MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e
SHA3-384 hash: 42faba16950d40ff46c1e692a1ddb29df025500f3b789a730b8c622146b610e80d51d843267e8a62ea264892f11ef68b
SHA1 hash: 3288dfa064922855033d35fcff773dc1a03e4ff6
MD5 hash: c2b789418aac48cba417fb716c3fd796
humanhash: wyoming-sweet-echo-neptune
File name:c2b789418aac48cba417fb716c3fd796.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:292'864 bytes
First seen:2023-03-04 07:52:27 UTC
Last seen:2023-03-04 09:31:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 76cdbf777494f5c49310ced09b70cdce (8 x RedLineStealer, 3 x Amadey, 3 x Smoke Loader)
ssdeep 6144:ofkEUIzKUzqKjPvwIpUKSCNxDGD1BmH8d8xXj:ofkT29zqKjI0S4AeASXj
Threatray 6'831 similar samples on MalwareBazaar
TLSH T18354D03172E1D876C0722531CD22C2A55A3FBC239938959B37983B2E5E703D1963E767
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon a4e8e8e8e8e0f0c8 (1 x GCleaner)
Reporter abuse_ch
Tags:exe gcleaner

Intelligence

File Origin
# of uploads :
2
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c2b789418aac48cba417fb716c3fd796.exe
Verdict:
Suspicious activity
Analysis date:
2023-03-04 07:53:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/007044cb-90aa-4338-9006-4533ec769ea7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Nymaim
Create hunting rule
Link:
https://www.capesandbox.com/analysis/371587/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.21398.719.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Creating a process with a hidden window
Launching a tool to kill processes
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6402f8e20e8ce4beca2598d1/reports/5c6c4e23-b8b4-4ae3-8694-1d93e722f4e6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d7b66c1c-698e-4a8b-a7b0-7507ab019483
Result
Threat name:
Nymaim
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1187043
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Nymaim
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2023-03-04 08:06:17 UTC
File Type:
PE (Exe)
Extracted files:
25
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=romkw7bmbqnqkyb7h2ofqdapohu7m437hvnjtvdxpwkfwfgr4z7a._file
Verdict:
malicious
Similar samples:
0db3bb2a4c4547e3cae58e0225fdd0cadadb3fc3bd70e5a418d1002d2b486605
GCleaner
110e47aaeaea6592c8976ca151de6c0239befb9f77e8be152f53de18d72c55b8
GCleaner
1ef8dd1b6c059bbf50984bc00eeb54c8b2a05db6dd52b560605292da412bd6f9
GCleaner
5129b994ac50a91ca300198f43ded159d98273ec141570aa8d7f5c7f0a91c017
GCleaner
871cd84eca691a97cdccca5fd3676e935ae7c2aab360b8b2be1ca631b67320d3
GCleaner
9654564e437afa4a9cfb133343e379c8c3c69f53f5b81f4cf2425c9cb9a487f4
GCleaner
c512928ddb1233b5da918e61aa7faf46058a3c3e1e321eea1d03f7047935d828
GCleaner
ce93917c271af51a27103f649134b19d04d5f42969459a0130d500f13cb1c98c
GCleaner
d7a93a4b3e833c1e29a849d81a268acea5c24758671a7279deea89272a5786eb
GCleaner
e5b7cdaeae094252fe53692478b4008228e7156feb7809b3ddd4a2591885587a
GCleaner
+ 6'821 additional samples on MalwareBazaar
Result
Malware family:
gcleaner
Create hunting rule
Score:
  10/10
Tags:
family:gcleaner loader
Link:
https://tria.ge/reports/230304-jqzdsadc63/
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Deletes itself
GCleaner
Malware Config
C2 Extraction:
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Unpacked files
SH256 hash:
4f0320b2cc44e44e4bc10710f15e20c53e7f3c01184bc3a6bc62fc7882153570
MD5 hash:
b758ebc7ede72055b15eead42e55bc11
SHA1 hash:
6a4ac216a9ea3cf73f23a0f75aed37b9dbfcb8e8
Detections:
Nymaim
Create hunting rule
win_nymaim_g0
Create hunting rule
win_gcleaner_w0
Create hunting rule
win_gcleaner_auto
Create hunting rule
Link:
https://www.unpac.me/results/22ba175b-b577-4075-8aa8-700676cc2f5e/
Parent samples :
5129b994ac50a91ca300198f43ded159d98273ec141570aa8d7f5c7f0a91c017
d7a93a4b3e833c1e29a849d81a268acea5c24758671a7279deea89272a5786eb
ce93917c271af51a27103f649134b19d04d5f42969459a0130d500f13cb1c98c
110e47aaeaea6592c8976ca151de6c0239befb9f77e8be152f53de18d72c55b8
fb861a782af83e33211b8f76e715076528e753326056257e15c33463073b5a2b
cdb88cddfd3e81c0f435aec27a8433729a3df4bb309d82ddec2d020a6f447ab9
1f7238c076998aac38498baeb7cb89b7ba5cf01f645388d71b6a55687f8419af
64808008f7ef24db29276293022cdf9366bd17153634f505b453154677d4f0df
871cd84eca691a97cdccca5fd3676e935ae7c2aab360b8b2be1ca631b67320d3
0db3bb2a4c4547e3cae58e0225fdd0cadadb3fc3bd70e5a418d1002d2b486605
1ef8dd1b6c059bbf50984bc00eeb54c8b2a05db6dd52b560605292da412bd6f9
e5b7cdaeae094252fe53692478b4008228e7156feb7809b3ddd4a2591885587a
183980cbe08b23d76cf678d3587ccfba2981c0e7ec2994fba29b95955ec2c11e
c512928ddb1233b5da918e61aa7faf46058a3c3e1e321eea1d03f7047935d828
ea0a69fb6f1d0394dc98405912e438f7206f9996d0d2ef3c00a9fb6fe5846919
dfd64c49a09e7f26984832c12d18a1f0f46360817af1ed74027e403822ae4d66
ef74358d363b6f70c9e7e35f34bf4d8c9feeca657c9497b39ef3fb439283704a
04d92877f99c177d348c2c51173303ab27b02989a23c5377105a33394730dfb0
8477758adafcbd2f292d6a1cf38b8a61e3606eea86e9930d1e347353e26f142b
623399af649200a0e92da55f00fe0a5e61ec2a665a1b6c289add61cc74ab2c11
94551b68fcb65d49a5d1d29a0dba5ec3f2e98252fef337a4fba2416ecb8cea76
bf1da988e71f4e6b5aa9ad169d1637ac47ac43b548fdb1173733922d620572c5
8618199e5b16a6850103f128f1be7a088464842039012a3b26d27fb7a7b69bc2
6f09a1d30715544623eab7c311813fab28fe4b31068960263ccd7ff5812edb14
9654564e437afa4a9cfb133343e379c8c3c69f53f5b81f4cf2425c9cb9a487f4
8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e
b4a0890b7b896b28d86af7c066ce54f9a9f51e17fc7e78349a1ceee92114f522
4fbb67c0ef74f07ac1b31dba5d136938735bbd00544d27b4931a4a79e12f1f5f
5e0687c0c3822213bb9710c1499e6b57d87bbe12285dbf059fbb4750294c070f
15e8fbd7bf5a5f967c87deaeff5389b9409bdc51a0d75c55d765b2e1b99d9ba0
b58e7960e34921d61b87169ed3465b816145d06f04ab42723688bf12e3201faa
b024a39550e5668bff7fe4d1cacb83c770c7b21d1b5a52bf81acb847c7414031
485cadde1de44b50c205f7019b7f63222af1e779b9a14b9363bd811d6933f80c
42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282
65e20e0a32a80a16df59c15013463c1e5b53d46058f318d3b0902ce1adb1176f
SH256 hash:
8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e
MD5 hash:
c2b789418aac48cba417fb716c3fd796
SHA1 hash:
3288dfa064922855033d35fcff773dc1a03e4ff6
Link:
https://www.unpac.me/results/22ba175b-b577-4075-8aa8-700676cc2f5e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/371587/

Comments