MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77012c024869ba2639b54b959fab1e10ebaaf8ebb9bfcc2a11db4c71a2b9fa59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77012c024869ba2639b54b959fab1e10ebaaf8ebb9bfcc2a11db4c71a2b9fa59
SHA3-384 hash: a7ac7d03324902ad7d31c5ffba152f35e2db7d39c75a6c68e15e130708120f5fd502d2a49aac7801072ca417d76e95d0
SHA1 hash: 26975067cc24f634f6c64a79b98f356fb639d77e
MD5 hash: f4405d3dd08690d4ce4e9a02d4c641df
humanhash: uncle-item-potato-freddie
File name:77012C024869BA2639B54B959FAB1E10EBAAF8EBB9BFC.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:6'510'476 bytes
First seen:2021-11-23 16:31:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 196608:yXlWFQxI7Mua49leNtAP++T72VG8+FBqPGI:yXkmShleNaPh72VG8oqx
Threatray 1'778 similar samples on MalwareBazaar
TLSH T13666332B3F069667F7E251326BBDC8B789A425973F13410FC6C709E9FF309948649918
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe gcleaner


Avatar
abuse_ch
GCleaner C2:
176.122.25.128:49897

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
176.122.25.128:49897 https://threatfox.abuse.ch/ioc/253519/

Intelligence

File Origin
# of uploads :
1
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
77012C024869BA2639B54B959FAB1E10EBAAF8EBB9BFC.exe
Verdict:
No threats detected
Analysis date:
2021-11-23 16:39:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b44ba3df-39de-4fdd-93c1-465bc8ad2c32

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
DNS request
Creating a file
Searching for the window
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Creating a window
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Searching for analyzing tools
Sending an HTTP GET request
Reading critical registry keys
Query of malicious DNS domain
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
arkeistealer barys overlay packed tiny wacatac
Link:
https://www.filescan.io/uploads/619d178702c80febc2a741ac/reports/df75a996-fa60-4c3c-80db-84d45be35c77/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f9067f91-ff83-45fc-bba6-c709433f03f3
Result
Threat name:
RedLine Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/894910
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 527393 Sample: 77012C024869BA2639B54B959FA... Startdate: 23/11/2021 Architecture: WINDOWS Score: 100 57 136.144.41.58 WORLDSTREAMNL Netherlands 2->57 59 103.155.93.165 TWIDC-AS-APTWIDCLimitedHK unknown 2->59 61 18 other IPs or domains 2->61 77 Antivirus detection for URL or domain 2->77 79 Antivirus detection for dropped file 2->79 81 Antivirus / Scanner detection for submitted sample 2->81 83 17 other signatures 2->83 10 77012C024869BA2639B54B959FAB1E10EBAAF8EBB9BFC.exe 10 2->10         started        signatures3 process4 file5 45 C:\Users\user\AppData\...\setup_installer.exe, PE32 10->45 dropped 13 setup_installer.exe 22 10->13         started        process6 file7 47 C:\Users\user\AppData\...\setup_install.exe, PE32 13->47 dropped 49 C:\Users\user\AppData\...\Thu00e6dc783f.exe, PE32 13->49 dropped 51 C:\Users\user\AppData\...\Thu00e1362251a3.exe, PE32+ 13->51 dropped 53 17 other files (12 malicious) 13->53 dropped 16 setup_install.exe 1 13->16         started        process8 dnsIp9 55 127.0.0.1 unknown unknown 16->55 75 Adds a directory exclusion to Windows Defender 16->75 20 cmd.exe 1 16->20         started        22 cmd.exe 16->22         started        24 cmd.exe 1 16->24         started        26 8 other processes 16->26 signatures10 process11 signatures12 29 Thu00e6dc783f.exe 3 20->29         started        33 Thu008c1e505ef28ce.exe 22->33         started        35 Thu0024eb0c01ddf62.exe 24->35         started        85 Adds a directory exclusion to Windows Defender 26->85 37 Thu00e1362251a3.exe 26->37         started        39 Thu006994f743f.exe 26->39         started        41 Thu00b87bb8a6c15.exe 26->41         started        43 powershell.exe 26 26->43         started        process13 dnsIp14 63 65.108.20.195 ALABANZA-BALTUS United States 29->63 87 Antivirus detection for dropped file 29->87 89 Detected unpacking (changes PE section rights) 29->89 91 Detected unpacking (overwrites its own PE header) 29->91 93 Multi AV Scanner detection for dropped file 33->93 95 Machine Learning detection for dropped file 33->95 97 Injects a PE file into a foreign processes 33->97 65 208.95.112.1 TUT-ASUS United States 37->65 67 8.8.8.8 GOOGLEUS United States 37->67 99 Tries to harvest and steal browser information (history, passwords, etc) 37->99 69 5.9.162.45 HETZNER-ASDE Germany 41->69 71 149.28.253.196 AS-CHOOPAUS United States 41->71 73 192.168.2.1 unknown unknown 41->73 signatures15
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/77012c024869ba2639b54b959fab1e10ebaaf8ebb9bfcc2a11db4c71a2b9fa59/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-11-06 02:04:00 UTC
File Type:
PE (Exe)
Extracted files:
106
AV detection:
34 of 45 (75.56%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=o4asyasing5cmonvjokz7ky6cdv2v6hlxg74ykqr3nghdivz7jmq._file
Verdict:
malicious
Similar samples:
038152eae96d57cb15d542b84755d9feadee7d2012fc183a1937c448c211671e
GCleaner
0cdd906491990c6ba9c24bdd60172057587859a8e649ba7f4b51fece9a0fdac6
GCleaner
3badebcefb9e7153384cae83baaa119f6317c9381e8500ac285568590e0abd82
GCleaner
a3845d760f3394981f0e9b2330c279db0534befaaa17c67ded9b3dbd7b9e608f
GCleaner
bb1944681aa2fcfd5f372fd44e041a63569b46130540225afc1560a1650d4e37
GCleaner
c9de02209482359466292be7bc0464fc65037698b38c1566cd331720e65f8ea0
GCleaner
f1b2cc9a9fed9992129c1673d423647dd8307aada8ccff1b3d0fea35c2c3e741
GCleaner
+ 1'768 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:ani botnet:janera botnet:matthew2009 aspackv2 backdoor discovery evasion infostealer spyware stealer themida trojan
Link:
https://tria.ge/reports/211123-t1y6wadha2/
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Reads user/profile data of web browsers
Themida packer
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
http://www.ecgbg.com/
https://mas.to/@killern0
http://govsurplusstore.com/upload/
http://best-forsale.com/upload/
http://chmxnautoparts.com/upload/
http://kwazone.com/upload/
45.142.215.47:27643
65.108.20.195:6774
213.166.69.181:64650
Unpacked files
SH256 hash:
1778a6b25f9ac7d1bf1782d1196ac5254ed46e70033a38f391d02939d5b733da
MD5 hash:
3b32aabc7aad3bbfd7226cc614743f48
SHA1 hash:
ea748309ac48558506ddf93b45369b41f641126e
Link:
https://www.unpac.me/results/6b346c08-d718-45e9-98ce-0472dca81c2e/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/6b346c08-d718-45e9-98ce-0472dca81c2e/
SH256 hash:
66d9e7d002b91df4aa572228d3c4a1d41997fff54555d0aa2e903f993f307814
MD5 hash:
17df2b7340cf3291107bfd454d0ca856
SHA1 hash:
00458e02751bb0e2cc268730a0cac2689249b1a7
Link:
https://www.unpac.me/results/6b346c08-d718-45e9-98ce-0472dca81c2e/
SH256 hash:
6c05dfe8f17d9df784b99f24c719fa342b169e05ce3628a7a86a19b9e4117e87
MD5 hash:
f10476b5f25c36a0864a9f2ffb3b87cb
SHA1 hash:
6b512b22b3f4258c1167e9ea9eb5aa4885162064
Link:
https://www.unpac.me/results/6b346c08-d718-45e9-98ce-0472dca81c2e/
SH256 hash:
52587a260b384278c789b134c8f08d8af9997aedd818c3c6a280d00aaaa77d2d
MD5 hash:
2c509753fac93810c09574a8b56af1e4
SHA1 hash:
e53da7ff5a9cfc3bda21794d639ed1f02cd7a881
Link:
https://www.unpac.me/results/6b346c08-d718-45e9-98ce-0472dca81c2e/
SH256 hash:
68223fa16261faf405282fee551520b480eb4132f769b73c9fa707adf00539f6
MD5 hash:
05378594f7196c773e7f8d8670907c43
SHA1 hash:
c829048f7221f3641434b1386490a320dc6d3b4b
Link:
https://www.unpac.me/results/6b346c08-d718-45e9-98ce-0472dca81c2e/
SH256 hash:
c3b3439a5a324135d9aad9a2dbe679894de538139879d473f561b71bf5bb65e9
MD5 hash:
887a3de308037c13569a3b6f76d99628
SHA1 hash:
b7f88c12cc5e7ccd3cf997b5ff32f74356dbf36a
Link:
https://www.unpac.me/results/6b346c08-d718-45e9-98ce-0472dca81c2e/
SH256 hash:
bb65b1fd6a5ee0f72f3abdbb1aff0a6c89ff0cd72de6c6d77bfa359ec72c6287
MD5 hash:
7c2321a68c6ddde1619ef03fc36ccc1b
SHA1 hash:
9c2fd03a4965a2d787c0c2358c75866c7ce5953b
Link:
https://www.unpac.me/results/6b346c08-d718-45e9-98ce-0472dca81c2e/
SH256 hash:
43e7c7d9cf33c82437454c407318e9b5055420f4e9a8b492ce558f7115a4a37c
MD5 hash:
e4ee629445944b949b8347268448c12d
SHA1 hash:
974b68f92f3d7196a75eed49052da3b77b2de704
Link:
https://www.unpac.me/results/6b346c08-d718-45e9-98ce-0472dca81c2e/
SH256 hash:
cc5f4d44f395885cc6fd2a62016a73d79436c26bbdad4d253b3d838ee8e280d5
MD5 hash:
e89724e92dd14f86800b607fd3f3c0e8
SHA1 hash:
7f3118d3545987f7abf7c5c0a76392236ca8a9f2
Link:
https://www.unpac.me/results/6b346c08-d718-45e9-98ce-0472dca81c2e/
SH256 hash:
b7b51624334ec2223788c2b8bcaf055e4d3c2351d4282b2285a23f3e0703d7da
MD5 hash:
431b0cae5e3e7cdacf934e62de3b8484
SHA1 hash:
74edd67927d9ecd251d357cf8b5689b273a72edd
Link:
https://www.unpac.me/results/6b346c08-d718-45e9-98ce-0472dca81c2e/
SH256 hash:
9fd083a486d854b5bec7d7c79893f19cf56dc458c04d1ecd2022938c66621a83
MD5 hash:
0f6fd076419ad2bd253f0eeb9c088118
SHA1 hash:
637a4e64071e39cc4bd36aef08a64c8e9a9c8dad
Link:
https://www.unpac.me/results/6b346c08-d718-45e9-98ce-0472dca81c2e/
SH256 hash:
dad9dff62cef8913f7bc79ca6e5459b29ec15751979dd06e99e8d0aa8243e89b
MD5 hash:
c574af9160acb15fdbf03bda5639fd41
SHA1 hash:
4791c3b661c2780ec2d5631b2902d587c42b8caf
Link:
https://www.unpac.me/results/6b346c08-d718-45e9-98ce-0472dca81c2e/
SH256 hash:
1b63be98352f2640a7748d2006b054cbdde2b3de9108b3d1368151c4860b8c38
MD5 hash:
37dcb962fdabf964305ed0b99d6de954
SHA1 hash:
467fc0aaef8080f97eef3cf23cc7692b94e49167
Link:
https://www.unpac.me/results/6b346c08-d718-45e9-98ce-0472dca81c2e/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/6b346c08-d718-45e9-98ce-0472dca81c2e/
SH256 hash:
b1920edd533a39e340a58a6e720a38b6fd703d91ec097b9f2b1a69ce9d7fbbf8
MD5 hash:
8b78a03d45ea20b55ad506929729ec1d
SHA1 hash:
c0c2b7ce1f68b41d1d72f07939387dabf9ffc597
Link:
https://www.unpac.me/results/6b346c08-d718-45e9-98ce-0472dca81c2e/
SH256 hash:
47f24073926b87611a719599123e60d3e7e41882d2935b0fffd5a5596ca44714
MD5 hash:
5938dcaca6085b0e9d5783ccbfb3eed4
SHA1 hash:
7eca0c7b56c4e60f4ef50fd81d9b69f603e14067
Link:
https://www.unpac.me/results/6b346c08-d718-45e9-98ce-0472dca81c2e/
SH256 hash:
5e7d3e0c0363a0aebe474b817acbd6e4bd843992b330cde3992b8e1247e6172d
MD5 hash:
44f3d1ffed57ce4ab139b33e2c128bb3
SHA1 hash:
da2133af85bd33b6dff8eeadca33ec54e565be5e
Link:
https://www.unpac.me/results/6b346c08-d718-45e9-98ce-0472dca81c2e/
SH256 hash:
cef252456ae7e88ae1425b6e25dca568f03806259062c69c5dd83ff09887a0bb
MD5 hash:
7121bdcf785299c09abf148e4e6a128b
SHA1 hash:
6859879be9ee7e1cfb3642b082f1e54e5bfe68d0
Link:
https://www.unpac.me/results/6b346c08-d718-45e9-98ce-0472dca81c2e/
SH256 hash:
bb6d8ca0ac00280bed9d6c3447ed9425ebce386dc98fa243655b4bccf226b43d
MD5 hash:
a18eb4099791ff2f6ec0f18b7ff1da27
SHA1 hash:
96d17dc6031636376c7a1a4742d12eb02a2903df
Detections:
win_socelars_auto
Create hunting rule
Link:
https://www.unpac.me/results/6b346c08-d718-45e9-98ce-0472dca81c2e/
SH256 hash:
f8fdb0cf6be16b9dd7a4baaac65bae2a53f678e95a5b76d5edeec0a43f532d11
MD5 hash:
ab308330d72428a6a98e6b22fa4f1710
SHA1 hash:
16c2c324d55d2a4c20f735f5a9dd912fafc0d291
Link:
https://www.unpac.me/results/6b346c08-d718-45e9-98ce-0472dca81c2e/
SH256 hash:
6c3367773a3d88e040b94bf795664d970e8b0aabce287f034a11f64f9ee9fb2b
MD5 hash:
38a9895d95f37b93e4e2dbf0fb8c7925
SHA1 hash:
88d4bcbadcadddb177ce63daeca524f8949bd443
Link:
https://www.unpac.me/results/6b346c08-d718-45e9-98ce-0472dca81c2e/
SH256 hash:
77012c024869ba2639b54b959fab1e10ebaaf8ebb9bfcc2a11db4c71a2b9fa59
MD5 hash:
f4405d3dd08690d4ce4e9a02d4c641df
SHA1 hash:
26975067cc24f634f6c64a79b98f356fb639d77e
Link:
https://www.unpac.me/results/6b346c08-d718-45e9-98ce-0472dca81c2e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/77012c024869ba2639b54b959fab1e10ebaaf8ebb9bfcc2a11db4c71a2b9fa59

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/208770/

Comments