MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aba7585008a92523b09b28c94fdd8fb7afc39b5b466efac8ca5f7f2b520bbedd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aba7585008a92523b09b28c94fdd8fb7afc39b5b466efac8ca5f7f2b520bbedd
SHA3-384 hash: ef7b6f4c86f7908b4b5cab4f04a8a57b8b9f729dee92e29467957cabc0eb557380fd2b2a0f2ab10525cfe2e1d5d82c77
SHA1 hash: 419136b5d0e372eed1993e84fc3bf4baae135182
MD5 hash: 9fcffe2ca3531d1066c9c5aa12221d91
humanhash: oklahoma-hydrogen-queen-xray
File name:Soft.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:5'430'048 bytes
First seen:2025-07-10 11:39:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e66b10da276c8bc56c38837de7cf91ca (1 x GCleaner)
ssdeep 49152:iBnbw8yBeEdd7uN5oQ5sTOT7EHXVLKKYpvm9v6Eu8i71:i9bwBnyP8TCWLKK8B
TLSH T14A46E02E73519832E832863DBF9FA29C6C25F8C00C2FD85976943F492A775427D271A7
TrID 52.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
16.8% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
7.5% (.EXE) OS/2 Executable (generic) (2029/13)
7.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter aachum
Tags:exe gcleaner


Avatar
iamaachum
https://file-download.eu/kmspico/ => https://mega.nz/folder/GEkRCKaT#f93dJ6myfe3fENhDS4wqxQ

GCleaner C2: 176.46.157.48

Intelligence

File Origin
# of uploads :
1
# of downloads :
28
Origin country :
CZ CZ
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Soft.exe
Verdict:
Malicious activity
Analysis date:
2025-07-10 12:03:14 UTC
Tags:
delphi gcleaner loader
Link:
https://app.any.run/tasks/06437039-2123-49ba-bdc4-316b6e5af58a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/13781/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=686fa672900df8e7f8694aa6
Tags:
delphi emotet cobalt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a recently created process by context flags manipulation
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context borland_delphi fingerprint invalid-signature keylogger obfuscated signed
Link:
https://www.filescan.io/uploads/686fa67e61f15fb42a3825c6/reports/a6bc1524-8dc6-468a-ad29-7a04799df881/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/aba7585008a92523b09b28c94fdd8fb7afc39b5b466efac8ca5f7f2b520bbedd
Gathering data
Result
Threat name:
CryptOne, LummaC Stealer, Socks5Systemz,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1732733
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates / moves files in alternative data streams (ADS)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries Google from non browser process on port 80
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Sigma detected: Powershell launch regsvr32
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected LummaC Stealer
Yara detected Socks5Systemz
Yara detected Tofsee
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1732733 Sample: Soft.exe Startdate: 10/07/2025 Architecture: WINDOWS Score: 100 112 urarfx.xyz 2->112 114 nbcsfar.xyz 2->114 116 17 other IPs or domains 2->116 132 Suricata IDS alerts for network traffic 2->132 134 Found malware configuration 2->134 136 Malicious sample detected (through community Yara rule) 2->136 140 18 other signatures 2->140 14 Soft.exe 2 2->14         started        18 regsvr32.exe 2->18         started        signatures3 138 Performs DNS queries to domains with low reputation 114->138 process4 file5 98 C:\Users\user\AppData\...\svchost015.exe, PE32 14->98 dropped 100 C:\Users\user\AppData\Local\...\svc24FF.tmp, PE32 14->100 dropped 164 Writes to foreign memory regions 14->164 166 Found hidden mapped module (file has been removed from disk) 14->166 168 Maps a DLL or memory area into another process 14->168 20 svchost015.exe 27 14->20         started        24 regsvr32.exe 18->24         started        signatures6 process7 dnsIp8 124 drive.usercontent.google.com 192.178.218.132, 443, 49695 GOOGLEUS United States 20->124 126 176.46.157.48, 49696, 49697, 49702 ESTPAKEE Iran (ISLAMIC Republic Of) 20->126 80 C:\Users\user\AppData\...\MIlS8gwmLqQ3Q.exe, PE32 20->80 dropped 82 C:\Users\user\AppData\...\bbeQzu9iw7j.exe, PE32 20->82 dropped 84 C:\Users\user\AppData\...\DvzyZ5Es1s.exe, PE32 20->84 dropped 86 3 other malicious files 20->86 dropped 27 MIlS8gwmLqQ3Q.exe 2 20->27         started        30 bbeQzu9iw7j.exe 2 20->30         started        33 DvzyZ5Es1s.exe 20->33         started        152 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 24->152 file9 signatures10 process11 dnsIp12 94 C:\Users\user\AppData\...\MIlS8gwmLqQ3Q.tmp, PE32 27->94 dropped 36 MIlS8gwmLqQ3Q.tmp 18 19 27->36         started        96 C:\Users\user\AppData\...\bbeQzu9iw7j.tmp, PE32 30->96 dropped 154 Found many strings related to Crypto-Wallets (likely being stolen) 30->154 39 bbeQzu9iw7j.tmp 6 30->39         started        110 urarfx.xyz 144.172.115.212, 443, 49699, 49700 QUICKPACKETUS United States 33->110 156 Multi AV Scanner detection for dropped file 33->156 158 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 33->158 160 Query firmware table information (likely to detect VMs) 33->160 162 3 other signatures 33->162 file13 signatures14 process15 file16 66 C:\Users\user\...\xmldriveimage681.exe, PE32 36->66 dropped 68 C:\Users\user\AppData\...\unins000.exe (copy), PE32 36->68 dropped 70 C:\Users\user\AppData\Local\...\is-GGKG9.tmp, PE32 36->70 dropped 78 21 other malicious files 36->78 dropped 41 xmldriveimage681.exe 1 19 36->41         started        72 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 39->72 dropped 74 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 39->74 dropped 76 C:\Users\user\AppData\Local\...\_RegDLL.tmp, PE32 39->76 dropped 45 bbeQzu9iw7j.exe 2 39->45         started        process17 dnsIp18 128 66.63.187.153, 443, 50154, 50198 ASN-QUADRANET-GLOBALUS United States 41->128 130 89.105.201.183, 2024, 50229, 50330 NOVOSERVE-ASNL Netherlands 41->130 88 C:\ProgramData\XMLDriveImage\sqlite3.dll, PE32 41->88 dropped 90 C:\ProgramData\...\XMLDriveImage.exe, PE32 41->90 dropped 92 C:\Users\user\AppData\...\bbeQzu9iw7j.tmp, PE32 45->92 dropped 47 bbeQzu9iw7j.tmp 6 45->47         started        file19 process20 file21 102 C:\Users\user\AppData\Local\is-MSA10.tmp, PE32 47->102 dropped 104 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 47->104 dropped 106 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 47->106 dropped 108 2 other malicious files 47->108 dropped 50 regsvr32.exe 47->50         started        process22 dnsIp23 118 80.66.75.11, 484, 49709, 49717 RISS-ASRU Russian Federation 50->118 120 80.66.75.39, 428, 49710, 49718 RISS-ASRU Russian Federation 50->120 122 10 other IPs or domains 50->122 64 C:\Users\user:.repos, data 50->64 dropped 142 System process connects to network (likely due to code injection or exploit) 50->142 144 Suspicious powershell command line found 50->144 146 Creates / moves files in alternative data streams (ADS) 50->146 148 Found strings related to Crypto-Mining 50->148 55 powershell.exe 50->55         started        58 powershell.exe 50->58         started        file24 signatures25 process26 signatures27 150 Loading BitLocker PowerShell Module 55->150 60 conhost.exe 55->60         started        62 conhost.exe 58->62         started        process28
Score:
75%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/aba7585008a92523b09b28c94fdd8fb7afc39b5b466efac8ca5f7f2b520bbedd
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/9fcffe2ca3531d1066c9c5aa12221d91
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aba7585008a92523b09b28c94fdd8fb7afc39b5b466efac8ca5f7f2b520bbedd/
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-07-10 02:22:28 UTC
File Type:
PE (Exe)
Extracted files:
38
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=votvquaivesshme3fdeu7xmpw6x4hg23izxpvsgkl57swuqlx3oq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/250710-nsd8vattfx/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6b7bcad8-5f38-4561-b7a5-037b050019a9
Unpacked files
SH256 hash:
aba7585008a92523b09b28c94fdd8fb7afc39b5b466efac8ca5f7f2b520bbedd
MD5 hash:
9fcffe2ca3531d1066c9c5aa12221d91
SHA1 hash:
419136b5d0e372eed1993e84fc3bf4baae135182
Link:
https://www.unpac.me/results/77fc9460-451e-4fe0-a6b3-341aa56b5448/
SH256 hash:
5a5ed78e04c7ad144a4580c19e9743d252b4a25e84ba7e6c4c43fc459c956a9a
MD5 hash:
8aadb7e2a4e0128b357b6e90d924d128
SHA1 hash:
cfc4678d82f0e4b0cebd1fb0b01f479dc25134d5
Detections:
GCleaner
Create hunting rule
Link:
https://www.unpac.me/results/77fc9460-451e-4fe0-a6b3-341aa56b5448/
Parent samples :
2046f265e025776e7199a9e576be5ed49483841f5203c3e3eeb79d0a24f73920
384cdb291c4006761018b84c0c02f37afbfa0b51c6bf0220639abc91f74009b1
768f9ecc19a84b15234ead8058f24a9c8a337430312eab9ecbbcbfa8ab69d0f3
aba7585008a92523b09b28c94fdd8fb7afc39b5b466efac8ca5f7f2b520bbedd
ca4a5fcd9eff405f9f8037e89e1a72914eda7129e5aa9476283021c03c56500c
c5e135c050b4ecbc73acae15b6dbbfaf5157e60fe62c96913b4c56df77ae4feb
dd717fcb7d845a4bb7e0380a9df665219b9b2de29ca8a12600c52f831069f1b3
c582323df2a900ae3b0b1860ff768aa5e90f3e595b33aecb57040b130a65e632
e65f22bbb7a32f6fd436eb0ea6de0c000542ffd6785a983d8f0594b791331994
70cc21383260ea0cb520627324853ae7665cb4b8f6462c5a96e07375a2c26317
3c4cd60b0bcf381bfdeae2397ae2011016d1d389df0cb524d5e12ac9aea5e71b
408ef63acd027f6ba843e30d00d51e506d714804ee842a83f4f31a4b5d7aa7d9
f62ad9ecb4facb02dead75e27e29db58519b6805f49278852d02298b55e59cf5
758e36455c17152210a6ae8001e3b9d7680159440e0e6ae702b9302ec2160d50
a91a863821ef21472adfeeed5e90eebf3fe5e559f257f7d37de401c2a0553485
8b2d9358a329089c3bd96cce97b91e9b8a4d900abd0aaa8e55c3c0466e930c88
9653fb267376aa1495996d935a8bb8b6d73b46aa372d814bfb3c91ba0ebbf7f3
e41b1aa6ff791b7611638851db2ba42c47a125a81b5c74d10354f4f87d4e8770
4fb3fb9750c68de93bee10692827f5630635ef39ed13a86dba52b9cd1e02280d
05664da4d3ea8b39b6183a1112e67f46a8715536faa0a9469bc2659f4ef16289
d3a77d8bcd9963d30fd3e51acee6654e3ccbf2b2b81fbe47e97b9b9068c76f06
1a757566caa5edd32fd5c190b9e8da7d7abf3398b9a3ceddd365a95886434767
53afe13ca6d157bec8b1cc467764abd1194fb3bbd06c0a67a2ee5f560b63d1a4
82bf3e8991a22f67e5cf9b7340eb3c1fa5456c9d9a9e27fdc107c46572713897
512b629f01ce1668bcc60ea305e93fb264cf2b7f2f87bb3aafef29beeb604cce
cc261502042db67adb917ce03321ee47277cfbc1712b770c6b71c035b89793cb
477df2a52197bd71524c4ccf192ce2d2afb8b4b3d8e33f8efa418910342f30e7
a53952ad1b88e5d6b4fc14f09e4ccd0f2ce4be72df7c5693abd8cdad953a4871
5dfcdc1c491fbf2f7f2fbac6bbf27b84be652583b66b252c46e8ed86577c3c60
SH256 hash:
0a0b083cc0e62db594b7be21088202c7fe0970d609b2847085d0bf2be8e54a5c
MD5 hash:
4ce3ce196eda86d92b68362b6269b618
SHA1 hash:
fd42ee0aca0315acac25c297f1ce33634c549559
Link:
https://www.unpac.me/results/77fc9460-451e-4fe0-a6b3-341aa56b5448/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/aba7585008a92523b09b28c94fdd8fb7afc39b5b466efac8ca5f7f2b520bbedd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe 8a5850bb9793850879c2d4c5c040e120f404032161cf37d21ff5305601bf0b8c

GCleaner

Executable exe aba7585008a92523b09b28c94fdd8fb7afc39b5b466efac8ca5f7f2b520bbedd

(this sample)

  
Link
https://tria.ge/250710-nnbxxs1qv7/behavioral1
  
Dropped by
SHA256 8a5850bb9793850879c2d4c5c040e120f404032161cf37d21ff5305601bf0b8c
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/13781/
  
Dropped by
MD5 1c6eb8a6f72ccb74a5b07658b2273fc2

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::DeleteFileA
kernel32.dll::FindFirstFileA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_BASE_USER_APIRetrieves Account Informationkernel32.dll::GetComputerNameA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments