MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93e58a581fb7d8255acb59225be980d5e45c41e23840f6826946dbfc72bed743. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 13

SHA256 hash: 93e58a581fb7d8255acb59225be980d5e45c41e23840f6826946dbfc72bed743
SHA3-384 hash: bb261c3c7b8e842b27a5bba6116a53b6e7c684eda3430e024e8fc561d26495d6ce1f2c42c493037cc9613796ed48c01d
SHA1 hash: 1c465fd788d0f2dab92bb355d8af1cf5cd9be6d7
MD5 hash: 8a20ec937144c98dd5e1a116aa3d7aab
humanhash: washington-august-blossom-friend
File name: random.exe
Signature: GCleaner
File size: 4'652'032 bytes
First seen: 2026-02-16 09:33:12 UTC
Last seen: 2026-02-16 10:30:25 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 099b2b7fa2a0044e2ca25418be2f8a70 (3 x GCleaner)
ssdeep 49152:Sto5htPI9ZnqHLlp//yCwxaDVA+rYttHWrtrJaJzrQUCSdGYDRy8MtqOwRPOozHW:Ste90OSWyZLYJ2zcg0mwckaAP5
TLSH T17B26F027F7460DFDE171AC3D7F07A3BCC2766E011A31AAFE21CA29D645609612F2425E
TrID 96.1% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
2.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
0.6% (.EXE) Win32 Executable (generic) (4504/4/1)
0.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
0.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags: exe gcleaner

Intelligence


File Origin
# of uploads: 2
# of downloads: 126
Origin country: SE

Vendor Threat Intelligence
No detections

Malware family: n/a
ID: 1
File name: random.exe
Verdict: Malicious activity
Analysis date: 2026-02-16 09:36:23 UTC
Tags: delphi auto generic gcleaner loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: delphi cobalt emotet

Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: adaptive-context anti-debug borland_delphi fingerprint installer-heuristic keylogger krypt packed

Verdict: Malicious
File Type: exe x32
Detections: HEUR:Trojan.Win32.Qshell.gen

Result
Threat name: CryptOne, Vidar
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates multiple autostart registry keys
Found suspicious powershell code related to unpacking or dynamic code loading
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell IEX Execution Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect virtualization through RDTSC time measurements
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Vidar stealer
Behaviour
Behavior Graph: ID 1869824, sample random.exe, start date 16/02/2026, architecture WINDOWS, score 100 (graph rendering not reproduced here; the process tree, dropped files and contacted hosts it showed are summarised by the signature list above and the C2 extraction below)
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Threat name: Win32.Trojan.GCleaner
Status: Malicious
First seen: 2026-02-15 16:56:29 UTC
File Type: PE (Exe)
Extracted files: 36
AV detection: 23 of 38 (60.53%)
Threat level: 5/5

Result
Malware family: gcleaner
Score: 10/10
Tags: family:gcleaner discovery loader
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
GCleaner
Gcleaner family
Malware Config
C2 Extraction:
185.156.73.98
45.91.200.135
Unpacked files
SHA256 hash: 93e58a581fb7d8255acb59225be980d5e45c41e23840f6826946dbfc72bed743
MD5 hash: 8a20ec937144c98dd5e1a116aa3d7aab
SHA1 hash: 1c465fd788d0f2dab92bb355d8af1cf5cd9be6d7

SHA256 hash: a3e5763a0b27b258d9750277e4f3d7bfe4fa7c90f37301b32f404d81d0258bcc
MD5 hash: 21baff68c0bacef19191e62b92fc23a5
SHA1 hash: 43c69407c276a2b50f068b9f917f0e7b1b87f71b
Detections: GCleaner

SHA256 hash: d3d3224b50e7ff955cba76e05f5058471add627c6f15658420146040192b3e1b
MD5 hash: 61f30fea94c55ee3199526448a73e58f
SHA1 hash: 71c175173df87bda7ffc77b2208b28f04bbdc628
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Author:malware-lu
Rule name:Borland
Author:malware-lu
Rule name:Check_OutputDebugStringA_iat
Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell script.
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe 93e58a581fb7d8255acb59225be980d5e45c41e23840f6826946dbfc72bed743

(this sample)

Delivery method
Distributed via web download

Comments