MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9eef76a0625d12521e6d0b3c46f0fcf44df56ec9cf2822c475f85297b3ee051e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9eef76a0625d12521e6d0b3c46f0fcf44df56ec9cf2822c475f85297b3ee051e
SHA3-384 hash: e5feb34a010c17b99bb0adc821b128f13b4bcd6a48dd314844bcbb326acd658ee82fb915cd1f9f6eb7fcf5c0cb6df1fe
SHA1 hash: 32ac2a1b5f9543ec5c393c352716ad2e690a84d8
MD5 hash: dc099eca424486276efa63f740e84f15
humanhash: table-wyoming-california-autumn
File name:9EEF76A0625D12521E6D0B3C46F0FCF44DF56EC9CF282.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:4'837'953 bytes
First seen:2021-11-18 14:01:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:JqhCxHNmm6nv+AviWGTC5Uf9gORzngUvn3BZz1zKW11txMp:JBz+v+AvibTJuYzn7vX1/1XxQ
TLSH T19A263321F384E517C697253A4A32B1DB4F489432FB910EB75FAD7D7E0E184E19E9C228
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe gcleaner


Avatar
abuse_ch
GCleaner C2:
91.243.59.56:61911

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
91.243.59.56:61911 https://threatfox.abuse.ch/ioc/250728/

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Malware.Socelars-9901324-1
Create hunting rule

Win.Malware.Socelars-9901327-1
Create hunting rule

Win.Malware.Socelars-9901374-1
Create hunting rule

Win.Malware.Socelars-9901387-1
Create hunting rule

Win.Malware.Socelars-9901388-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
DNS request
Sending an HTTP GET request
Reading critical registry keys
Launching cmd.exe command interpreter
Query of malicious DNS domain
Unauthorized injection to a recently created process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61965cec4912a8c920a29ee7/reports/a11d9912-6e0d-4b78-b3c5-c7fd1b1f9e67/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6ff890e4-843d-45b5-905a-c27cee7e5a83
Result
Threat name:
RedLine SmokeLoader Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/891990
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 524463 Sample: 9EEF76A0625D12521E6D0B3C46F... Startdate: 18/11/2021 Architecture: WINDOWS Score: 100 94 91.121.67.60 OVHFR France 2->94 96 13.89.179.12 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->96 144 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->144 146 Antivirus detection for URL or domain 2->146 148 Antivirus detection for dropped file 2->148 150 20 other signatures 2->150 13 9EEF76A0625D12521E6D0B3C46F0FCF44DF56EC9CF282.exe 10 2->13         started        16 WmiPrvSE.exe 2->16         started        signatures3 process4 file5 92 C:\Users\user\AppData\...\setup_installer.exe, PE32 13->92 dropped 18 setup_installer.exe 20 13->18         started        process6 file7 70 C:\Users\user\AppData\...\setup_install.exe, PE32 18->70 dropped 72 C:\Users\user\AppData\...\Thu00fe27dc89.exe, PE32 18->72 dropped 74 C:\Users\user\...\Thu00f2d78f01026.exe, PE32 18->74 dropped 76 15 other files (10 malicious) 18->76 dropped 21 setup_install.exe 1 18->21         started        process8 dnsIp9 104 hsiens.xyz 21->104 106 127.0.0.1 unknown unknown 21->106 156 Performs DNS queries to domains with low reputation 21->156 158 Adds a directory exclusion to Windows Defender 21->158 25 cmd.exe 21->25         started        27 cmd.exe 1 21->27         started        29 cmd.exe 21->29         started        31 11 other processes 21->31 signatures10 160 May check the online IP address of the machine 104->160 process11 signatures12 34 Thu0057a84dcc825.exe 25->34         started        37 Thu0029506cd188626f5.exe 27->37         started        39 Thu001c731aeee.exe 29->39         started        162 Adds a directory exclusion to Windows Defender 31->162 42 Thu001f27bab1046c.exe 31->42         started        45 Thu0068a778653b.exe 31->45         started        47 Thu001699aad0c.exe 31->47         started        49 7 other processes 31->49 process13 dnsIp14 120 Antivirus detection for dropped file 34->120 122 Multi AV Scanner detection for dropped file 34->122 124 Detected unpacking (changes PE section rights) 34->124 142 4 other signatures 34->142 51 explorer.exe 34->51 injected 126 Machine Learning detection for dropped file 37->126 56 mshta.exe 37->56         started        108 ip-api.com 208.95.112.1, 49749, 80 TUT-ASUS United States 39->108 110 192.168.2.1 unknown unknown 39->110 112 staticimg.youtuuee.com 39->112 128 May check the online IP address of the machine 39->128 130 Tries to harvest and steal browser information (history, passwords, etc) 39->130 86 C:\Users\user\...\Thu001f27bab1046c.tmp, PE32 42->86 dropped 132 Obfuscated command line found 42->132 58 Thu001f27bab1046c.tmp 42->58         started        134 Injects a PE file into a foreign processes 45->134 136 Sample uses process hollowing technique 47->136 114 iplogger.org 5.9.162.45, 443, 49753 HETZNER-ASDE Germany 49->114 116 mas.to 88.99.75.82, 443, 49752 HETZNER-ASDE Germany 49->116 118 11 other IPs or domains 49->118 88 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 49->88 dropped 138 Creates processes via WMI 49->138 140 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 49->140 file15 signatures16 process17 dnsIp18 98 187.212.183.165 UninetSAdeCVMX Mexico 51->98 78 C:\Users\user\AppData\Roaming\dfcfhsa, PE32 51->78 dropped 152 Benign windows process drops PE files 51->152 154 Hides that the sample has been downloaded from the Internet (zone.identifier) 51->154 60 cmd.exe 56->60         started        100 safialinks.com 58->100 102 best-link-app.com 58->102 80 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 58->80 dropped 82 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 58->82 dropped 84 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 58->84 dropped file19 signatures20 process21 file22 90 C:\Users\user\AppData\Local\Temp\09xU.exE, PE32 60->90 dropped 63 09xU.exE 60->63         started        66 conhost.exe 60->66         started        68 taskkill.exe 60->68         started        process23 signatures24 164 Multi AV Scanner detection for dropped file 63->164 166 Machine Learning detection for dropped file 63->166
Detection:
vidar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9eef76a0625d12521e6d0b3c46f0fcf44df56ec9cf2822c475f85297b3ee051e/
Threat name:
Win32.Trojan.ArkeiStealer
Create hunting rule
Status:
Malicious
First seen:
2021-10-07 11:11:27 UTC
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=t3xxnidclujfehtnbm6en4h46rg7k3wjz4ucfrdv7bjjpm7oaupa._file
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:socelars family:vidar botnet:916 botnet:james2 botnet:media214 aspackv2 backdoor discovery evasion infostealer spyware stealer trojan
Link:
https://tria.ge/reports/211118-rb57sagec8/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
https://mas.to/@serg4325
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
135.181.129.119:4805
91.121.67.60:2151
Unpacked files
SH256 hash:
51d1fb6c91c859ebbe0d33009feb91e61ac92c14412addfeb6e5b097d84b7b63
MD5 hash:
ca367012ebf8a17e84253413281d5e72
SHA1 hash:
9db93109d5bfb255c1997e422a2538beefdbb36e
Link:
https://www.unpac.me/results/d94cbb77-0163-45c5-9246-c1a5b7ec1879/
Parent samples :
582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b
abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a
SH256 hash:
43da19a0f18ca201ee3f213e30699e121bbe812bb14e405344dfe43e52b95d6a
MD5 hash:
c83860b0db60b9f69468301ee2a58fca
SHA1 hash:
d826cc0323eb208e36b3e9ef00225430c6f031e1
Link:
https://www.unpac.me/results/d94cbb77-0163-45c5-9246-c1a5b7ec1879/
SH256 hash:
9835ad76c3cff16a01e452ffd4d9dbdc20f27373b0811eb68ee7923cd0cebca2
MD5 hash:
1b81a0d6e725d8f5581cf5d8dc76f18e
SHA1 hash:
8bbfe541dc28598c680170d9281fa80476b024b2
Link:
https://www.unpac.me/results/d94cbb77-0163-45c5-9246-c1a5b7ec1879/
SH256 hash:
4107c225002d3383cabe5c61d0b58cf874b41acb00577fa5d2431d1ff3779c9b
MD5 hash:
a2eee9dea2767da9d6801cd6fd19dc97
SHA1 hash:
70eb9e114b3e16831869a41d1d74d62a7effd9ef
Link:
https://www.unpac.me/results/d94cbb77-0163-45c5-9246-c1a5b7ec1879/
SH256 hash:
5f6b8584f366709de312c1538d845049ff3dbceaa4ff321e706c29196d5578ab
MD5 hash:
6a00dffd5a467d99fa66fdb7937b79d5
SHA1 hash:
665afd1f6a7d04b9190c8967c3769334d9782134
Link:
https://www.unpac.me/results/d94cbb77-0163-45c5-9246-c1a5b7ec1879/
SH256 hash:
cd35ce7aa0ef6194b24e1c71a27d26852762cde87476d716de947d0172eb3b4b
MD5 hash:
50a60cc9e706ceb3466b09ebbfaa2ec3
SHA1 hash:
49d6e5b8f2db4f6545ff78c447af0dbad909c5c7
Link:
https://www.unpac.me/results/d94cbb77-0163-45c5-9246-c1a5b7ec1879/
SH256 hash:
87ea5b65df83c7199819d0dec06b7ed69f0f5118e4e22bb0b67bd64ebdb7d7e8
MD5 hash:
06e4540ebcb838d408d150f6fa906ee8
SHA1 hash:
2217f65bc30e7e4a21088a50b7ccab922cc39817
Link:
https://www.unpac.me/results/d94cbb77-0163-45c5-9246-c1a5b7ec1879/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/d94cbb77-0163-45c5-9246-c1a5b7ec1879/
SH256 hash:
a3a7b30f1a960efd004bd1b81e5fa479d68a02d56db7ecb28228b538690d1f18
MD5 hash:
2bbad1e553ad103047627bc039bd0151
SHA1 hash:
d7c56921cc254238d86e2a04710e02d10bc3f8a9
Link:
https://www.unpac.me/results/d94cbb77-0163-45c5-9246-c1a5b7ec1879/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/d94cbb77-0163-45c5-9246-c1a5b7ec1879/
SH256 hash:
b0907562ec1ac4ff1abc08598c77804ea6a4434b6955ef1d8ea7cfa99a6cb849
MD5 hash:
2aa74bffcea929cdd73b163a1dfabbcf
SHA1 hash:
74a2007532e312d234fbadcc0fb7d081a1932bc0
Link:
https://www.unpac.me/results/d94cbb77-0163-45c5-9246-c1a5b7ec1879/
Parent samples :
822ee6c4b4bb9a619985e83c04a2dfe1a09152dc0276bd698f6d03be6ec7b83a
cfcab36f73560b2d15b6c266feaaf0195a6e0d18c22aa22b672e7eb2f979923e
SH256 hash:
972c33057d6944870e2fe26b4a5f2497cde0b540150386bdba04c8fc607f4b01
MD5 hash:
d5d68f6d0c6e151d2fb689740f5f3f75
SHA1 hash:
cb5ef9eb004073daba0eb683f1ff69d1dd5f21eb
Link:
https://www.unpac.me/results/d94cbb77-0163-45c5-9246-c1a5b7ec1879/
Parent samples :
f33c9c6f077b7fb4d243925fe48b875581bb8af46e452b39bd4a2c3dd68f0ef9
822ee6c4b4bb9a619985e83c04a2dfe1a09152dc0276bd698f6d03be6ec7b83a
cfcab36f73560b2d15b6c266feaaf0195a6e0d18c22aa22b672e7eb2f979923e
7287980c1afb840a7438471126c0c95c36fefa79a013f9620264507e5f98c7a6
f9c9b3fbf4d11f96ff06fc8292d8c67ad6cf5432409754bbfc95c5c80e6b160d
72b6da82c3aa6faeee19e842814f77874cab37b3425ce6c503754b90c43a4610
e4fb39b3f6aa19028ccdd531437e7994a9b6f62b317adfa3edc16ba51e57acb1
582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b
9265b09595c59007e116c60605c28bd616387cf0dff79c7db8c5880e23cfef8e
abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a
SH256 hash:
6a51e5a1287d9ecbc64c29a433d7d1eefb9eecdf492c9012ff0e8f9eee92bc25
MD5 hash:
e6a964c704753d01dde1f6a1a4d9c34e
SHA1 hash:
be5100dc27435f416ac63b4276560fbbac4ca4b6
Link:
https://www.unpac.me/results/d94cbb77-0163-45c5-9246-c1a5b7ec1879/
SH256 hash:
6e859314b1420d5d14f1f2054351659edfec19895a434e455d17ba4ff683072a
MD5 hash:
b284d20c170f6ab911074a95ce3c1897
SHA1 hash:
95fb8bf5fb1a96d3235dfc8df25289d575322e2f
Link:
https://www.unpac.me/results/d94cbb77-0163-45c5-9246-c1a5b7ec1879/
SH256 hash:
cd64bc181ab54af7a04f19a3147ddc94edfa0b29c3c6508a43689f9142a86b42
MD5 hash:
23da0ebe2368430f2a742175b3597b97
SHA1 hash:
6cb0edc71a836a23741ddad7f8d47a91e599f222
Link:
https://www.unpac.me/results/d94cbb77-0163-45c5-9246-c1a5b7ec1879/
SH256 hash:
87e319b6a3ae8e68df577471f317c8a2e20c12e7a73675e951b1f0d104e0b674
MD5 hash:
db189211b65b37253a6f19b51c956918
SHA1 hash:
79817a58fc93f8605fd7e5a156d7c7ee34e3315f
Link:
https://www.unpac.me/results/d94cbb77-0163-45c5-9246-c1a5b7ec1879/
SH256 hash:
617f65fc3b7b2809c58b0e4d4625550f727694041e135dff3e651e763bd8f9d8
MD5 hash:
f13eddc0e83b98a196d11264679f63dd
SHA1 hash:
d778c291c2aa0117f5281387b888ab9a9f6a3462
Link:
https://www.unpac.me/results/d94cbb77-0163-45c5-9246-c1a5b7ec1879/
SH256 hash:
9eef76a0625d12521e6d0b3c46f0fcf44df56ec9cf2822c475f85297b3ee051e
MD5 hash:
dc099eca424486276efa63f740e84f15
SHA1 hash:
32ac2a1b5f9543ec5c393c352716ad2e690a84d8
Link:
https://www.unpac.me/results/d94cbb77-0163-45c5-9246-c1a5b7ec1879/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9eef76a0625d12521e6d0b3c46f0fcf44df56ec9cf2822c475f85297b3ee051e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_DLInjector03
Create hunting rule
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:XOREngine_Misc_XOR_Func
Create hunting rule
Author:smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/207254/

Comments