MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b26c331dd8cc9afc8cfea552033a91a2fd57af71829498f7280408e814d9d962. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b26c331dd8cc9afc8cfea552033a91a2fd57af71829498f7280408e814d9d962
SHA3-384 hash: 49c8131af8bd91591f888a2d3b89a39b5f886cf028a6db58e55b61fe4509d2528f2f1a96403b8bac791497d5267039a9
SHA1 hash: 1606e824ecaa0cafd6d96d3209465817d9812ecd
MD5 hash: fb45bef160a9e634b5937ed8ffb822a7
humanhash: mango-mobile-august-robert
File name:univ.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:355'840 bytes
First seen:2024-08-17 21:59:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0e01523a88c7ef829ae7639fb78bdab6 (2 x GCleaner)
ssdeep 3072:fXwCrrH1MZwnWfIlZ53SSI9RHXRBchfWMW6PAWni3UPjQOwH7Jw2oUs5LlN+LkNc:TP1BnWeKcRswi0MOwkzSkNo
TLSH T13A74BF11B6E0E825CD9A0F3A0975D6E8057BBC655BB1529FB390376F6E732E14E22303
TrID 39.5% (.EXE) InstallShield setup (43053/19/16)
28.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.6% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon b248c8f0d8e17284 (1 x GCleaner)
Reporter NDA0E
Tags:exe gcleaner NyMaim

Intelligence

File Origin
# of uploads :
1
# of downloads :
360
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3L69ITPMK4Y8C170ENFTY3WOS7KTSK8P3GKDBE5YRGCTR8PBS8
Verdict:
Malicious activity
Analysis date:
2024-08-17 21:51:37 UTC
Tags:
gcleaner loader
Link:
https://app.any.run/tasks/f9b69d59-3899-4aea-8681-2f977dfd63d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Ransomware.Convagent-10034455-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66c11d64b35234d5cc65f69d
Tags:
Infostealer Network Stealth
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b26c331dd8cc9afc8cfea552033a91a2fd57af71829498f7280408e814d9d962
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c0db9e7b-c134-49c8-bf4a-f83e20899f25
Result
Threat name:
GCleaner, Nymaim
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1494265
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected GCleaner
Yara detected Nymaim
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b26c331dd8cc9afc8cfea552033a91a2fd57af71829498f7280408e814d9d962
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b26c331dd8cc9afc8cfea552033a91a2fd57af71829498f7280408e814d9d962/
Threat name:
Win32.Trojan.AceCrypter
Create hunting rule
Status:
Malicious
First seen:
2024-08-17 21:51:39 UTC
File Type:
PE (Exe)
Extracted files:
49
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wjwdghoyzsnpzdh6uvjagourul6vpl3rqkkjr5ziaqeoqfgz3fra._file
Verdict:
malicious
Result
Malware family:
gcleaner
Create hunting rule
Score:
  10/10
Tags:
family:gcleaner discovery loader
Link:
https://tria.ge/reports/240817-1wmqlssbqp/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Program crash
System Location Discovery: System Language Discovery
GCleaner
Malware Config
C2 Extraction:
80.66.75.114
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9798cf28-65b2-4825-aec9-4eaae2708bb2
Unpacked files
SH256 hash:
e3752915e9b12609fa22a99275111e4533903ad3af8ca01419562a2871a5c071
MD5 hash:
df84064620e647c9f8ad0f966c1f1576
SHA1 hash:
f7427ed939f043601f270eb9c7b8f685328574ae
Detections:
GCleaner
Create hunting rule
win_gcleaner_auto
Create hunting rule
Link:
https://www.unpac.me/results/491ce4e5-fb75-4971-9778-1548201f3f04/
Parent samples :
b26c331dd8cc9afc8cfea552033a91a2fd57af71829498f7280408e814d9d962
54330d7c8d654c7821fdd80c29bbad67e1f959fb668a63c433348182f879a101
04005821bb6ca54143febc9434856e4ac7e4f6ba61cfcecfb4c1f7f25301f3ca
c91aa7e772a145d0266b4eb22f3527008ae88380a6155fe2ee9b5b27dfc6e1b7
21feed85dcffec9c7a76343729beecd6a53ffe854d972af207edddf154da1814
SH256 hash:
b26c331dd8cc9afc8cfea552033a91a2fd57af71829498f7280408e814d9d962
MD5 hash:
fb45bef160a9e634b5937ed8ffb822a7
SHA1 hash:
1606e824ecaa0cafd6d96d3209465817d9812ecd
Link:
https://www.unpac.me/results/491ce4e5-fb75-4971-9778-1548201f3f04/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b26c331dd8cc9afc8cfea552033a91a2fd57af71829498f7280408e814d9d962

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe b26c331dd8cc9afc8cfea552033a91a2fd57af71829498f7280408e814d9d962

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3112906/
  
URLhaus
https://urlhaus.abuse.ch/url/3112907/
  
URLhaus
https://urlhaus.abuse.ch/url/3112908/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::FillConsoleOutputCharacterA
KERNEL32.dll::ReadConsoleOutputA
KERNEL32.dll::GetConsoleAliasesLengthA
KERNEL32.dll::GetConsoleSelectionInfo
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::GetFileAttributesW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameA

Comments