MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90caa22dfb96b704dc1e122d2cfe1930311b24814537fe59b11ba156a48bfbc0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 11

SHA256 hash: 90caa22dfb96b704dc1e122d2cfe1930311b24814537fe59b11ba156a48bfbc0
SHA3-384 hash: 672dcffe1a83c47856ad77efd739c2436e87db7d7ca1553bf137faf08d51ca706a74a87985dc108e5ecace69304f644e
SHA1 hash: 241469bb753d3642d459a93a2a86d9a7b08877bd
MD5 hash: 5aebb5642fd82cb62b79041200cb20fe
humanhash: asparagus-apart-harry-floor
File name: file
Signature: GCleaner
File size: 1'720'746 bytes
First seen: 2023-07-19 21:16:54 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'446 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 49152:P2YLzycqm2rrYaipqfc9cgh+L8+i/PfVMHc7B6:OMgOpMfL8n/uc7B6
Threatray 86 similar samples on MalwareBazaar
TLSH T1C7853352E78EA2B9E1F599B47976950B1273B8242C360C2D3BCF9A4C1F334A34987771
TrID 46.3% (.EXE) Win32 Executable PowerBASIC/Win 9.x (148303/79/28)
34.2% (.EXE) Inno Setup installer (109740/4/30)
13.4% (.EXE) InstallShield setup (43053/19/16)
2.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): (icon image not rendered)
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter andretavare5
Tags:exe gcleaner

andretavare5
Sample downloaded from http://45.12.253.74/pineapple.php?pub=mixinte

Intelligence


File Origin
# of uploads: 1
# of downloads: 304
Origin country: US
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: file
Verdict: No threats detected
Analysis date: 2023-07-19 21:17:51 UTC
Tags: installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control greyware installer lolbin overlay packed shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Nymaim, RedLine, Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Nymaim
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph: (graph image not rendered; Behavior Graph ID: 1276315, Sample: file.exe, Startdate: 19/07/2023, Architecture: WINDOWS, Score: 100)
Threat name: Win32.Trojan.Privateloader
Status: Suspicious
First seen: 2023-07-19 21:17:05 UTC
File Type: PE (Exe)
Extracted files: 5
AV detection: 16 of 25 (64.00%)
Threat level: 5/5
Result
Malware family: gcleaner
Score: 10/10
Tags: family:gcleaner discovery loader
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Kills process with taskkill
Runs net.exe
Enumerates physical storage devices
Drops file in Program Files directory
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
GCleaner
Malware Config
C2 Extraction:
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Unpacked files
SHA256 hash: 38f7f0b9eab55df84f8107576f7a6886b4bba2037f3d5a8a307c0e3be07e5133
MD5 hash: d38c95743a0164d6b575e1e19647f138
SHA1 hash: a5d89062ac0be519221ccdf49e994a53922cb255

SHA256 hash: 0c130a1403bfe19ea1c50f4b4abf2d131cad08d31097672542da4fd5ad1b143c
MD5 hash: 077b17832436dcd5432e97a57047fc21
SHA1 hash: c3718a55e596d27b0a37b628bb0b5d0d64e64b16

SHA256 hash: 90caa22dfb96b704dc1e122d2cfe1930311b24814537fe59b11ba156a48bfbc0
MD5 hash: 5aebb5642fd82cb62b79041200cb20fe
SHA1 hash: 241469bb753d3642d459a93a2a86d9a7b08877bd
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: win_gcleaner_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.gcleaner.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments