MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84860b1d90de1d371ece5e4e4cf34cef1e3e174569024c29be70c61a478f9401. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner
Vendor detections: 10

SHA256 hash: 84860b1d90de1d371ece5e4e4cf34cef1e3e174569024c29be70c61a478f9401
SHA3-384 hash: 317c3525b856d5adac7fed6cd16297a8ac4a5bdbc56f88c1400315a31eaea00b0e08bb12fb904f8775208db75eba33e1
SHA1 hash: 8c7e4c4bca80e10075b7a772644c45aa95fee4f0
MD5 hash: ab5a3bdfff5cb02f322cd4ef8e5fc1c0
humanhash: kentucky-tennis-london-freddie
File name: ab5a3bdfff5cb02f322cd4ef8e5fc1c0.exe
Signature: GCleaner
File size: 1'795'633 bytes
First seen: 2023-07-03 08:09:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e569e6f445d32ba23766ad67d1e3787f (262 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep: 24576:s7FUDowAyrTVE3U5F/B1lORUZFlKic6QL3E2vVsjECUAQT45deRV9R4:sBuZrEUvqqDKIy029s4C1eH9m
Threatray: 186 similar samples on MalwareBazaar
TLSH: T1C585CF3FF268A13EC46A1B3245739320997BBA51B81A8C1E47FC384DCF765601E3B656
TrID:
  50.4% (.EXE) Inno Setup installer (109740/4/30)
  19.7% (.EXE) InstallShield setup (43053/19/16)
  19.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
  4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
  2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter: abuse_ch
Tags: exe gcleaner

Intelligence

File Origin
# of uploads: 1
# of downloads: 269
Origin country: NL

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: ab5a3bdfff5cb02f322cd4ef8e5fc1c0.exe
Verdict: No threats detected
Analysis date: 2023-07-03 08:10:25 UTC
Tags: installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control installer lolbin overlay packed setupapi shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RedLine
Detection: malicious
Classification: troj.evad.spyw
Score: 88 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph (ID 898660; sample: TeS97Heaps.exe; start date: 03/07/2023; architecture: WINDOWS; score: 88)
Threat name: Win32.Trojan.OffLoader
Status: Malicious
First seen: 2023-07-03 08:10:05 UTC
File Type: PE (Exe)
Extracted files: 15
AV detection: 8 of 24 (33.33%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments