MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99ed2c0d3b0794097cbd6dc373c3dd16863de97e057befeb32d289412650cfd9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 10



SHA256 hash: 99ed2c0d3b0794097cbd6dc373c3dd16863de97e057befeb32d289412650cfd9
SHA3-384 hash: 2bb707527721036e50598c77376a09f6d51fac7830bc59fcd684a3b1fa75311bd3b446491c7eb40201cb66d85476df60
SHA1 hash: 3562639596280241a17c54f2e0d33baa25ff25fd
MD5 hash: a223fb0a5696c84dc2d3d29b17500016
humanhash: white-berlin-green-fix
File name: a223fb0a5696c84dc2d3d29b17500016.exe
Signature GCleaner
File size: 162'304 bytes
First seen: 2022-01-15 11:21:29 UTC
Last seen: 2022-01-15 12:57:06 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b729f0e96e3a4a76f606dc40e4bc36c9 (1 x GCleaner, 1 x RaccoonStealer)
ssdeep: 3072:AoTswA0ODS23VWK6BuEkqe7ebJHmFrdO+Tpu/AzHYesr9dgYfrr:pAZ0cf3VW8EkTg0rdbTpu/AB8r
TLSH: T137F37C157AD1D0B2D572053529E4CB70892DFD304F659DAF33823B3A6B301E2AA65F2B
dhash icon: 92aae8c8e8f2b29a (3 x RedLineStealer, 2 x GCleaner, 2 x PrivateLoader)
Reporter: abuse_ch
Tags: exe gcleaner
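The four digests above are what you compare against after pulling and unpacking the sample. The following Python is an added example (not MalwareBazaar's own tooling) that recomputes the same four digests for a file, checks them against the values listed on this page, and applies the two cheap sanity checks the entry makes possible: the exact file size and the "MZ" DOS header magic implied by the "Executable exe" file type. The input bytes in the block are constructed and will not match; point `verify_sample` at the real file contents to get a "same sample" verdict. imphash, ssdeep and TLSH are not recomputed here since they need third-party libraries (pefile, ssdeep, py-tlsh).

```python
import hashlib

# Digests and size exactly as listed in this MalwareBazaar entry.
ENTRY_HASHES = {
    "md5": "a223fb0a5696c84dc2d3d29b17500016",
    "sha1": "3562639596280241a17c54f2e0d33baa25ff25fd",
    "sha256": "99ed2c0d3b0794097cbd6dc373c3dd16863de97e057befeb32d289412650cfd9",
    "sha3_384": "2bb707527721036e50598c77376a09f6d51fac7830bc59fcd684a3b1fa75311b"
                "d3b446491c7eb40201cb66d85476df60",
}
ENTRY_SIZE = 162304  # "File size: 162'304 bytes"

# Constructed stand-in for the file contents; it is NOT the real sample.
CONSTRUCTED_FILE = b"MZ" + b"\x00" * 62 + b"constructed placeholder, not the sample"


def fingerprint(data: bytes) -> dict:
    """Compute the same four digests MalwareBazaar lists for an entry."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def matching_algorithms(fp: dict, known: dict) -> set:
    """Digest algorithms on which fp agrees with known (hex compared case-insensitively)."""
    return {algo for algo, digest in known.items()
            if algo in fp and fp[algo].lower() == digest.lower()}


def is_pe(data: bytes) -> bool:
    """A Windows PE image starts with the 'MZ' DOS header magic."""
    return data[:2] == b"MZ"


def verify_sample(data: bytes, known: dict = ENTRY_HASHES, size: int = ENTRY_SIZE) -> dict:
    """
    Triage a file believed to be this sample.

    The verdict is "same sample" only when SHA256 agrees. MD5 and SHA1 are
    kept because vendor reports still cite them, but on their own they are
    only a hint (both are collision-prone), so they get a weaker verdict.
    Size and MZ checks are cheap pre-filters that catch a truncated or
    still-zipped download before any hashing is trusted.
    """
    fp = fingerprint(data)
    matched = matching_algorithms(fp, known)
    if "sha256" in matched:
        verdict = "same sample"
    elif matched:
        verdict = "weak digest match only, investigate"
    else:
        verdict = "no match"
    return {
        "size_ok": len(data) == size,
        "is_pe": is_pe(data),
        "matched": matched,
        "verdict": verdict,
        "fingerprint": fp,
    }


if __name__ == "__main__":
    result = verify_sample(CONSTRUCTED_FILE)
    for key in ("size_ok", "is_pe", "matched", "verdict"):
        print(f"{key}: {result[key]}")
```

Read the file in binary mode (`open(path, "rb").read()`) before passing it in; a text-mode read on Windows would translate line endings and change every digest.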


abuse_ch
GCleaner C2:
95.143.177.76:34098

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                     ThreatFox Reference
116.202.24.62:9295      https://threatfox.abuse.ch/ioc/295246/
95.143.177.76:34098     https://threatfox.abuse.ch/ioc/295247/
78.46.137.240:21314     https://threatfox.abuse.ch/ioc/295286/
185.112.83.121:60168    https://threatfox.abuse.ch/ioc/295439/
167.99.211.66:26250     https://threatfox.abuse.ch/ioc/295440/
91.243.59.75:44301      https://threatfox.abuse.ch/ioc/295441/
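The six ip:port pairs above are the actionable part of this entry for a network defender. The Python below is an added example, not ThreatFox or MalwareBazaar code, that runs them over outbound connection logs. The log format is a constructed key=value style chosen for the example (`ts=... src=... dst=... dport=... proto=... action=...`); adapt `LINE_RE` to whatever your firewall or proxy emits. An exact ip:port match is rated high confidence; a match on the IP alone is rated medium, since the same host may serve other ports or have been re-assigned. A denied connection is still a hit: the internal host attempted to reach a C2 and should be treated as infected.

```python
import re
from collections import namedtuple

# ip:port pairs from the IOC table of this entry (ThreatFox references omitted).
C2_IOCS = {
    ("116.202.24.62", 9295),
    ("95.143.177.76", 34098),
    ("78.46.137.240", 21314),
    ("185.112.83.121", 60168),
    ("167.99.211.66", 26250),
    ("91.243.59.75", 44301),
}
C2_IPS = {ip for ip, _ in C2_IOCS}

# Constructed log lines for the example; not from any real device or incident.
SAMPLE_LOG = """\
ts=2022-01-15T11:30:02Z src=10.0.0.23 dst=95.143.177.76 dport=34098 proto=tcp action=allow
ts=2022-01-15T11:30:05Z src=10.0.0.23 dst=185.112.83.121 dport=443 proto=tcp action=allow
ts=2022-01-15T11:31:10Z src=10.0.0.41 dst=142.250.74.36 dport=443 proto=tcp action=allow
ts=2022-01-15T11:32:44Z src=10.0.0.23 dst=167.99.211.66 dport=26250 proto=tcp action=deny
"""

# Field layout of the constructed format above; replace for a real log source.
LINE_RE = re.compile(
    r"ts=(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"dport=(?P<dport>\d+)\s+proto=\S+\s+action=(?P<action>\S+)"
)

Hit = namedtuple("Hit", "ts src dst dport action confidence")


def classify(dst: str, dport: int):
    """'high' for an exact ip:port IOC, 'medium' for the IP on another port, else None."""
    if (dst, dport) in C2_IOCS:
        return "high"
    if dst in C2_IPS:
        return "medium"
    return None


def scan_log(text: str) -> list:
    """Return one Hit per log line whose destination matches a C2 indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line: skip rather than silently mis-match
        dport = int(m.group("dport"))
        confidence = classify(m.group("dst"), dport)
        if confidence is None:
            continue
        hits.append(Hit(m.group("ts"), m.group("src"), m.group("dst"),
                        dport, m.group("action"), confidence))
    return hits


def infected_hosts(hits: list) -> set:
    """Internal sources that contacted (or tried to contact) a C2; denies count too."""
    return {h.src for h in hits}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"[{h.confidence:6}] {h.ts} {h.src} -> {h.dst}:{h.dport} ({h.action})")
    print("hosts to isolate:", sorted(infected_hosts(found)))
```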

Intelligence


File Origin
# of uploads:
2
# of downloads:
374
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a223fb0a5696c84dc2d3d29b17500016.exe
Verdict:
No threats detected
Analysis date:
2022-01-15 11:24:43 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Creating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Searching for synchronization primitives
Creating a window
Launching a process
Blocking the Windows Defender launch
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Behaviour
MalwareBazaar
MeasuringTime
CallSleep
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine SmartSearch Installer SmokeLoader
Detection:
malicious
Classification:
rans.phis.troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Hides threads from debuggers
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Modifies Chrome's extension installation force list
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by executing a special instruction that causes a usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmartSearch Installer
Yara detected SmokeLoader
Yara detected Vidar stealer
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph:
Behavior Graph ID: 553639
Sample: 414YLLerpQ.exe
Start date: 15/01/2022
Architecture: WINDOWS
Score: 100

Start node (sample submission)
  Network: 208.95.112.1 (TUT-ASUS, United States); 151.115.10.1 (OnlineSASFR, United Kingdom); 2 other IPs or domains
  Signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Antivirus detection for dropped file; 26 other signatures
  Starts: 414YLLerpQ.exe

414YLLerpQ.exe
  Network: 185.215.113.208 (WHOLESALECONNECTIONSNL, Portugal); 212.193.30.29 (SPD-NETTR, Russian Federation); 19 other IPs or domains
  Dropped: C:\Users\...\wn80v9Zm0r8Fpm_rLsi1kOp3.exe (PE32); C:\Users\...\oes_dUVyMOOH5vpQ7FY5mDKm.exe (PE32); C:\Users\...\g2_6QVmtYvS8FZcGtcZRURds.exe (PE32); 45 other files (31 malicious)
  Signatures: Creates HTML files with .exe extension (expired dropper behavior); Tries to harvest and steal browser information (history, passwords, etc); Disable Windows Defender real time protection (registry); Writes many files with high entropy
  Starts: _7l1jRFTFfZvOpzH83tCsUpN.exe; 1FckxHZlpivvmjyF8hCbz3wv.exe; KplpiLlpkLnWxd7o5uCrgedS.exe; 10 other processes

_7l1jRFTFfZvOpzH83tCsUpN.exe
  Network: 149.154.167.99 (TELEGRAMRU, United Kingdom)
  Dropped: C:\Users\...\5wrvQlpA5b_34eWtiE8M_95y.exe (PE32); C:\Users\user\AppData\...\Cube_WW14[1].bmp (PE32); C:\...\PowerControl_Svc.exe (PE32)
  Starts: 5wrvQlpA5b_34eWtiE8M_95y.exe

1FckxHZlpivvmjyF8hCbz3wv.exe
  Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Checks if the current machine is a virtual machine (disk enumeration)

KplpiLlpkLnWxd7o5uCrgedS.exe
  Dropped: C:\Users\...\KplpiLlpkLnWxd7o5uCrgedS.tmp (PE32)
  Signatures: Obfuscated command line found

10 other processes
  Network: 91.107.126.191 (MGNHOST-ASRU, Russian Federation); 37.220.10.229 (IOMART-ASGB, United Kingdom); 4 other IPs or domains
  Dropped: C:\Users\user\AppData\...\59385818432.exe (PE32); C:\Users\...\pidHTSIGEi8DrAmaYu9K8ghN89.dll (PE32+); C:\Users\user\AppData\Local\...\empty[1] (PE32); 3 other files (none is malicious)
  Signatures: Hides threads from debuggers; Injects a PE file into a foreign process
  Starts: oes_dUVyMOOH5vpQ7FY5mDKm.exe; J0b6bdksBbj1dhwijGIH_2xc.exe; conhost.exe; conhost.exe

5wrvQlpA5b_34eWtiE8M_95y.exe
  Signatures: Antivirus detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

oes_dUVyMOOH5vpQ7FY5mDKm.exe
  Signatures: Modifies Chrome's extension installation force list

J0b6bdksBbj1dhwijGIH_2xc.exe
  Network: 172.67.188.70 (CLOUDFLARENETUS, United States)
  Dropped: C:\Users\user\AppData\Local\Temp\db.dll (PE32)
Threat name:
Win32.Backdoor.Zapchast
Status:
Malicious
First seen:
2022-01-13 11:46:33 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Defender Real-time Protection settings
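Two behaviours recur across the sandbox reports on this page: "Disable Windows Defender real time protection (registry)" / "Modifies Windows Defender Real-time Protection settings", and "Modifies Chrome's extension installation force list". Both leave durable registry artifacts, which makes them useful host-side checks after the fact. The Python below is an added example, not part of this entry or of any sandbox vendor's tooling. It parses a registry export in `.reg` text format (the constructed `SAMPLE_REG` below models what such tampering looks like; it is not an export from the real sample, and the page does not state the exact values the sample wrote) and flags the standard policy locations for those behaviours: the `DisableRealtimeMonitoring`-style values under `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection` and every entry under `HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist`. On an unmanaged workstation any force-listed extension is worth a look; one whose update URL is not Google's own CRX service is treated as suspicious outright.

```python
import re

# Constructed .reg export modelling the two behaviours; NOT from the real sample.
# 203.0.113.10 is a documentation address; the extension IDs are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
"DisableBehaviorMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist]
"1"="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx"
"2"="bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb;http://203.0.113.10/update.xml"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

# Standard policy locations for Defender tamper values (key paths stored lowercase).
DEFENDER_TAMPER = {
    r"hkey_local_machine\software\policies\microsoft\windows defender":
        ("DisableAntiSpyware",),
    r"hkey_local_machine\software\policies\microsoft\windows defender\real-time protection":
        ("DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
         "DisableOnAccessProtection", "DisableScanOnRealtimeEnable",
         "DisableIOAVProtection"),
}
CHROME_FORCELIST_KEY = r"hkey_local_machine\software\policies\google\chrome\extensioninstallforcelist"
OFFICIAL_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def decode_data(data: str):
    """Decode the .reg value syntaxes this example handles: dword:hex and "string"."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace("\\\\", "\\")  # .reg escapes backslashes
    return data


def parse_reg(text: str) -> dict:
    """Map lowercased key path -> {value name: decoded data}."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            reg.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            reg[current][m.group("name")] = decode_data(m.group("data"))
    return reg


def defender_findings(reg: dict) -> list:
    """Defender protection features switched off by policy (value == 1)."""
    return [f"{name}=1 under {key}"
            for key, names in DEFENDER_TAMPER.items()
            for name, data in reg.get(key, {}).items()
            if name in names and data == 1]


def chrome_forcelist_findings(reg: dict) -> list:
    """Every force-installed extension, flagged if its ID or update URL looks wrong."""
    findings = []
    for index, data in reg.get(CHROME_FORCELIST_KEY, {}).items():
        ext_id, _, update_url = str(data).partition(";")
        valid_id = re.fullmatch(r"[a-p]{32}", ext_id) is not None
        findings.append({"index": index, "extension_id": ext_id, "update_url": update_url,
                         "suspicious": (not valid_id) or update_url != OFFICIAL_UPDATE_URL})
    return findings


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for f in defender_findings(reg):
        print("Defender tamper:", f)
    for f in chrome_forcelist_findings(reg):
        print("Chrome forcelist:", f)
```

Export the hive with `reg export HKLM\SOFTWARE\Policies policies.reg` on the suspect host (the file is UTF-16; decode it before passing the text in), or run the same checks against the registry section of a sandbox report.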
Unpacked files
SHA256 hash:
99ed2c0d3b0794097cbd6dc373c3dd16863de97e057befeb32d289412650cfd9
MD5 hash:
a223fb0a5696c84dc2d3d29b17500016
SHA1 hash:
3562639596280241a17c54f2e0d33baa25ff25fd
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments