MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6afa5829ac5dfbb7098a32cef1dca23e5bbdf9a1bc0805670451eeed534c5636. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6afa5829ac5dfbb7098a32cef1dca23e5bbdf9a1bc0805670451eeed534c5636
SHA3-384 hash: a5fa724def99af7784b011d1f2bddb5009ae4b51e376bee359fb541c01d2122d441c85558c1d85ba4e61f6269d240f58
SHA1 hash: a2c487251cac61520c3156b46b80460b95a00859
MD5 hash: 78563a66f06fd8e6132d1ee4c8a5ab2a
humanhash: helium-solar-item-cold
File name:78563a66f06fd8e6132d1ee4c8a5ab2a
Download: download sample
Signature GCleaner
Create hunting rule
File size:226'304 bytes
First seen:2021-08-28 05:36:14 UTC
Last seen:2021-08-28 07:08:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d3c9c233147536fd2cb825c3f3ce75bc (5 x Smoke Loader, 4 x RaccoonStealer, 2 x GCleaner)
ssdeep 3072:PbnNYGHU9936I0sKY565sQOuU2y8R5FNIzsI5/DuT61m:PrNYGHU9d302565sQxU2ZUsI5/
Threatray 3'834 similar samples on MalwareBazaar
TLSH T1E224D01136B1C173C5D32A7448EDA76226ABBE616B71D6873F142B6E3E322D0563D383
dhash icon e2d89c6cbcb0e21e (1 x GCleaner)
Reporter zbetcheckin
Tags:32 exe gcleaner

Intelligence

File Origin
# of uploads :
2
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
78563a66f06fd8e6132d1ee4c8a5ab2a
Verdict:
Malicious activity
Analysis date:
2021-08-28 05:37:32 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/900ad09f-877a-48db-b466-8ce7ee196fc1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/183004/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.6743.23269.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Launching a tool to kill processes
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3c597ee5-ca42-469d-89be-b8f41c49e734
Result
Threat name:
Cryptbot Glupteba RedLine
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/840650
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Country aware sample found (crashes after keyboard check)
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample or dropped binary is a compiled AutoHotkey binary
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Autohotkey Downloader Generic
Yara detected Cryptbot
Yara detected Evader
Yara detected Glupteba
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 473081 Sample: cLsPVMndxS Startdate: 28/08/2021 Architecture: WINDOWS Score: 100 68 wlANzYguDSFGTx.wlANzYguDSFGTx 2->68 70 prda.aadg.msidentity.com 2->70 72 2 other IPs or domains 2->72 92 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->92 94 Multi AV Scanner detection for domain / URL 2->94 96 Found malware configuration 2->96 98 15 other signatures 2->98 9 cLsPVMndxS.exe 26 2->9         started        signatures3 process4 dnsIp5 86 hypercustom.top 185.120.56.166, 49715, 49716, 49722 CLOUDSOLUTIONSRU Russian Federation 9->86 88 garbage-cleaner.biz 194.61.121.28, 49702, 49709, 80 CLOUDSOLUTIONSRU unknown 9->88 90 3 other IPs or domains 9->90 54 C:\Users\user\AppData\...\60921123100.exe, PE32 9->54 dropped 56 C:\Users\user\AppData\...\18033523754.exe, PE32 9->56 dropped 58 C:\Users\user\AppData\...\04071417793.exe, PE32 9->58 dropped 60 6 other files (3 malicious) 9->60 dropped 116 May check the online IP address of the machine 9->116 14 cmd.exe 9->14         started        16 cmd.exe 9->16         started        18 cmd.exe 9->18         started        20 10 other processes 9->20 file6 signatures7 process8 file9 23 60921123100.exe 14->23         started        27 conhost.exe 14->27         started        29 18033523754.exe 16->29         started        32 conhost.exe 16->32         started        34 04071417793.exe 18->34         started        36 conhost.exe 18->36         started        46 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->46 dropped 48 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->48 dropped 50 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->50 dropped 52 6 other malicious files 20->52 dropped 38 conhost.exe 20->38         started        40 conhost.exe 20->40         started        42 taskkill.exe 20->42         started        process10 dnsIp11 74 188.124.36.242, 25802 SELECTELRU Russian Federation 23->74 100 Multi AV Scanner detection for dropped file 23->100 102 Detected unpacking (changes PE section rights) 23->102 104 Query firmware table information (likely to detect VMs) 23->104 114 3 other signatures 23->114 76 hypercustom.top 29->76 78 iplogger.org 29->78 62 C:\Users\user\AppData\Roaming\...\apinesp.exe, PE32 29->62 dropped 106 May check the online IP address of the machine 29->106 108 Contains functionality to register a low level keyboard hook 29->108 110 Sample or dropped binary is a compiled AutoHotkey binary 29->110 44 WerFault.exe 29->44         started        80 morsyr05.top 5.44.43.35, 49740, 80 MGNHOST-ASRU Russian Federation 34->80 82 bunawj52.top 213.252.245.216, 49738, 80 IST-ASLT Lithuania 34->82 84 2 other IPs or domains 34->84 64 C:\Users\user\AppData\Local\Temp\File.exe, PE32 34->64 dropped 66 C:\Users\user\AppData\Local\...\lv[1].exe, PE32 34->66 dropped 112 Tries to harvest and steal browser information (history, passwords, etc) 34->112 file12 signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6afa5829ac5dfbb7098a32cef1dca23e5bbdf9a1bc0805670451eeed534c5636/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-08-28 05:08:08 UTC
AV detection:
21 of 45 (46.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nl5fqknmlx53ocmkglhpdxfchzn336nbxqeakzyekhxo2u2mky3a._file
Verdict:
unknown
Similar samples:
4101bd379660a169d50442c9921d6fb0329620efbc5a163856c2f5e5f41e601c
GCleaner
4e01866db5ec52866e21eac49c4135d62fe712d8b64cee07bd755a2accf0340b
GCleaner
5ad7bfb790fc652df60360024af60578790930bb78489aabf352eae3fff103fb
GCleaner
8eea00bd7d1db820c7a1b5622119b76944215e5803c2e8b772b9548e9ee91c66
GCleaner
908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8
GCleaner
9bb77fb3b462b7b52694f0326b83b4f0f47969240e296129cd23da3b2fe98fb0
GCleaner
a5f4eb3b915bcfdd72cb81b7d89c0c0fd6b190b637db6ffad25604d24985f9e8
GCleaner
b5f88e34db4bb65da8c21982590b67922fe32e62e7cfaae9fbe417a4262aa143
GCleaner
b9f79bcb4c0ea9e939b35813e807fda308b7038f1dea613e7d8bbd7fe127ac84
GCleaner
+ 3'824 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/210828-vjl9epf4js/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Deletes itself
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
4117351650847ddeb6daa6ea7380efaa29a3eb9189292e6b3948806795f63194
MD5 hash:
5f0412d9025704fb35eb22d15f7e377f
SHA1 hash:
70369ae356b7813bd0d23815e1338904ca2086ec
Link:
https://www.unpac.me/results/a6abb041-ec79-4f33-9ed4-4b659a656f93/
SH256 hash:
6afa5829ac5dfbb7098a32cef1dca23e5bbdf9a1bc0805670451eeed534c5636
MD5 hash:
78563a66f06fd8e6132d1ee4c8a5ab2a
SHA1 hash:
a2c487251cac61520c3156b46b80460b95a00859
Link:
https://www.unpac.me/results/a6abb041-ec79-4f33-9ed4-4b659a656f93/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6afa5829ac5dfbb7098a32cef1dca23e5bbdf9a1bc0805670451eeed534c5636

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe 6afa5829ac5dfbb7098a32cef1dca23e5bbdf9a1bc0805670451eeed534c5636

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/183004/

Comments


Avatar
zbet commented on 2021-08-28 05:36:15 UTC

url : hxxp://194.145.227.159/pub.php?pub=azed/