MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c17da239e18fc02f6f945a0c27e55743b77de3b659bb7d71bc9cb51757bfcf4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	8c17da239e18fc02f6f945a0c27e55743b77de3b659bb7d71bc9cb51757bfcf4
SHA3-384 hash:	7cf0e1c7e5403362191f89cdeca677a2afe4a4d7fb5ccb29d5321b5d0014288309594dab37414993203eb510e31f8764
SHA1 hash:	43b79e3feb8ad2e330ff872bcece806f98f18922
MD5 hash:	784ee835d30ad4df883215e77a7803b3
humanhash:	bravo-lemon-earth-foxtrot
File name:	file
Download:	download sample
Signature	GCleaner Create hunting rule
File size:	1'169'097 bytes
First seen:	2023-07-08 15:38:23 UTC
Last seen:	2023-07-08 16:27:44 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'447 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep	24576:8fOyyTd+E0Uh+fUNwRKORRfE5tu8gx+GwU/C4OjB6/+PDEYtpD/LFKdRtP/O1:8G5d+HUNw7E5t3gx+GnK4Ol6/y9pDzFd
Threatray	177 similar samples on MalwareBazaar
TLSH	T1CC45338693A24478D00053B84E664322F99F7E7E1238B11DE94FC45DAF3D9296B7E3C2
TrID	50.8% (.EXE) Win32 Executable PowerBASIC/Win 9.x (148303/79/28) 37.6% (.EXE) Inno Setup installer (109740/4/30) 4.8% (.EXE) Win32 Executable Delphi generic (14182/79/4) 2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	ddfee6e4e6fedc00 (17 x GCleaner)
Reporter	andretavare5
Tags:	exe gcleaner

andretavare5

Sample downloaded from http://45.12.253.74/pineapple.php?pub=mixinte

Intelligence

File Origin

# of uploads :

# of downloads :

299

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-07-08 15:39:21 UTC

Tags:

installer gcleaner

Link:

https://app.any.run/tasks/1c0cbbbc-ae64-4327-af7f-809d136bc518

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/412144/

Detection(s):

Win.Malware.Agen-10005057-0

SecuriteInfo.com.Adware.Generic2.DOZ.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% subdirectories

Sending a custom TCP request

Running batch commands

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for the window

Creating a file in the Program Files subdirectories

Moving a file to the Program Files subdirectory

Launching the process to interact with network services

Modifying a system file

Launching a process

Launching a tool to kill processes

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/96589/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control greyware installer lolbin overlay packed packed shell32

Link:

https://www.filescan.io/uploads/64a98317dbb9e835463f16b1/reports/3d7d725b-61c1-41b5-bca9-99546e690ce7/overview

Verdict:

Malicious

Labled as:

Win/grayware_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/8c17da239e18fc02f6f945a0c27e55743b77de3b659bb7d71bc9cb51757bfcf4

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Vidar

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/42123019-573e-4455-a790-c2a3f372d759

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8c17da239e18fc02f6f945a0c27e55743b77de3b659bb7d71bc9cb51757bfcf4/

Threat name:

Win32.Trojan.Privateloader

Status:

Suspicious

First seen:

2023-07-08 15:39:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rql5ui46dd6af5xziwqme7svoq5xpxr3mwn3pvy3zhfvc5l37t2a._file

Verdict:

unknown

Result

Malware family:

gcleaner

Score:

10/10

Tags:

family:gcleaner discovery loader

Link:

https://tria.ge/reports/230708-s3lswsfb23/

Behaviour

Kills process with taskkill

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Checks installed software on the system

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

GCleaner

Malware Config

C2 Extraction:

45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75

Unpacked files

SH256 hash:

375ea612a06ec4f316e763ae319ade1b0acd1db7f2295a1348cf6acea07f2e07

MD5 hash:

b49f43548b1b07d683130a66c6a83e53

SHA1 hash:

c51c315b934a75d707c12431c3602f85af6ea590

Detections:

Nymaim

win_nymaim_g0

win_gcleaner_auto

Nymaim

win_nymaim_g0

win_gcleaner_auto

Nymaim

win_nymaim_g0

win_gcleaner_auto

Link:

https://www.unpac.me/results/6a59e99d-f881-4c1f-9ccb-775dbd811bb3/

SH256 hash:

375ea612a06ec4f316e763ae319ade1b0acd1db7f2295a1348cf6acea07f2e07

MD5 hash:

b49f43548b1b07d683130a66c6a83e53

SHA1 hash:

c51c315b934a75d707c12431c3602f85af6ea590

Detections:

Nymaim

win_nymaim_g0

win_gcleaner_auto

Nymaim

win_nymaim_g0

win_gcleaner_auto

Nymaim

win_nymaim_g0

win_gcleaner_auto

Link:

https://www.unpac.me/results/6a59e99d-f881-4c1f-9ccb-775dbd811bb3/

SH256 hash:

adc0cabedeeef9cdcc2c0eabc6df23f35676608a2d0aa680673f83c57798ff9f

MD5 hash:

a84d178f0f22c822f421ed4635eec039

SHA1 hash:

0135a436c5941cea278bbddd80dc8f34e5d11e5d

Link:

https://www.unpac.me/results/6a59e99d-f881-4c1f-9ccb-775dbd811bb3/

SH256 hash:

adc0cabedeeef9cdcc2c0eabc6df23f35676608a2d0aa680673f83c57798ff9f

MD5 hash:

a84d178f0f22c822f421ed4635eec039

SHA1 hash:

0135a436c5941cea278bbddd80dc8f34e5d11e5d

Link:

https://www.unpac.me/results/6a59e99d-f881-4c1f-9ccb-775dbd811bb3/

SH256 hash:

4e4058b70ae1c83acefafe38db58a571e109f9e3e762a41285c74f8aa2a6932f

MD5 hash:

142f2878ec925ad245a59b46f5ceeeb5

SHA1 hash:

3cb7d28101cd58c6db815f568569aa021d0f7b62

Link:

https://www.unpac.me/results/6a59e99d-f881-4c1f-9ccb-775dbd811bb3/

SH256 hash:

4e4058b70ae1c83acefafe38db58a571e109f9e3e762a41285c74f8aa2a6932f

MD5 hash:

142f2878ec925ad245a59b46f5ceeeb5

SHA1 hash:

3cb7d28101cd58c6db815f568569aa021d0f7b62

Link:

https://www.unpac.me/results/6a59e99d-f881-4c1f-9ccb-775dbd811bb3/

SH256 hash:

375ea612a06ec4f316e763ae319ade1b0acd1db7f2295a1348cf6acea07f2e07

MD5 hash:

b49f43548b1b07d683130a66c6a83e53

SHA1 hash:

c51c315b934a75d707c12431c3602f85af6ea590

Detections:

Nymaim

win_nymaim_g0

win_gcleaner_auto

Nymaim

win_nymaim_g0

win_gcleaner_auto

Nymaim

win_nymaim_g0

win_gcleaner_auto

Link:

https://www.unpac.me/results/6a59e99d-f881-4c1f-9ccb-775dbd811bb3/

SH256 hash:

adc0cabedeeef9cdcc2c0eabc6df23f35676608a2d0aa680673f83c57798ff9f

MD5 hash:

a84d178f0f22c822f421ed4635eec039

SHA1 hash:

0135a436c5941cea278bbddd80dc8f34e5d11e5d

Link:

https://www.unpac.me/results/6a59e99d-f881-4c1f-9ccb-775dbd811bb3/

SH256 hash:

4e4058b70ae1c83acefafe38db58a571e109f9e3e762a41285c74f8aa2a6932f

MD5 hash:

142f2878ec925ad245a59b46f5ceeeb5

SHA1 hash:

3cb7d28101cd58c6db815f568569aa021d0f7b62

Link:

https://www.unpac.me/results/6a59e99d-f881-4c1f-9ccb-775dbd811bb3/

SH256 hash:

8c17da239e18fc02f6f945a0c27e55743b77de3b659bb7d71bc9cb51757bfcf4

MD5 hash:

784ee835d30ad4df883215e77a7803b3

SHA1 hash:

43b79e3feb8ad2e330ff872bcece806f98f18922

Link:

https://www.unpac.me/results/6a59e99d-f881-4c1f-9ccb-775dbd811bb3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8c17da239e18fc02f6f945a0c27e55743b77de3b659bb7d71bc9cb51757bfcf4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	win_gcleaner_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.gcleaner.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2509470/

Cape

https://www.capesandbox.com/analysis/412144/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample