MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e890b0ee04f14d8989db2a0a853c06741112c432030b63457fe866600b44749. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 11



SHA256 hash: 7e890b0ee04f14d8989db2a0a853c06741112c432030b63457fe866600b44749
SHA3-384 hash: 4b187a84394c5d84de33c2ce0b5755a1f90939c035597393ccd0b9b11ca220c6abd43ec97ff1edf3f6cf62faf907c1d7
SHA1 hash: e3be8ffcc9dc2924652920f904f9058dbbf6e14e
MD5 hash: 401358d510a50b4e174c1f3abaf3bc0e
humanhash: monkey-football-pasta-whiskey
File name: setup_installer.exe
Signature: GCleaner
File size: 4'376'119 bytes
First seen: 2021-10-30 11:17:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 98304:xtCvLUBsgwxKJjuX1UWQXk5Q3jWRzEALRMJN7op7+eI:xuLUCgJjWDQUe3j86hoBI
TLSH: T1E1163352BD8245FBD103543ABA5C9F73B5BC472406318AAFFB21564EAF391E3052B28D
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: Anonymous
Tags: exe gcleaner

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                     ThreatFox Reference
http://91.219.236.97/   https://threatfox.abuse.ch/ioc/239602/

Intelligence


File Origin
# of uploads: 1
# of downloads: 312
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: setup_x86_x64_install.exe
Verdict: Malicious activity
Analysis date: 2021-10-30 08:50:30 UTC
Tags: trojan rat redline loader evasion stealer opendir vidar formbook

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook RedLine SmokeLoader Socelars Vi
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected FormBook
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph: (graph image not reproduced; its node details, i.e. contacted IPs and domains, dropped files, spawned processes and per-node signatures, are not reproduced here)
Behavior Graph ID: 512218
Sample: setup_installer.exe
Startdate: 30/10/2021
Architecture: WINDOWS
Score: 100
Threat name: Win32.Trojan.Cryprar
Status: Malicious
First seen: 2021-10-30 11:18:07 UTC
AV detection: 23 of 28 (82.14%)
Threat level: 5/5
Verdict: malicious
Label(s): formbook
Result
Malware family:
Score: 10/10
Tags: family:raccoon family:redline family:smokeloader family:socelars family:vidar botnet:933 botnet:eae58d570cc74796157b14c575bd3adc01116ca0 botnet:srtupdate33 aspackv2 backdoor infostealer stealer suricata trojan
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Malware Config
C2 Extraction:
135.181.129.119:4805
http://brandyjaggers.com/upload/
http://andbal.com/upload/
http://alotofquotes.com/upload/
http://szpnc.cn/upload/
http://uggeboots.com/upload/
http://100klv.com/upload/
http://rapmusic.at/upload/
https://mas.to/@lilocc
Unpacked files
Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detects executables with a stomped PE compilation timestamp that is greater than the local current time

Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Raccoon stealer payload

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments