime_ZZ_botnet_aicm
Author: imp0rtp3
Description: DDoS Golang Botnet sample for linux called 'aicm'
Reference: https://twitter.com/IntezerLabs/status/1401869234511175683
Rule name: Glupteba
Rule name: GoBinTest
Rule name: golang
Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects Windows executables referencing non-Windows User-Agents
Rule name: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Author: ditekSHen
Description: Detects executables containing URLs to raw contents of a Github gist
Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
Author: ditekSHen
Description: Detects executables referencing many varying, potentially fake Windows User-Agents
Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks
Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer
Rule name: UroburosVirtualBoxDriver
Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: GCleaner
File: Executable exe 63d15995aabfa7357c195576884d9ac6b6c1f9f92dea19d7eb0bc58f75f88ceb (this sample)

Comments