MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a17bb3e305532ac8e6dd2785ae50cf5f18a3de6a9ea2a4b75ea841b66ba94509. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a17bb3e305532ac8e6dd2785ae50cf5f18a3de6a9ea2a4b75ea841b66ba94509
SHA3-384 hash: 32fd5908da6181ca6949ce1e35c53b978fdbd1fcd0d7fbbf3be912ae38a8d554a083156b1046f5c6613cdc2978d64794
SHA1 hash: f0521b0119f2dd4cef29c9a130ea8cb79696d1e0
MD5 hash: 27a6847162c333d39b9885b8e72546cd
humanhash: emma-winter-cardinal-mobile
File name:27a6847162c333d39b9885b8e72546cd.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:373'248 bytes
First seen:2021-05-24 06:37:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c1547c738f79c15afc554fcab1eba054 (2 x DanaBot, 1 x RaccoonStealer, 1 x GCleaner)
ssdeep 6144:vGSdutDd8fUHYtXuKpJGyaXLeRdufmCCONvOnONwQ09/0+VY2FYkpv:vGSdutDdyUsHpJGyabygXNvO5i+N
Threatray 81 similar samples on MalwareBazaar
TLSH 7484BF0067A1C039F5FB26B40A7593A9A53F7DE17B2080DB62D13AEE5A351E1EC3075B
Reporter abuse_ch
Tags:exe gcleaner

Intelligence

File Origin
# of uploads :
1
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
27a6847162c333d39b9885b8e72546cd.exe
Verdict:
Malicious activity
Analysis date:
2021-05-24 06:47:52 UTC
Tags:
trojan loader stealer vidar
Link:
https://app.any.run/tasks/a8bdb47d-9942-41fc-80e1-51d571f59371

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/161261/
Detection(s):
SecuriteInfo.com.Mal.GandCrypt-B.25673.7664.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Using the Windows Management Instrumentation requests
Searching for the window
Launching a tool to kill processes
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/790081
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a17bb3e305532ac8e6dd2785ae50cf5f18a3de6a9ea2a4b75ea841b66ba94509/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-05-24 06:38:12 UTC
AV detection:
13 of 47 (27.66%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
43eb032fa36ff0b40420df7d5fa121910ec02ba7ba03581a5a7188939ddc24ee
GCleaner
80f4e35d825fcd2816deb95b0a2694203238b769cbf6267dcca8d10d6e1394c4
GCleaner
8c085bb6591e5d7b0846eda3d7758a1c882be7f5bfb35210c831dc52848c6fa9
GCleaner
9c8057521a53904ce86837434f6ca9075fea66d1c31914db6a6b49f68649191f
GCleaner
a5e79ae2f930e6ae8ba7057f14c5b96a7962c0720ddd040a655e59c8dae4b959
GCleaner
c5abf55b0591c96c64316cef1b7c5124f3b7ab3d05bc75ab80ae17c53d01dc72
GCleaner
d00184f7ae894b5bfd832771e9a920f9c399ba785e9a2f89382d499ec32e54a2
GCleaner
dab1943418275fa0a684702d291fa2fd693bebc19b99f7af9ad8dc3dd0a47cb5
GCleaner
e9da1da3a4fb2050b9b17f5dbb1dd5f334f22637fc8186052d152cc631839f9b
GCleaner
fb5d2b6d9ec1b9c07e64f6b9eb148099f0b43d58dc867102c02b16a9a9152022
GCleaner
+ 71 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/210524-4pbep9rqpa/
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a17bb3e305532ac8e6dd2785ae50cf5f18a3de6a9ea2a4b75ea841b66ba94509

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe a17bb3e305532ac8e6dd2785ae50cf5f18a3de6a9ea2a4b75ea841b66ba94509

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1247378/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/161261/

Comments