MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 665687b64c26cd4019dd0e43415dd4978c2ed59c7c897462f3cd64c4920e380b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: GCleaner
Vendor detections: 14

SHA256 hash: 665687b64c26cd4019dd0e43415dd4978c2ed59c7c897462f3cd64c4920e380b
SHA3-384 hash: 48c24a802a34093015e45c0e99ca4efadbc89371d51d6c5d6a002a627d97c20b8b789b53cd5de0705b66388417b7a7b1
SHA1 hash: c2f706da55db84c9be7a9ea8a6bd6a7fcc38821f
MD5 hash: d05ef81ac5b06b66781eaea972cb2f47
humanhash: undress-summer-arizona-delaware
File name: file
Download: sample available
Signature: GCleaner
File size: 2'589'885 bytes
First seen: 2023-03-17 10:19:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 884310b1928934402ea6fec1dbd3cf5e (shared with 3'725 GCleaner, 3'446 Socks5Systemz and 262 RaccoonStealer samples; the imphash covers only the import table, so it groups samples built with the same installer or packer, here an Inno Setup package per TrID and the dropped is-*.tmp/unins000.exe files, rather than the same payload)
ssdeep: 49152:EGlJfsRCVMPPVMVY8Mkac1f9/WCxUyE2J5Gpn7DhyMMG999TaP5bZ2Rozh5dlLYp:5vgX8MX6BH+GjG5nhyPG9TTaP5bkWPYp
Threatray: 1 similar sample on MalwareBazaar
TLSH: T1C4C5331656D408F6E8E1D9706C0386657937EE13072EA59462DC1ECC0F6F846CEBE2EB
TrID:
  44.1% (.EXE) Win32 Executable PowerBASIC/Win 9.x (148303/79/28)
  32.6% (.EXE) Inno Setup installer (109740/4/30)
  12.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
  4.2% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  1.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: b298acbab2ca7a72 (shared with 2'327 GCleaner, 1'631 Socks5Systemz and 67 RedLineStealer samples)
Reporter: andretavare5
Tags: exe gcleaner
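Before spending analysis time on a downloaded copy, confirm it really is this record. The following Python check is an added example written for this page, not MalwareBazaar code: it computes the four digests listed above (streaming the file so large dumps need not fit in memory), compares each one case-insensitively, and treats a single mismatch as "different file". The script name verify_sample.py in the usage line is assumed, and the constructed test bytes in the accompanying test are deliberately not the sample, so they must report MISMATCH on every algorithm.

```python
import hashlib
import sys

# Digests copied from this MalwareBazaar record (lower-case hex).
RECORD = {
    "sha256": "665687b64c26cd4019dd0e43415dd4978c2ed59c7c897462f3cd64c4920e380b",
    "sha3_384": "48c24a802a34093015e45c0e99ca4efadbc89371d51d6c5d6a002a627d97c20b8b789b53cd5de0705b66388417b7a7b1",
    "sha1": "c2f706da55db84c9be7a9ea8a6bd6a7fcc38821f",
    "md5": "d05ef81ac5b06b66781eaea972cb2f47",
}


def _new_hashers(names):
    # hashlib.new() accepts "sha3_384" alongside the classic algorithm names.
    return {n: hashlib.new(n) for n in names}


def digest_bytes(data: bytes, names=RECORD) -> dict:
    """Digest an in-memory blob; returns {algorithm: hex}."""
    hs = _new_hashers(names)
    for h in hs.values():
        h.update(data)
    return {n: h.hexdigest() for n, h in hs.items()}


def digest_file(path: str, names=RECORD, chunk: int = 1 << 20) -> dict:
    """Digest a file in 1 MiB chunks so multi-GB dumps stream instead of loading."""
    hs = _new_hashers(names)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {n: h.hexdigest() for n, h in hs.items()}


def verify(actual: dict, expected: dict = RECORD) -> dict:
    """Per-algorithm comparison, case-insensitive (many feeds emit upper-case hex)."""
    return {n: actual.get(n, "").lower() == v.lower() for n, v in expected.items()}


def is_this_sample(actual: dict, expected: dict = RECORD) -> bool:
    """All-or-nothing: one mismatching digest means a different (or altered) file,
    however many of the other digests happen to agree."""
    return all(verify(actual, expected).values())


if __name__ == "__main__":
    # Usage (assumed script name): python verify_sample.py <path to the unpacked sample>
    if len(sys.argv) != 2:
        sys.exit("usage: verify_sample.py <file>")
    got = digest_file(sys.argv[1])
    for algo, ok in verify(got).items():
        print(f"{algo:9s} {'match' if ok else 'MISMATCH'} {got[algo]}")
    sys.exit(0 if is_this_sample(got) else 1)
```

Run it against the extracted sample, not the archive MalwareBazaar serves it in; the exit status makes it usable as a gate in a triage pipeline.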


Comment by andretavare5: Sample downloaded from http://45.12.253.74/pineapple.php?pub=mixinte

Intelligence


File Origin
# of uploads: 1
# of downloads: 248
Origin country: n/a
Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2023-03-17 10:21:09 UTC
Tags: installer loader stealer gcleaner rat redline opendir

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than only the uploaded sample.
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for the window
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Modifying a system file
Creating a file in the %AppData% subdirectories
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Using Windows Management Instrumentation requests
Creating a file in the Windows subdirectories
Launching a tool to kill processes
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour: MalwareBazaar; CheckCmdLine

Result
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware installer overlay packed shell32.dll
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary; depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Cryptbot, MinerDownloader, RedLine, Stea
Detection: malicious
Classification: troj.spyw.evad.mine (trojan, spyware, evasion, miner)
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found C&C like URL pattern
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Cryptbot
Yara detected CryptbotV2
Yara detected Generic Downloader
Yara detected Generic MinerDownloader
Yara detected RedLine Stealer
Yara detected Stealc
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 828597, sample file.exe, start date 17/03/2023, architecture Windows, score 100)

Top-level network: raw.githubusercontent.com; pastebin.com; 2 other IPs or domains
Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 19 other signatures

Process tree (indentation = parent/child; "drops" = files written; "net" = contacted hosts as IP, client port(s) -> server port, ASN, country):

file.exe
  drops: C:\Users\user\AppData\Local\...\is-S4ISP.tmp (PE32)
  is-S4ISP.tmp
    drops: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32); C:\...\unins000.exe (copy) (PE32); 6 other files (4 malicious)
    FRec317.exe
      net: 45.12.253.56 (49698 -> 80), CMCSUS, Germany; 45.12.253.72 (49699 -> 80), CMCSUS, Germany; 45.12.253.75 (49700, 49726 -> 80), CMCSUS, Germany
      drops: C:\Users\user\AppData\...\3tp0NDN5Xt.exe (PE32); C:\Users\user\AppData\...\qWqw4ODNSt.exe (MS-DOS); C:\Users\user\AppData\Roaming\...\jEtnkrG.exe (PE32); 4 other malicious files
      4wPqeW.exe
        drops: C:\Users\user\AppData\Roaming\...\m64.exe (PE32); C:\Users\user\AppData\Roaming\...\m2.exe (PE32)
        m64.exe
          drops: C:\Users\user\AppData\Roaming\...\m3.exe (PE32); C:\Users\user\AppData\Roaming\...\m1.exe (PE32)
          m3.exe
            signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign process
            RegSvcs.exe
              signatures: Writes to foreign memory regions; Injects a PE file into a foreign process
              AppLaunch.exe
                drops: C:\ProgramData\Dllhost\winlogson.exe (PE32+); C:\ProgramData\Dllhost\dllhost.exe (PE32); C:\ProgramData\Dllhost\WinRing0x64.sys (PE32+)
              conhost.exe
            WerFault.exe
          m1.exe
            RegSvcs.exe
            WerFault.exe
        m2.exe
      qWqw4ODNSt.exe
        signatures: Detected unpacking (changes PE section rights); Injects a PE file into a foreign process
        qWqw4ODNSt.exe (second instance)
          net: ernwld52.top 85.31.45.219 (49750 -> 80), CLOUDCOMPUTINGDE, Germany; ovahui07.top 185.246.220.246 (49751 -> 80), LVLT-10753US, Germany; 192.168.2.1 (unknown)
          drops: C:\Users\user\AppData\Roaming\...\prebid.exe (PE32)
          cmd.exe
            prebid.exe
              drops: C:\Users\user\AppData\...\DpEditor.exe (PE32)
              signatures: Query firmware table information (likely to detect VMs); Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
              DpEditor.exe
                signatures: Query firmware table information (likely to detect VMs); Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
            conhost.exe
          cmd.exe
            conhost.exe
            timeout.exe
      jEtnkrG.exe
        net: getgoodsa.link 85.31.45.22 (client ports 49701, 49702, 49703), CLOUDCOMPUTINGDE, Germany
        signatures: Detected unpacking (overwrites its own PE header); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures
        cmd.exe
          conhost.exe
          timeout.exe
      2 other processes
        conhost.exe
        taskkill.exe
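The chain the graph records (Inno Setup stub, then a dropped loader in AppData, then cmd.exe/timeout.exe and taskkill.exe, then the .NET binaries RegSvcs.exe and AppLaunch.exe used as injection hosts, then WinRing0x64.sys written under C:\ProgramData\Dllhost\) is what an endpoint hunt should key on. The Python below is an added example written for this page, not code from any sandbox vendor: it runs four such rules over constructed Sysmon-style process-creation and file-create events. The process and file names are the page's; the directories, PIDs and the collapsed parent chain are assumed (the graph elides the directories), and a benign Inno Setup install into Program Files is included as a control that must not fire.

```python
import ntpath
import re

# Constructed events in the shape of Sysmon EID 1 (process create) and EID 11
# (file create), modelled on the behaviour graph above. Process and file names
# are the page's; the directories, PIDs and the collapsed chain are assumed.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 4, "image": r"C:\Users\user\Desktop\file.exe"},
    {"type": "process", "pid": 101, "ppid": 100,
     "image": r"C:\Users\user\AppData\Local\Temp\is-QJ7N2.tmp\is-S4ISP.tmp"},   # Inno Setup stub
    {"type": "process", "pid": 102, "ppid": 101, "image": r"C:\Users\user\AppData\Local\Temp\FRec317.exe"},
    {"type": "process", "pid": 103, "ppid": 102, "image": r"C:\Users\user\AppData\Roaming\jEtnkrG.exe"},
    {"type": "process", "pid": 104, "ppid": 103, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "pid": 105, "ppid": 104, "image": r"C:\Windows\System32\timeout.exe"},
    {"type": "process", "pid": 106, "ppid": 102, "image": r"C:\Windows\System32\taskkill.exe"},
    {"type": "process", "pid": 107, "ppid": 102, "image": r"C:\Users\user\AppData\Roaming\m3.exe"},
    {"type": "process", "pid": 108, "ppid": 107,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"type": "process", "pid": 109, "ppid": 108,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"},
    {"type": "file", "pid": 109, "path": r"C:\ProgramData\Dllhost\WinRing0x64.sys"},
    {"type": "file", "pid": 109, "path": r"C:\ProgramData\Dllhost\winlogson.exe"},
    # Benign control: an ordinary Inno Setup install into Program Files.
    {"type": "process", "pid": 200, "ppid": 4, "image": r"C:\Users\user\Downloads\editor-setup.exe"},
    {"type": "process", "pid": 201, "ppid": 200,
     "image": r"C:\Users\user\AppData\Local\Temp\is-K2M8F.tmp\editor-setup.tmp"},
    {"type": "process", "pid": 202, "ppid": 201, "image": r"C:\Program Files\Editor\editor.exe"},
    {"type": "file", "pid": 201, "path": r"C:\Program Files\Editor\unins000.exe"},
]

# Inno Setup unpacks its stub to %TEMP%\is-XXXXX.tmp\<name>.tmp before running it.
INNO_STUB = re.compile(r"\\AppData\\Local\\Temp\\is-[A-Z0-9]{5}\.tmp\\[^\\]+\.tmp$", re.I)
# Locations a standard user can write to without elevation.
USER_WRITABLE = re.compile(r"^[A-Z]:\\(?:Users\\[^\\]+\\AppData\\|ProgramData\\)", re.I)
DOTNET_HOSTS = {"regsvcs.exe", "applaunch.exe"}   # .NET binaries the graph shows being injected into
KILL_WAIT = {"taskkill.exe", "timeout.exe"}
SHELLS = {"cmd.exe", "conhost.exe"}
DLLHOST_DIR = "c:\\programdata\\dllhost\\"


def base(path):
    return ntpath.basename(path).lower()


def ancestors(procs, pid):
    """Yield parent, grandparent, ... of pid until the chain leaves the event set."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid]["ppid"]
        if pid in procs:
            yield procs[pid]


def hunt(events):
    """Return [(rule, pid_or_path), ...] for every event that trips a rule."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for p in procs.values():
        name, parent = base(p["image"]), procs.get(p["ppid"])
        # R1: an Inno Setup stub starts an .exe from a user-writable directory.
        if (parent and INNO_STUB.search(parent["image"])
                and USER_WRITABLE.match(p["image"]) and name.endswith(".exe")):
            hits.append(("inno_stub_runs_dropped_exe", p["pid"]))
        # R2: taskkill/timeout whose nearest non-shell ancestor lives in AppData/ProgramData.
        if name in KILL_WAIT:
            origin = next((a for a in ancestors(procs, p["pid"]) if base(a["image"]) not in SHELLS), None)
            if origin and USER_WRITABLE.match(origin["image"]):
                hits.append(("kill_or_wait_from_userdir", p["pid"]))
        # R3: RegSvcs/AppLaunch with an AppData/ProgramData ancestor within two hops.
        if name in DOTNET_HOSTS:
            if any(USER_WRITABLE.match(a["image"]) for a in list(ancestors(procs, p["pid"]))[:2]):
                hits.append(("dotnet_host_from_userdir", p["pid"]))
    # R4: the WinRing0 driver, or anything at all written under C:\ProgramData\Dllhost\.
    for e in events:
        if e["type"] == "file" and (base(e["path"]) == "winring0x64.sys"
                                    or e["path"].lower().startswith(DLLHOST_DIR)):
            hits.append(("miner_driver_or_dllhost_drop", e["path"]))
    return hits


if __name__ == "__main__":
    for rule, what in hunt(EVENTS):
        print(f"{rule:32s} {what}")
```

R1 on its own is noisy on hosts where users install software freely, which is why R2 to R4 look at what the dropped process goes on to do; on the events above, R1 fires once (FRec317.exe), R2 twice, R3 twice, R4 twice, and nothing in the benign install trips any rule.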
Threat name: Win32.Trojan.Privateloader
Status: Suspicious
First seen: 2023-03-17 10:20:09 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 13 of 24 (54.17%)
Threat level: 5/5

Result
Malware family: gcleaner
Score: 10/10
Tags: family:gcleaner discovery loader
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
GCleaner
Malware Config
C2 Extraction:
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Note that the reporter's download host (45.12.253.74) and all four extracted C2 addresses fall within 45.12.253.0/24. 45.12.253.98 comes from the extracted configuration and does not appear in the per-process traffic listed in the behaviour graph above, so treat it as a configuration-derived indicator rather than an observed one.
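On the network side, the indicators this page yields are the four extracted C2 addresses, the reporter's download host 45.12.253.74, the domains and their resolved addresses from the behaviour graph, and the /pineapple.php?pub= download path. The Python below is an added example (ours, not MalwareBazaar's) that scores proxy and DNS log lines against them in three tiers: listed host (high), unlisted address inside 45.12.253.0/24 (medium), and the download path on any host (medium). The log lines and their format ("<timestamp> <client> <verb> <target> ...") are constructed for the example. raw.githubusercontent.com and pastebin.com are deliberately left off the list: the sandbox flags them as likely C&C channels, but they are shared services and would only produce noise without process context.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators as listed on this page.
C2_IPS = {"45.12.253.56", "45.12.253.72", "45.12.253.98", "45.12.253.75"}   # extracted config
DOWNLOAD_HOST = "45.12.253.74"                                               # reporter's URL
DOMAINS = {"getgoodsa.link", "ernwld52.top", "ovahui07.top"}                # behaviour graph
RESOLVED = {"85.31.45.22", "85.31.45.219", "185.246.220.246"}               # their addresses in the graph
C2_NET = ipaddress.ip_network("45.12.253.0/24")   # every C2 and the download host sit in it
DL_PATH = re.compile(r"/pineapple\.php\?pub=", re.I)
LEVELS = ("low", "medium", "high")

# Constructed log lines: "<timestamp> <client> <verb> <target> <rest...>"; DNS lines are
# "<ts> <client> DNS <qname> <type> <answer>". This is not a real product's format.
LOG = """\
2023-03-17T10:21:09Z 10.0.0.15 GET http://45.12.253.74/pineapple.php?pub=mixinte 200
2023-03-17T10:21:12Z 10.0.0.15 GET http://45.12.253.56/ 200
2023-03-17T10:21:14Z 10.0.0.15 GET http://45.12.253.201/update.bin 404
2023-03-17T10:21:30Z 10.0.0.15 DNS getgoodsa.link A 85.31.45.22
2023-03-17T10:21:31Z 10.0.0.15 DNS ovahui07.top A 185.246.220.246
2023-03-17T10:21:40Z 10.0.0.15 GET https://raw.githubusercontent.com/ 200
2023-03-17T10:22:01Z 10.0.0.22 DNS www.example.com A 93.184.216.34
2023-03-17T10:22:05Z 10.0.0.22 GET https://www.example.com/pineapple.php?pub=test 200
"""


def classify_host(host):
    """(confidence, reason) for a hostname or IP literal, or None if clean."""
    h = host.lower().rstrip(".")
    if h in DOMAINS:
        return ("high", "c2 domain")
    if h in C2_IPS or h in RESOLVED or h == DOWNLOAD_HOST:
        return ("high", "c2/payload ip")
    try:
        if ipaddress.ip_address(h) in C2_NET:
            return ("medium", "c2 /24 neighbour")   # same block, but not a listed IOC
    except ValueError:
        pass                                          # a hostname, not an address
    return None


def scan_line(line):
    """One alert dict for a matching line, else None."""
    parts = line.split()
    if len(parts) < 4:
        return None
    ts, client, verb, target = parts[:4]
    if verb == "DNS":
        answer = parts[5] if len(parts) > 5 else ""
        findings = [c for c in (classify_host(target), classify_host(answer)) if c]
    else:
        u = urlsplit(target)
        findings = [c for c in (classify_host(u.hostname or ""),) if c]
        if DL_PATH.search(u.path + "?" + u.query):
            findings.append(("medium", "gcleaner download path"))
    if not findings:
        return None
    best = max(findings, key=lambda f: LEVELS.index(f[0]))
    return {"ts": ts, "client": client, "target": target,
            "confidence": best[0], "reasons": sorted({r for _, r in findings})}


def scan_log(text):
    return [a for a in map(scan_line, text.splitlines()) if a]


def infected_clients(alerts):
    """Clients with at least one high-confidence hit: isolate these first."""
    return {a["client"] for a in alerts if a["confidence"] == "high"}


if __name__ == "__main__":
    for a in scan_log(LOG):
        print(a["confidence"].upper(), a["client"], a["target"], ", ".join(a["reasons"]))
    print("isolate:", sorted(infected_clients(scan_log(LOG))))
```

The /24 rule is a coarse heuristic for a hosting block and should be confirmed before it drives blocking; the path rule catches the download URL even if the host moves, which is why it is kept separate from the host match.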
Unpacked files
SHA256 hash: 38d161157f7311a27341fe635efe3a4aa2c521f0b5c7cf59811ed1ef74d0afaa
MD5 hash: 40d668cc66a2dfbb2e8f07ce95da5f6c
SHA1 hash: d086c4deaf552ccb06e0e8d2658c1c69e6e17c32
Detections: Nymaim win_nymaim_g0 win_gcleaner_auto

SHA256 hash: 2b795bf1e77f152cacebe72b7bbe6e9d446439607b06a04536fb7d3415507ab8
MD5 hash: 083c91834379657e23c897a9b4ef10f0
SHA1 hash: 6e8ad1d5c5dec124e8d00908a72acb02b5ce1f29

SHA256 hash: 665687b64c26cd4019dd0e43415dd4978c2ed59c7c897462f3cd64c4920e380b (the submitted sample itself)
MD5 hash: d05ef81ac5b06b66781eaea972cb2f47
SHA1 hash: c2f706da55db84c9be7a9ea8a6bd6a7fcc38821f
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
A hit on this rule is not an attribution by itself: judging by its description it was written against one file (~tmp01925d3f.exe) from an incident write-up, and no sandbox result on this page reports Cobalt Strike.

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: win_gcleaner_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.gcleaner.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by: PrivateLoader
Delivery method: Distributed via drive-by