MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 b024a39550e5668bff7fe4d1cacb83c770c7b21d1b5a52bf81acb847c7414031. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
GCleaner
Vendor detections: 14
| SHA256 hash: | b024a39550e5668bff7fe4d1cacb83c770c7b21d1b5a52bf81acb847c7414031 |
|---|---|
| SHA3-384 hash: | 13a5e99013d42f5430230ef364def88058225e9498402222af82e742f20a6079e2806224d13fe56702eee612fc0c5291 |
| SHA1 hash: | 51ecf6fc4f4e13f1a7634ae2e09b0ef3549a5be1 |
| MD5 hash: | 5c82f9d43748af8b52b4d11ea71cb323 |
| humanhash: | wyoming-virginia-purple-charlie |
| File name: | 5c82f9d43748af8b52b4d11ea71cb323 |
| Download: | download sample |
| Signature | GCleaner |
| File size: | 276'992 bytes |
| First seen: | 2023-03-08 15:46:49 UTC |
| Last seen: | 2023-03-08 17:30:59 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 4f4daab76687771b70451dd07468ed63 (5 x RedLineStealer, 3 x GCleaner, 1 x Smoke Loader) |
| ssdeep | 6144:Bpr91XKOC5bWr/gvbh4XcqXft+hCmaX/uqt:BTxjC5bIIvbeVvtAZuG |
| Threatray | 6'853 similar samples on MalwareBazaar |
| TLSH | T18C44BF02A3E0AC25E6364A315E3AF2F4363FFD629D6BE7D922142B1B09711E1C563752 |
| TrID | 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1) |
| File icon (PE): |  |
| dhash icon | d2c8e8e8f8f8f4ec (1 x GCleaner) |
| Reporter |  zbetcheckin |
| Tags: | 32 exe gcleaner |
Intelligence
File Origin
# of uploads :
2
# of downloads :
234
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5c82f9d43748af8b52b4d11ea71cb323
Verdict:
Suspicious activity
Analysis date:
2023-03-08 15:51:35 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Nymaim
Result
Verdict:
Malware
Maliciousness:
Behaviour
Searching for synchronization primitives
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Creating a process with a hidden window
Launching a tool to kill processes
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
greyware packed ransomx ursnif
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Verdict:
Malicious
Result
Threat name:
Nymaim
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Nymaim
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.SmokeLoader
Status:
Malicious
First seen:
2023-03-08 15:47:05 UTC
File Type:
PE (Exe)
Extracted files:
30
AV detection:
18 of 24 (75.00%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Similar samples:
+ 6'843 additional samples on MalwareBazaar
Result
Malware family:
gcleaner
Score:
10/10
Tags:
family:gcleaner loader
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Deletes itself
GCleaner
Malware Config
C2 Extraction:
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
45.12.253.72
45.12.253.98
45.12.253.75
Unpacked files
SH256 hash:
4f0320b2cc44e44e4bc10710f15e20c53e7f3c01184bc3a6bc62fc7882153570
MD5 hash:
b758ebc7ede72055b15eead42e55bc11
SHA1 hash:
6a4ac216a9ea3cf73f23a0f75aed37b9dbfcb8e8
Detections:
Nymaim
win_nymaim_g0
win_gcleaner_w0
win_gcleaner_auto
Parent samples :
5129b994ac50a91ca300198f43ded159d98273ec141570aa8d7f5c7f0a91c017
d7a93a4b3e833c1e29a849d81a268acea5c24758671a7279deea89272a5786eb
ce93917c271af51a27103f649134b19d04d5f42969459a0130d500f13cb1c98c
110e47aaeaea6592c8976ca151de6c0239befb9f77e8be152f53de18d72c55b8
fb861a782af83e33211b8f76e715076528e753326056257e15c33463073b5a2b
cdb88cddfd3e81c0f435aec27a8433729a3df4bb309d82ddec2d020a6f447ab9
1f7238c076998aac38498baeb7cb89b7ba5cf01f645388d71b6a55687f8419af
64808008f7ef24db29276293022cdf9366bd17153634f505b453154677d4f0df
871cd84eca691a97cdccca5fd3676e935ae7c2aab360b8b2be1ca631b67320d3
0db3bb2a4c4547e3cae58e0225fdd0cadadb3fc3bd70e5a418d1002d2b486605
1ef8dd1b6c059bbf50984bc00eeb54c8b2a05db6dd52b560605292da412bd6f9
e5b7cdaeae094252fe53692478b4008228e7156feb7809b3ddd4a2591885587a
183980cbe08b23d76cf678d3587ccfba2981c0e7ec2994fba29b95955ec2c11e
c512928ddb1233b5da918e61aa7faf46058a3c3e1e321eea1d03f7047935d828
ea0a69fb6f1d0394dc98405912e438f7206f9996d0d2ef3c00a9fb6fe5846919
dfd64c49a09e7f26984832c12d18a1f0f46360817af1ed74027e403822ae4d66
ef74358d363b6f70c9e7e35f34bf4d8c9feeca657c9497b39ef3fb439283704a
04d92877f99c177d348c2c51173303ab27b02989a23c5377105a33394730dfb0
8477758adafcbd2f292d6a1cf38b8a61e3606eea86e9930d1e347353e26f142b
623399af649200a0e92da55f00fe0a5e61ec2a665a1b6c289add61cc74ab2c11
94551b68fcb65d49a5d1d29a0dba5ec3f2e98252fef337a4fba2416ecb8cea76
bf1da988e71f4e6b5aa9ad169d1637ac47ac43b548fdb1173733922d620572c5
8618199e5b16a6850103f128f1be7a088464842039012a3b26d27fb7a7b69bc2
6f09a1d30715544623eab7c311813fab28fe4b31068960263ccd7ff5812edb14
9654564e437afa4a9cfb133343e379c8c3c69f53f5b81f4cf2425c9cb9a487f4
8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e
b4a0890b7b896b28d86af7c066ce54f9a9f51e17fc7e78349a1ceee92114f522
4fbb67c0ef74f07ac1b31dba5d136938735bbd00544d27b4931a4a79e12f1f5f
5e0687c0c3822213bb9710c1499e6b57d87bbe12285dbf059fbb4750294c070f
15e8fbd7bf5a5f967c87deaeff5389b9409bdc51a0d75c55d765b2e1b99d9ba0
b58e7960e34921d61b87169ed3465b816145d06f04ab42723688bf12e3201faa
b024a39550e5668bff7fe4d1cacb83c770c7b21d1b5a52bf81acb847c7414031
485cadde1de44b50c205f7019b7f63222af1e779b9a14b9363bd811d6933f80c
42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282
65e20e0a32a80a16df59c15013463c1e5b53d46058f318d3b0902ce1adb1176f
d7a93a4b3e833c1e29a849d81a268acea5c24758671a7279deea89272a5786eb
ce93917c271af51a27103f649134b19d04d5f42969459a0130d500f13cb1c98c
110e47aaeaea6592c8976ca151de6c0239befb9f77e8be152f53de18d72c55b8
fb861a782af83e33211b8f76e715076528e753326056257e15c33463073b5a2b
cdb88cddfd3e81c0f435aec27a8433729a3df4bb309d82ddec2d020a6f447ab9
1f7238c076998aac38498baeb7cb89b7ba5cf01f645388d71b6a55687f8419af
64808008f7ef24db29276293022cdf9366bd17153634f505b453154677d4f0df
871cd84eca691a97cdccca5fd3676e935ae7c2aab360b8b2be1ca631b67320d3
0db3bb2a4c4547e3cae58e0225fdd0cadadb3fc3bd70e5a418d1002d2b486605
1ef8dd1b6c059bbf50984bc00eeb54c8b2a05db6dd52b560605292da412bd6f9
e5b7cdaeae094252fe53692478b4008228e7156feb7809b3ddd4a2591885587a
183980cbe08b23d76cf678d3587ccfba2981c0e7ec2994fba29b95955ec2c11e
c512928ddb1233b5da918e61aa7faf46058a3c3e1e321eea1d03f7047935d828
ea0a69fb6f1d0394dc98405912e438f7206f9996d0d2ef3c00a9fb6fe5846919
dfd64c49a09e7f26984832c12d18a1f0f46360817af1ed74027e403822ae4d66
ef74358d363b6f70c9e7e35f34bf4d8c9feeca657c9497b39ef3fb439283704a
04d92877f99c177d348c2c51173303ab27b02989a23c5377105a33394730dfb0
8477758adafcbd2f292d6a1cf38b8a61e3606eea86e9930d1e347353e26f142b
623399af649200a0e92da55f00fe0a5e61ec2a665a1b6c289add61cc74ab2c11
94551b68fcb65d49a5d1d29a0dba5ec3f2e98252fef337a4fba2416ecb8cea76
bf1da988e71f4e6b5aa9ad169d1637ac47ac43b548fdb1173733922d620572c5
8618199e5b16a6850103f128f1be7a088464842039012a3b26d27fb7a7b69bc2
6f09a1d30715544623eab7c311813fab28fe4b31068960263ccd7ff5812edb14
9654564e437afa4a9cfb133343e379c8c3c69f53f5b81f4cf2425c9cb9a487f4
8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e
b4a0890b7b896b28d86af7c066ce54f9a9f51e17fc7e78349a1ceee92114f522
4fbb67c0ef74f07ac1b31dba5d136938735bbd00544d27b4931a4a79e12f1f5f
5e0687c0c3822213bb9710c1499e6b57d87bbe12285dbf059fbb4750294c070f
15e8fbd7bf5a5f967c87deaeff5389b9409bdc51a0d75c55d765b2e1b99d9ba0
b58e7960e34921d61b87169ed3465b816145d06f04ab42723688bf12e3201faa
b024a39550e5668bff7fe4d1cacb83c770c7b21d1b5a52bf81acb847c7414031
485cadde1de44b50c205f7019b7f63222af1e779b9a14b9363bd811d6933f80c
42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282
65e20e0a32a80a16df59c15013463c1e5b53d46058f318d3b0902ce1adb1176f
SH256 hash:
b024a39550e5668bff7fe4d1cacb83c770c7b21d1b5a52bf81acb847c7414031
MD5 hash:
5c82f9d43748af8b52b4d11ea71cb323
SHA1 hash:
51ecf6fc4f4e13f1a7634ae2e09b0ef3549a5be1
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | reverse_http |
|---|---|
| Author: | CD_R0M_ |
| Description: | Identify strings with http reversed (ptth) |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.url : hxxp://45.12.253.74/pineapple.php?pub=mixfive/