MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b2391a7841833a3524f5034b7287e55f4c8fbec8678ecf7a6040ada9c07fde1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 17

Intelligence 17 IOCs YARA 3 File information Comments

SHA256 hash:	6b2391a7841833a3524f5034b7287e55f4c8fbec8678ecf7a6040ada9c07fde1
SHA3-384 hash:	dcce45c28ab83c320c3cb942103b572542353560f6f088803deb5ac533ee67ac72797724167c87fc44f0fe2f21fa35bc
SHA1 hash:	eb209469e0b66a485b135012cf43538ceb9dc96c
MD5 hash:	054b1e771a301c1e792397a683ed0a90
humanhash:	king-sodium-solar-william
File name:	file
Download:	download sample
Signature	GCleaner Create hunting rule
File size:	1'990'144 bytes
First seen:	2024-12-10 03:47:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep	24576:is1z360xvZO1tdPFRKAykTASgVtAXOw7W90BiIcYXOovl+ydbiIFRP0KjaJb4iJO:nLw7dr7ItuZWobc61tbHFRFG4Sy6U
Threatray	151 similar samples on MalwareBazaar
TLSH	T1FB9533D3DD6262BCCC984477C8677FF4E40A6A72D890FB31920DC24D95B7A40AFE548A
TrID	27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.6% (.EXE) Win32 Executable (generic) (4504/4/1) 8.5% (.ICL) Windows Icons Library (generic) (2059/9) 8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
File icon (PE):
dhash icon	dfa99a8aa6d26984 (27 x GCleaner)
Reporter	Bitsight
Tags:	exe gcleaner

Bitsight

url: http://31.41.244.11/files/unique2/random.exe

Intelligence

File Origin

# of uploads :

# of downloads :

481

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

b0b56a92786831c7512288ff06c7691b61290eb97959dbe7fcab9daeda0cf442.exe

Verdict:

Malicious activity

Analysis date:

2024-12-10 03:28:28 UTC

Tags:

amadey botnet stealer loader gcleaner themida

Link:

https://app.any.run/tasks/a4675a4e-89af-41b7-bef3-0833b8b2a6c5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.BootkitX-gen.741.28924.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6757b9f448182d16855755df

Tags:

cobalt virus micro sage

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for analyzing tools

Searching for the window

Connection attempt

Sending an HTTP GET request

Creating a file in the %temp% subdirectories

Creating a file

Launching the default Windows debugger (dwwin.exe)

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

microsoft_visual_cc packed packed packer_detected

Link:

https://www.filescan.io/uploads/6757b9f4ca9ebba5dcb613f4/reports/9026b1fb-5955-4da5-b036-1d0464bf090c/overview

Verdict:

Malicious

Labled as:

Tedy.Generic

Link:

https://www.hybrid-analysis.com/sample/6b2391a7841833a3524f5034b7287e55f4c8fbec8678ecf7a6040ada9c07fde1

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/c940b0c9-7ec2-41d0-a9b1-3be322e80e6b

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1572088

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/6b2391a7841833a3524f5034b7287e55f4c8fbec8678ecf7a6040ada9c07fde1

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6b2391a7841833a3524f5034b7287e55f4c8fbec8678ecf7a6040ada9c07fde1/

Threat name:

Win32.Trojan.Amadey

Status:

Malicious

First seen:

2024-12-10 03:48:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nmrzdj4edaz2guspka2lokd6kx2mr67mqz4oz55gaqfnvhah7xqq._file

Verdict:

malicious

Label(s):

shellcode_loader_002

gcleaner

GCleaner

617514b5e721e4963f6b93f203452f7988a0f4c30db06748b90bb202331c3e73

GCleaner

6b2391a7841833a3524f5034b7287e55f4c8fbec8678ecf7a6040ada9c07fde1

GCleaner

8a331ca76c2b919f30406ff66a92db0e27ae6af9725749a80959b42656871536

GCleaner

9f1169888c4c2acd65e79928bb27a686204fa3b622b921a7ee56c7a735924eb6

GCleaner

c4a16bac6cdc5735e1bbb57c7f4c300e35a4c2f617c85585d17ac5a55a875383

GCleaner

d3a2826492bfcf84e775bfc185033ecd34cb374cd7ea31a35188957501f394bd

GCleaner

error

GCleaner

+ 141 additional samples on MalwareBazaar

Result

Malware family:

gcleaner

Score:

10/10

Tags:

family:gcleaner discovery evasion loader

Link:

https://tria.ge/reports/241210-ecr1bsxqdm/

Behaviour

Suspicious behavior: EnumeratesProcesses

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks BIOS information in registry

Identifies Wine through registry keys

Loads dropped DLL

Downloads MZ/PE file

Identifies VirtualBox via ACPI registry values (likely anti-VM)

GCleaner

Gcleaner family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a963b911-bb1d-470c-ad67-118ef5b1c860

Unpacked files

SH256 hash:

7818f224bfc5fdfafb0cdb232e57cc2808c78e1bfb8b550d7e8fcb2595eb5c44

MD5 hash:

f930e8ee43bec8e1ea59d336bc41ec08

SHA1 hash:

245a1b6355075dba4137b0c8f38250f0221f897d

Detections:

GCleaner

Link:

https://www.unpac.me/results/c241ec50-70ee-4d44-b633-56fbb5468805/

Parent samples :

d3a2826492bfcf84e775bfc185033ecd34cb374cd7ea31a35188957501f394bd
9f1169888c4c2acd65e79928bb27a686204fa3b622b921a7ee56c7a735924eb6
8a331ca76c2b919f30406ff66a92db0e27ae6af9725749a80959b42656871536
15df6347f76b4d0c86e07c4482e0b81b119265a4dd71f2c729c6bcc59e1cfa9b
617514b5e721e4963f6b93f203452f7988a0f4c30db06748b90bb202331c3e73
c4a16bac6cdc5735e1bbb57c7f4c300e35a4c2f617c85585d17ac5a55a875383
6b2391a7841833a3524f5034b7287e55f4c8fbec8678ecf7a6040ada9c07fde1
d6f64f42200504958f0d75af57b0766aab46ac3ccd770cb1e5cc91927579d9fb
03704ac5905c8ed32d791115ac52f119286075a5d25e3be6724f3b990c3f6361
14a7faa5a16cbc6e031beb668ec24d78b04d8fe4959766cf11722932b93317dc
725f1f569ffd78d2fd1ec2e576b1ac6ab984b905fef3945c549b8b3c4c9cd1c0
9cd587e74a90f572286c6606c8d0dd40c5053aab867b5347c2499e5338a46b2d
12e5a10025f316a2ce8b05a5e4170d3a5f6578ab97088c77ff9a552afaf592f6
5cf283b12d73892ee010289b4d554e5b1c7d1aede0a8e6cd0a33415513526b5b
417e7e396fbadbf07bf6952dbd3c0b6b496bc18871047645879db777552552b1
53957b3c63da49c6bfd73328983d398e81c80c74c5d789d2066ff306769f3277
9edabdb564b79176743506ba6466765f5193ab2ce29f7bcbbb7f1a694ed54768
501c477f13b6aef38fa11de85507a55863f99d0cde075879c9c6eab4cf11572f
323426e01a17e9974e2c710c0708a7232d250a2a7aa815ee7fdfac5f634af0e2
7d5e0011d50f2454c25f973100794bab9d6e650ce8aef5d682d58598df9d6e97
eca30819c2664a213893346c7a9e1645790070004b41ef670a246c0a291700ae
c890656f9cdacb46f581181e6d80374a50c3c9bd5c82c88e8b497db40b9a8df4
44e9ae9e07cc4933f495be3d6c400e1712179daaca387bfa1ed2f1401b6133b6
d3cf9af71d2c1e521b9dba8e12d522116663363435fe77c7a3665a516e4614d9
768b8658cb7a5c056112d48a059a5c6ae85972b649e9b6cc6a32c5b5a5c37668
69615a4a7d21f3a65247576820e03cd986b8180382d8944f0035009da62eeee6

SH256 hash:

6b2391a7841833a3524f5034b7287e55f4c8fbec8678ecf7a6040ada9c07fde1

MD5 hash:

054b1e771a301c1e792397a683ed0a90

SHA1 hash:

eb209469e0b66a485b135012cf43538ceb9dc96c

Link:

https://www.unpac.me/results/c241ec50-70ee-4d44-b633-56fbb5468805/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6b2391a7841833a3524f5034b7287e55f4c8fbec8678ecf7a6040ada9c07fde1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

exe 6b2391a7841833a3524f5034b7287e55f4c8fbec8678ecf7a6040ada9c07fde1

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3331761/

URLhaus

https://urlhaus.abuse.ch/url/3308787/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample