MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c79c3b549bdea13526f1365ad2253f6385531606362cc29d9dea172cd9d50cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 9

Intelligence 9 IOCs 1 YARA File information Comments

SHA256 hash:	6c79c3b549bdea13526f1365ad2253f6385531606362cc29d9dea172cd9d50cb
SHA3-384 hash:	35663c0aaef0eaed90b4c46df95b61121ba16996d789a6c98b45e79a19dfbb21a823280bbfa52b0aedad272f75823843
SHA1 hash:	a9da618d8f84e3eed38fc249691c88ad59c15487
MD5 hash:	ed9c6713e17769faaf3f2f9d610cd495
humanhash:	jupiter-idaho-table-carbon
File name:	ED9C6713E17769FAAF3F2F9D610CD495.exe
Download:	download sample
Signature	GCleaner Create hunting rule
File size:	380'928 bytes
First seen:	2021-08-08 16:25:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2f3a2cbde47abc5415a01609e3c61f2d (1 x RedLineStealer, 1 x Smoke Loader, 1 x GCleaner)
ssdeep	6144:sJKyKNtDPNCFsGNio8kGTsNkPJWNPCkbkzL7rNdlqqKLOz9QKWHse:LZNtLEFsGNioyWA2sL/j0qKLOhQh
Threatray	194 similar samples on MalwareBazaar
TLSH	T19A84BF20A791C038F5F312F84976A379A53D7EB1673495CB63E52AEE06346E1AC31387
dhash icon	92f1ecb4f4dcf1a6 (1 x GCleaner)
Reporter	abuse_ch
Tags:	exe gcleaner

abuse_ch

GCleaner C2:
http://gc-prtnrs.top/decision.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://gc-prtnrs.top/decision.php	https://threatfox.abuse.ch/ioc/166045/

Intelligence

File Origin

# of uploads :

# of downloads :

179

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ED9C6713E17769FAAF3F2F9D610CD495.exe

Verdict:

Malicious activity

Analysis date:

2021-08-08 16:29:54 UTC

Tags:

trojan

Link:

https://app.any.run/tasks/ffc36d45-f327-466c-aa28-0f2cc8260f9d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Gcleaner

Link:

https://www.capesandbox.com/analysis/177282/

Detection(s):

Win.Malware.Generic-9881904-0

Win.Packed.Mokes-9881941-0

Win.Malware.Generic-9881942-0

Win.Malware.Generic-9881960-0

Win.Dropper.Raccoon-9881977-0

Win.Malware.Generic-9882081-0

Win.Malware.Mdeclass-9882085-0

Win.Packed.Tofsee-9882342-1

Win.Packed.Generic-9883262-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Launching the default Windows debugger (dwwin.exe)

DNS request

Connection attempt

Sending an HTTP GET request

Running batch commands

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Searching for the window

Launching a tool to kill processes

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5ff7cb06-598e-42ca-822d-fb56da6530ee

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/828837

Signature

Antivirus detection for URL or domain

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6c79c3b549bdea13526f1365ad2253f6385531606362cc29d9dea172cd9d50cb/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2021-08-01 03:01:00 UTC

AV detection:

26 of 28 (92.86%)

Threat level:

5/5

Verdict:

unknown

GCleaner

5ca5094a2b00a4f97ca49c409fbbdfc3b38bf272348ed8b7371bf26f61070eb1

GCleaner

6acf924acc2978d82ac6b7adc976b07158cc09b7d64676175a9a1e61e6312c2c

GCleaner

8b7ecaa0849028572361c41866bc0acb5d5f1debcfe1e0762d445b759badbd8b

GCleaner

a90bc226fcaf18a89bad9b0a1a57085ecd055b726b67e3a3964d7da03d244007

GCleaner

b8338eda2c7390860da3bd4a37104b409235131406d9b4d30a78b5d4189cf317

GCleaner

c49db28c90989f14866faa6781fc5e6531c8a63d3c3f3d245b4c4d752ce5ebf0

GCleaner

cbcd57dd83369317946567dba9624dedbf2ce33acc796b2ba6f4c57b7d3cf49a

GCleaner

d4842f9caa07b1dab09b1f2475f280eeacacdd6c4a3d625e4398b3cf67171f99

GCleaner

+ 184 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

suricata

Link:

https://tria.ge/reports/210808-pgj9jtbc9s/

Behaviour

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Deletes itself

Suspicious use of NtCreateProcessExOtherParentProcess

suricata: ET MALWARE GCleaner Downloader Activity M1

Unpacked files

SH256 hash:

3b309236695517c2e06ff8af3f5c073e1b8e8c99768f5141f4cf9e704050dfdb

MD5 hash:

048d3824dae9ba8c0b48a841c56f2e24

SHA1 hash:

8da82b6a497c97a5512009ef57b4d25f77c57dc1

Link:

https://www.unpac.me/results/e5a177ee-2123-4960-8484-e5edf427f28f/

SH256 hash:

6c79c3b549bdea13526f1365ad2253f6385531606362cc29d9dea172cd9d50cb

MD5 hash:

ed9c6713e17769faaf3f2f9d610cd495

SHA1 hash:

a9da618d8f84e3eed38fc249691c88ad59c15487

Link:

https://www.unpac.me/results/e5a177ee-2123-4960-8484-e5edf427f28f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6c79c3b549bdea13526f1365ad2253f6385531606362cc29d9dea172cd9d50cb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/177282/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample