MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c7c39736cf9d51e1763ec21d68b0ff45b229fb265239fcd3b467087ecb2aa80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c7c39736cf9d51e1763ec21d68b0ff45b229fb265239fcd3b467087ecb2aa80
SHA3-384 hash: 13ea4f772d2afba8c6807a35652e367467b863ea04e659e936742f5bbf0331f6faa098b692b8e14169fa7d26a6d9c9be
SHA1 hash: 9e3473579faaa1af077435b19861642521aff489
MD5 hash: c3f84e4d4071f4a83cb1b62d0529729c
humanhash: two-carbon-equal-zebra
File name:c3f84e4d4071f4a83cb1b62d0529729c
Download: download sample
Signature GCleaner
Create hunting rule
File size:1'828'462 bytes
First seen:2024-01-18 04:04:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9dda1a1d1f8a1d13ae0297b47046b26e (64 x Formbook, 39 x GuLoader, 22 x RemcosRAT)
ssdeep 24576:uPd6/vuprBc7kzjPjlz1UPoF+xQwkQonlenubHPUFrKsh+3jw2xKbak/6isHM:Ss6zPjlztkxQw1yenqcFw35Jc6DM
Threatray 107 similar samples on MalwareBazaar
TLSH T1048523B1BB54C8B8F6EE1F342BA6D4700AA93F064C5106973695FF866CF29012A75F70
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 70f4e0f0f0e0f070 (2 x GCleaner, 2 x Mimikatz, 1 x Formbook)
Reporter zbetcheckin
Tags:32 exe gcleaner

Intelligence

File Origin
# of uploads :
1
# of downloads :
349
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/471398/
Detection(s):
SecuriteInfo.com.Trojan.Loader.1550.2.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
Connecting to a non-recommended domain
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Reading critical registry keys
Changing a file
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65a8a36f5d1422b2081539c6/reports/9be5ebb7-7d99-4517-87ce-d7a72cd09ae9/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/8c7c39736cf9d51e1763ec21d68b0ff45b229fb265239fcd3b467087ecb2aa80
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/50ebe379-0453-4409-a7fc-2d6d0459dc03
Result
Threat name:
Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1376484
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1376484 Sample: 3NEgXpl54q.exe Startdate: 18/01/2024 Architecture: WINDOWS Score: 100 58 Snort IDS alert for network traffic 2->58 60 Multi AV Scanner detection for domain / URL 2->60 62 Found malware configuration 2->62 64 10 other signatures 2->64 8 3NEgXpl54q.exe 1 34 2->8         started        process3 dnsIp4 52 185.172.128.53, 49705, 80 NADYMSS-ASRU Russian Federation 8->52 54 185.172.128.90, 49704, 80 NADYMSS-ASRU Russian Federation 8->54 36 C:\Users\user\AppData\Local\...\nsy8E45.tmp, PE32 8->36 dropped 38 C:\Users\user\AppData\Local\...\INetC.dll, PE32 8->38 dropped 40 C:\Users\user\AppData\...\BroomSetup.exe, PE32 8->40 dropped 42 C:\Users\user\AppData\...\syncUpd[1].exe, PE32 8->42 dropped 12 nsy8E45.tmp 55 8->12         started        17 BroomSetup.exe 2 5 8->17         started        file5 process6 dnsIp7 56 185.172.128.79, 49714, 80 NADYMSS-ASRU Russian Federation 12->56 44 C:\Users\user\AppData\...\softokn3[1].dll, PE32 12->44 dropped 46 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 12->46 dropped 48 C:\Users\user\AppData\...\mozglue[1].dll, PE32 12->48 dropped 50 9 other files (5 malicious) 12->50 dropped 68 Antivirus detection for dropped file 12->68 70 Multi AV Scanner detection for dropped file 12->70 72 Detected unpacking (changes PE section rights) 12->72 74 6 other signatures 12->74 19 cmd.exe 1 12->19         started        21 WerFault.exe 16 12->21         started        23 cmd.exe 1 17->23         started        file8 signatures9 process10 signatures11 26 conhost.exe 19->26         started        28 timeout.exe 1 19->28         started        66 Uses schtasks.exe or at.exe to add and modify task schedules 23->66 30 conhost.exe 23->30         started        32 schtasks.exe 1 23->32         started        34 chcp.com 1 23->34         started        process12
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8c7c39736cf9d51e1763ec21d68b0ff45b229fb265239fcd3b467087ecb2aa80
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c7c39736cf9d51e1763ec21d68b0ff45b229fb265239fcd3b467087ecb2aa80/
Threat name:
Win32.Spyware.Stealc
Create hunting rule
Status:
Malicious
First seen:
2024-01-18 04:05:06 UTC
File Type:
PE (Exe)
Extracted files:
127
AV detection:
21 of 24 (87.50%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rr6ds43m7hkr4f3d5qq5ncyp6rnsfh5smurz7tj3izyip3fsvkaa._file
Verdict:
unknown
Similar samples:
1aa7193bbb01beafb0c15358d24d0642685bec304bfe65a2938542fa5fc9e46f
GCleaner
43d7e7f51f3ee88c66a2d6062d82d444c04978b3323c5caf5424585be9c0294c
GCleaner
4e2375353e49f18d6679c5372a688fc5c9a2ae3994830e6fe19e1cd20bc5ea6d
GCleaner
69a94b658bce41d361945a1594fdc801209d8719ae67df8d2d3df5056e9b0537
GCleaner
6fe8ab034a34587aadbae158e721c37a120f1e4fe3a106d74182a18e2c4270c4
GCleaner
772039456ff22019e827028fcc18661a350c032687d8625427380c941690fcac
GCleaner
ff3bd8bcbd9f93c0b48fac3dad59735db9db2343da3126bc836a3134b563924d
GCleaner
+ 97 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc discovery spyware stealer
Link:
https://tria.ge/reports/240118-enhk2adac8/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Stealc
Malware Config
C2 Extraction:
http://185.172.128.79
Unpacked files
SH256 hash:
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
MD5 hash:
40d7eca32b2f4d29db98715dd45bfac5
SHA1 hash:
124df3f617f562e46095776454e1c0c7bb791cc7
Link:
https://www.unpac.me/results/71b89481-608b-41d0-a24d-7edded13f9e1/
SH256 hash:
50a46b3120da828502ef0caba15defbad004a3adb88e6eacf1f9604572e2d503
MD5 hash:
5e94f0f6265f9e8b2f706f1d46bbd39e
SHA1 hash:
d0189cba430f5eea07efe1ab4f89adf5ae2453db
Link:
https://www.unpac.me/results/71b89481-608b-41d0-a24d-7edded13f9e1/
SH256 hash:
fa0a79ffbde6e206c50a8bc613a6d43183ba15069b5b67b65b6a465c8732ff0e
MD5 hash:
41cb3cc2d552d21e9982274b13cf0657
SHA1 hash:
dd0f104ea90b5b16d7e4fb198e2c893c4641eafb
Link:
https://www.unpac.me/results/71b89481-608b-41d0-a24d-7edded13f9e1/
SH256 hash:
8c7c39736cf9d51e1763ec21d68b0ff45b229fb265239fcd3b467087ecb2aa80
MD5 hash:
c3f84e4d4071f4a83cb1b62d0529729c
SHA1 hash:
9e3473579faaa1af077435b19861642521aff489
Link:
https://www.unpac.me/results/71b89481-608b-41d0-a24d-7edded13f9e1/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8c7c39736cf9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8c7c39736cf9d51e1763ec21d68b0ff45b229fb265239fcd3b467087ecb2aa80

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe 8c7c39736cf9d51e1763ec21d68b0ff45b229fb265239fcd3b467087ecb2aa80

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/471398/
  
URLhaus
https://urlhaus.abuse.ch/url/2749255/

Comments


Avatar
zbet commented on 2024-01-18 04:04:07 UTC

url : hxxp://185.172.128.109/InstallSetup8.exe