MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b18ca8fcbd4da8534d53c2004f8a0b1b43cc9cfd19eb88d3e34a410366b2d39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 13


Intelligence 13 IOCs YARA 13 File information Comments

SHA256 hash: 7b18ca8fcbd4da8534d53c2004f8a0b1b43cc9cfd19eb88d3e34a410366b2d39
SHA3-384 hash: 1a67d2d256c699f56a65d88a1c4e732c21e5b16104bef140946838392d31651bdacd47f6bbfa85930a54cd32bb9f288e
SHA1 hash: 91852e7c4fde2cf2cabf02ceafd9ba5e617d5d32
MD5 hash: a62d1f7e3ccb1b6f6e07798e8d2baf19
humanhash: iowa-bacon-white-winter
File name:setup_euone.bin
Download: download sample
Signature GCleaner
File size:840'464 bytes
First seen:2026-07-04 15:21:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash cd403f4b2a9029685c1ba1449e3de76d (2 x GCleaner)
ssdeep 12288:6KqXmsruZ1B3Stb8l8YCXa06b3Xwd4XZhOfOans6D31tV+EpP8k:69RSdCd8K7Gbnwd4XZ0fOivD3I6
TLSH T19B059E22A2904837C1A3163D9D2BAB74A927BE3139285D866BE43C4C8F37F517935377
TrID 52.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
16.8% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
7.5% (.EXE) OS/2 Executable (generic) (2029/13)
7.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 399998ecd4d46c0e (573 x Quakbot, 308 x GCleaner, 137 x ArkeiStealer)
Reporter aachum
Tags:dropped-by-OffLoader EUONE exe gcleaner


Avatar
iamaachum
http://158.94.209.95/setup?name=euone

Intelligence


File Origin
# of uploads :
1
# of downloads :
124
Origin country :
ES ES
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
exe
Verdict:
Malicious activity
Analysis date:
2026-07-04 15:23:31 UTC
Tags:
gcleaner loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
cobalt delphi
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Launching a service
Deleting a recently created file
Connection attempt to an infection source
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-25T12:52:00Z UTC
Last seen:
2026-07-05T19:35:00Z UTC
Hits:
~10
Result
Threat name:
CryptOne, GCleaner, SnappyClient, Stealc
Detection:
malicious
Classification:
troj.adwa.spyw.expl.evad.mine
Score:
100 / 100
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Hijacks the control flow in another process
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Potentially malicious time measurement code found
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Disable power options
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Uses powercfg.exe to modify the power settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Yara detected CryptOne packer
Yara detected GCleaner
Yara detected Powershell decode and execute
Yara detected SnappyClient
Yara detected Stealc v2
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1937464 Sample: setup_euone.bin.exe Startdate: 04/07/2026 Architecture: WINDOWS Score: 100 153 45.91.200.135 PODAONLV Netherlands 2->153 155 185.156.73.98 FDN3UA Netherlands 2->155 157 4 other IPs or domains 2->157 173 Suricata IDS alerts for network traffic 2->173 175 Found malware configuration 2->175 177 Malicious sample detected (through community Yara rule) 2->177 179 30 other signatures 2->179 14 setup_euone.bin.exe 2->14         started        17 updater.exe 2->17         started        20 powershell.exe 2->20         started        signatures3 process4 file5 233 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 14->233 235 Hijacks the control flow in another process 14->235 237 Contains functionality to inject code into remote processes 14->237 247 4 other signatures 14->247 22 svchost.exe 38 14->22         started        131 C:\Windows\Temp\mkozkjcwhknq.sys, PE32+ 17->131 dropped 239 Antivirus detection for dropped file 17->239 241 Multi AV Scanner detection for dropped file 17->241 243 Tries to detect sandboxes and other dynamic analysis tools (window names) 17->243 249 7 other signatures 17->249 27 powershell.exe 17->27         started        29 cmd.exe 17->29         started        31 sc.exe 17->31         started        33 sc.exe 17->33         started        245 Creates files in the system32 config directory 20->245 35 conhost.exe 20->35         started        signatures6 process7 dnsIp8 167 158.94.209.95, 49712, 49714, 49716 OMEGATECH-ASSC Netherlands 22->167 169 drive.usercontent.google.com 142.251.215.161, 443, 49710, 49721 GOOGLE-GoogleLLCUS United States 22->169 139 C:\Users\user\AppData\...\sU3fAeAuQRb9V.exe, PE32+ 22->139 dropped 141 C:\Users\user\AppData\...\xmlslM8AKnTq.exe, PE32+ 22->141 dropped 143 C:\Users\user\AppData\...\dQGhg3AtPT26.exe, PE32+ 22->143 dropped 145 6 other malicious files 22->145 dropped 195 System process connects to network (likely due to code injection or exploit) 22->195 197 Unusual module load detection (module proxying) 22->197 37 9gR3RtSLwbz.exe 1 16 22->37         started        42 B0PSyNYQtK.exe 1 22->42         started        44 dQGhg3AtPT26.exe 22->44         started        56 4 other processes 22->56 199 Loading BitLocker PowerShell Module 27->199 46 conhost.exe 27->46         started        48 conhost.exe 29->48         started        50 wusa.exe 29->50         started        52 conhost.exe 31->52         started        54 conhost.exe 33->54         started        file9 signatures10 process11 dnsIp12 161 juj.realmadridiran.news 172.67.189.111, 443, 49719, 49724 CLOUDFLARENET-CloudflareIncUS Canada 37->161 163 dutalogambone.com 109.106.254.249, 49733, 80 AS-HOSTINGERCY Singapore 37->163 165 telegram.me 149.154.167.99, 443, 49717 TELEGRAMVG United Kingdom 37->165 133 C:\Users\user\AppData\Local\...\4ff4a178.exe, PE32 37->133 dropped 135 C:\Users\user\AppData\Local\...\0be9fca7.exe, PE32+ 37->135 dropped 181 Antivirus detection for dropped file 37->181 183 Multi AV Scanner detection for dropped file 37->183 185 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 37->185 193 8 other signatures 37->193 58 cmd.exe 37->58         started        60 cmd.exe 37->60         started        137 C:\Users\user\AppData\Local\959827.vbs, ASCII 42->137 dropped 187 Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners) 42->187 189 Potentially malicious time measurement code found 42->189 191 Wscript called in batch mode (surpress errors) 42->191 62 wscript.exe 1 42->62         started        65 conhost.exe 56->65         started        67 conhost.exe 56->67         started        69 conhost.exe 56->69         started        71 conhost.exe 56->71         started        file13 signatures14 process15 signatures16 73 0be9fca7.exe 58->73         started        76 conhost.exe 58->76         started        78 4ff4a178.exe 60->78         started        81 conhost.exe 60->81         started        251 Suspicious powershell command line found 62->251 253 Wscript starts Powershell (via cmd or directly) 62->253 255 Windows Scripting host queries suspicious COM object (likely to drop second stage) 62->255 257 2 other signatures 62->257 83 powershell.exe 14 15 62->83         started        process17 dnsIp18 201 Antivirus detection for dropped file 73->201 203 Multi AV Scanner detection for dropped file 73->203 205 Suspicious powershell command line found 73->205 221 4 other signatures 73->221 86 powershell.exe 73->86         started        147 C:\ProgramData\Chrome141\Chrome140.exe, PE32 78->147 dropped 207 Detected unpacking (changes PE section rights) 78->207 209 Hides threads from debuggers 78->209 211 Tries to detect sandboxes / dynamic malware analysis system (registry check) 78->211 159 62.60.226.243, 49720, 80 FEMOITGB Germany 83->159 213 Writes to foreign memory regions 83->213 215 Suspicious execution chain found 83->215 217 Found suspicious powershell code related to unpacking or dynamic code loading 83->217 219 Injects a PE file into a foreign processes 83->219 88 RegAsm.exe 83->88         started        92 conhost.exe 83->92         started        file19 signatures20 process21 dnsIp22 94 0be9fca7.exe 86->94         started        98 conhost.exe 86->98         started        171 64.224.17.118, 49723, 80 VIRTUO-12651980CANADAINCCA Belgium 88->171 223 Tries to harvest and steal browser information (history, passwords, etc) 88->223 225 Writes to foreign memory regions 88->225 227 Allocates memory in foreign processes 88->227 229 6 other signatures 88->229 100 chrome.exe 88->100         started        102 chrome.exe 88->102         started        104 chrome.exe 88->104         started        signatures23 process24 file25 149 C:\ProgramDatabehaviorgraphoogle\Chrome\updater.exe, PE32+ 94->149 dropped 151 C:\Windows\System32\drivers\etc\hosts, ASCII 94->151 dropped 259 Modifies the context of a thread in another process (thread injection) 94->259 261 Modifies the hosts file 94->261 263 Adds a directory exclusion to Windows Defender 94->263 265 5 other signatures 94->265 106 powershell.exe 94->106         started        109 cmd.exe 94->109         started        111 sc.exe 94->111         started        113 13 other processes 94->113 signatures26 process27 signatures28 231 Loading BitLocker PowerShell Module 106->231 115 conhost.exe 106->115         started        117 conhost.exe 109->117         started        119 wusa.exe 109->119         started        121 conhost.exe 111->121         started        123 conhost.exe 113->123         started        125 conhost.exe 113->125         started        127 conhost.exe 113->127         started        129 9 other processes 113->129 process29
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name:
Win32.Backdoor.Androm
Status:
Malicious
First seen:
2026-06-26 06:47:00 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
26 of 36 (72.22%)
Threat level:
  5/5
Result
Malware family:
gcleaner
Score:
  10/10
Tags:
family:gcleaner discovery loader
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Family: GCleaner
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
185.156.73.98
Unpacked files
SH256 hash:
7b18ca8fcbd4da8534d53c2004f8a0b1b43cc9cfd19eb88d3e34a410366b2d39
MD5 hash:
a62d1f7e3ccb1b6f6e07798e8d2baf19
SHA1 hash:
91852e7c4fde2cf2cabf02ceafd9ba5e617d5d32
SH256 hash:
172e116d86f706cbf556e2747813751f00104cb1b85338c01f9e5f5c09599ec8
MD5 hash:
0985cdb730ce76f793cce7fc2766a001
SHA1 hash:
75e4f72ae4667cef218e840658931151006633c4
Detections:
GCleaner
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Author:malware-lu
Rule name:Borland
Author:malware-lu
Rule name:Check_OutputDebugStringA_iat
Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns
Rule name:Suspicious_Process
Author:Security Research Team
Description:Suspicious process creation
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments