MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a12aa651589ac345f319501bda42488fc12d1b8f6daffa35680535bb99c37488. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 10


Intelligence 10 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a12aa651589ac345f319501bda42488fc12d1b8f6daffa35680535bb99c37488
SHA3-384 hash: 599e6c03b1b3697ce85d4151fb82ee5b0383498258974b2565923c9a91976d97e612d06ca7a7506d98e53762bd846bd2
SHA1 hash: 7749c87cae74439628ef0d706477700dbd306d06
MD5 hash: 887974d84eeae88582a854f8099c5102
humanhash: east-zebra-lake-finch
File name:cp.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:4'615'680 bytes
First seen:2024-02-01 16:26:17 UTC
Last seen:2024-02-01 18:41:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 98304:pFK09T8gpBnq8c7zw9RbGNdj5dhdI3uvHF/XK:po0J8gt7bAdPIp
Threatray 1 similar samples on MalwareBazaar
TLSH T128268C027785DE01D56E6337C8CF401497FCEC912BA2EB1B7E9972AC6572326AC0D5CA
TrID 32.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
25.2% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
13.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
5.7% (.SCR) Windows screen saver (13097/50/3)
File icon (PE):PE icon
dhash icon f8f4e4cce4f4f4f0 (1 x GCleaner, 1 x RiseProStealer)
Reporter Anonymous
Tags:exe gcleaner

Intelligence

File Origin
# of uploads :
2
# of downloads :
328
Origin country :
CZ CZ
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/474065/
Detection(s):
SecuriteInfo.com.Win32.InjectorX-gen.15537.29389.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin net net_reactor obfuscated packed packed regasm remote stealer
Link:
https://www.filescan.io/uploads/65bbc6604f733f8cc1bc7759/reports/d6b2bd6d-88bb-4caf-b84a-59818b1f96df/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/a12aa651589ac345f319501bda42488fc12d1b8f6daffa35680535bb99c37488
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f7712062-1aa5-404b-9de0-f63945e61351
Result
Threat name:
n/a
Detection:
clean
Classification:
n/a
Score:
5 / 100
Link:
https://www.joesandbox.com/analysis/1385026
Behaviour
Behavior Graph:
n/a
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a12aa651589ac345f319501bda42488fc12d1b8f6daffa35680535bb99c37488
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a12aa651589ac345f319501bda42488fc12d1b8f6daffa35680535bb99c37488/
Threat name:
ByteCode-MSIL.Trojan.ZgRAT
Create hunting rule
Status:
Malicious
First seen:
2024-02-01 16:27:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
72
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uevkmukytlbul4yzkan5uqsir7as2g4pnwx7unliau23xgodosea._file
Verdict:
malicious
Similar samples:
a12aa651589ac345f319501bda42488fc12d1b8f6daffa35680535bb99c37488
GCleaner
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/240201-tx4beshgd3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Unpacked files
SH256 hash:
c5fee8594f29e6d8ff46ded41096431c3916a2be23a16f653b87457bf5a17909
MD5 hash:
2ba8610608687f0b83963409b326940c
SHA1 hash:
cd3b71a2653c89f2ba6f10c4ed340e056790c422
Link:
https://www.unpac.me/results/cd2a6320-52fc-4aaa-9095-86e08b3f053e/
SH256 hash:
63366bb58836a4d9fc6a7fb5632ce6aeb52fd2ec57ea5d766b27bfedf7b7deee
MD5 hash:
a6810a5899b5a89ee483c9e94dacb015
SHA1 hash:
c787d081f7534936636b17d94ecee651fd64fdac
Link:
https://www.unpac.me/results/cd2a6320-52fc-4aaa-9095-86e08b3f053e/
SH256 hash:
6a26df7ee49de6fec6c5de1f3f7a94075d2dfbc50922e3b30fd8111f2e734f33
MD5 hash:
f45c1512d5a47375e6e396b4d1111e58
SHA1 hash:
8af036b8c60d10e85cf82212930bb04bc0553f36
Link:
https://www.unpac.me/results/cd2a6320-52fc-4aaa-9095-86e08b3f053e/
SH256 hash:
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
MD5 hash:
544cd51a596619b78e9b54b70088307d
SHA1 hash:
4769ddd2dbc1dc44b758964ed0bd231b85880b65
Link:
https://www.unpac.me/results/cd2a6320-52fc-4aaa-9095-86e08b3f053e/
SH256 hash:
ee5d8d19b12e43459490c9c27024416c670a133fc3f1972fc8f24c6f2b80544c
MD5 hash:
2a3d628b8e04f48a8aea26a687cdc545
SHA1 hash:
e44b4764e00b4e3607f226ab0388403ee785e0bd
Link:
https://www.unpac.me/results/cd2a6320-52fc-4aaa-9095-86e08b3f053e/
SH256 hash:
a12aa651589ac345f319501bda42488fc12d1b8f6daffa35680535bb99c37488
MD5 hash:
887974d84eeae88582a854f8099c5102
SHA1 hash:
7749c87cae74439628ef0d706477700dbd306d06
Detections:
SUSP_NET_Msil_Suspicious_Use_StrReverse
Create hunting rule
Link:
https://www.unpac.me/results/cd2a6320-52fc-4aaa-9095-86e08b3f053e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a12aa651589a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a12aa651589ac345f319501bda42488fc12d1b8f6daffa35680535bb99c37488

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:msil_suspicious_use_of_strreverse
Create hunting rule
Author:dr4k0nia
Description:Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_NET_Msil_Suspicious_Use_StrReverse
Create hunting rule
Author:dr4k0nia, modified by Florian Roth
Description:Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Reference:https://github.com/dr4k0nia/yara-rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe a12aa651589ac345f319501bda42488fc12d1b8f6daffa35680535bb99c37488

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2739592/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2742874/
  
URLhaus
https://urlhaus.abuse.ch/url/2733619/
Cape
Cape
https://www.capesandbox.com/analysis/474065/
  
URLhaus
https://urlhaus.abuse.ch/url/2735404/
  
URLhaus
https://urlhaus.abuse.ch/url/2737076/

Comments