MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87f58956937f84708706f515675d0b48125ace13ede701886e433cc8b336720d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 13


SHA256 hash: 87f58956937f84708706f515675d0b48125ace13ede701886e433cc8b336720d
SHA3-384 hash: 257289bde6b6983b865580d91fa7ad67797a4d38e6572393802f53f24a146a4042f3ca2d231879c8bada6ff5fac55d9c
SHA1 hash: c0efe0e15fc7316ec46e6dc0e0f1c587894a9ec5
MD5 hash: da40d4429f3cb3d91164ff418cd75332
humanhash: quebec-blue-black-cat
File name:da40d4429f3cb3d91164ff418cd75332.exe
Signature GCleaner
File size:1'795'446 bytes
First seen:2023-06-27 06:17:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (260 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 24576:s7FUDowAyrTVE3U5F/11lORCF+BKic6QL3E2vVsjECUAQT45deRV9RO:sBuZrEUzqCF+BKIy029s4C1eH94
Threatray 15 similar samples on MalwareBazaar
TLSH T1AA85CF3FF268A13EC46A1B3245739310997BBA61B81A8C1E47FC384DCF765601E3B656
TrID 50.4% (.EXE) Inno Setup installer (109740/4/30)
19.7% (.EXE) InstallShield setup (43053/19/16)
19.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter abuse_ch
Tags:exe gcleaner

Intelligence


File Origin
# of uploads :
1
# of downloads :
285
Origin country :
NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
da40d4429f3cb3d91164ff418cd75332.exe
Verdict:
Suspicious activity
Analysis date:
2023-06-27 06:19:58 UTC
Tags:
installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
installer lolbin overlay packed setupapi.dll shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj.evad.mine
Score:
52 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found strings related to Crypto-Mining
Infects executable files (exe, dll, sys, html)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Behaviour
Behavior Graph (ID 894851): sample 54zEUp34e1.exe, start date 27/06/2023, architecture WINDOWS, score 52. Top-level signatures: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Antivirus detection for dropped file; 4 other signatures.

Process tree, with files dropped and hosts contacted per process (paths truncated as in the graph):

54zEUp34e1.exe
  dropped: C:\Users\user\AppData\...\54zEUp34e1.tmp (PE32)
  -> 54zEUp34e1.tmp
       contacted: www.innovativewoodlab.com 45.86.230.88 (ports 443, 49692, 49693; RAINBOW-HK Rainbownetworklimited HK, Russian Federation); www.mminnn.com 23.106.59.46 (ports 49750, 80; LEASEWEB-UK-LON-11GB, United Kingdom); 5 other IPs or domains
       dropped: C:\Users\user\AppData\Local\Temp\...\s4.exe (PE32); 4 other files (3 malicious)
       signature: Performs DNS queries to domains with low reputation
       -> s4.exe
            dropped: C:\Users\user\AppData\Local\Temp\...\s4.tmp (PE32)
            -> s4.tmp
                 contacted: api.joinmassive.com 65.9.86.117 (AMAZON-02US, United States); aka.ms 104.83.112.120 (AKAMAI-ASUS, United States)
                 dropped: C:\Users\user\...\vc_redist.x64.exe (copy) (PE32); C:\Users\user\AppData\Local\...\is-RQI3F.tmp (PE32); C:\Users\user\AppData\...\PEInjector.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
                 -> vc_redist.x64.exe
                      dropped: C:\Windows\Temp\...\vc_redist.x64.exe (PE32)
                      -> vc_redist.x64.exe
                           dropped: C:\Windows\Temp\...\VC_redist.x64.exe (PE32); C:\Windows\Temp\...\wixstdba.dll (PE32)
                           -> VC_redist.x64.exe
                                dropped: C:\ProgramData\...\VC_redist.x64.exe (PE32)
                                -> VC_redist.x64.exe
                                     -> VC_redist.x64.exe
                                          dropped: C:\Windows\Temp\...\wixstdba.dll (PE32)
       -> s2.exe
            contacted: collect.installeranalytics.com
            dropped: C:\Users\user\AppData\Roaming\...\decoder.dll (PE32); C:\Users\user\AppData\...\Windows Updater.exe (PE32); C:\Users\user\AppData\Local\...\shiD480.tmp (PE32+); 3 other malicious files
            signature: Multi AV Scanner detection for dropped file
            -> msiexec.exe

msiexec.exe
  dropped: C:\Windows\System32\vcruntime140_1.dll (PE32+); C:\Windows\System32\vcruntime140.dll (PE32+); C:\Windows\System32\vcomp140.dll (PE32+); 62 other malicious files
  signature: Infects executable files (exe, dll, sys, html)
  -> msiexec.exe
       contacted: pstbbk.com 157.230.96.32 (ports 49703, 80; DIGITALOCEAN-ASNUS, United States); collect.installeranalytics.com 54.198.235.9 (ports 443, 49702, 49704; AMAZON-AESUS, United States); 192.168.2.1 (unknown)
       dropped: C:\Users\user\AppData\Local\...\shiFB37.tmp (PE32); C:\Users\user\AppData\Local\...\shiFAA9.tmp (PE32)
       signature: Query firmware table information (likely to detect VMs)
       -> taskkill.exe
            -> conhost.exe
  -> msiexec.exe
       dropped: C:\Users\user\AppData\Local\...\shiEE27.tmp (PE32); C:\Users\user\AppData\Local\...\shiED6B.tmp (PE32)
  -> msiexec.exe
       dropped: C:\Windows\Temp\shi457F.tmp (PE32); C:\Windows\Temp\shi4493.tmp (PE32)
  -> msiexec.exe

Windows Updater.exe
  contacted: allroadslimit.com 188.114.97.7 (ports 443, 49706, 49749; CLOUDFLARENETUS, European Union)
  dropped: C:\Windows\Temp\...\Windows Updater.exe (PE32)
  -> Windows Updater.exe
       contacted: dl.likeasurfer.com 104.21.32.100 (ports 443, 49716, 49720; CLOUDFLARENETUS, United States)
       dropped: 4 other malicious files
       -> v113.exe
            dropped: C:\Windows\Temp\shi4168.tmp (PE32+); C:\Windows\Temp\MSI43FA.tmp (PE32); C:\Windows\Temp\MSI42D0.tmp (PE32); 2 other malicious files
            -> msiexec.exe
Threat name:
Win32.Trojan.OffLoader
Status:
Malicious
First seen:
2023-06-27 06:18:06 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash:
8e85ffd9cda6c02d496e06acdc5e87944df8f7ca527f55d1470b598c6834acab
MD5 hash:
50548b8ca3c3e147abcf1fcba38513d5
SHA1 hash:
8dd066a7b8f8b281fbe81a1c4973a8ad353b5d7d
SHA256 hash:
d617958b99557b1dd7b5aa28e2ba79e4cd31979084265395df025aaa35c56c1f
MD5 hash:
4695e6a36d54e6fee9be7a50da78cfb9
SHA1 hash:
ac37f466374e96f6f358c316b0b57abfc1cc0c1b
SHA256 hash:
9e5fccd267505c1bbfa1d82047b81e186d3c9e99293981f06c0302d61daca0d1
MD5 hash:
f0084bdbf4600c1a6aed7fd685f5d191
SHA1 hash:
898aae4b745e08ca4c7a19fc768d79f1248f2b75
SHA256 hash:
87f58956937f84708706f515675d0b48125ace13ede701886e433cc8b336720d
MD5 hash:
da40d4429f3cb3d91164ff418cd75332
SHA1 hash:
c0efe0e15fc7316ec46e6dc0e0f1c587894a9ec5
Please note that we are no longer able to provide a coverage score for Virus Total.
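As an added example (not part of MalwareBazaar, the vendor reports, or the sample itself), the script below turns the indicators on this entry into a matcher for host and network telemetry. The hash values and contacted hosts are copied from the entry above; the log line format, the SAMPLE_LOG lines and the confidence tags are assumptions made for the demo. The confidence tags matter because the sandbox graph lists every host the sample touched, including aka.ms (Microsoft's link shortener, used for the vc_redist download seen in the graph) and two third-party analytics/API services, and several of the IPs sit on shared Cloudflare, Akamai and AWS ranges.

```python
"""Match host and network telemetry against the indicators on this MalwareBazaar entry.

Added example, not part of MalwareBazaar or the GCleaner sample: the hash and host
values are copied from the entry above; the log format and SAMPLE_LOG lines are
constructed for the demo.
"""
import hashlib
import re

# Hashes from the entry: the submitted sample plus its three unpacked files.
SHA256_IOCS = {
    "87f58956937f84708706f515675d0b48125ace13ede701886e433cc8b336720d",  # submitted sample
    "8e85ffd9cda6c02d496e06acdc5e87944df8f7ca527f55d1470b598c6834acab",
    "d617958b99557b1dd7b5aa28e2ba79e4cd31979084265395df025aaa35c56c1f",
    "9e5fccd267505c1bbfa1d82047b81e186d3c9e99293981f06c0302d61daca0d1",
}
SHA1_IOCS = {
    "c0efe0e15fc7316ec46e6dc0e0f1c587894a9ec5",
    "8dd066a7b8f8b281fbe81a1c4973a8ad353b5d7d",
    "ac37f466374e96f6f358c316b0b57abfc1cc0c1b",
    "898aae4b745e08ca4c7a19fc768d79f1248f2b75",
}
MD5_IOCS = {
    "da40d4429f3cb3d91164ff418cd75332",
    "50548b8ca3c3e147abcf1fcba38513d5",
    "4695e6a36d54e6fee9be7a50da78cfb9",
    "f0084bdbf4600c1a6aed7fd685f5d191",
}

# Hosts the sandbox saw contacted (behaviour graph). These are observations, not a
# vetted blocklist. The confidence tags are this example's judgement: aka.ms is
# Microsoft's link shortener (the vc_redist download in the graph) and the two
# analytics/API hosts are third-party services, so they are flagged low confidence.
CONTACTED_HOSTS = {
    "allroadslimit.com": "high",
    "pstbbk.com": "high",
    "www.innovativewoodlab.com": "high",
    "www.mminnn.com": "high",
    "dl.likeasurfer.com": "high",
    "collect.installeranalytics.com": "low",
    "api.joinmassive.com": "low",
    "aka.ms": "low",
}
# IP -> name the sandbox resolved it from. Several sit on Cloudflare, Akamai and AWS
# ranges shared by many tenants, so an IP hit alone is always reported as low
# confidence; the DNS name is the stronger signal. 192.168.2.1 from the graph is the
# sandbox's private gateway and is deliberately left out.
CONTACTED_IPS = {
    "188.114.97.7": "allroadslimit.com",
    "157.230.96.32": "pstbbk.com",
    "54.198.235.9": "collect.installeranalytics.com",
    "45.86.230.88": "www.innovativewoodlab.com",
    "23.106.59.46": "www.mminnn.com",
    "104.21.32.100": "dl.likeasurfer.com",
    "65.9.86.117": "api.joinmassive.com",
    "104.83.112.120": "aka.ms",
}

# Constructed telemetry format: "<timestamp> <hostname> dns|conn|file <value>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>dns|conn|file) (?P<rest>.+)$")


def lookup_hash(digest):
    """Return which IOC list ('md5', 'sha1', 'sha256') a hex digest is in, else None."""
    d = digest.strip().lower()
    by_len = {32: ("md5", MD5_IOCS), 40: ("sha1", SHA1_IOCS), 64: ("sha256", SHA256_IOCS)}
    if len(d) not in by_len:
        return None
    name, iocs = by_len[len(d)]
    return name if d in iocs else None


def hashes_of(data):
    """MD5/SHA1/SHA256 of a byte string, so a local file can be checked with lookup_hash."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def match_line(line):
    """Return a finding for one telemetry line, or None if nothing on it is an IOC."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, rest, host = m["kind"], m["rest"], m["host"]
    if kind == "dns":
        name = rest.lower().rstrip(".")
        if name in CONTACTED_HOSTS:
            return {"host": host, "kind": kind, "ioc": name, "confidence": CONTACTED_HOSTS[name]}
    elif kind == "conn":
        ip = rest.rsplit(":", 1)[0]  # strip the port
        if ip in CONTACTED_IPS:
            return {"host": host, "kind": kind, "ioc": ip, "confidence": "low",
                    "note": "sandbox resolved it as " + CONTACTED_IPS[ip]}
    elif kind == "file":
        path, _, digest = rest.rpartition(" ")
        if lookup_hash(digest) == "sha256":
            return {"host": host, "kind": kind, "ioc": digest.lower(), "confidence": "high", "note": path}
    return None


def scan(lines):
    """Run match_line over an iterable of telemetry lines and keep the hits."""
    return [f for f in (match_line(ln) for ln in lines) if f]


# Constructed sample telemetry (not real logs): one workstation showing traffic from the
# graph plus the downloaded sample, one clean workstation.
SAMPLE_LOG = [
    "2023-06-27T06:20:01Z ws-17 dns www.mminnn.com",
    "2023-06-27T06:20:02Z ws-17 conn 23.106.59.46:80",
    "2023-06-27T06:20:03Z ws-17 dns aka.ms",
    "2023-06-27T06:20:05Z ws-17 file C:\\Users\\user\\Downloads\\da40d4429f3cb3d91164ff418cd75332.exe "
    "87f58956937f84708706f515675d0b48125ace13ede701886e433cc8b336720d",
    "2023-06-27T06:20:06Z ws-22 dns www.example.com",
    "2023-06-27T06:20:07Z ws-22 conn 192.168.2.1:53",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Running it on SAMPLE_LOG yields four findings for ws-17 (two DNS hits, one connection hit, one file hash hit) and nothing for ws-22. The `lookup_hash` helper also lets you check a digest pasted from a ticket against all three hash lists without caring which algorithm produced it.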

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments