MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b20b5b83ae80ff7ef35cbd639a5f9aba16dfcb7064a853dd66ff1d2e9c617991. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b20b5b83ae80ff7ef35cbd639a5f9aba16dfcb7064a853dd66ff1d2e9c617991
SHA3-384 hash: d44d738b9af1d8ae5036d254d4bbcc1ac1d032debf19a2893226281ae5f31c78fbbbc094b966e7749af76c0196e31718
SHA1 hash: d8899443e669dce3b015f58057609fe661296605
MD5 hash: e8999d3f35274af416aa7f021733b4d9
humanhash: solar-mountain-december-salami
File name:e8999d3f35274af416aa7f021733b4d9.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:319'488 bytes
First seen:2022-06-11 12:36:34 UTC
Last seen:2022-06-11 13:48:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 54de43968b5ee05e48d8c2a1f6c0d56f (1 x Nymaim, 1 x GCleaner)
ssdeep 6144:bj+YXBOVJjg/kM+BNnDCOf/HVJABw7y52kbaC:b3ROrjgcRDDHzABD52Qa
TLSH T17D64E1227BE2CD72DCA768305CB1DD261BFB64505134568B77F813399FA1A805EB83CA
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f8ece4e4e4e4f4b0 (1 x GCleaner)
Reporter abuse_ch
Tags:exe gcleaner

Intelligence

File Origin
# of uploads :
2
# of downloads :
303
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
e8999d3f35274af416aa7f021733b4d9.exe
Verdict:
Malicious activity
Analysis date:
2022-06-11 12:38:58 UTC
Tags:
loader evasion trojan opendir rat redline
Link:
https://app.any.run/tasks/10e30c8d-a107-4e89-b1fb-6972e5489554

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Nymaim
Create hunting rule
Link:
https://www.capesandbox.com/analysis/278908/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.30337.7905.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/20659/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypter greyware lockbit packed ransomware virus
Link:
https://www.filescan.io/uploads/62a48cab8763ffd4adb36ede/reports/4fc670f1-1d12-4186-b285-d56899a2de26/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d08d53b8-2f88-417c-8619-6c08215e8232
Result
Threat name:
Nymaim
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1011333
Signature
Antivirus detection for URL or domain
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Nymaim
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b20b5b83ae80ff7ef35cbd639a5f9aba16dfcb7064a853dd66ff1d2e9c617991/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-06-11 10:51:27 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
22 of 41 (53.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wifvxa5oqd7x5424xvrzux42xiln7s3qmsufhxlg74os5hdbpgiq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220611-ptgwssafb9/
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Deletes itself
Unpacked files
SH256 hash:
a0b348ae08664e5ccc0f3596020aecc5cc779c56b1db07f726a163a152cd9457
MD5 hash:
0eea16edb874efb6cbbf2d1dc71c6480
SHA1 hash:
c948bd3f07e1785a160d272c533d2d11fe79cf7c
Link:
https://www.unpac.me/results/544d9018-4fdc-4924-ba22-1ceb770f509a/
Parent samples :
b14fb1b11ccf9793912a1bbda9a027c01c75155135b1cb177b77c0de7a4d6b34
45f64ad405eaa4ed35eb74b4e773cb1041c377abdc2b80599168018a2e1406bc
4eecbfc54480c8b8e98d3abba71b70d63575355141f4892a55d49631841ebfba
190a63203f7970e14c4f9f886ad814bbb5b30160dcba66d22b78583baaae478e
d97409bc67beeca578cfa94b5058501dd8951e4206a18a019702e039966a22dc
81a110de18613503c0f3075da56cdbe363091cebcd8c52423ac1d63aa791bb22
cd8fdfee914d46d345bedd2868f2aec93c48fd00385492e377793f06cd42dc1f
6763b0b45f0fd8e32e29377a207058fc42a02bb6d1db368c76fd0af470abc341
5ec64b926c9e2f1d2c69f92b69b5c9169b23d533f327ac944776e8e266eaab99
SH256 hash:
b20b5b83ae80ff7ef35cbd639a5f9aba16dfcb7064a853dd66ff1d2e9c617991
MD5 hash:
e8999d3f35274af416aa7f021733b4d9
SHA1 hash:
d8899443e669dce3b015f58057609fe661296605
Link:
https://www.unpac.me/results/544d9018-4fdc-4924-ba22-1ceb770f509a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b20b5b83ae80ff7ef35cbd639a5f9aba16dfcb7064a853dd66ff1d2e9c617991

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe b20b5b83ae80ff7ef35cbd639a5f9aba16dfcb7064a853dd66ff1d2e9c617991

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2212368/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/278908/

Comments