MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b2d9358a329089c3bd96cce97b91e9b8a4d900abd0aaa8e55c3c0466e930c88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 15

Intelligence 15 IOCs YARA 6 File information Comments

SHA256 hash:	8b2d9358a329089c3bd96cce97b91e9b8a4d900abd0aaa8e55c3c0466e930c88
SHA3-384 hash:	ccbc6bd71f71a001851304f33930c6166ad18a827eb7e9ed01ca691d74b02204c1c399b197919780215de8cc8285a1a0
SHA1 hash:	f9abcc5b2b577b3880f3f96a3bfc6479b0c25e55
MD5 hash:	135e407e9b530c881c039c87dfb271b0
humanhash:	kitten-venus-solar-jersey
File name:	Soft.exe
Download:	download sample
Signature	GCleaner Create hunting rule
File size:	3'472'160 bytes
First seen:	2025-08-08 23:35:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	085c732dcd123fa9e0760a6a98b6faa4 (8 x GCleaner, 1 x RedLineStealer)
ssdeep	49152:hDavqFKoFfhyXpO22o0EZxehUeGOBQMOaZAso4yJHijiTo5lDFn98iAR5QaN:hDaS8orjkxCUeZeM/o4yNS51F98pp
TLSH	T146F5F18946A4D0FFEC1303F9E81B7A482ABABD3D3D2452555AE401DCFA75BB1905E323
TrID	52.9% (.EXE) Win32 Executable Delphi generic (14182/79/4) 16.8% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) Win16/32 Executable Delphi generic (2072/23) 7.5% (.EXE) OS/2 Executable (generic) (2029/13) 7.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter	aachum
Tags:	exe gcleaner

iamaachum

https://download-trust.eu//Download.html => https://mega.nz/folder/jtg1DSqR#KARWjGq6m4hNelDO0L-lIQ

GCleaner C2: 176.46.158.23

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

Soft.exe

Verdict:

Malicious activity

Analysis date:

2025-08-08 23:19:17 UTC

Tags:

gcleaner loader telegram vidar stealer stealc inno installer delphi rust golang

Link:

https://app.any.run/tasks/1bb3879a-61f5-4f4e-8b53-4a8894676670

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/19774/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=689685f311d7f9b979e6c29e

Tags:

delphi emotet cobalt

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Unauthorized injection to a recently created process by context flags manipulation

Connection attempt to an infection source

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/8b2d9358a329089c3bd96cce97b91e9b8a4d900abd0aaa8e55c3c0466e930c88

Malware family:

RealVNC

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/c99ddcc8-391a-4d8a-8f2a-4fd50011f408

Result

Threat name:

CryptOne, GCleaner

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1753409

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Found hidden mapped module (file has been removed from disk)

Found malware configuration

Found stalling execution ending in API Sleep call

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected CryptOne packer

Yara detected GCleaner

Behaviour

Behavior Graph:

Download SVG

Score:

91%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/8b2d9358a329089c3bd96cce97b91e9b8a4d900abd0aaa8e55c3c0466e930c88

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) Win 32 Exe x86

Link:

https://app.malva.re/file/135e407e9b530c881c039c87dfb271b0

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8b2d9358a329089c3bd96cce97b91e9b8a4d900abd0aaa8e55c3c0466e930c88/

Verdict:

Malicious

Threat:

Family.GCLEANER

Link:

https://tip.neiki.dev/file/8b2d9358a329089c3bd96cce97b91e9b8a4d900abd0aaa8e55c3c0466e930c88

Threat name:

Win32.Trojan.Gcleaner

Status:

Suspicious

First seen:

2025-08-08 23:19:17 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rmwzgwfdfeejyo6znthjpoi6tofe3eakxufkvdsvypaem3utbsea._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery

Link:

https://tria.ge/reports/250808-3l8lfavpw9/

Behaviour

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Executes dropped EXE

Loads dropped DLL

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/efcd5a37-1265-426e-9fb5-1da8b0acbfec

Unpacked files

SH256 hash:

8b2d9358a329089c3bd96cce97b91e9b8a4d900abd0aaa8e55c3c0466e930c88

MD5 hash:

135e407e9b530c881c039c87dfb271b0

SHA1 hash:

f9abcc5b2b577b3880f3f96a3bfc6479b0c25e55

Link:

https://www.unpac.me/results/227839de-a45e-418b-a509-15a28aded68d/

SH256 hash:

5a5ed78e04c7ad144a4580c19e9743d252b4a25e84ba7e6c4c43fc459c956a9a

MD5 hash:

8aadb7e2a4e0128b357b6e90d924d128

SHA1 hash:

cfc4678d82f0e4b0cebd1fb0b01f479dc25134d5

Detections:

GCleaner

Link:

https://www.unpac.me/results/227839de-a45e-418b-a509-15a28aded68d/

Parent samples :

2046f265e025776e7199a9e576be5ed49483841f5203c3e3eeb79d0a24f73920
384cdb291c4006761018b84c0c02f37afbfa0b51c6bf0220639abc91f74009b1
768f9ecc19a84b15234ead8058f24a9c8a337430312eab9ecbbcbfa8ab69d0f3
aba7585008a92523b09b28c94fdd8fb7afc39b5b466efac8ca5f7f2b520bbedd
ca4a5fcd9eff405f9f8037e89e1a72914eda7129e5aa9476283021c03c56500c
c5e135c050b4ecbc73acae15b6dbbfaf5157e60fe62c96913b4c56df77ae4feb
dd717fcb7d845a4bb7e0380a9df665219b9b2de29ca8a12600c52f831069f1b3
c582323df2a900ae3b0b1860ff768aa5e90f3e595b33aecb57040b130a65e632
e65f22bbb7a32f6fd436eb0ea6de0c000542ffd6785a983d8f0594b791331994
70cc21383260ea0cb520627324853ae7665cb4b8f6462c5a96e07375a2c26317
3c4cd60b0bcf381bfdeae2397ae2011016d1d389df0cb524d5e12ac9aea5e71b
408ef63acd027f6ba843e30d00d51e506d714804ee842a83f4f31a4b5d7aa7d9
f62ad9ecb4facb02dead75e27e29db58519b6805f49278852d02298b55e59cf5
758e36455c17152210a6ae8001e3b9d7680159440e0e6ae702b9302ec2160d50
a91a863821ef21472adfeeed5e90eebf3fe5e559f257f7d37de401c2a0553485
8b2d9358a329089c3bd96cce97b91e9b8a4d900abd0aaa8e55c3c0466e930c88
9653fb267376aa1495996d935a8bb8b6d73b46aa372d814bfb3c91ba0ebbf7f3
e41b1aa6ff791b7611638851db2ba42c47a125a81b5c74d10354f4f87d4e8770
4fb3fb9750c68de93bee10692827f5630635ef39ed13a86dba52b9cd1e02280d
05664da4d3ea8b39b6183a1112e67f46a8715536faa0a9469bc2659f4ef16289
d3a77d8bcd9963d30fd3e51acee6654e3ccbf2b2b81fbe47e97b9b9068c76f06
1a757566caa5edd32fd5c190b9e8da7d7abf3398b9a3ceddd365a95886434767
53afe13ca6d157bec8b1cc467764abd1194fb3bbd06c0a67a2ee5f560b63d1a4
82bf3e8991a22f67e5cf9b7340eb3c1fa5456c9d9a9e27fdc107c46572713897
512b629f01ce1668bcc60ea305e93fb264cf2b7f2f87bb3aafef29beeb604cce
cc261502042db67adb917ce03321ee47277cfbc1712b770c6b71c035b89793cb
477df2a52197bd71524c4ccf192ce2d2afb8b4b3d8e33f8efa418910342f30e7
a53952ad1b88e5d6b4fc14f09e4ccd0f2ce4be72df7c5693abd8cdad953a4871
5dfcdc1c491fbf2f7f2fbac6bbf27b84be652583b66b252c46e8ed86577c3c60

SH256 hash:

0a0b083cc0e62db594b7be21088202c7fe0970d609b2847085d0bf2be8e54a5c

MD5 hash:

4ce3ce196eda86d92b68362b6269b618

SHA1 hash:

fd42ee0aca0315acac25c297f1ce33634c549559

Link:

https://www.unpac.me/results/227839de-a45e-418b-a509-15a28aded68d/

Malware family:

Vidar

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8b2d9358a329/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/8b2d9358a329089c3bd96cce97b91e9b8a4d900abd0aaa8e55c3c0466e930c88

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

exe 8b2d9358a329089c3bd96cce97b91e9b8a4d900abd0aaa8e55c3c0466e930c88

(this sample)

Link

https://tria.ge/250808-27xwdszvgx/behavioral2

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/19774/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA kernel32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateFileA kernel32.dll::FindFirstFileA version.dll::GetFileVersionInfoSizeA version.dll::GetFileVersionInfoA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::FindWindowA user32.dll::PeekMessageA user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample