MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6696ad7b0ee5d1ddf212e97bc16145ad4116714b212812099449603205c6843d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry
GCleaner


Vendor detections: 12

SHA256 hash: 6696ad7b0ee5d1ddf212e97bc16145ad4116714b212812099449603205c6843d
SHA3-384 hash: 331840bd5e57996772704d84c7cf49ea648df5ad577bc25715453d9adc9ad1dabb09441f1ba0fe0de1a9e49d3efe305c
SHA1 hash: c6045add26674babc63a3abbed3d83eb545fd389
MD5 hash: 91834906b220ce6291d142827a6ef30f
humanhash: september-edward-magazine-william
File name: file
Signature: GCleaner
File size: 399'872 bytes
First seen: 2022-09-17 03:57:30 UTC
Last seen: 2022-09-17 04:26:06 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 4a80c3940763f436348583ca7b3aa024 (15 x Smoke Loader, 13 x GCleaner, 11 x Stop)
ssdeep 6144:F2K0DL/JX3wlaiMk6lyU0kJJxaduvmqXu/j7m2FO+qD0W4l1KnigabwVf:F29DJX3eNQlzXJxoyNOPm28+xWC1Ki
Threatray 12'326 similar samples on MalwareBazaar
TLSH T11C84D0227A918971D4553D308826DFB0277FFC2166241A47F7B06B6E6E733806A7638F
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): PE icon
dhash icon 0ef0e86869696860 (1 x GCleaner)
Reporter andretavare5
Tags: exe gcleaner

andretavare5
Sample downloaded from http://95.214.24.96/load.php?pub=mixinte

Intelligence


File Origin
# of uploads: 3
# of downloads: 321
Origin country: n/a
Vendor Threat Intelligence
Malware family: raccoon
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2022-09-17 03:58:33 UTC
Tags: loader trojan stealer raccoon recordbreaker arkei opendir

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Creating a file in the system32 subdirectories
Creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 75%
Tags: greyware packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 72 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Yara detected Nymaim
Behaviour
Behavior Graph:
Threat name: Win32.Trojan.Emotet
Status: Malicious
First seen: 2022-09-17 03:58:09 UTC
File Type: PE (Exe)
Extracted files: 70
AV detection: 21 of 39 (53.85%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:nymaim trojan
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Deletes itself
NyMaim
Malware Config
C2 Extraction:
208.67.104.97
85.31.46.167
Verdict: Informative
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: ff27b0a9f2a2a87e08e78206a7e0b1151544413aa7cd73e3b281df5e527c2c9f
MD5 hash: 241adb9d0406ff6f28d16b517ad6ebbf
SHA1 hash: 3c1e67d17af5e3211b363f719777c742f653eaad
Detections: win_nymaim_g0
Parent samples:
SHA256 hash: 6696ad7b0ee5d1ddf212e97bc16145ad4116714b212812099449603205c6843d
MD5 hash: 91834906b220ce6291d142827a6ef30f
SHA1 hash: c6045add26674babc63a3abbed3d83eb545fd389
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB
Rule name: Record_Breaker_Similarities
Author: DigitalPanda

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments