MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95972f593721107647a703bdd022f36f88737204c2ad575a77c25acfc2f21d4f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 95972f593721107647a703bdd022f36f88737204c2ad575a77c25acfc2f21d4f
SHA3-384 hash: acc454167213417dbf82281e1e9a90e8784b16f9255883f455a151788446df698ad8db325142d5f3c6846abbfce8cf7f
SHA1 hash: e816730b9fc1cef43ae269452fbd60dc7a178c3a
MD5 hash: 4ea672ca05b3c1e7d131ecc108c7e7f1
humanhash: alpha-december-violet-fanta
File name:4ea672ca05b3c1e7d131ecc108c7e7f1
Download: download sample
Signature GCleaner
Create hunting rule
File size:176'128 bytes
First seen:2021-11-03 19:00:27 UTC
Last seen:2021-11-03 20:26:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2c02c1999142edb52caad79376c81ce6 (5 x GCleaner)
ssdeep 3072:LSftzo1YmKFiiIKhb6xKcB3bV3g2Zh+15/yyvcOGkXOxTxoAHL+laxn1955Nh8uq:8H4qMxKeV3PANyyvcOGkXYTxjil61b55
TLSH T1B5043B386291B436E4F30435A4ED97F598687A3067948CFBB7854F2E0B796C2D630B27
File icon (PE):PE icon
dhash icon 87393d7cb8393332 (5 x GCleaner, 1 x Smoke Loader, 1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe gcleaner

Intelligence

File Origin
# of uploads :
2
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4ea672ca05b3c1e7d131ecc108c7e7f1
Verdict:
No threats detected
Analysis date:
2021-11-03 22:02:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/605c10a2-ce3c-41d1-bfaf-b09db8f3ac32

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/201961/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.31388.20402.15723.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug anti-vm greyware
Link:
https://www.filescan.io/uploads/6182dc729982ff7c3f7e0796/reports/f99cf2f4-0dd1-4fde-92d2-512c34abda2a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5da67155-d136-41cf-8fbc-6a9b708d5ced
Result
Threat name:
Backstage Stealer SmokeLoader Socelars V
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/882545
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Backstage Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 514981 Sample: FSK4yW6vgu Startdate: 03/11/2021 Architecture: WINDOWS Score: 100 163 Antivirus detection for URL or domain 2->163 165 Antivirus detection for dropped file 2->165 167 Multi AV Scanner detection for dropped file 2->167 169 12 other signatures 2->169 9 FSK4yW6vgu.exe 4 22 2->9         started        14 PowerControl_Svc.exe 2->14         started        16 PowerControl_Svc.exe 2->16         started        18 WmiPrvSE.exe 2->18         started        process3 dnsIp4 151 212.192.241.62 RAPMSB-ASRU Russian Federation 9->151 153 88.99.66.31 HETZNER-ASDE Germany 9->153 155 4 other IPs or domains 9->155 107 C:\Users\...\MTf9F365iEjycVNEY081ye13.exe, PE32 9->107 dropped 109 C:\Users\...\DTbVXRR9LhyXzADJtYMLrTyl.exe, PE32 9->109 dropped 111 C:\Users\user\AppData\...\Service[1].bmp, PE32 9->111 dropped 117 2 other files (1 malicious) 9->117 dropped 179 Detected unpacking (creates a PE file in dynamic memory) 9->179 181 Disable Windows Defender real time protection (registry) 9->181 20 MTf9F365iEjycVNEY081ye13.exe 17 9->20         started        24 DTbVXRR9LhyXzADJtYMLrTyl.exe 74 9->24         started        27 JfARzbCRLboFpEz5OiB9xNsG.exe 1 9->27         started        113 C:\Users\...\atEbAP0EDe7HGC7OkRwEZMXi.exe, PE32 14->113 dropped 115 C:\Users\user\AppData\...\Cube_WW14[1].bmp, PE32 14->115 dropped 29 atEbAP0EDe7HGC7OkRwEZMXi.exe 14->29         started        31 schtasks.exe 14->31         started        33 schtasks.exe 14->33         started        35 atEbAP0EDe7HGC7OkRwEZMXi.exe 16->35         started        37 schtasks.exe 16->37         started        39 schtasks.exe 16->39         started        file5 signatures6 process7 dnsIp8 137 149.154.167.99 TELEGRAMRU United Kingdom 20->137 139 45.133.1.182 DEDIPATH-LLCUS Netherlands 20->139 141 162.159.134.233 CLOUDFLARENETUS United States 20->141 89 C:\Users\...\KtHP_uT93qAd7XU4IRdBTQCi.exe, PE32 20->89 dropped 99 2 other malicious files 20->99 dropped 41 KtHP_uT93qAd7XU4IRdBTQCi.exe 32 20->41         started        59 2 other processes 20->59 143 88.99.75.82 HETZNER-ASDE Germany 24->143 145 65.108.80.190 ALABANZA-BALTUS United States 24->145 101 12 other files (none is malicious) 24->101 dropped 171 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->171 173 Tries to harvest and steal browser information (history, passwords, etc) 24->173 175 Tries to steal Crypto Currency Wallets 24->175 45 cmd.exe 24->45         started        91 C:\Users\...\pidHTSIGEi8DrAmaYu9K8ghN89.dll, PE32+ 27->91 dropped 147 52.219.158.50 AMAZON-02US United States 29->147 93 C:\Users\...\qibKqm4ysB9kNHniOoG035vL.exe, PE32 29->93 dropped 95 C:\Users\user\AppData\Local\...\pub33[1].exe, PE32 29->95 dropped 103 12 other files (3 malicious) 29->103 dropped 177 Detected unpacking (creates a PE file in dynamic memory) 29->177 47 rU7mWyUIW2lVlQMxlthfWB9n.exe 29->47         started        49 conhost.exe 31->49         started        51 conhost.exe 33->51         started        149 2 other IPs or domains 35->149 97 C:\Users\...\9F2DEjULaTKYZTO2buuXMHTx.exe, PE32 35->97 dropped 105 14 other files (4 malicious) 35->105 dropped 53 lH785JgET6S74GyfWDZ7Fjb7.exe 35->53         started        55 conhost.exe 37->55         started        57 conhost.exe 39->57         started        file9 signatures10 process11 dnsIp12 157 45.142.182.152 XSSERVERNL Germany 41->157 159 5.8.76.205 SELECTELRU Russian Federation 41->159 161 6 other IPs or domains 41->161 119 C:\Users\...\eP1VQTVVIwDvWZMpdq0k5qWY.exe, PE32 41->119 dropped 121 C:\Users\...\dIPzdBUnK91e2XDYQmJ4jifO.exe, PE32 41->121 dropped 123 C:\Users\...\Dyq842LpWV0exSZChQ0oRSzq.exe, PE32 41->123 dropped 125 12 other files (8 malicious) 41->125 dropped 61 dIPzdBUnK91e2XDYQmJ4jifO.exe 41->61         started        64 0LekavtfbzjVanNze4LmJy9j.exe 41->64         started        67 Dyq842LpWV0exSZChQ0oRSzq.exe 41->67         started        79 4 other processes 41->79 69 conhost.exe 45->69         started        71 taskkill.exe 45->71         started        73 timeout.exe 45->73         started        75 conhost.exe 59->75         started        77 conhost.exe 59->77         started        file13 process14 dnsIp15 183 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 61->183 185 Maps a DLL or memory area into another process 61->185 187 Checks if the current machine is a virtual machine (disk enumeration) 61->187 189 Creates a thread in another existing process (thread injection) 61->189 127 208.95.112.1 TUT-ASUS United States 64->127 129 45.136.151.102 ENZUINC-US Latvia 64->129 191 Tries to harvest and steal browser information (history, passwords, etc) 64->191 81 Dyq842LpWV0exSZChQ0oRSzq.exe 67->81         started        85 conhost.exe 67->85         started        131 149.28.253.196 AS-CHOOPAUS United States 79->131 signatures16 process17 dnsIp18 133 104.21.85.99 CLOUDFLARENETUS United States 81->133 135 172.67.204.112 CLOUDFLARENETUS United States 81->135 87 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 81->87 dropped file19
Detection:
vidar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/95972f593721107647a703bdd022f36f88737204c2ad575a77c25acfc2f21d4f/
Threat name:
Win32.Infostealer.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-11-03 06:47:44 UTC
AV detection:
20 of 45 (44.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=swls6wjxeeihmr5hao65aixtn6ehg4qeykwvowtxyjnm7qxsdvhq._file
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:865 discovery evasion spyware stealer suricata trojan
Link:
https://tria.ge/reports/211103-xn7t2abfbk/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Vidar
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Malware Config
C2 Extraction:
https://mas.to/@romashkin
Unpacked files
SH256 hash:
95972f593721107647a703bdd022f36f88737204c2ad575a77c25acfc2f21d4f
MD5 hash:
4ea672ca05b3c1e7d131ecc108c7e7f1
SHA1 hash:
e816730b9fc1cef43ae269452fbd60dc7a178c3a
Link:
https://www.unpac.me/results/09af3c13-559d-4e3b-ba92-884b3c12583e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/95972f593721107647a703bdd022f36f88737204c2ad575a77c25acfc2f21d4f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe 95972f593721107647a703bdd022f36f88737204c2ad575a77c25acfc2f21d4f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1744428/
Cape
Cape
https://www.capesandbox.com/analysis/201961/

Comments


Avatar
zbet commented on 2021-11-03 19:00:29 UTC

url : hxxp://2.56.59.42/WW/ww_testFS_0211_single.exe