MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 12


Intelligence 12 IOCs 3 YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8
SHA3-384 hash: 4090843bfbf06cef19f2d10b1d57f7c2b59c0361b41c547d225c6c99e240daa73c31463ab90eaa79bbcc7581d155baa8
SHA1 hash: 59b99c73776d555a985b2f2dcc38b826933766b3
MD5 hash: 83cc20c8d4dd098313434b405648ebfd
humanhash: december-saturn-aspen-white
File name:83CC20C8D4DD098313434B405648EBFD.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:8'192 bytes
First seen:2021-08-13 07:55:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 96:2JOElmu1B9ilJJMOfEkdEKozt1ExEfvcqkTzNt:aLkJwGE3EeK1
Threatray 380 similar samples on MalwareBazaar
TLSH T114F1C606B7E90737ECBE4B7E9CB3431052B2E7154D12DB1E58D8825E5CA37140EA2BB6
Reporter abuse_ch
Tags:exe gcleaner


Avatar
abuse_ch
GCleaner C2:
http://ggc-partners.info/stats/remember.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://ggc-partners.info/stats/remember.php https://threatfox.abuse.ch/ioc/184297/
http://ggc-partners.info/dlc/distribution.php https://threatfox.abuse.ch/ioc/184298/
http://45.67.231.40/ https://threatfox.abuse.ch/ioc/184315/

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
main_setup_x86x64.exe
Verdict:
Malicious activity
Analysis date:
2021-08-11 10:31:00 UTC
Tags:
evasion trojan rat redline phishing
Link:
https://app.any.run/tasks/aa32fe53-e1e8-4a58-b7e4-5f9689016425

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CookieStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/178865/
Detection(s):
Win.Packed.Tiny-9879243-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Connection attempt to an infection source
Sending an HTTP GET request
Creating a window
Creating a file in the %AppData% directory
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Deleting a recently created file
Reading critical registry keys
Running batch commands
Using the Windows Management Instrumentation requests
Launching a process
Changing a file
Searching for the window
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Sending an HTTP POST request to an infection source
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mokes
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/00f7a326-7bbb-495a-ac2b-247349aea50a
Result
Threat name:
Cookie Stealer RedLine Socelars Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/832315
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Creates processes via WMI
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Cookie Stealer
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 464748 Sample: jLep4y8UdR.exe Startdate: 13/08/2021 Architecture: WINDOWS Score: 100 84 51.15.67.17 OnlineSASFR France 2->84 86 51.83.33.228 OVHFR France 2->86 88 6 other IPs or domains 2->88 108 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->108 110 Malicious sample detected (through community Yara rule) 2->110 112 Antivirus detection for URL or domain 2->112 114 14 other signatures 2->114 10 jLep4y8UdR.exe 14 5 2->10         started        14 svchost.exe 1 2->14         started        17 services64.exe 2->17         started        19 svchost.exe 2->19         started        signatures3 process4 dnsIp5 94 cdn.discordapp.com 162.159.135.233, 443, 49719 CLOUDFLARENETUS United States 10->94 60 C:\Users\user\AppData\...\jLep4y8UdR.exe.log, ASCII 10->60 dropped 62 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 10->62 dropped 21 LzmwAqmV.exe 10 10->21         started        126 System process connects to network (likely due to code injection or exploit) 14->126 64 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 17->64 dropped file6 signatures7 process8 file9 52 C:\Users\user\AppData\Local\Temp\jhuuee.exe, PE32+ 21->52 dropped 54 C:\Users\user\AppData\...\askinstall54.exe, PE32 21->54 dropped 56 C:\Users\user\AppData\...56GlorySetp.exe, PE32 21->56 dropped 58 5 other files (2 malicious) 21->58 dropped 24 3002.exe 2 21->24         started        27 setup.exe 21->27         started        31 chrome2.exe 5 21->31         started        33 4 other processes 21->33 process10 dnsIp11 116 Multi AV Scanner detection for dropped file 24->116 118 Creates processes via WMI 24->118 35 3002.exe 24->35         started        39 conhost.exe 24->39         started        96 23.105.246.166 SERVERS-COMUS Russian Federation 27->96 98 45.67.228.68 SERVERIUS-ASNL Moldova Republic of 27->98 100 179.43.147.69 PLI-ASCH Panama 27->100 66 C:\Users\user\AppData\...\rollerkind2[1].exe, PE32 27->66 dropped 68 C:\Users\user\AppData\...\rollerkind2[1].exe, PE32 27->68 dropped 70 C:\Users\user\AppData\...\61506908329.exe, PE32 27->70 dropped 80 6 other files (none is malicious) 27->80 dropped 72 C:\Users\user\AppData\...\services64.exe, PE32+ 31->72 dropped 41 cmd.exe 1 31->41         started        102 ip-api.com 208.95.112.1, 49728, 80 TUT-ASUS United States 33->102 104 iplogger.org 88.99.66.31, 443, 49722, 49730 HETZNER-ASDE Germany 33->104 106 7 other IPs or domains 33->106 74 C:\Users\user\AppData\Local\Temp\11111.exe, PE32 33->74 dropped 76 C:\Users\user\AppData\Roaming\8684874.exe, PE32 33->76 dropped 78 C:\Users\user\AppData\Roaming\7821664.exe, PE32 33->78 dropped 82 3 other files (none is malicious) 33->82 dropped 120 Detected unpacking (changes PE section rights) 33->120 122 May check the online IP address of the machine 33->122 file12 signatures13 process14 dnsIp15 90 live.goatgame.live 104.21.70.98, 443, 49727 CLOUDFLARENETUS United States 35->90 92 172.67.222.125, 443, 49731 CLOUDFLARENETUS United States 35->92 50 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 35->50 dropped 44 conhost.exe 35->44         started        124 Uses schtasks.exe or at.exe to add and modify task schedules 41->124 46 conhost.exe 41->46         started        48 schtasks.exe 41->48         started        file16 signatures17 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8/
Threat name:
ByteCode-MSIL.Trojan.SmallDownloader
Create hunting rule
Status:
Malicious
First seen:
2021-08-10 13:38:56 UTC
AV detection:
24 of 27 (88.89%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=scfsoxlpylza5hie5bqjvhmzj57irjbjypvquvoztsq4napbp3ea._file
Verdict:
malicious
Similar samples:
2340f7976585cd113520b33eb51c6b57e37c6bad2fba29a48b8c7e8e784a2491
GCleaner
67b1a7835687bf5851cf29539b2d0ce90ab30d373edfcf9ee54237026c67df33
GCleaner
75b77800228079a5b6b94166581b2b406f6dca7baf3a9fb163aa0a2d2a89926b
GCleaner
9dbdfabbc99542e1c94b7a29eaf437b7fa4c898c4add1a677b126257ae54f94e
GCleaner
aaa3cda8d3f4bc7ff94a3e4f0fd37aced9d484b663bc15f198e6e25482f60443
GCleaner
d94fd5cde3574048397162ee252ed9fd3b6ad79ad02b63eb513c78911c2191ab
GCleaner
ef25bb229ec8ca7d7b2e3d4e23036b74bdc8b9154bb4c5b532e7ea2a0a7c8ee6
GCleaner
f54decb2e130b98a9bfe13d57fe46af74d408720f490a1df519417125d2c206c
GCleaner
+ 370 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit family:redline family:socelars family:xmrig botnet:7new backdoor discovery dropper infostealer loader miner persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/210813-ytvfw88hs6/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Nirsoft
XMRig Miner Payload
Glupteba
Glupteba Payload
MetaSploit
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
xmrig
Malware Config
C2 Extraction:
sytareliar.xyz:80
yabelesatg.xyz:80
ceneimarck.xyz:80
Unpacked files
SH256 hash:
908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8
MD5 hash:
83cc20c8d4dd098313434b405648ebfd
SHA1 hash:
59b99c73776d555a985b2f2dcc38b826933766b3
Link:
https://www.unpac.me/results/b27a10a1-c1c8-4d01-838e-4280c9d90059/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/908b275d6fc2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:win_cryptbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.cryptbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/178865/

Comments