MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 912534a5380738d96e8ddb7873ecb004667d72d5df783cabce2e398c11b14912. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
GCleaner
Vendor detections: 15
| SHA256 hash: | 912534a5380738d96e8ddb7873ecb004667d72d5df783cabce2e398c11b14912 |
|---|---|
| SHA3-384 hash: | 4cc9ace411eaa3b749cc0c9d1ae0df2258d61ce1d96c917ffa81822a0ec392f4c9f09347741bfa2295ec778ec3557a07 |
| SHA1 hash: | e827272cd42a9030741f4acb6004a97f6e13ba40 |
| MD5 hash: | 8b7b82eb83d4a6760ecf8e9398ffda64 |
| humanhash: | xray-johnny-mirror-pennsylvania |
| File name: | 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe |
| Signature: | GCleaner |
| File size: | 4'250'831 bytes |
| First seen: | 2021-12-04 22:26:59 UTC |
| Last seen: | Never |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash: | 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer) |
| ssdeep: | 98304:xECvLUBsg2UgIhYr0/6nicI8HIDfPg6aiwm0CPtNXQCslQymye0:xZLUCgUIuw/6i8oDfY6Bwm0QtNX52Qp0 |
| TLSH: | T16B163381B2CF98F3CE055874DB8C5BB9607EC6E62F684DC377288A4A57AC841D17F885 |
| File icon (PE): | |
| dhash icon: | 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox) |
| Reporter: | |
| Tags: | exe gcleaner |
Indicators Of Compromise (IOCs)
Below is a list of indicators of compromise (IOCs) associated with this malware sample.
| IOC | ThreatFox Reference |
|---|---|
| 62.182.157.172:33718 | https://threatfox.abuse.ch/ioc/259591/ |
Intelligence
File Origin
| # of uploads: | 1 |
|---|---|
| # of downloads: | 294 |
| Origin country: | n/a |
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 912534A5380738D96E8DDB7873ECB004667D72D5DF783.exe
Verdict: No threats detected
Analysis date: 2021-12-04 22:30:29 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection: n/a
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
DNS request
Query of malicious DNS domain
Unauthorized injection to a recently created process
Result
Malware family: n/a
Score: 0/10
Tags: n/a
Behaviour
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys overlay packed socelars
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Vidar
Verdict: Malicious
Result
Threat name: RedLine Socelars Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Yara Genericmalware
Behaviour
Behavior Graph:
Detection: redlinestealer
Threat name: Win32.Spyware.Socelars
Status: Malicious
First seen: 2021-12-04 01:22:00 UTC
File Type: PE (Exe)
Extracted files: 138
AV detection: 22 of 28 (78.57%)
Threat level: 2/5
Detection(s): Suspicious file
Verdict: malicious
Result
Malware family: vidar
Score: 10/10
Tags: family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:janesam botnet:nanani aspackv2 backdoor discovery evasion infostealer spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.xxhufdc.top/
http://www.uefhkice.xyz/
http://www.znsjis.top/
https://petrenko96.tumblr.com/
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
65.108.20.195:6774
45.142.215.47:27643
Unpacked files
| SHA256 hash | MD5 hash | SHA1 hash |
|---|---|---|
| 0fbd853a669d4590b44cda0525f41aa99175133be439db7ca9cd575a2af2636b | bb4e4f419dbe419d5cdca7e8534ac023 | cdacd0ad82dcefa585734e751b1cea42161a9033 |
| 38046382500f1739883d2c53639ffbc5756843da7574fe3e6820724f522958e2 | 33600475b2cc5445df2d3809c3798311 | 3cb60432de30b82e87b8b607e0180a7843128b5a |
Parent samples :
| SHA256 hash | MD5 hash | SHA1 hash |
|---|---|---|
| 36d5afdcb0fa8d512656aa5a59f34018885bb1b9dd5cc0780766552809cfb45f | 4f9c74430d72b9500a0d99cc28fc7a7e | a67cf6a62a6cabec501aa2f14e97c48b71dbd97c |
| fea58ea431672f1c19c3188e2799febb7109562536c61891c5b09e9234b00606 | a02fcf1984e958501da2ef4ac1565559 | b97003d8ce7c98c70a7a17a90b13f07046b9e129 |
| 558762206aeb3e95d5238df12d04ea042c0d6fa1d16945d41669823177626758 | 84141e18fcbfb78e995820c8a3d91919 | 8f375e116fdb924954ab4135e2fb973101ef61ac |
| 5f463952815ce4f763e9f4b3b72ed70ad82f74a69a271fc2b1588055c3fec4cc | 21775ff041e7277d87aa8fdf1e09da6c | 6dd1d6716cb93adef6c9b39490a79e77fd5396c9 |
| 894300eca1742f48ed61be1043d3cb9924e89522c24b0f01b7cceb261a1fa073 | 7c82c868054a4fc8a5f6337a55f8d82e | 279ef02de285cbaf873e1ac2794406baa1f84f19 |
| e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4 | 0dedd909aae9aa0a89b4422106310e9e | 271d36afa5b729ee590cf8066166ca5e9c9d0340 |
| 03d079303a3164960677e57a587e86c3a5e7736fbde0ab7b9e60c4b8b2e50745 | ae0bb0ef615f4606fbe1f050b6f08ca3 | f69b6d6496d8941ef53bca7c3578ad616cf5a4b1 |
| fbc75a565c0d1896171feb728d011c1a91c0d9548e0e529a76dcf0a6679d1f20 | d9bdc8a637733704c3b25360ae0f8d07 | e40a87a4226f9f31ae9df39b61ed501f356c70b2 |
| e8c6ba1c1f91c9cac35402fe3878a9bd2e14daa23503b691ca622fefdad94f7f | e9e407c69fbd0bd0ef47259798ed5a8e | df51f1ce2cbd5db5c5fde30ebc582b48ab6bd6e4 |
| 11d3500b3da7ebcf1575263485d1e6c0c995c4775c91291346191012791667af | e03680c90591496bada8fc7db6139f59 | af1de55205dae97a47df674801d301a6eb8e3471 |
| 1d04bbabdb6da4db379ca057ac0d63fb27d8891b01cf3ffcb94573be1853ecaf | d58b4be4f3dec4843801511def20ae7d | 90be9caf1efa58d6ea70ae6783bfc8e05bd9ea16 |
| 1e50bead67a29eaeec16eb7f67ae9624e2e117c21838753b339f8dedcc1d0819 | 34a48b5bb71c3e586ab70823760ab20a | 4a2a5053f44be79b897a9c126befbdf32df5c4d3 |
| 00f43f5cfa6aea34fc6b0f21acb7cf2b82d57047732ef781f19a1ba319aaf1cc | 99ca75fc71354d2f501566c7205928a9 | 23397cd12c5ff791826ba97e65737de785d7efb6 |
| bb2945f781f40e44e726cff767c2ff22a04fea840f3396215851e93e2b6b215e | d58aa0f3060aaff76a3faad86670ced2 | 20ed6c79a560dc2f63a3e4b541989c4545934f07 |
| bbe7d6e50b7b2229d023aa7170b52d2fa3e63646c6232c25102fa121d1a4534e | 9535f08bd5920f84ac344f8884fe155d | 05acf56d12840558ebc17a138d4390dad7a96d5a |
| c9513c0be9864d06ffc483260f0e79ddeb0b2b8d805976384ee31c0628fee901 | ac64c3fff08ee8ce352766ef57aa45d7 | 02b0ed5fc2a4fe3b9c7145c15c5ecb631d1ca7b8 |
| ff236ccbd61d322a223e3152e768d0a195bde866d4debbe98929a80946382832 | 14b846dbd77dbedb574227310467d5fb | 01318111c3ae602914839f4f44f66dc095f3aa51 |
| 3a924457ad70770ebd0d7fcb98094473236f3135dd916c90b2a37f26e32ff3d5 | 675d81d3a257e808f2e71e3313c834eb | 8cbf0818b0fdb2e63d6f0c9d60d7b510a8ad8a44 |
| a835d3c4baa029a407a32b29b55cdfe10127dcfd906323bbce050caf4f5818a0 | 0399c89a7b383e371553485d80e47374 | 5ab2320b04e6b60d48671ad3b0c6c296c8182d72 |
| 6dbb8e19ae7920d930e4520754985aa13aaa8452575b78a67096db52286f81b0 | 887ea9ba0c70e6050407be1bc12bebd9 | 632e2d0730ba08ca887d9b3b927fa524ab32502d |
| c9010724d05f7325aabc3d20398506323c4a0d778e28c366474fb3d3145af375 | 451845539b9b980b84d245e34853a8a6 | c4703edbe372f660869685a6462d27ab392f9fdc |
| 44b9b6078a5cd9b5a25aa8a66add33999d4837cd7dce6a7a7224c3ab1b79008c | 0164618be630f5b5f3ba60bb2d01e4df | 5321f9653fba0f4b372a36ea89c29647be85f2b9 |
Detections: win_socelars_auto
| SHA256 hash | MD5 hash | SHA1 hash |
|---|---|---|
| 912534a5380738d96e8ddb7873ecb004667d72d5df783cabce2e398c11b14912 | 8b7b82eb83d4a6760ecf8e9398ffda64 | e827272cd42a9030741f4acb6004a97f6e13ba40 |
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name: Malicious File
Score: 1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.