MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9bcef7a768d2b521697d3b28fe9eeb6d48df1a9ef92007d4bc33a5de7a5c557. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 12



SHA256 hash: a9bcef7a768d2b521697d3b28fe9eeb6d48df1a9ef92007d4bc33a5de7a5c557
SHA3-384 hash: 3894e2610937fcdf30ea7a0b6d2f18519149f2362cb453cfde6905b2b420221dd50b7c6d18dfe10fac41558ed1c7f36f
SHA1 hash: d6a1367819834c109c5d8ac6fe53d14a849ecee2
MD5 hash: fccbd65b610feefe5269d6f6811e1005
humanhash: alanine-thirteen-alabama-enemy
File name: fccbd65b610feefe5269d6f6811e1005
Signature: GCleaner
File size: 398'336 bytes
First seen: 2022-11-01 06:23:25 UTC
Last seen: 2022-11-01 08:18:41 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e369a4548b0ade94747bb92a0b0d2d15 (4 x Amadey, 2 x Smoke Loader, 2 x GCleaner)
ssdeep: 6144:xww/S5xnZkURqLFy8UapqobJkpYcItESdtkJrx7ITsq:xww/4xSUspNUsJkHItESdtK7
TLSH: T1F584E0D17990C032D45678748A37DFA0AABBBD62E9748D433778322D6E323C16676347
TrID:
  40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
  19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
  17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
  7.7% (.EXE) OS/2 Executable (generic) (2029/13)
  7.6% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: 42d4e8e8e0f0e822 (1 x GCleaner)
Reporter: zbetcheckin
Tags: 32 exe gcleaner

Intelligence


File Origin
# of uploads: 2
# of downloads: 301
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: fccbd65b610feefe5269d6f6811e1005
Verdict: No threats detected
Analysis date: 2022-11-01 06:26:28 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Creating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Creating a process with a hidden window
Launching a tool to kill processes
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm greyware lockbit
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Signature
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Nymaim
Behaviour
Behavior Graph:
Threat name:
Win32.Ransomware.StopCrypt
Status:
Malicious
First seen:
2022-11-01 06:24:08 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
Score:
  10/10
Tags:
family:nymaim trojan
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Deletes itself
NyMaim
Malware Config
C2 Extraction:
45.139.105.171
85.31.46.167
Unpacked files
SHA256 hash:
d4682fad13146ccfcb058f396ab660f767ee02e6a3fc30b8745c95a2b98c47e5
MD5 hash:
578f2af8fbbf35a8aa9680da3ace6084
SHA1 hash:
2b44ee8a9c4c4c9f10255692af11f4513a27ccc3
Detections:
win_nymaim_g0 Nymaim win_gcleaner_w0 win_gcleaner_auto
Parent samples :
SHA256 hash:
a9bcef7a768d2b521697d3b28fe9eeb6d48df1a9ef92007d4bc33a5de7a5c557
MD5 hash:
fccbd65b610feefe5269d6f6811e1005
SHA1 hash:
d6a1367819834c109c5d8ac6fe53d14a849ecee2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe a9bcef7a768d2b521697d3b28fe9eeb6d48df1a9ef92007d4bc33a5de7a5c557

(this sample)

Delivery method
Distributed via web download

Comments



zbet commented on 2022-11-01 06:23:36 UTC

url : hxxp://95.214.24.96/load.php?pub=mixfive/