MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae4eed42944be196258440fbc1b71953459c7f8c2169fb3606edc69d26a149f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 14


Intelligence 14 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae4eed42944be196258440fbc1b71953459c7f8c2169fb3606edc69d26a149f4
SHA3-384 hash: 0d40ae6fd8d6353df559c081048d0c706cf3cc4262f0b862533b8b8c07d682ad1deabeddb0f81e49a1d3afec244ded6a
SHA1 hash: 211b5be519d5a6bf92176f3e22e2e35742663cfd
MD5 hash: 8a0cab4e3230e9c1ad2042aeba09c22e
humanhash: uniform-chicken-pip-mike
File name:8a0cab4e3230e9c1ad2042aeba09c22e
Download: download sample
Signature GCleaner
Create hunting rule
File size:4'817'920 bytes
First seen:2026-01-19 15:04:44 UTC
Last seen:2026-01-26 08:37:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c2ffa2849c00e7786f87f4780dd60e8d (18 x GCleaner)
ssdeep 98304:DNaDD+FcUliaxL02UKScY9b7A30GbHu8JHGl1ZOKCVpSbyhlw9Eec9HDZq3KAgBD:DNaX+eUs12UKRY9b7G0GS8JHoZOKCVpp
Threatray 424 similar samples on MalwareBazaar
TLSH T1B726E0CAFE40413BC736A97C18569D2C84FE7A052924B84CD7D859CF1EF26F7192B622
TrID 96.1% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
2.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
0.6% (.EXE) Win32 Executable (generic) (4504/4/1)
0.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
0.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter adrian__luca
Tags:exe gcleaner

Intelligence

File Origin
# of uploads :
2
# of downloads :
82
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Malware family:
vidar
Create hunting rule
ID:
1
File name:
_ae4eed42944be196258440fbc1b71953459c7f8c2169fb3606edc69d26a149f4.exe
Verdict:
Malicious activity
Analysis date:
2026-01-19 15:40:09 UTC
Tags:
auto generic gcleaner loader inno installer stealc stealer delphi vidar evasion qrcode golang xor-url stego payload ta558 apt stegocampaign reverseloader auto-reg upx pastebin donutloader
Link:
https://app.any.run/tasks/1127b266-3e23-4ff8-98ee-b9aa91381673

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/49379/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=696e4937bcad3327ec067111
Tags:
delphi virus zusy
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-debug borland_delphi fingerprint installer-heuristic keylogger packed
Link:
https://www.filescan.io/uploads/696e490b55805a763fe8d7f0/reports/fe00f8a7-6435-422c-ac25-cc838abd73b3/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/ae4eed42944be196258440fbc1b71953459c7f8c2169fb3606edc69d26a149f4
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-19T05:43:00Z UTC
Last seen:
2026-01-19T06:16:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Win32.Injuke.gen Trojan.Win32.Qshell.sb Trojan.Win32.Inject.sb Trojan.Win32.Delf.sb
Link:
https://opentip.kaspersky.com/ae4eed42944be196258440fbc1b71953459c7f8c2169fb3606edc69d26a149f4/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/3d26e16a-5dde-49bb-9569-a833903b49aa
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ae4eed42944be196258440fbc1b71953459c7f8c2169fb3606edc69d26a149f4
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/8a0cab4e3230e9c1ad2042aeba09c22e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ae4eed42944be196258440fbc1b71953459c7f8c2169fb3606edc69d26a149f4/
Verdict:
Malicious
Threat:
Family.GCLEANER
Link:
https://tip.neiki.dev/file/ae4eed42944be196258440fbc1b71953459c7f8c2169fb3606edc69d26a149f4
Threat name:
Win32.Trojan.GCleaner
Create hunting rule
Status:
Malicious
First seen:
2026-01-19 15:09:39 UTC
File Type:
PE (Exe)
Extracted files:
54
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vzho2quujpqzmjmeid54dnyzknczy74mefu7wnqg5xdj2jvbjh2a._file
Verdict:
malicious
Label(s):
gcleaner
Create hunting rule
Similar samples:
1a38918a094b23b6f21269eef556533dd31c1e3139da3c1da985bb35d40a33a6
GCleaner
44e956e20e767066f5f27479436996b2f91c131c19bacd6623a72ce1ba7a6358
GCleaner
4f43a343277a31f9c477d5b47adda8ae55ae8f00c42c5e2b1b769fc559722747
GCleaner
5cd1fc9ee873f1f3d65640f0b67fa8d251d35634a29ce21853e9130d1016e205
GCleaner
9eaa406ec5b5abefb96a285724af519f7ee7c3241b75e67acee2eaa9b7a40daf
GCleaner
a95f207caf93b3447cc7d612fffeca504c71ed8945975b939422115cea301fc5
GCleaner
b357ace9d2161166465c831da5ef856bc36de458338b78944426ac7f5e8ffb1d
GCleaner
d0b44329fec0f42c9e45e7374bb90ca7349d83f62d0bd8304a1b42a5c6cd6298
GCleaner
+ 414 additional samples on MalwareBazaar
Result
Malware family:
gcleaner
Create hunting rule
Score:
  10/10
Tags:
family:gcleaner discovery loader
Link:
https://tria.ge/reports/260119-shya7aez9a/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
GCleaner
Gcleaner family
Malware Config
C2 Extraction:
185.156.73.98
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/531a274a-d33a-45c7-9a25-ef2d7c115e16
Unpacked files
SH256 hash:
ae4eed42944be196258440fbc1b71953459c7f8c2169fb3606edc69d26a149f4
MD5 hash:
8a0cab4e3230e9c1ad2042aeba09c22e
SHA1 hash:
211b5be519d5a6bf92176f3e22e2e35742663cfd
Link:
https://www.unpac.me/results/5aee1a53-6798-44df-b91b-4aef5cde9444/
SH256 hash:
257aeac7e82717eec30f13677bd533131adee3c8d915a8fe87f7ae8df1f09ca6
MD5 hash:
763f115998661764571cbc1e0774bf37
SHA1 hash:
09bfc7ae04ce7038c60680ba536f7d7701ba9b72
Link:
https://www.unpac.me/results/5aee1a53-6798-44df-b91b-4aef5cde9444/
SH256 hash:
d3d3224b50e7ff955cba76e05f5058471add627c6f15658420146040192b3e1b
MD5 hash:
61f30fea94c55ee3199526448a73e58f
SHA1 hash:
71c175173df87bda7ffc77b2208b28f04bbdc628
Link:
https://www.unpac.me/results/5aee1a53-6798-44df-b91b-4aef5cde9444/
Malware family:
GCleaner
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ae4eed42944b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GCleaner

Executable exe ae4eed42944be196258440fbc1b71953459c7f8c2169fb3606edc69d26a149f4

(this sample)

  
Delivery method
Distributed via e-mail attachment
  
URLhaus
https://urlhaus.abuse.ch/url/3743700/
Cape
Cape
https://www.capesandbox.com/analysis/49379/

Comments