MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74b316db9c08f5eb7fe8f336eb9d85274048de7596b0b42bf20eea995c4ed4f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 10



SHA256 hash: 74b316db9c08f5eb7fe8f336eb9d85274048de7596b0b42bf20eea995c4ed4f8
SHA3-384 hash: dd1b93a02b71bf388031b4fea13e7a72c9cfddf1db071256e8904b0261d0ca587e97d993aa8eb9ae4d5d11ff18ca7bd6
SHA1 hash: 80edf2fa87fd06dc2e70c88bf44673d32ca5b36e
MD5 hash: a133e50062dc1460cc38f281f6209403
humanhash: magnesium-massachusetts-bravo-pluto
File name: a133e50062dc1460cc38f281f6209403.exe
Signature: GCleaner
File size: 5'237'850 bytes
First seen: 2024-03-03 15:00:23 UTC
Last seen: 2024-03-03 16:23:22 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f4639a0b3116c2cfc71144b88a929cfd (98 x GuLoader, 53 x Formbook, 39 x VIPKeylogger)
ssdeep 98304:Dbo2uA3UDoNCIbuTXjKPh6pFkyQc9F+HzLrBfu2gEY/1GEjnZ49KdmRVziIn:DUlDoN5buLjK87kyQc9F+H7OXZ493VT
Threatray 132 similar samples on MalwareBazaar
TLSH T125363331E3A57018EFA1E437EC5E74C49FA352205B8E7DD2964B630F8C95A43E0226DA
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon c4dadadad2f492c2 (25 x GuLoader, 14 x RemcosRAT, 7 x AgentTesla)
Reporter abuse_ch
Tags: exe gcleaner

Intelligence


File Origin
# of uploads: 2
# of downloads: 415
Origin country: NL
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: installer lolbin overlay packed shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: malicious
Classification: spyw
Score: 52 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to register a low level keyboard hook
Installs a global event hook (focus changed)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph: graph image not reproduced here (Behavior Graph ID 1402171, sample vc9dXDjnki.exe, start date 03/03/2024, architecture WINDOWS, score 52).
Threat name: Win32.Trojan.OffLoader
Status: Malicious
First seen: 2024-02-27 03:08:53 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 20 of 24 (83.33%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Enumerates physical storage devices
Loads dropped DLL
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_TRUST_INFO | Requires Elevated Execution (level:requireAdministrator) | high
Reviews

ID | Capabilities | Evidence
COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance
SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AdjustTokenPrivileges
SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExW, SHELL32.dll::SHFileOperationW, SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW, ADVAPI32.dll::OpenProcessToken, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetDiskFreeSpaceW, KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileW, KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::MoveFileExW
WIN_BASE_USER_API | Retrieves Account Information | ADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExW, ADVAPI32.dll::RegDeleteKeyW, ADVAPI32.dll::RegOpenKeyExW, ADVAPI32.dll::RegQueryValueExW, ADVAPI32.dll::RegSetValueExW
WIN_USER_API | Performs GUI Actions | USER32.dll::AppendMenuW, USER32.dll::EmptyClipboard, USER32.dll::FindWindowExW, USER32.dll::OpenClipboard, USER32.dll::PeekMessageW, USER32.dll::CreateWindowExW

Comments



Kasibe commented on 2024-03-03 15:12:50 UTC

OffLoader