MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bb5f93524d19c19ad102c9577107b7761e1ce94ea2229594fab55fdb98a7e34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 13



SHA256 hash: 6bb5f93524d19c19ad102c9577107b7761e1ce94ea2229594fab55fdb98a7e34
SHA3-384 hash: 480593eb580716fb87250a7046052a00d0f6f0d418f334afcb69bbd9ee4d9ae7efe50968784a1a2a9c460345c3f2530e
SHA1 hash: b60983bec0346c6fdc0569f641e9091b7f201a5b
MD5 hash: 90c7efe55fff3704de712084227e84a6
humanhash: illinois-kansas-illinois-double
File name: 6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe
Signature GCleaner
File size: 139'264 bytes
First seen: 2022-06-18 09:06:29 UTC
Last seen: 2022-06-18 09:45:58 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f357e85531c6f51e747b50e32a172ccb (1 x RedLineStealer, 1 x GCleaner)
ssdeep: 3072:UkS7y4Oot/ZhJ3br4VkSlXWoQY2FRNu5UWzvzH9IHAz6ZS5:w7bRVb8TfQYERNu5UImE
Threatray: 83 similar samples on MalwareBazaar
TLSH: T17FD36B167AC1C072E66141323A64D7F0896DFD355BA18AA733845BBF4F202F26DA1F27
TrID: 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
      6.2% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 8eb2d4d0e4f4b28e (2 x RedLineStealer, 2 x CoinMiner, 1 x RaccoonStealer)
Reporter: abuse_ch
Tags: exe gcleaner


abuse_ch
GCleaner C2:
94.140.112.166:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox reference
94.140.112.166:80 | https://threatfox.abuse.ch/ioc/716127/
103.89.90.61:12036 | https://threatfox.abuse.ch/ioc/716128/
http://abababa.org/test3/get.php | https://threatfox.abuse.ch/ioc/716130/
176.124.201.194:42409 | https://threatfox.abuse.ch/ioc/716131/
109.107.172.33:37679 | https://threatfox.abuse.ch/ioc/716217/

Intelligence


File Origin
# of uploads: 2
# of downloads: 274
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Microsoft_Toolkit.exe
Verdict: Malicious activity
Analysis date: 2021-12-28 20:48:42 UTC
Tags: evasion

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Sending a custom TCP request
Sending an HTTP GET request
DNS request
Creating a file
Reading critical registry keys
Creating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a window
Launching a process
Running batch commands
Searching for synchronization primitives
Sending an HTTP POST request
Creating a file in the Program Files subdirectories
Searching for many windows
Launching the default Windows debugger (dwwin.exe)
Launching cmd.exe command interpreter
Blocking the Windows Defender launch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Sending an HTTP GET request to an infection source
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
MalwareBazaar
CallSleep
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Djvu, Nymaim, RedLine, Vidar
Detection: malicious
Classification: rans.phis.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sets debug register (to hijack the execution of another thread)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Djvu Ransomware
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 648090
Sample: 6BB5F93524D19C19AD102C95771...
Start date: 18/06/2022
Architecture: WINDOWS
Score: 100

Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 16 other signatures

Process tree (network contacts, dropped files and signatures per node, as shown in the graph):

6BB5F93524D19C19AD102C9577107B7761E1CE94EA222.exe
    Contacts: 185.215.113.15 (WHOLESALECONNECTIONSNL, Portugal); 188.172.84.173 (VFM-ASVodafoneMaltaLtdASMT, Malta); 11 other IPs or domains
    Drops: C:\Users\...\tksU__qIeV82ECCdmYb7uqUJ.exe (PE32+); C:\Users\...\iutkaTEhZGolPHf53EQR5p_z.exe (PE32); C:\Users\...\aX4Od0IBvcKFvs5eAeQbLZif.exe (PE32); 22 other files (13 malicious)
    Signatures: Creates HTML files with .exe extension (expired dropper behavior); Disable Windows Defender real time protection (registry)
    aX4Od0IBvcKFvs5eAeQbLZif.exe
        Contacts: 149.154.167.99 (TELEGRAMRU, United Kingdom)
        Drops: C:\Users\...\uejLIEzwvN3kJP7MriZS8eUH.exe (PE32); C:\Users\user\AppData\Local\...\WW14[1].exe (PE32); C:\...\PowerControl_Svc.exe (PE32)
        uejLIEzwvN3kJP7MriZS8eUH.exe
            Contacts: 198.54.115.119 (NAMECHEAP-NETUS, United States); 176.9.147.148 (HETZNER-ASDE, Germany); 5 other IPs or domains
            Drops: C:\Users\user\AppData\...\download2[1].exe (PE32); C:\Users\user\...\NiceProcessX64[1].bmp (PE32+); C:\Users\user\AppData\Local\...\Apub[1].exe (PE32); 11 other files (2 malicious)
        schtasks.exe -> conhost.exe
        schtasks.exe -> conhost.exe
    iutkaTEhZGolPHf53EQR5p_z.exe
        Contacts: 159.69.102.192 (HETZNER-ASDE, Germany)
        Drops: C:\ProgramData\vcruntime140.dll (PE32); 5 other files (none is malicious)
        Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
    MlDymjDDkH9u4XOdItTxKMBY.exe
        Drops: C:\Users\user\AppData\Local\...\SETUP_~1.EXE (PE32)
        Signatures: Creates multiple autostart registry keys
        SETUP_~1.EXE
            Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
            powershell.exe -> conhost.exe
    13 other processes
        Contacts: 37.0.8.39 (WKD-ASIE, Netherlands); 178.33.220.142 (OVHFR, France); 116.202.185.47 (HETZNER-ASDE, Germany)
        Drops: C:\Users\...\NYl5yJURQ8fdufDncCdvLUyc.tmp (PE32); C:\Users\...\pidHTSIGEi8DrAmaYu9K8ghN89.dll (PE32+); C:\Users\user\...\Installer_ovl_sig.exe (PE32)
        Signatures: Obfuscated command line found; Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Checks if the current machine is a virtual machine (disk enumeration); Injects a PE file into a foreign processes
        2tnat0XUBK61CR3tWnck40Z6.exe
            Contacts: 162.0.217.254 (ACPCA, Canada)
            Drops: C:\Users\...\2tnat0XUBK61CR3tWnck40Z6.exe (PE32)
            Signatures: Creates multiple autostart registry keys
        NYl5yJURQ8fdufDncCdvLUyc.tmp
            Contacts: 151.115.10.1 (OnlineSASFR, United Kingdom)
            Drops: C:\Users\user\AppData\Local\...\befeduce.exe (PE32); C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
        explorer.exe (injected) -> rundll32.exe
svchost.exe
    Contacts: 172.217.168.14 (GOOGLEUS, United States); 173.194.160.71 (GOOGLEUS, United States); 2 other IPs or domains
    Signatures: Sets debug register (to hijack the execution of another thread); Modifies the context of a thread in another process (thread injection)
svchost.exe
    Signatures: Changes security center settings (notifications, updates, antivirus, firewall)
9 other processes
    Contacts: 104.244.42.65 (TWITTERUS, United States)
Threat name: Win32.Backdoor.Zapchast
Status: Malicious
First seen: 2021-12-29 01:44:11 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 22 of 26 (84.62%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags:
family:djvu family:redline family:vidar botnet:10k#24343 botnet:1448 botnet:517 botnet:8888 botnet:937 discovery evasion infostealer persistence ransomware spyware stealer suricata trojan vmprotect
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates processes with tasklist
Kills process with taskkill
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
Vidar
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
Malware Config
C2 Extraction:
http://abababa.org/test3/get.php
https://t.me/tg_randomacc
https://indieweb.social/@ronxik333
103.89.90.61:12036
https://t.me/tg_dailylessons
https://busshi.moe/@olegf9844xx
176.124.201.194:42409
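The indicators on this page come in two shapes, bare ip:port sockets (IOC table and C2 Extraction) and full URLs, and several of the URLs are profile pages on shared public services (t.me, indieweb.social, busshi.moe), where a hostname match on its own says nothing about the client. The following Python is an added example written for this page, not MalwareBazaar or ThreatFox tooling: it normalises both shapes into one lookup table and runs it over a few constructed connection/proxy log lines, reporting path-level URL matches separately from host-only leads. The log format and the destination IPs in the sample lines are invented for the example.

```python
"""Turn the indicators listed on this page into a lookup table and run it over
connection/proxy log lines. Illustrative code, not MalwareBazaar/ThreatFox tooling."""
import ipaddress
import re
from urllib.parse import urlparse

# Indicators copied from the IOC table and the "C2 Extraction" list above.
INDICATORS = [
    "94.140.112.166:80",
    "103.89.90.61:12036",
    "http://abababa.org/test3/get.php",
    "176.124.201.194:42409",
    "109.107.172.33:37679",
    "https://t.me/tg_randomacc",
    "https://indieweb.social/@ronxik333",
    "https://t.me/tg_dailylessons",
    "https://busshi.moe/@olegf9844xx",
]

_SOCKET_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_indicator(raw):
    """Normalise one indicator to (kind, host, port, path); kind is 'socket' or 'url'."""
    m = _SOCKET_RE.match(raw.strip())
    if m:
        ip = str(ipaddress.ip_address(m.group(1)))   # rejects out-of-range octets
        port = int(m.group(2))
        if not 0 < port < 65536:
            raise ValueError(f"bad port in {raw!r}")
        return ("socket", ip, port, None)
    u = urlparse(raw.strip())
    if u.scheme in ("http", "https") and u.hostname:
        port = u.port or (443 if u.scheme == "https" else 80)
        return ("url", u.hostname.lower(), port, u.path or "/")
    raise ValueError(f"unrecognised indicator: {raw!r}")


def build_index(raws):
    """sockets: {(ip, port)}; urls: {host: {path, ...}}."""
    sockets, urls = set(), {}
    for raw in raws:
        kind, host, port, path = parse_indicator(raw)
        if kind == "socket":
            sockets.add((host, port))
        else:
            urls.setdefault(host, set()).add(path)
    return sockets, urls


def match_logs(lines, sockets, urls):
    """Log format (constructed for this example): ts,src,dst,dport,host,path
    with '-' for the fields a plain TCP connection record lacks.
    Returns (ts, src, verdict, indicator) for every hit."""
    hits = []
    for line in lines:
        ts, src, dst, dport, host, path = (f.strip() for f in line.split(","))
        if (dst, int(dport)) in sockets:
            hits.append((ts, src, "c2-socket", f"{dst}:{dport}"))
            continue
        host = host.lower()
        if host in urls:
            if path in urls[host]:
                hits.append((ts, src, "c2-url", f"{host}{path}"))
            else:
                # t.me and the Mastodon instances are shared public services,
                # so a host-only hit is a lead to triage, not a verdict.
                hits.append((ts, src, "host-only", host))
    return hits


# Constructed log lines; 203.0.113.x destinations are documentation addresses, not real resolutions.
SAMPLE_LOG = [
    "2022-06-18T09:10:01Z,10.0.0.5,94.140.112.166,80,-,-",
    "2022-06-18T09:10:02Z,10.0.0.5,203.0.113.10,80,abababa.org,/test3/get.php",
    "2022-06-18T09:10:03Z,10.0.0.7,203.0.113.20,443,t.me,/tg_randomacc",
    "2022-06-18T09:10:04Z,10.0.0.9,203.0.113.20,443,t.me,/some_other_channel",
    "2022-06-18T09:10:05Z,10.0.0.9,203.0.113.53,53,-,-",
]


def run(indicators=INDICATORS, lines=SAMPLE_LOG):
    sockets, urls = build_index(indicators)
    return match_logs(lines, sockets, urls)


if __name__ == "__main__":
    for hit in run():
        print(*hit)
```

On the sample lines this yields one c2-socket hit, two c2-url hits and one host-only lead for t.me; the DNS line matches nothing. In a real pipeline the socket set would be fed from ThreatFox and the host-only class routed to triage rather than to blocking.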
Unpacked files
SHA256 hash: 6bb5f93524d19c19ad102c9577107b7761e1ce94ea2229594fab55fdb98a7e34
MD5 hash: 90c7efe55fff3704de712084227e84a6
SHA1 hash: b60983bec0346c6fdc0569f641e9091b7f201a5b
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: exploit_any_poppopret
Author: Jeff White [karttoon@gmail.com] @noottrak
Description: Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

Rule name: MALWARE_Win_DLInjector06
Author: ditekSHen
Description: Detects downloader / injector

Rule name: privateloader
Author: Andre Tavares
Description: Detects downloader PrivateLoader loader and core, based on string encryption and an http header used on C2 comms

Rule name: win_privateloader
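The exploit_any_poppopret rule above is described as matching POP -> POP -> RET opcode runs. That is a gadget hunt, not a malware signature: on x86 such runs occur in ordinary function epilogues, so the rule fires on almost any sizeable binary, and its presence in this list is not by itself evidence that the sample is malicious. The scanner below is an added example written for this page, not the rule's own body; it implements the same idea in Python over a constructed byte buffer, decoding the two 32-bit register pops and both forms of RET (C3 and C2 imm16).

```python
"""Find POP r32; POP r32; RET sequences in raw x86 code, the gadget shape
the exploit_any_poppopret YARA rule is described as matching.
Illustrative code; the rule text itself is not reproduced here."""

POP_R32 = range(0x58, 0x60)          # 58..5F: pop eax .. pop edi
RET_LEN = {0xC3: 1, 0xC2: 3}         # ret, and ret imm16 (3-byte encoding)
REG = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def find_pop_pop_ret(buf, base=0):
    """Return [(address, 'pop X; pop Y; ret[ 0xN]')] for every gadget in buf.
    address = base + offset, so pass the section's load address as base."""
    out = []
    n = len(buf)
    for i in range(n - 2):
        b0, b1, b2 = buf[i], buf[i + 1], buf[i + 2]
        if b0 not in POP_R32 or b1 not in POP_R32 or b2 not in RET_LEN:
            continue
        if i + 2 + RET_LEN[b2] > n:  # ret imm16 cut off at end of buffer
            continue
        text = f"pop {REG[b0 - 0x58]}; pop {REG[b1 - 0x58]}; "
        if b2 == 0xC3:
            text += "ret"
        else:
            imm = int.from_bytes(buf[i + 3:i + 5], "little")
            text += f"ret 0x{imm:x}"
        out.append((base + i, text))
    return out


# Constructed input: two gadgets surrounded by filler, plus a lone pop/ret that must not match.
SAMPLE = bytes.fromhex(
    "9090"          # nop; nop
    "5b5dc3"        # pop ebx; pop ebp; ret
    "31c0"          # xor eax, eax
    "5e5fc20800"    # pop esi; pop edi; ret 8
    "58c3"          # pop eax; ret  (only one pop: not a match)
)


def demo():
    return find_pop_pop_ret(SAMPLE)


if __name__ == "__main__":
    for addr, text in demo():
        print(f"{addr:#06x}  {text}")
```

Run over a real PE you would feed it each executable section's raw bytes with that section's virtual address as base; the hit count on a benign installer is the practical demonstration of why this rule's match carries no weight in a verdict.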

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments