MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89284af7e6a258de494058fbcd6f40a10fb1f54b14a54e362e2e01cf731981c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 14



SHA256 hash: 89284af7e6a258de494058fbcd6f40a10fb1f54b14a54e362e2e01cf731981c1
SHA3-384 hash: 324dcff043180aec84633dc31a8f5806ad9bcea43c0b50e0791b01a33538e28751e6c78d2d3afdd9fd68c0811acca24a
SHA1 hash: 10ad5d7a412422c1afaf16498a5686a76ec0a44a
MD5 hash: a54f209a726c02345e389c6caf913edd
humanhash: thirteen-utah-sixteen-two
File name: a54f209a726c02345e389c6caf913edd.exe
Signature: GCleaner
File size: 8'104'376 bytes
First seen: 2022-01-30 23:30:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 196608:xNBS8zRLn56ir1oSHMKXTZ1hTKRCvXF3uScai+ichsfKygeaLKksy5:xNBSQRLn59oSHMKjZ19KRCu+ichsfKy8
Threatray: 1'383 similar samples on MalwareBazaar
TLSH: T123863302BBD52467FA7044F0194C3FB4B8AEA3520D429AE762C4E45D5E3EE63E12B4DD
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe gcleaner


abuse_ch
GCleaner C2:
92.255.57.115:11841

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
92.255.57.115:11841  https://threatfox.abuse.ch/ioc/366527/

Intelligence


File Origin
# of uploads: 1
# of downloads: 222
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: a54f209a726c02345e389c6caf913edd.exe
Verdict: No threats detected
Analysis date: 2022-01-30 23:35:21 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
DNS request
Creating a process from a recently created file
Running batch commands
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Creating a window
Searching for analyzing tools
Searching for synchronization primitives
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys clipbanker overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Clipboard Hijacker RedLine SmokeLoader S
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph: n/a
Threat name: Win32.Trojan.Jaik
Status: Malicious
First seen: 2022-01-29 17:35:00 UTC
File Type: PE (Exe)
Extracted files: 433
AV detection: 22 of 28 (78.57%)
Threat level: 5/5
Result
Malware family: socelars
Score: 10/10
Tags: family:onlylogger family:redline family:smokeloader family:socelars botnet:20kprofessor2 botnet:media272255 botnet:newmast2 botnet:update aspackv2 backdoor infostealer loader persistence spyware stealer suricata trojan upx
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Enumerates processes with tasklist
Kills process with taskkill
Modifies Internet Explorer settings
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
.NET Reactor protector
OnlyLogger Payload
OnlyLogger
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
http://www.anquyebt.com/
http://abpa.at/upload/
http://emaratghajari.com/upload/
http://d7qw.cn/upload/
http://alumik-group.ru/upload/
http://zamkikurgan.ru/upload/
185.215.113.10:39759
169.197.141.182:47320
92.255.57.115:11841
157.90.17.156:56409
Unpacked files

SHA256 hash: 6f727b49bd59c587c69cce00353f7b1ffc71812535a5e399522d8952cd845ecf
MD5 hash: 080547edadadfc9d23ea33dccd8cb9a6
SHA1 hash: e3c2a07846b5f85f262234acba9afe2367f52a49

SHA256 hash: 8dc5a9d34d4c2334dac65c684c7b02d922c8c0a4fe6e214f797d854b6925b66d
MD5 hash: eb77f09de1ee911469b7c2ae9b905774
SHA1 hash: 6661893082e92df26bf3914955bb348b2449dc51

SHA256 hash: f7f0c9be1f35e7c9627b0712b53e1151f709ddf7a4a1c75b64307e1349ba26f4
MD5 hash: f1649a995b6562d9cff5e2d3f0baad1c
SHA1 hash: 1da349d3f4d3d1266dd5900ff9758a7d577f1a5a

SHA256 hash: 9912e7f9e9c18f46e965ca48ed65de8a28de7d301336500aaa5fd461e948822f
MD5 hash: 32404da1b26037746f9bf0d5628ea968
SHA1 hash: 8d2bf53983638235d5cc2f81171839801ba02e84

SHA256 hash: a7c864d00f3e1289f08710f5a47be1909c34fedb5a20066418fc804ffd61cea5
MD5 hash: c8cdbc18bea69c8802c311a520c8e56e
SHA1 hash: a440d612dfd453526653f0338a247c0ea86def45

SHA256 hash: 245a869dc8a9bcb2190b5da3ea234740d79798385784e8db7aa3f2d2745192aa
MD5 hash: 4f93004835598b36011104e6f25dbdba
SHA1 hash: 6cb45092356c54f68d26f959e4a05ce80ef28483

SHA256 hash: 565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c
MD5 hash: 83b531c1515044f8241cd9627fbfbe86
SHA1 hash: d2f7096e18531abb963fc9af7ecc543641570ac8

SHA256 hash: a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash: 6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash: 603a36f817cab5574e58ab279379e5c112e5fb37

SHA256 hash: 069478bbcf2ba6bcb947cec42c8bea85ea93c86fa7ccc985f58ef29b876263a7
MD5 hash: 8562f4d1a71bffd7cdeb6dd49ce319f2
SHA1 hash: 79a943d4b30ec898bc3bdf5d54aa7d1625d67b02

SHA256 hash: 6460754c17ab602b0ddfd2a82e637748b4a54139f6dbefa848ff01722a077acc
MD5 hash: 64638fe3e9d9acbcfe027bac3d0a7fab
SHA1 hash: ff0d35497c4d6676a01a57db299df9847b382126

SHA256 hash: 484789373d7418c975487b59efe221192f585bd49b59f87a18d4c8c2de0d640b
MD5 hash: c441b1c0815b11068ef56174545372df
SHA1 hash: ec25afa1d637d97f9e7fc1f3186a096b0f698cb9

SHA256 hash: f60816afc4878a48da64d9c56029fdd1192dc5e30fd3b84f0736e02ea1279ce4
MD5 hash: 919f7ffad4526c4744d5ff749a71c95c
SHA1 hash: 8903a8bc8051c2bfb2d570ab420b1913af5f9c7f

SHA256 hash: 024e747d01d6e2caf0c14999f0fc97c1f0551a28bae6eaf23b5ff2ab7a2c894f
MD5 hash: 0953078349e0e99b27df4fc8eb910988
SHA1 hash: 63aec5f5fa75b6b773ec13c04ade49902711b2e7

SHA256 hash: 4c5123045f433127a08247ad3005e8533bb2b94d960388fb888121ee0b6241c6
MD5 hash: d4e680c81489bc248dd4199c1a11199f
SHA1 hash: 45ad4e7178450a0181eb523362df36848fb2fff2

SHA256 hash: 13cde5a2beb9cc35fe1e71cd9c48904ee73d3a216f51ba361d123fad48a300a8
MD5 hash: d39fed4e5d508ae0f833028536f7df0e
SHA1 hash: 3a46132eee772a0bb37173a5c12fc292e70c039c

SHA256 hash: 176778101f1b5437bead7ac4c19a191b45b41a6a6176bd50bd9abcb60e99ff65
MD5 hash: ec2e877c09088bf4c6ce5437967cd17c
SHA1 hash: 2ed889075a09f60f1e6f812d11cfdc9ca700b22c

SHA256 hash: e3b3685190ad773532f1db48d10f2b66074897d48c92e2dfc5959505c0507f70
MD5 hash: b7a9be23b0992209e58e19222d0dc4e1
SHA1 hash: 2be022826e6a350f9f5468ff3183d730004c27c8

SHA256 hash: e2beaf61ef8408e20b5dd05ffab6e1a62774088b3acdebd834f51d77f9824112
MD5 hash: ce54b9287c3e4b5733035d0be085d989
SHA1 hash: 07a17e423bf89d9b056562d822a8f651aeb33c96

SHA256 hash: 19b6d61ebe3fcc173dadf660134ada1a88dfa78d72c6a221f14e42767ccceac5
MD5 hash: 236346e8497a861b04b4a5e3727b91a8
SHA1 hash: 2a0fd1bec9067ba33760c2aad9b3bdbe2b61a245

SHA256 hash: fda850fafc0398bb061212cc2e4057869a942db38c5f5ea5cf909bd2171f3183
MD5 hash: 2bf0e7e3f126691220a41ffc2f25c663
SHA1 hash: 4a2371fa294a06c599cf8cfea5490f5034f6986d

SHA256 hash: 78fa316e642fc8bacfbb63e66c82ad0e6b727e6cad88a117850288bfccd1d613
MD5 hash: 30278e182b393d0f0c58179d94a66e41
SHA1 hash: ba496d49a713b27c32d908c1188772580535f88a

SHA256 hash: b95080a332cda9b667076f1269db9a275438905089b1237fd461333ff811ae75
MD5 hash: 2cd5aaeed02d6e2d6d6c46e02d00bc64
SHA1 hash: f24e70e52098deb9dcff6eb39838f6aeb7381fef

SHA256 hash: 5f4a5ae7c656357111655774a60fea0795109fa17ef04b78faa6eb8776df6108
MD5 hash: 44c4f14a3fa9428e434f7f3596630b47
SHA1 hash: 3fea6c74fa54fa83bd69856ce380b2730736bb87

SHA256 hash: edb131adbdd23a5a5d0cf48c4aa84fe6a940d0c7468060800f907d3d26971aab
MD5 hash: 969c82afdea489e65db42d124e3211ae
SHA1 hash: 15c91a0e041fbfff60c130445694652d4ff60f85

SHA256 hash: 34b990fc35e7a010a3a119c19a726276e576017652af8434c209cf0af3a6e1b5
MD5 hash: 75f3c21e8ef3323d5236a04f1cba14df
SHA1 hash: 9e55df9142cc0541a838ada84cf122a927aa3feb

SHA256 hash: 06863d284e1d77722803291cb2ff1df97b19337c974cbb9c80b940489961eddd
MD5 hash: 17792443b6be90c3e7fc562b7ea397f0
SHA1 hash: 8551233e70a299778b474a0b97c30752fb521d2e

SHA256 hash: 4c82107b6483f7c09c9f2900398226ee556968df14abfb8a3d98e40f2f59b5d2
MD5 hash: a04fde7b86020684184bae61e31e2a79
SHA1 hash: f5b223da12b365f6afff854712e912e67dffb91c

SHA256 hash: 8fcb41cdaa9ae91a9873cdf967f6cde0f9b1fd073712fc5ca1c492da1cf8c705
MD5 hash: e6ec4ba5df87cebb784d2353e0bfcb44
SHA1 hash: 5097d2f89c1e4a7c5913578d97f361e5ea607658

SHA256 hash: 89284af7e6a258de494058fbcd6f40a10fb1f54b14a54e362e2e01cf731981c1
MD5 hash: a54f209a726c02345e389c6caf913edd
SHA1 hash: 10ad5d7a412422c1afaf16498a5686a76ec0a44a
Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments