MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84e759c6d5974a60cbb57aa372139eae8be0b7e34178a36c22ad6504a7527bae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 15

Intelligence 15 IOCs YARA 10 File information Comments 1

SHA256 hash:	84e759c6d5974a60cbb57aa372139eae8be0b7e34178a36c22ad6504a7527bae
SHA3-384 hash:	28119680ace9668075c6296afc8336926f4063c0e892295d9a3c325d7ea37b2eeb997eb8c539e69893aff3a913ba45a2
SHA1 hash:	07199e9f82c4af33bb0477418d8619aebf4fad20
MD5 hash:	429eb5f331d0c51036a4c50c5a1c1494
humanhash:	mountain-winner-sixteen-solar
File name:	429eb5f331d0c51036a4c50c5a1c1494
Download:	download sample
Signature	GCleaner Create hunting rule
File size:	365'056 bytes
First seen:	2024-06-05 20:03:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8571dae9b0b532dd8a42c9a419f83a72 (2 x GCleaner)
ssdeep	6144:Qp/9XSBjcOjYXHquhpoY8vUZFk6xP50mT:QZ9XSyOcH5R8vUZpPz
TLSH	T14274BE01BAE4D431E5B3063159B8DAB1057AFC769F669A4F73883F0F29742C1BA21763
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):
dhash icon	914cccd0d4e87192 (1 x GCleaner)
Reporter	zbetcheckin
Tags:	32 exe gcleaner

Intelligence

File Origin

# of uploads :

# of downloads :

379

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

84e759c6d5974a60cbb57aa372139eae8be0b7e34178a36c22ad6504a7527bae.exe

Verdict:

Malicious activity

Analysis date:

2024-06-05 20:06:46 UTC

Tags:

gcleaner loader

Link:

https://app.any.run/tasks/742191fb-9812-4544-8fd8-a71697939bfa

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6660d039a29d07c94ae5f9b2win7simulatehigh_evasion

Tags:

Generic Network Stealth Zpack

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Creating a file in the %temp% subdirectories

Creating a file

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Connection attempt to an infection source

Launching a tool to kill processes

Sending an HTTP GET request to an infection source

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/84e759c6d5974a60cbb57aa372139eae8be0b7e34178a36c22ad6504a7527bae

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e5d72890-7f4e-4fd3-bb6c-5fbe9af5509a

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/84e759c6d5974a60cbb57aa372139eae8be0b7e34178a36c22ad6504a7527bae

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/84e759c6d5974a60cbb57aa372139eae8be0b7e34178a36c22ad6504a7527bae/

Threat name:

Win32.Trojan.Gcleaner

Status:

Malicious

First seen:

2024-06-05 20:04:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qttvtrwvs5fgbs5vpkrxee46v2f6bn7dif4kg3bcvvsqjj2spoxa._file

Verdict:

malicious

Result

Malware family:

gcleaner

Score:

10/10

Tags:

family:gcleaner loader

Link:

https://tria.ge/reports/240605-ys84bsgb7t/

Behaviour

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Checks computer location settings

Deletes itself

Loads dropped DLL

Downloads MZ/PE file

GCleaner

Malware Config

C2 Extraction:

185.172.128.90
5.42.64.56
185.172.128.69

Unpacked files

SH256 hash:

ccd0c8b308f9160431acaba610ac55f83e5ae230fb8c5864718fd902fad6c11c

MD5 hash:

8451e20d9b36d937ce791ce9c815f971

SHA1 hash:

9c85fc81958314d1b6916530a52c03660369c597

Detections:

GCleaner

win_gcleaner_auto

Link:

https://www.unpac.me/results/3c4e7a1f-cdf1-46ff-8a13-30c413e91324/

Parent samples :

ccd0c8b308f9160431acaba610ac55f83e5ae230fb8c5864718fd902fad6c11c
8c055d9a75cbb4ad28940ed89fddee3a80c933c40cd75796f716153c772325e4
55bfc4f6664eeab47ac132a9bebc81232c64ce420e44e1192cff4fdcacc91cae
57660fdf082d844e870b6b5b15aadfe8b5d545f0d28894e1cfbb2d0f04578cbc
3e41d664051e58f25c2b38755a41ed162df2da9e619675bd1ffd90ffa68d960c
f4146aecc21e1413da1fec7e17e20a6fb90adc191c82239b24f178251baddb14
3c195593808549d5441dbc38f0df010629889f375c3f5901dff0be8b8bf171f6
6a41f4693bf480f6b8957759f250b4ff8cff871b0c36e4b8fb6d00e378e38a4d
7ac2a16d33f1c5f37b313687ea809457be01d17d334cfe60faa02bf4486c95b5
67de2ad9d305bc91a816b916de81445ab62689acf99c1ce75b9fe436258c741c
677ea36839a62978a2484167fb3c720deeb3dba911988b98264c7077222a628a
4315455408e0e3110b73387f1e29c697d9b0af676ebd24dd73047331eff2895f
c979400b5280152c72bcd58f77763c4507bb7c39adaec5386d2ab6f96d7f8bc2
22468ceb0f9991c618e4d682d304b195a65e60a6f507629561106ed815b81f3b
b8ba624689f250feaa759a17ca11bccfde74bcb4525a907d7b43f353890ab598
f66f7bde132e98f39e3b111dcd948283b01e2ecd8b675a39ddd8091584338c3a
84e759c6d5974a60cbb57aa372139eae8be0b7e34178a36c22ad6504a7527bae
7dcf898284612ea50daa06f4bddaca74c2cb881b40c68b162e03c3daeb01d0a7
d37558506f2c695cc909fc5fee628f48c88e85055b83049f8d3e3bb6a67ddc5f
dbf6f9bca73a3177afd8a2aea09fadba98f9ff0b4515a6b7c209b60eb08b5e89
202a732886a96543338aed9940ed61fdc5b26d531ccb777d9a1fcc70f6669c83
abbb8f4a475b64403de19c1c01c0f5e8e805b0efb40909830f2c519f305db583
2d7a783d16e6399b4a9184333aa111fa90699061517d541c96885c6d1bb494a0
d580cf5c5974abebad470cf01f14bb9e1fa4d462fdc68774f10f03b6c852d687
0d4afd2cfed2d28a10ab663aa0c51f4b60d587b49020893490c5db7cbc9d0a4d
a0527f548f6ed392f4d578d32ce5d75677492875b13a60a068e55f8ad6105267
66eb7fee3043bc8f34bef23ad5bca3b4a19848ec5018b2cd27cc1aaf8f6c8995
0b17198dfde8bc47f1f903dfe0a33b57abf6cbca31292ee1d526a3143a11d648

SH256 hash:

84e759c6d5974a60cbb57aa372139eae8be0b7e34178a36c22ad6504a7527bae

MD5 hash:

429eb5f331d0c51036a4c50c5a1c1494

SHA1 hash:

07199e9f82c4af33bb0477418d8619aebf4fad20

Link:

https://www.unpac.me/results/3c4e7a1f-cdf1-46ff-8a13-30c413e91324/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/84e759c6d5974a60cbb57aa372139eae8be0b7e34178a36c22ad6504a7527bae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CAS_Malware_Hunting Create hunting rule
Author:	Michael Reinprecht
Description:	DEMO CAS YARA Rules for sample2.exe

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	Windows_Trojan_Generic_2993e5a5 Create hunting rule
Author:	Elastic Security

Rule name:	win_gcleaner_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.gcleaner.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

exe 84e759c6d5974a60cbb57aa372139eae8be0b7e34178a36c22ad6504a7527bae

(this sample)

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	USER32.dll::GetUserObjectSecurity
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::WriteProcessMemory KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::FindFirstVolumeMountPointW KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::AddConsoleAliasA KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetConsoleTextAttribute KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::GetWindowsDirectoryW ADVAPI32.dll::BackupEventLogA
WIN_HTTP_API	Uses HTTP services	WINHTTP.dll::WinHttpWriteData
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegOpenKeyW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2024-06-05 20:03:43 UTC

url : hxxp://miles-and-more-kreditkartes.com/batushka/univ.exe