MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a61814efa6a532d5e946f145a5452da57326e3b048a26afd9882237af674a7aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a61814efa6a532d5e946f145a5452da57326e3b048a26afd9882237af674a7aa
SHA3-384 hash: a07728dfc6e88e6e4cc34b0201fd54e38f4541a82d5f4d13f1eef6f1957bdb90cbfe35151297f0a3f4aaed82e2cff5f3
SHA1 hash: e0ea2e7aefb66eede5b814991ccc5b5de53b2093
MD5 hash: c64912bd0ad4592c67cdcbb1afba4d0f
humanhash: october-kitten-lithium-social
File name:c64912bd0ad4592c67cdcbb1afba4d0f.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:343'040 bytes
First seen:2022-07-09 06:44:24 UTC
Last seen:2022-07-09 07:43:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d1352e534403183ee67a752d94667cc4 (3 x Smoke Loader, 2 x RedLineStealer, 1 x GCleaner)
ssdeep 6144:uZo3eoMQKwX1lU3L4aa6j8Dmab4k6cigafwVf:uZToMHwQJ37A4k65
Threatray 10'008 similar samples on MalwareBazaar
TLSH T1F574D002BBA2DC70E8A12E30587197B51BB7FC621534960BF7B4771F2DB27806A75392
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b3f0e8686868e9bb (1 x GCleaner)
Reporter abuse_ch
Tags:exe gcleaner

Intelligence

File Origin
# of uploads :
2
# of downloads :
403
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Nymaim
Create hunting rule
Link:
https://www.capesandbox.com/analysis/285769/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.15556.28314.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending an HTTP GET request
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a tool to kill processes
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/24707/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/62c9242ca9394d64214cb22e/reports/f3a75dbb-5be2-4798-a9fd-a4db4d3cb43f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/af54a52c-b43a-4aff-a135-9c4bad1cea93
Result
Threat name:
Nymaim
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1027682
Signature
Machine Learning detection for sample
Yara detected Nymaim
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 660177 Sample: HH1l4m570n.exe Startdate: 09/07/2022 Architecture: WINDOWS Score: 52 39 Yara detected Nymaim 2->39 41 Machine Learning detection for sample 2->41 7 HH1l4m570n.exe 14 2->7         started        process3 dnsIp4 37 45.141.237.38, 49769, 80 SPECTRAIPSpectraIPBVNL Netherlands 7->37 10 WerFault.exe 9 7->10         started        13 WerFault.exe 9 7->13         started        15 WerFault.exe 9 7->15         started        17 7 other processes 7->17 process5 file6 23 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 10->23 dropped 25 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 13->25 dropped 27 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 15->27 dropped 29 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 17->29 dropped 31 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 17->31 dropped 33 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 17->33 dropped 35 3 other malicious files 17->35 dropped 19 conhost.exe 17->19         started        21 taskkill.exe 17->21         started        process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a61814efa6a532d5e946f145a5452da57326e3b048a26afd9882237af674a7aa/
Threat name:
Win32.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2022-07-09 06:45:07 UTC
File Type:
PE (Exe)
Extracted files:
54
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uymbj35guuznl2kg6fc2krjnuvzsny5qjcrgv7myqirxv5tuu6va._file
Verdict:
malicious
Similar samples:
18611dcae62b67c4c20668fc9c2a68951771ab8f98106324a0ad00bc3a0fc88a
GCleaner
1d7adfdf90ca831a45425d3efd6ce639f2fece4f48f5b0a55d7fc5a645b9acc4
GCleaner
81a110de18613503c0f3075da56cdbe363091cebcd8c52423ac1d63aa791bb22
GCleaner
b20b5b83ae80ff7ef35cbd639a5f9aba16dfcb7064a853dd66ff1d2e9c617991
GCleaner
ba190bed2c9d862bae6ff089259090d300df3a253d1094314cc679af8ad890b2
GCleaner
bbc5780d11e999375d901fa9ebd8c3b4c9b3eff78513aa20774000ebd84e5b1c
GCleaner
cbe35192c04f83d4d3b179a8c229047ade740aac3785e198cd0fdb00c2bf91e5
GCleaner
+ 9'998 additional samples on MalwareBazaar
Result
Malware family:
nymaim
Create hunting rule
Score:
  10/10
Tags:
family:nymaim trojan
Link:
https://tria.ge/reports/220709-hh292aceel/
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Deletes itself
NyMaim
Malware Config
C2 Extraction:
45.141.237.3
31.210.20.149
212.192.241.16
Unpacked files
SH256 hash:
24fb26cf1a1694c045a8bd48b86b2cc026b00960d0aa022670bca7e718313d85
MD5 hash:
5a89f9889d5ce2eecebf296c97b7dcd0
SHA1 hash:
51a8fb4460799abd78a6f350a1dcc126514063bf
Detections:
win_nymaim_g0
Create hunting rule
Link:
https://www.unpac.me/results/550fdc08-c42d-4d88-a36b-301c99599a2f/
Parent samples :
3a63d841127db00b33801e3adea64957fed311ed975c859b94268ae0691753f9
18611dcae62b67c4c20668fc9c2a68951771ab8f98106324a0ad00bc3a0fc88a
1d7adfdf90ca831a45425d3efd6ce639f2fece4f48f5b0a55d7fc5a645b9acc4
e1db3adcc4c401e8c97ac2e611646ab215343319b265c86346dff8b4e2bf905d
afb05f48bbae2b98bac394587d1352b9e5569e930d695230b21b73669be9c535
92af5f6f914082eaa1235c9ad0a2826db0beead07c3b25795829f7da90f83d59
371592f94e67f272e53786a8643058131f7d48edea6c709b6a7c4731ec6d2839
ba190bed2c9d862bae6ff089259090d300df3a253d1094314cc679af8ad890b2
bbc5780d11e999375d901fa9ebd8c3b4c9b3eff78513aa20774000ebd84e5b1c
a61814efa6a532d5e946f145a5452da57326e3b048a26afd9882237af674a7aa
b0b7af84e61ce5805ad317b113981aee691d96cbca0970a4db6d7777f4706b58
6f5943433e4cd2d3a1021f376334be10b3dd81757a5f30e928e12f5dc8cf154a
ebef7dcb2d186e10e2ab8da7c5eb75da1461ed684bf90c3abd54afa27ef79874
168db9afbe5c293f3ec6cabb476242e81add823382a5879ab78ecf7af6035f2a
1b0978a0a98bd88a39ecf38e36ed18b3d96a1db98eec62f7e5257e2bf7a4a153
ca0d985323d0497a5261faefad130b084d1084c28f748d964f1e5d4aaaf351d7
SH256 hash:
a61814efa6a532d5e946f145a5452da57326e3b048a26afd9882237af674a7aa
MD5 hash:
c64912bd0ad4592c67cdcbb1afba4d0f
SHA1 hash:
e0ea2e7aefb66eede5b814991ccc5b5de53b2093
Link:
https://www.unpac.me/results/550fdc08-c42d-4d88-a36b-301c99599a2f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a61814efa6a532d5e946f145a5452da57326e3b048a26afd9882237af674a7aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:win_gcleaner_de41
Create hunting rule
Author:Johannes Bader
Description:detects GCleaner

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe a61814efa6a532d5e946f145a5452da57326e3b048a26afd9882237af674a7aa

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/285769/
  
URLhaus
https://urlhaus.abuse.ch/url/2212368/
  
Delivery method
Distributed via web download

Comments