MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a41f4693bf480f6b8957759f250b4ff8cff871b0c36e4b8fb6d00e378e38a4d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 15



SHA256 hash: 6a41f4693bf480f6b8957759f250b4ff8cff871b0c36e4b8fb6d00e378e38a4d
SHA3-384 hash: 7ab8c4614209e013b5996e63011b4af370e22ef63b8666006cbb7654665606d3712b4f0fe1b17560e620bf34156cf5ae
SHA1 hash: 13f4e9d3354c4e9d3a681b37d37286e171fdc65b
MD5 hash: 747395a7777c19c8b665ec6bb586ff3a
humanhash: avocado-vegan-michigan-cold
File name: 747395a7777c19c8b665ec6bb586ff3a
Signature: GCleaner
File size: 314'880 bytes
First seen: 2024-05-31 06:07:04 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 3a582865c782b33b9d8f1f43c5ada28c (1 x GCleaner, 1 x Smoke Loader)
ssdeep 3072:UjG7OjhVQ/OISTdP8Ztd5rG3eVATxyFPBuflzqhLkgbe+3mILcqJs5rdKGdKth:UEOjcVMR8Ztdlw+PB08zbTWInQK6Kth
TLSH T12664AE4393F1BD24D9668B769E2FCBE8371FFA714E44776612087A2F19711A1C923312
TrID 67.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
12.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.2% (.EXE) Win32 Executable (generic) (4504/4/1)
2.4% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon b200c8c8d4e87190 (1 x GCleaner)
Reporter zbetcheckin
Tags:32 exe gcleaner

Intelligence


File Origin
# of uploads: 1
# of downloads: 358
Origin country: FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6a41f4693bf480f6b8957759f250b4ff8cff871b0c36e4b8fb6d00e378e38a4d.exe
Verdict:
Malicious activity
Analysis date:
2024-05-31 06:07:34 UTC
Tags:
gcleaner loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
81.4%
Tags:
Network Stealth Xpack
Result
Verdict:
Malware
Behaviour
Searching for the window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GCleaner, Nymaim
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected GCleaner
Yara detected Nymaim
Behaviour
Behavior Graph:
Behavior Graph ID: 1449970
Sample: UzKF6awWzg.exe
Start date: 31/05/2024
Architecture: WINDOWS
Score: 100
Network contacts:
  185.172.128.69 (NADYMSS-ASRU, Russian Federation)
  185.172.128.90, local port 49705 -> remote port 80 (NADYMSS-ASRU, Russian Federation), from UzKF6awWzg.exe
Signatures at sample level: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures
Signatures on UzKF6awWzg.exe: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
Process tree:
  UzKF6awWzg.exe
    cmd.exe
      conhost.exe
      taskkill.exe
    WerFault.exe
    WerFault.exe
    8 other processes
Threat name:
Win32.Trojan.StealC
Status:
Malicious
First seen:
2024-05-31 06:08:07 UTC
File Type:
PE (Exe)
Extracted files:
49
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
gcleaner
Score:
  10/10
Tags:
family:gcleaner loader
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Deletes itself
Loads dropped DLL
Downloads MZ/PE file
GCleaner
Malware Config
C2 Extraction:
185.172.128.90
5.42.64.56
185.172.128.69
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SHA256 hash:
ccd0c8b308f9160431acaba610ac55f83e5ae230fb8c5864718fd902fad6c11c
MD5 hash:
8451e20d9b36d937ce791ce9c815f971
SHA1 hash:
9c85fc81958314d1b6916530a52c03660369c597
Detections:
GCleaner win_gcleaner_auto
Parent samples :
SHA256 hash:
6a41f4693bf480f6b8957759f250b4ff8cff871b0c36e4b8fb6d00e378e38a4d
MD5 hash:
747395a7777c19c8b665ec6bb586ff3a
SHA1 hash:
13f4e9d3354c4e9d3a681b37d37286e171fdc65b
Please note that we are no longer able to provide a coverage score for Virus Total.
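The C2 addresses extracted from the malware configuration above, together with the download URL in the reporter's comment at the bottom of this page, are the actionable indicators on this entry. The Python below is an added example written for this page, not MalwareBazaar's or any vendor's code: it refangs the reporter-style hxxp:// URL, builds a host watchlist, scans a few constructed proxy log lines (a simplified "timestamp client method url status" format assumed here) for contacts with those indicators, and defangs each hit for reporting. Matching is keyed on the host rather than the full URL because a payload path can change while the host stays the same; the exact host+path is kept as a second, stricter list.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from this entry: the C2 extraction and the reporter's comment.
C2_IPS = {"185.172.128.90", "5.42.64.56", "185.172.128.69"}
DEFANGED_URLS = ["hxxp://doggie-services.com/batushka/univ.exe"]

# Constructed proxy log lines for the demo (assumed format: ts client method url status).
SAMPLE_LOG = [
    "2024-05-31T06:10:02Z 10.0.0.17 GET http://doggie-services.com/batushka/univ.exe 200",
    "2024-05-31T06:10:09Z 10.0.0.17 GET http://185.172.128.90/ 200",
    "2024-05-31T06:10:11Z 10.0.0.17 GET http://185.172.128.90:80/ 404",
    "2024-05-31T06:10:15Z 10.0.0.23 GET https://www.example.com/ 200",
    "2024-05-31T06:10:20Z 10.0.0.17 POST http://5.42.64.56/ 200",
]
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def refang(ioc: str) -> str:
    """Undo common defanging (hxxp, [.], [:]) so the IOC matches real traffic."""
    ioc = ioc.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxps?", lambda m: m.group(0).lower().replace("xx", "tt"), ioc, flags=re.I)


def defang(ioc: str) -> str:
    """Defang a URL or a bare host/IP for safe inclusion in a report."""
    parts = urlsplit(ioc)
    if parts.scheme and parts.netloc:
        scheme = parts.scheme.lower().replace("tt", "xx")
        query = f"?{parts.query}" if parts.query else ""
        return f"{scheme}://{parts.netloc.replace('.', '[.]')}{parts.path}{query}"
    return ioc.replace(".", "[.]")


def build_watchlist(c2_ips, defanged_urls):
    """Return (hosts, host+path URLs) to match against; hosts carry most of the signal."""
    hosts = set(c2_ips)
    urls = set()
    for u in defanged_urls:
        parts = urlsplit(refang(u))
        host = (parts.hostname or "").lower()
        hosts.add(host)
        urls.add(host + parts.path)
    return hosts, urls


def scan_proxy_log(lines, hosts, urls):
    """Return (timestamp, client, defanged URL) for each line that touches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        # .hostname drops the :port, so 185.172.128.90:80 still matches the bare IP.
        host = (parts.hostname or "").lower()
        if host in hosts or host + parts.path in urls:
            hits.append((m["ts"], m["src"], defang(m["url"])))
    return hits


if __name__ == "__main__":
    hosts, urls = build_watchlist(C2_IPS, DEFANGED_URLS)
    for ts, src, url in scan_proxy_log(SAMPLE_LOG, hosts, urls):
        print(f"{ts} {src} -> {url}")
```

Note that urlsplit().hostname lowercases and strips the port, which is what you want for a host watchlist; if you need per-port matching (the sandbox saw port 80 on 185.172.128.90), compare parts.port separately.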

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CAS_Malware_Hunting
Author: Michael Reinprecht
Description: DEMO CAS YARA Rules for sample2.exe

Rule name: Check_OutputDebugStringA_iat

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: Windows_Trojan_Generic_2993e5a5
Author: Elastic Security

Rule name: win_gcleaner_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.gcleaner.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method   Signature   File type        SHA256
Web download      GCleaner    Executable exe   6a41f4693bf480f6b8957759f250b4ff8cff871b0c36e4b8fb6d00e378e38a4d (this sample)

BLint


The following tables provide more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                          Title                                                       Severity
CHECK_AUTHENTICODE          Missing Authenticode                                        high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)      high
CHECK_NX                    Missing Non-Executable Memory Protection                    critical
CHECK_PIE                   Missing Position-Independent Executable (PIE) Protection    high

Reviews

ID                  Capabilities                     Evidence
WIN32_PROCESS_API   Can Create Process and Threads   ADVAPI32.dll::OpenThreadToken
WIN_BASE_API        Uses Win Base API                KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetStartupInfoA, KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API   Can Execute other programs       KERNEL32.dll::WriteConsoleOutputA, KERNEL32.dll::SetConsoleMode, KERNEL32.dll::SetConsoleTitleA, KERNEL32.dll::GetConsoleAliasW, KERNEL32.dll::GetConsoleAliasesW
WIN_BASE_IO_API     Can Create Files                 KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_API   Retrieves Account Information    KERNEL32.dll::GetComputerNameW
WIN_HTTP_API        Uses HTTP services               WINHTTP.dll::WinHttpReadData
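All four BLint findings above are read straight from the PE optional header: CHECK_NX, CHECK_PIE and CHECK_DLL_CHARACTERISTICS are individual bits of DllCharacteristics (NX_COMPAT, DYNAMIC_BASE, HIGH_ENTROPY_VA), and CHECK_AUTHENTICODE is whether the certificate-table data directory is populated. The Python below is an added example for this page, not BLint's own code; it reproduces those four checks with only the standard library and builds a constructed, header-only PE to run against, so no real sample is needed. Field offsets follow the PE/COFF specification; the builder's output is not a loadable image, only enough bytes for the parser.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (winnt.h)
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR with high-entropy addresses
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # ASLR, what BLint calls PIE for PE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # DEP / NX
IMAGE_DIRECTORY_ENTRY_SECURITY = 4                 # Authenticode certificate table
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_security_findings(data: bytes) -> dict:
    """Return BLint-style findings for an in-memory PE file.

    Each key is a BLint check ID; the value is True when the protection is
    MISSING, i.e. when BLint would report the check as a finding."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        n_dirs_off, dirs_off = 92, 96        # PE32 layout
    elif magic == PE32PLUS_MAGIC:
        n_dirs_off, dirs_off = 108, 112      # PE32+ layout (8-byte ImageBase and stack/heap fields)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")

    # DllCharacteristics sits at the same offset (70) in PE32 and PE32+.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]

    # Authenticode: data directory entry 4. Its first dword is a file offset, not an
    # RVA; a zero offset or zero size means the image carries no signature blob.
    cert_off = cert_size = 0
    n_dirs = struct.unpack_from("<I", data, opt + n_dirs_off)[0]
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY and entry + 8 <= opt + size_of_opt:
        cert_off, cert_size = struct.unpack_from("<II", data, entry)

    return {
        "CHECK_NX": not (dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "CHECK_PIE": not (dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        # BLint reported this bit missing on the page's 32-bit sample; the flag only
        # takes effect on 64-bit images, so weigh it accordingly for PE32 files.
        "CHECK_DLL_CHARACTERISTICS": not (dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "CHECK_AUTHENTICODE": cert_off == 0 or cert_size == 0,
    }


def build_minimal_pe(dll_characteristics: int, cert_size: int = 0, pe32plus: bool = False) -> bytes:
    """Constructed test input: DOS header + PE signature + COFF header + optional
    header, no sections. Enough for the header checks above; not a loadable image."""
    opt_size = 0xF0 if pe32plus else 0xE0
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    n_dirs_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, n_dirs_off, 16)            # NumberOfRvaAndSizes
    if cert_size:                                          # fake certificate table entry
        struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, cert_size)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    machine = 0x8664 if pe32plus else 0x14C                # AMD64 / I386
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    images = [
        ("no protections (matches this sample's findings)", build_minimal_pe(0)),
        ("hardened PE32+", build_minimal_pe(0x0020 | 0x0040 | 0x0100, cert_size=0x800, pe32plus=True)),
    ]
    for name, image in images:
        findings = [k for k, missing in pe_security_findings(image).items() if missing]
        print(f"{name}: {findings or 'no findings'}")
```

A populated certificate table only says a signature blob is present; it does not verify it. Treat a present-but-invalid Authenticode signature as at least as suspicious as a missing one, and check the chain with a real verifier before trusting it.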

Comments



zbet commented on 2024-05-31 06:07:05 UTC

url : hxxp://doggie-services.com/batushka/univ.exe