MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80017d4daf4a64dcb73eabdf91bac4572898c52f3ecc21e7deb6bbc4fffebfc7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner
Vendor detections: 9

SHA256 hash: 80017d4daf4a64dcb73eabdf91bac4572898c52f3ecc21e7deb6bbc4fffebfc7
SHA3-384 hash: d73c5c20f6dea5e3f7c05d6972925f36bda2f3a21ef95a8b16b0660c58d5f462d71dade93842bf93ed036c67d9082b20
SHA1 hash: ffc7ebd012cb9746f37636ecdbdd83658b16aa13
MD5 hash: a6599b0c7ed1390cfdae92009e6c3804
humanhash: vermont-finch-jupiter-jupiter
File name: a6599b0c7ed1390cfdae92009e6c3804.exe
Signature: GCleaner
File size: 5'872'505 bytes
First seen: 2022-02-13 09:00:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 98304:xS5ChMvSYl8eT/zguZEdCDb1ozQ98KMgBSoEpmVJoZ1NjnqO4pyRdDsoOJ8D3i3F:xS5ChMaQ8SL7EdCDAA69bpmVmZ1Njp4x
TLSH: T1984633413FE8A0F7EC360DB09D4C23A7762E9B785C1694377B90529C5D9E8B1232F998
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe gcleaner


abuse_ch:
GCleaner C2: 31.210.20.39:81

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 31.210.20.39:81 (ThreatFox reference: https://threatfox.abuse.ch/ioc/387277/)

Intelligence


File Origin
# of uploads: 1
# of downloads: 344
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: a6599b0c7ed1390cfdae92009e6c3804.exe
Verdict: No threats detected
Analysis date: 2022-02-13 09:10:49 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Running batch commands
Sending a custom TCP request
Launching a process
DNS request
Using the Windows Management Instrumentation requests
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine SmokeLoader Socelars onlyLogger
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Disables Windows Defender (via service or powershell)
Found C&C like URL pattern
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
PE file has nameless sections
Sample uses process hollowing technique
Sigma detected: Execution File Type Other Than .exe
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction which cause usermode exception
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph: ID 571405, sample ieG4jQmQxd.exe, start date 13/02/2022, architecture WINDOWS, score 100.
Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2022-02-11 14:34:00 UTC
File Type: PE (Exe)
Extracted files: 288
AV detection: 29 of 43 (67.44%)
Threat level: 5/5
Result
Malware family: socelars
Score: 10/10
Tags: family:onlylogger family:smokeloader family:socelars aspackv2 backdoor discovery loader spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
OnlyLogger Payload
OnlyLogger
Process spawned unexpected child process
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://www.mkpmc.com/
http://host-data-coin-11.com/
http://file-coin-host-12.com/
Unpacked files

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: downloader_macros
Author: ddvvmmzz
Description: downloader macros

Rule name: exec_macros
Author: ddvvmmzz
Description: exec macros

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack

Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector

Rule name: MALWARE_Win_OnlyLogger
Author: ditekSHen
Description: Detects OnlyLogger loader variants

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: obfuscate_macros
Author: ddvvmmzz
Description: obfuscate macros

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: XOREngine_Misc_XOR_Func
Author: smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description: Use with care, https://twitter.com/cyb3rops/status/1237042104406355968
