MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b357ace9d2161166465c831da5ef856bc36de458338b78944426ac7f5e8ffb1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 13


Intelligence 13 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b357ace9d2161166465c831da5ef856bc36de458338b78944426ac7f5e8ffb1d
SHA3-384 hash: e81b435088cac2b615bc4b4503ed08d1a1ca72d7068c91825653ebead55fc72397e28b3c108cc51ef016a11e43b7dc56
SHA1 hash: 77c83b2f557a8e612318fee03abb9fce4d895c42
MD5 hash: a1bf5b4d50a38fd847ead0f671b1e153
humanhash: batman-cardinal-fish-massachusetts
File name:a1bf5b4d50a38fd847ead0f671b1e153
Download: download sample
Signature GCleaner
Create hunting rule
File size:5'606'160 bytes
First seen:2026-01-02 20:29:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 229ea82d8ce3465f3083bcb663b250ac (8 x GCleaner)
ssdeep 98304:CC1N0O+Yndh60x1MkJiXPOTF1ErRA8904xR9he/q4az:CgS5Y/xx1MkJ28+FA8/z
Threatray 399 similar samples on MalwareBazaar
TLSH T1B046E016CD78473DE78B25386443AE1498EA5AD2DE29272EEEC108B2F71C48117D7FB1
TrID 52.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
16.8% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
7.5% (.EXE) OS/2 Executable (generic) (2029/13)
7.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter adrian__luca
Tags:exe gcleaner

Intelligence

File Origin
# of uploads :
1
# of downloads :
25
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
a1bf5b4d50a38fd847ead0f671b1e153
Verdict:
Malicious activity
Analysis date:
2026-01-02 23:14:26 UTC
Tags:
auto generic gcleaner loader
Link:
https://app.any.run/tasks/7c47c94a-c6d9-48a5-8ab3-c20873a68ed1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/47163/
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69582f97d2357cccc3dec076
Tags:
delphi agentb cobalt emotet
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug base64 borland_delphi expired-cert fingerprint gcleaner installer-heuristic invalid-signature keylogger packed signed zusy
Link:
https://www.filescan.io/uploads/69582de5148c21e830ef9ca4/reports/f8d99df3-d774-48ba-bfce-8e3151776827/overview
Verdict:
Malicious
Labled as:
TrojWare.TrojanDownloader.Dadobra
Link:
https://www.hybrid-analysis.com/sample/b357ace9d2161166465c831da5ef856bc36de458338b78944426ac7f5e8ffb1d
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-17T12:55:00Z UTC
Last seen:
2026-01-04T12:43:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/b357ace9d2161166465c831da5ef856bc36de458338b78944426ac7f5e8ffb1d/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/104bce7f-ac09-4d0a-9830-1a5581277237
Score:
81%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b357ace9d2161166465c831da5ef856bc36de458338b78944426ac7f5e8ffb1d
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/a1bf5b4d50a38fd847ead0f671b1e153
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b357ace9d2161166465c831da5ef856bc36de458338b78944426ac7f5e8ffb1d/
Threat name:
Win32.Trojan.GCleaner
Create hunting rule
Status:
Malicious
First seen:
2025-12-17 19:03:50 UTC
File Type:
PE (Exe)
Extracted files:
54
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wnl2z2oscyiwmrs4qmo2l34fnpbw3zcygofxrfcee2wh6xup7moq._file
Verdict:
malicious
Label(s):
gcleaner
Create hunting rule
Similar samples:
0fb5428a57dd4df24c55f00a59b19e4a824d4646fade20d3fb4acf3707ccac25
GCleaner
1a38918a094b23b6f21269eef556533dd31c1e3139da3c1da985bb35d40a33a6
GCleaner
44e956e20e767066f5f27479436996b2f91c131c19bacd6623a72ce1ba7a6358
GCleaner
5883bfbb8849529d61723a2ed3082eab3ab5145fdac7f76408d43114b36b1647
GCleaner
71e4d38127af57ea7f4071a67b3012b550f3bc0e28c6372cb230f82711c6c1a4
GCleaner
951940c3e5a71d8f9d668ee2f2627dd46eab03542f49f5f30e45611f8cba7d49
GCleaner
9eaa406ec5b5abefb96a285724af519f7ee7c3241b75e67acee2eaa9b7a40daf
GCleaner
b357ace9d2161166465c831da5ef856bc36de458338b78944426ac7f5e8ffb1d
GCleaner
d4b9ac5a080412aae02c21c4f48ef1760aab9807e4e2e3a7f2ceaac68d25a79d
GCleaner
error
GCleaner
+ 389 additional samples on MalwareBazaar
Result
Malware family:
gcleaner
Create hunting rule
Score:
  10/10
Tags:
family:gcleaner discovery loader
Link:
https://tria.ge/reports/260106-lancpaeq9s/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
GCleaner
Gcleaner family
Malware Config
C2 Extraction:
185.156.73.98
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bc593ad9-d66f-4bd9-a18c-646f1963f216
Unpacked files
SH256 hash:
d3d3224b50e7ff955cba76e05f5058471add627c6f15658420146040192b3e1b
MD5 hash:
61f30fea94c55ee3199526448a73e58f
SHA1 hash:
71c175173df87bda7ffc77b2208b28f04bbdc628
Link:
https://www.unpac.me/results/6110bb41-7e66-4b7f-a66b-5ef7ec72bf53/
SH256 hash:
2c73ab74a03f6c986e2c475d5cd18ff7bac13203e895832e32e6517dd0ac2a98
MD5 hash:
17c4e186866e34b1295bf6f27f85ec6e
SHA1 hash:
8a1f1bcfebe951d533fee5abe886f729302aac68
Link:
https://www.unpac.me/results/6110bb41-7e66-4b7f-a66b-5ef7ec72bf53/
SH256 hash:
b357ace9d2161166465c831da5ef856bc36de458338b78944426ac7f5e8ffb1d
MD5 hash:
a1bf5b4d50a38fd847ead0f671b1e153
SHA1 hash:
77c83b2f557a8e612318fee03abb9fce4d895c42
Link:
https://www.unpac.me/results/6110bb41-7e66-4b7f-a66b-5ef7ec72bf53/
Malware family:
GCleaner
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b357ace9d216/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/b357ace9d2161166465c831da5ef856bc36de458338b78944426ac7f5e8ffb1d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GCleaner

Executable exe b357ace9d2161166465c831da5ef856bc36de458338b78944426ac7f5e8ffb1d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/47163/

Comments