MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7618c4f3710d5fe1291571206d83e391b2fa3ed555f031327463c3c80b4bfaf2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 12

SHA256 hash: 7618c4f3710d5fe1291571206d83e391b2fa3ed555f031327463c3c80b4bfaf2
SHA3-384 hash: ef2bf12e3cf0e4301eed65be75d06f6edce6427223530e21dfa4ac8704c417ffdff2edf66e62574e375996186351a7fb
SHA1 hash: 30339e092f6b72def146b0072e88a2c15cafea9c
MD5 hash: e580df3dab5dafce336d45f7c7a8e3eb
humanhash: nine-washington-angel-glucose
File name: e580df3dab5dafce336d45f7c7a8e3eb.exe
Signature: GCleaner
File size: 1'794'641 bytes
First seen: 2023-06-15 07:28:00 UTC
Last seen: 2023-06-15 08:39:08 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e569e6f445d32ba23766ad67d1e3787f (258 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep: 24576:s7FUDowAyrTVE3U5F/L1lORYDKic6QL3E2vVsjECUAQT45deRV9Rq:sBuZrEUVquKIy029s4C1eH9o
Threatray: 12 similar samples on MalwareBazaar
TLSH: T17185CF3FF268A13EC46A1B3245739310997BBA61B81A8C1E47FC384DCF765601E3B656
TrID: 50.4% (.EXE) Inno Setup installer (109740/4/30)
      19.7% (.EXE) InstallShield setup (43053/19/16)
      19.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
      4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter: abuse_ch
Tags: exe gcleaner

Intelligence

File Origin
# of uploads: 2
# of downloads: 283
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: e580df3dab5dafce336d45f7c7a8e3eb.exe
Verdict: Suspicious activity
Analysis date: 2023-06-15 07:30:51 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Searching for the window
Sending a custom TCP request
Result
Malware family: n/a
Score: 6/10
Tags: n/a

Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: installer lolbin overlay packed setupapi.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: MinerDownloader, Laplas Clipper, Nymaim
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DNS related to crypt mining pools
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Generic MinerDownloader
Yara detected Laplas Clipper
Yara detected Nymaim
Yara detected RedLine Stealer
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph ID: 888116
Sample: LKmdGDfKeP.exe
Start date: 15/06/2023
Architecture: WINDOWS
Score: 100

Network contacts recorded at the start node:
  bluestaks.novationgroups.com 50.31.188.9 SERVERCENTRALUS United States
  wc-update-service.lavasoft.com 64.18.87.82 MTOCA Canada
  7 other IPs or domains
Signatures recorded at the start node: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 13 other signatures

Process tree (dropped files, network contacts and signatures are listed under the process they belong to; the "..." in paths is as shown in the graph):
LKmdGDfKeP.exe
  dropped: C:\Users\user\AppData\...\LKmdGDfKeP.tmp (PE32)
  signature: Obfuscated command line found
  LKmdGDfKeP.tmp
    network: 45.12.253.74, 49703, 80 CMCSUS Germany
    network: webcompanion.com 104.18.212.25 CLOUDFLARENETUS United States
    network: act.reactionharbor.xyz 188.114.97.7 CLOUDFLARENETUS European Union
    dropped: C:\Users\user\AppData\Local\Temp\...\s1.exe (PE32)
    dropped: C:\Users\user\AppData\Local\Temp\...\s0.exe (PE32)
    dropped: C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32)
    dropped: 2 other files (1 malicious)
    signature: Performs DNS queries to domains with low reputation
    s0.exe
      network: 45.12.253.72, 49705, 80 CMCSUS Germany
      network: 45.12.253.56, 49704, 80 CMCSUS Germany
      network: 2 other IPs or domains
      dropped: C:\Users\user\AppData\Roaming\...\kCvMV8X.exe (PE32)
      dropped: C:\Users\user\AppData\Roaming\...\97N6.exe (PE32)
      dropped: C:\Users\user\AppData\...\zhXYsLPP.exe (PE32)
      dropped: 7 other malicious files
      signature: Multi AV Scanner detection for dropped file
      97N6.exe
        network: t.me 149.154.167.99, 443, 49711 TELEGRAMRU United Kingdom
        network: 116.202.5.168, 11022, 49712 HETZNER-ASDE Germany
        network: lodar2ben.top
        signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 3 other signatures
      kCvMV8X.exe
        signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
      zhXYsLPP.exe
        dropped: C:\Users\user\AppData\Local\...\gipikbh.dat (PE32+)
        cmd.exe
          dropped: C:\Users\user\AppData\Local\...\ffqqjflqs.exe (PE32)
          conhost.exe
          ffqqjflqs.exe
      8 other processes
svchost.exe
  WerFault.exe
    network: 192.168.2.1 unknown unknown
  WerFault.exe
  WerFault.exe
  5 other processes
Threat name: Win32.Trojan.OffLoader
Status: Malicious
First seen: 2023-06-15 07:29:06 UTC
File Type: PE (Exe)
Extracted files: 15
AV detection: 14 of 24 (58.33%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash: 218f927dddb52d75ca5d771df61d2548241a88491bd18550697e90753606fd05
MD5 hash: 0740f546cb9de6eac0bdb72ba81eac66
SHA1 hash: 41be1afe45ede80e1184c9a8a8b9e341efdd4f38

SHA256 hash: 306c9271cb637ad69bdbeb60b4183db742b69e9328412e8d08f6722ac5a36491
MD5 hash: d2a3c1b0e9b0288f1388de484d6c53e1
SHA1 hash: eb0718fb00b81adc9f2f56eca3c5ec6c58ffea37

SHA256 hash: d60a1e102ac1e68d99866ebcacf225feb8e5beadb890179e4087e037e8515d4b
MD5 hash: 1b7b2605138f98e6c5218d28c65ba80f
SHA1 hash: c2812dca3ec623d66c2314ab33e4f494fe158f65

SHA256 hash: 7618c4f3710d5fe1291571206d83e391b2fa3ed555f031327463c3c80b4bfaf2
MD5 hash: e580df3dab5dafce336d45f7c7a8e3eb
SHA1 hash: 30339e092f6b72def146b0072e88a2c15cafea9c
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments