MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d373fe483977f095f6017d9d62190c73a48e75b55dbd81b933af93edb7de72b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 15

Intelligence 15 IOCs YARA 1 File information Comments

SHA256 hash:	8d373fe483977f095f6017d9d62190c73a48e75b55dbd81b933af93edb7de72b
SHA3-384 hash:	b6204b1cc1b91edb9b46e57831ea395b929f8ece5f403c5e606b7c982dd485eba661fd8f14b72a1d254decae7eac04a8
SHA1 hash:	27002576173bc56690b8ca08351d1d6e2941c92c
MD5 hash:	81a953d9ee346ef7115b1c34fcf387ca
humanhash:	alaska-fruit-march-alpha
File name:	81a953d9ee346ef7115b1c34fcf387ca.exe
Download:	download sample
Signature	GCleaner Create hunting rule
File size:	348'160 bytes
First seen:	2023-04-05 12:04:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	262ebebc1125c68c79c87bc329257c28 (5 x Stop, 3 x Smoke Loader, 3 x Rhadamanthys)
ssdeep	6144:tjONygp6w335FFFu2/5OQ+KsPC1YB9vpDuxfPaW:tjONygww335FFFft+KKT8x3
Threatray	10 similar samples on MalwareBazaar
TLSH	T11E74C01163E06830E61B0B318E2EC7FD2A6EB860AD657E5E17B9497F1D303A1D27271D
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	82b4f0e0e0e0c85a (1 x GCleaner)
Reporter	abuse_ch
Tags:	exe gcleaner

Intelligence

File Origin

# of uploads :

# of downloads :

233

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

81a953d9ee346ef7115b1c34fcf387ca.exe

Verdict:

Malicious activity

Analysis date:

2023-04-05 12:07:29 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/9727d831-4d05-4255-a2b9-1f23781ab2f4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Nymaim

Link:

https://www.capesandbox.com/analysis/380273/

Detection(s):

SecuriteInfo.com.Variant.Zusy.456185.6841.31603.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Creating a file in the %temp% subdirectories

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/642d63ef7dc0445b2389140f/reports/394b4fd9-3748-4550-9301-5edca8a18b11/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/8d373fe483977f095f6017d9d62190c73a48e75b55dbd81b933af93edb7de72b

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0f95da6b-acd0-41f7-9f9b-8c7964450977

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8d373fe483977f095f6017d9d62190c73a48e75b55dbd81b933af93edb7de72b/

Threat name:

Win32.Trojan.Smokeloader

Status:

Malicious

First seen:

2023-04-05 12:05:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ru3t7zeds57qsx3ac7m5mimqy45erz23kxn5qg4thl4t5w3544vq._file

Result

Malware family:

gcleaner

Score:

10/10

Tags:

family:gcleaner loader

Link:

https://tria.ge/reports/230405-n86b9sge5s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Program crash

GCleaner

Malware Config

C2 Extraction:

45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75

Unpacked files

SH256 hash:

16d83341ac209c9ed19f2047051cd92b023990254d9a6e5b70182efd31ac3b8b

MD5 hash:

55020deabd33896bf93dd5d46c233899

SHA1 hash:

9d3646225a6e4a7d33d0df7c3dbdc6ff94bd23d0

Detections:

Nymaim

win_nymaim_g0

win_gcleaner_w0

win_gcleaner_auto

Link:

https://www.unpac.me/results/df4ac1ab-a341-40be-8634-3c91e241377b/

Parent samples :

d60e0e8b2261c2e7f926b9c3ba901bfab250d86b383833a987efcd53fe69104a
8d373fe483977f095f6017d9d62190c73a48e75b55dbd81b933af93edb7de72b
209fdb1e0d3624b400c9c6d348c05a92062c8cb771d240f1d490a7b1a631b80d

SH256 hash:

8d373fe483977f095f6017d9d62190c73a48e75b55dbd81b933af93edb7de72b

MD5 hash:

81a953d9ee346ef7115b1c34fcf387ca

SHA1 hash:

27002576173bc56690b8ca08351d1d6e2941c92c

Link:

https://www.unpac.me/results/df4ac1ab-a341-40be-8634-3c91e241377b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8d373fe483977f095f6017d9d62190c73a48e75b55dbd81b933af93edb7de72b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Suspicious_Macro_Presence Create hunting rule
Author:	Mehmet Ali Kerimoglu (CYB3RMX)
Description:	This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/380273/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample