MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6dfd902231e6aa1301c11eca21f5a29456aa020bfe1eb19d05541ab32316a326. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: GCleaner

Vendor detections: 13



SHA256 hash: 6dfd902231e6aa1301c11eca21f5a29456aa020bfe1eb19d05541ab32316a326
SHA3-384 hash: 13c39af474f19f5955a3320a4ea765ed94bbcf55ba2cda3e79e9644de754428efc70185c70d81333a9ceaecf781a1701
SHA1 hash: e74b994ec9d6b5e966f730da9f335065fe8b6d86
MD5 hash: 194020bb0313b3175b0fb2e56d462e3c
humanhash: four-winner-echo-fix
File name: 6DFD902231E6AA1301C11ECA21F5A29456AA020BFE1EB.exe
Signature: GCleaner
File size: 4'732'461 bytes
First seen: 2021-11-26 16:51:00 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:yW5wzLQIzN3omu5t6pbfE5j5BSxVLCn5YtS+V8BXMPuhNRHuoNJh4dLfBoZSa:y0wnR4mKtA4r8xVCn5oS+1kHrNPAfCP
TLSH: T1872633A51EB6B63AF4123C336D11262E77B3B58F110D8E1B33CAC6DD62F5E42590A858
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe gcleaner


abuse_ch
GCleaner C2:
95.181.152.177:21142

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                       ThreatFox Reference
95.181.152.177:21142      https://threatfox.abuse.ch/ioc/254437/
http://5.181.156.242/     https://threatfox.abuse.ch/ioc/254438/
195.242.111.44:37939      https://threatfox.abuse.ch/ioc/254926/
45.130.151.74:81          https://threatfox.abuse.ch/ioc/254927/
65.21.226.115:27660       https://threatfox.abuse.ch/ioc/254928/

Intelligence


File Origin
# of uploads: 1
# of downloads: 153
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 6DFD902231E6AA1301C11ECA21F5A29456AA020BFE1EB.exe
Verdict: No threats detected
Analysis date: 2021-11-26 16:55:07 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
DNS request
Creating a window
Sending an HTTP GET request
Reading critical registry keys
Query of malicious DNS domain
Unauthorized injection to a recently created process
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Yara detected Vidar stealer
Yara Genericmalware
Behaviour
Behavior Graph (ID: 529364; Sample: 6DFD902231E6AA1301C11ECA21F...; Startdate: 26/11/2021; Architecture: WINDOWS; Score: 100)

Sample-level network contacts and signatures:
  136.144.41.58 WORLDSTREAMNL (Netherlands); 37.0.10.214 WKD-ASIE (Netherlands); 10 other IPs or domains
  Antivirus detection for URL or domain; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 16 other signatures

Process tree (dropped files, contacted hosts and signatures per process):
- 6DFD902231E6AA1301C11ECA21F5A29456AA020BFE1EB.exe
  dropped: C:\Users\user\AppData\Local\Temp\setup.exe (PE32)
  - setup.exe
    dropped: C:\Users\user\AppData\Local\...\zlib1.dll (PE32); C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\AppData\Local\...\libzip.dll (PE32); 3 other files (none is malicious)
    - setup_install.exe
      dropped: C:\Users\user\AppData\...\72c28586c61033.exe (PE32)
      - conhost.exe
      - cmd.exe [Adds a directory exclusion to Windows Defender]
        - 72c28586c61033.exe [Multi AV Scanner detection for dropped file]
          dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\...\Tue06fef1eb6915a54.exe (PE32); C:\Users\user\...\Tue06a05305b6ee3.exe (PE32); 12 other files (7 malicious)
          - setup_install.exe [Adds a directory exclusion to Windows Defender]; contacts 127.0.0.1
            - cmd.exe
              - Tue0699904d3988.exe [Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Tries to harvest and steal browser information (history, passwords, etc)]; contacts 208.95.112.1 TUT-ASUS (United States), 8.8.8.8 GOOGLEUS (United States), 192.168.2.1
            - cmd.exe
              - Tue0634f55dcf1.exe [Machine Learning detection for dropped file]; contacts 74.114.154.22 AUTOMATTICUS (Canada)
            - cmd.exe
              - Tue0631100942b.exe; contacts 95.142.37.102 EUROBYTE Eurobyte LLC Moscow (Russian Federation)
            - 4 other processes [Adds a directory exclusion to Windows Defender]
              - Tue06fef1eb6915a54.exe
              - powershell.exe
Threat name: Win32.Trojan.Fabookie
Status: Malicious
First seen: 2021-11-21 06:45:00 UTC
File Type: PE (Exe)
Extracted files: 16
AV detection: 21 of 28 (75.00%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:redline family:socelars family:vidar botnet:706 botnet:pab777 aspackv2 evasion infostealer spyware stealer suricata trojan
Behaviour
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine Payload
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Malware Config
C2 Extraction:
https://kipriauka.tumblr.com/
185.215.113.15:6043
http://www.ecgbg.com/
Unpacked files

SHA256 hash: 835c9b5e60ebf50a888e851d1c7218d436490613ec04a04055b73fbddf73edf3
MD5 hash: 6961557695f34a53cf8224be7c265fbe
SHA1 hash: f52d34d0b1dbd181f2acb21f42d875d514afb6f7

SHA256 hash: bb714b088b9945fecd70f12c16055a554ba9ef911dd1ac6e6c8454a7c1e56830
MD5 hash: 0c44fa294e3ba33b26b0f75a8d36ffc9
SHA1 hash: dc03c1b4770c6238764de3ac40594ddf5db237f6

SHA256 hash: ae25cb941f3026c1da3db95f689d4dc493580c5900adcb856e62ece1fc591598
MD5 hash: e7d138a960df98a500620432b4d32cc0
SHA1 hash: b03ed11d72da94a70dd0a35cf0fa5dff2ea248e0

SHA256 hash: fbffb84931a267fab6c24cf08723fa029cb85c2315f01d5b1f41922350adb831
MD5 hash: 052270e8e9cfb3512932e0df484caef4
SHA1 hash: 85305fee690beea8458bab5d55d0368c47340501

SHA256 hash: 85c0574b48df124cb351cf102246e547a82619fbf7521d0bc515828b480aeb49
MD5 hash: 5dbebf819f64fc4691f2168c520160ea
SHA1 hash: 74d9e9ad214b51e6ffefb661b31f3f1c592867c1

SHA256 hash: 98628754e589e8eadaa6d2272f82de370dac26034b56bef3f2d386062fb8d284
MD5 hash: b30cf0b08987a2326ad8cbe6a4de902a
SHA1 hash: 25344641a9b5eb53f63109d4d8cc3f5ecf16ee92

SHA256 hash: 802916a589989b0dea8ba87dad8ed5e3146d52994fc0dff270bee5e74f553087
MD5 hash: 65ef5067b4e421c8a7d7345197d1f187
SHA1 hash: 2163beace0c45bcb13b49f5339953669e957db73

SHA256 hash: e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash: 0dedd909aae9aa0a89b4422106310e9e
SHA1 hash: 271d36afa5b729ee590cf8066166ca5e9c9d0340

SHA256 hash: e173de6e79423d659886704dcaaf5848078ced4e14e0772e4f1e7b3931bb0862
MD5 hash: 95f9e24e7dd90ee5892743c58801db9f
SHA1 hash: f107fcd45e57e7b71193f1f1777b8377f5d3cda1

SHA256 hash: e621e23cf07ea962557bce0f28940a8283135de86d3fd3d520d58115a8484982
MD5 hash: 35959e37d587e649357c57c2c5797a93
SHA1 hash: b3f2ef17f1c45e34ea84a70285a14672034a97ae

SHA256 hash: 4266165affda48b7a0fc19e67760e2d0ff275bf5f66d463acdf89c17362c3022
MD5 hash: 6e5515bdee2907426548266c47390abc
SHA1 hash: 105000cfd2dcd2e5f5f5f9e1f5ab4eff4626473e

SHA256 hash: aff5052dcaceac8cc0d97983c19091be8f1d2fa3b2ea4f649adf0c16855bc8b8
MD5 hash: b32e81cfce4fb1d3a87156891c95e35c
SHA1 hash: 9a1b6b18d71016d4b7ebe5abbfaaa204d51ece86

SHA256 hash: 5050bc56c683a4dbfda08b43d68973961458fd712164c3792d060153c2bd7027
MD5 hash: f9210936145be5d696c5c80f8f464a58
SHA1 hash: 4647f8be74272b9a6d6d039fc6bb68aca0c8b49c

SHA256 hash: e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash: f707252b9c9579677fffb013e0cfc646
SHA1 hash: 8ab483023fa8773afb8c13464c39c5b8e687f126

SHA256 hash: be904aa90540c55c9b0566a5ab3548b5ea81f0873c63bde54bf7ebb22c8136bb
MD5 hash: 9ebe3f68beb6bec172ed2b6e3b8d8253
SHA1 hash: 731cc543811ecef81583c6dba4794da34354b775

SHA256 hash: 5f463952815ce4f763e9f4b3b72ed70ad82f74a69a271fc2b1588055c3fec4cc
MD5 hash: 21775ff041e7277d87aa8fdf1e09da6c
SHA1 hash: 6dd1d6716cb93adef6c9b39490a79e77fd5396c9

SHA256 hash: 3f7b10f183e301672615c4e622e5b3f07a8d0fb0ae5147a5bed4f9d16b073ef8
MD5 hash: 70386922e5d50065d214eeb977b010ce
SHA1 hash: b99f7c22a4221b414f22c1ec1ced27826fb17b78

SHA256 hash: c156059fccb5df0d8d5d8ab25377e3b4f816e8e3c37ebf6c8f276fb9add6386e
MD5 hash: df67ab217f5a7a6ed91a6fc6c431e0f8
SHA1 hash: 3b393760c7dbdf09a2e1a264e129995b158dfeaa

SHA256 hash: c1b38ae74ecc0b9d11225d97c6c20a3baab914147d704e7e475ffa8feaa53aaa
MD5 hash: 11c78ee9edbbb6ffb9bc68d7d4f9188f
SHA1 hash: 4696f7d5df20174b494d3172a6fe523260819ac4

SHA256 hash: a9371b20cf0649dca52055c1e8868bb00c4b3d6a962cf8616a00a5cf6fbb2e62
MD5 hash: 6910092e7b3d43a5452a8a9d2f9aa4bf
SHA1 hash: be612eaaa538cf6a38cde53dbd9ac035b2f62938

SHA256 hash: 7c8af64d22342b481d06a59051996f9eb39d4200f63674d0925e268020f8ed21
MD5 hash: f3c58462f423b426d3ab7e4247967552
SHA1 hash: 42c073d5e433d440afff08d8387d105f025a9541

SHA256 hash: 6dfd902231e6aa1301c11eca21f5a29456aa020bfe1eb19d05541ab32316a326
MD5 hash: 194020bb0313b3175b0fb2e56d462e3c
SHA1 hash: e74b994ec9d6b5e966f730da9f335065fe8b6d86
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer

Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments