MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e52d162baf265e070ec1a3147ad651d8bd8481d96b33cee1b89d84e9c92c5f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 11

SHA256 hash: 6e52d162baf265e070ec1a3147ad651d8bd8481d96b33cee1b89d84e9c92c5f3
SHA3-384 hash: 0c8d0f819729f507d28a1fcdd9b7f291e51196b8246fc39b2f5f6213fa98a0b3dca5b7a4fe451ec804a1d6b5498887fd
SHA1 hash: 9ac9b2bea4507031b79db57c5fe3856bf1900d69
MD5 hash: defafd07d253ff3e67f6bb04d59b125c
humanhash: fanta-charlie-washington-eighteen
File name: 6E52D162BAF265E070EC1A3147AD651D8BD8481D96B33.exe
Signature: GCleaner
File size: 3'573'115 bytes
First seen: 2022-01-12 00:22:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 98304:xACvLUBsg5cFzvBdaxCBcNQp4cMhnreJ0RmqvJ:x9LUCg5cd/YCmPJeSYqvJ
TLSH: T1ACF533127B7AC1B7E5111138DB886F7234FEC3C82A3589D7772087692F3A4E2852E95D
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe gcleaner


abuse_ch
GCleaner C2:
193.38.54.57:45801

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                             ThreatFox Reference
193.38.54.57:45801              https://threatfox.abuse.ch/ioc/294070/
http://web-stat.biz/info.php    https://threatfox.abuse.ch/ioc/294080/

Intelligence


File Origin
# of uploads: 1
# of downloads: 262
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 6E52D162BAF265E070EC1A3147AD651D8BD8481D96B33.exe
Verdict: No threats detected
Analysis date: 2022-01-12 00:26:33 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Running batch commands
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Sending an HTTP GET request
Reading critical registry keys
Unauthorized injection to a recently created process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected malicious lnk with hta
Yara detected RedLine Stealer
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph (ID 551281):
Sample: 6E52D162BAF265E070EC1A3147A...  Start date: 12/01/2022  Architecture: WINDOWS  Score: 100

Contacted from the start node: 212.193.30.29 (SPD-NETTR, Russian Federation); 91.121.67.60 (OVHFR, France); 7 other IPs or domains
Signatures at the start node: Antivirus detection for URL or domain; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 20 other signatures

6E52D162BAF265E070EC1A3147AD651D8BD8481D96B33.exe (started)
  dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\...\Wed06f9fffb9fce655c.exe (PE32+); C:\Users\user\AppData\...\Wed06edd6b8998.exe (PE32); 14 other files (9 malicious)
  setup_install.exe (started)
    contacts: 127.0.0.1 (unknown)
    signatures: Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
    cmd.exe (started) -> Wed06c309967f8043c8c.exe (started)
      contacts: 185.215.113.208 (WHOLESALECONNECTIONSNL, Portugal); 212.193.30.45 (SPD-NETTR, Russian Federation); 13 other IPs or domains
      dropped: C:\Users\...\ZRo2uFrE9PG8CAzttOpcbDw8.exe (PE32+); C:\Users\user\AppData\Local\...\HR[1].exe (PE32); C:\Users\user\...54iceProcessX64[1].bmp (PE32+); 43 other files (11 malicious)
      signatures: Antivirus detection for dropped file; Creates HTML files with .exe extension (expired dropper behavior); Disable Windows Defender real time protection (registry)
    cmd.exe (started) -> Wed06002750541796d.exe (started)
      signatures: Machine Learning detection for dropped file; Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration)
    cmd.exe (started) -> Wed06d91f4e16fac21d.exe (started)
      signatures: Injects a PE file into a foreign processes
    7 other processes
      signatures: Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
      Wed0658076940.exe (started)
        contacts: 2 other IPs or domains
        dropped: C:\Users\user\AppData\Local\Temp\sqlite.dll (PE32)
        signatures: Creates processes via WMI
      Wed06f9fffb9fce655c.exe (started)
        contacts: 208.95.112.1 (TUT-ASUS, United States); 8.8.8.8 (GOOGLEUS, United States); 192.168.2.1 (unknown)
        signatures: Tries to harvest and steal browser information (history, passwords, etc)
      Wed066f5b23a5ec2e646.exe (started)
      2 other processes
Threat name: Win32.Backdoor.Zapchast
Status: Malicious
First seen: 2021-10-20 08:57:12 UTC
File Type: PE (Exe)
Extracted files: 81
AV detection: 24 of 28 (85.71%)
Threat level: 5/5

Result
Malware family: smokeloader
Score: 10/10
Tags: family:redline family:smokeloader botnet:fucker2 botnet:media18 aspackv2 backdoor evasion infostealer spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://directorycart.com/upload/
http://tierzahnarzt.at/upload/
http://streetofcards.com/upload/
http://ycdfzd.com/upload/
http://successcoachceo.com/upload/
http://uhvu.cn/upload/
http://japanarticle.com/upload/
135.181.129.119:4805
91.121.67.60:2151
Unpacked files

SHA256 hash: 4dac4731ed0a9bee3a0834cc33e0c5b2e1d283c318a5bb1d83d196994b0b43b6
MD5 hash: 470d3d00e0ce20009ad477b1c301feac
SHA1 hash: 84929da49c59089f7528fa6d809f76a74f702fb9

SHA256 hash: 03c7096f04ff5c60e9cc2f959fd2b412137ab04e131c54295edf86e6c73a9427
MD5 hash: 93477906b5ba6f5b376b21d4bf810752
SHA1 hash: 7dc227ed554b97276fd3385faa9f9af9cc9da18a

SHA256 hash: 0cddd277bd0f1f5510538c0bd9b1cff4c5cd01c5caee8eb9d06b9baa88519052
MD5 hash: 6449aa2e023c5931ac91815ca54225ed
SHA1 hash: 65b5f4df2c28472469ddf924e6b0d0a61394c612

SHA256 hash: 51a78b5f1799ffe27a1412e5eaa89e46dc32482e140c46ddafcd4c248e701b07
MD5 hash: 74c38bb6084f0c955a35c2355f6d9bc9
SHA1 hash: ff3911cf479e9932acbb4148918b1e10e368b13a

SHA256 hash: 38025567d5c9d5dd374cb5f9b1f9c7362a350509d78f03f5dcdf3b4a9fce2157
MD5 hash: bcd7186b7025fa03137a876de4d5c3f8
SHA1 hash: fefbe5f0837909580218d2ea70428ad322495bc5

SHA256 hash: b7fd0c0227a445847a051fe986bc517e2b136682d98dbe5349e2bc75e0e9e4ec
MD5 hash: c950dfa870dc50ce6e1e2fcaeb362de4
SHA1 hash: fc1fb7285afa8d17010134680244a19f9da847a1

SHA256 hash: 27a9228747973ae9649e8717a2ff77916346560644e734ef2ed946f2767fb128
MD5 hash: de1b3c28ea026c0ede620dd78199ddc5
SHA1 hash: ee402371a36bff44c765323ccd8c7e4a56bc8d12

SHA256 hash: 1f8aeae31a3271b2bcf49ebdf7b198289b33a9d99cfd62bed4f223461ed37499
MD5 hash: d4cf976668138f9674bd67a68152e9ef
SHA1 hash: e8b7f477bb113cbe6b949212ddccc615b3a07dc0

SHA256 hash: e3235b5345a96077085b2822c94f5fa07ebe7b2296faca293f743857182add37
MD5 hash: ffdb3744b3e0bb279dec8a3e8df9634f
SHA1 hash: d5a452124003cf61e62dbddeb91f528ce3c9d5f5

SHA256 hash: 434b3631be70489bd3f979c3b0eb7debb4ff78fa63b8227064fe90e2d2273217
MD5 hash: 49766fbaf0a5ff518153ab8681b3cd33
SHA1 hash: ca28ffdecb3ae47ab611049d62b564903ca07950

SHA256 hash: c48f955af8749972b7bd7dba2dd239cb224d049f8bc2dd1fe5c6233e2d64e741
MD5 hash: 78d016d5b9ee552dc76bf8a024392ce9
SHA1 hash: 8ba7b1380ca5cd7c7de57f4b8f2e74028e9b363d

SHA256 hash: 4d7bf2038b241cc664c74c6e979f5fe95434613b0e1cfb6484417cb61793ffb9
MD5 hash: 3dab7aa5329772c930838683b5599fec
SHA1 hash: 6ef7d0cdedbd1520c1b346a9467aa5837eca679d

SHA256 hash: 174f4f8146a8998395b38774f52063130304ab214257d10badc37464578c8c1d
MD5 hash: 7dc5f09dde69421bd8581b40d994ccd7
SHA1 hash: 23788ae65ec05a9e542636c6c4e1d9d6be26d05c

SHA256 hash: b103289d1d49827dfff649df138835afb6f7555c0b3002ae288940a56335cea9
MD5 hash: 3c66f116919a98eb1619b9f5ec7e5e1d
SHA1 hash: 0ee57ca68d23094e30e904310b3c4611b3d5b5d3

SHA256 hash: f88e2926a7aff6788062ace2d4999d73a4de253d8758c262e7f674088ec4bbde
MD5 hash: 9c27633bcdf8507a59b7a283a3b2b490
SHA1 hash: 102ab66902788948457c3cd715fbd3a2650f1933

SHA256 hash: ab5f96733064cf336bc452b7a0e36172ddf3a8c0734834253dfc8673341b560f
MD5 hash: 4bcdfc5bd7b14c0b4eeaf218ad324ed6
SHA1 hash: 12e33cf5f73610e7b8cfa472a88a8857057c3f8f

SHA256 hash: d4c64c3bd5103e18f95e4b76f00feb96058a8d05f92f2d8b402f606f12febda4
MD5 hash: 3fb8862c0818e96599e247d42ac8438f
SHA1 hash: 9a41da73edbc07be81c28a4732b00a82727709af

SHA256 hash: 3151abae4ac6b666c68eb4ec034e85e898c4c69e616dc6ec49508332a612d532
MD5 hash: 0ed05fb23e9a6f1f9739ff53049c208b
SHA1 hash: 59ab2fe098326f75e15e6ae6e34a808361fdfdb1

SHA256 hash: 379f87266239eeaac6b4aa80214ca8b95863f42f600ee8987765395f3a8b4de4
MD5 hash: 1750f1defd0ca1a6d3b055cd2fa299f2
SHA1 hash: ba5e303287fd241596214374b0bfbda3290661cd

SHA256 hash: 5113f0fdf387a25912d0d1fb1a4b608c9f3da56e4ad53674db239501f4a56404
MD5 hash: 61ef2f43c6a4d7e45c4fc23651d1042d
SHA1 hash: d95bcb10982480f694a57b8bf27bf61e2f5477cd

SHA256 hash: 6e52d162baf265e070ec1a3147ad651d8bd8481d96b33cee1b89d84e9c92c5f3
MD5 hash: defafd07d253ff3e67f6bb04d59b125c
SHA1 hash: 9ac9b2bea4507031b79db57c5fe3856bf1900d69
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

Comments