MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b651d0039a9d6f2383eb3b20eb9712f0fe19d3c96d1a6d6d3481c87cdc94cecc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 16



SHA256 hash: b651d0039a9d6f2383eb3b20eb9712f0fe19d3c96d1a6d6d3481c87cdc94cecc
SHA3-384 hash: 9a56886b3de4952b0d4b485656d72037317280fff5cb0b668c20c038153c609f0edda1888348ba7603dfc092c984c971
SHA1 hash: 2fc5383450d46555543ab1aa9147ea11acbd71cb
MD5 hash: 5143da7d69bd71d4164ecb1d66fdf57f
humanhash: magazine-victor-mike-football
File name: 5143da7d69bd71d4164ecb1d66fdf57f.exe
Signature: GCleaner
File size: 4'931'872 bytes
First seen: 2025-06-29 07:09:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3706620a5dc6506d60f4785ae013d259 (2 x GCleaner)
ssdeep: 98304:iJsQzNddROD5T6dcGmGDHZbWk4SMfZgsZ66k:iJ1p/RODJ6dHZbWuMG
TLSH: T19336F1A9809D0B7EE1EE1BF2855F9AB7783465003E2D1CE1C2F87A817D75650B06D2B3
TrID: 52.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      16.8% (.EXE) Win32 Executable (generic) (4504/4/1)
      7.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
      7.5% (.EXE) OS/2 Executable (generic) (2029/13)
      7.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
dhash icon: 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter: abuse_ch
Tags: exe gcleaner

Intelligence


File Origin
# of uploads: 1
# of downloads: 441
Origin country: SE

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 5143da7d69bd71d4164ecb1d66fdf57f.exe
Verdict: Malicious activity
Analysis date: 2025-06-29 07:12:13 UTC
Tags: delphi gcleaner loader auto generic

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: delphi cobalt emotet

Result
Verdict: Malware
Behaviour
Creating synchronization primitives
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a recently created process by context flags manipulation
Result
Threat name: CryptOne
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature
Antivirus detection for dropped file
Found hidden mapped module (file has been removed from disk)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected CryptOne packer
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) Win 32 Exe x86

Threat name: Win32.Packed.Generic
Status: Suspicious
First seen: 2025-06-29 07:11:31 UTC
File Type: PE (Exe)
Extracted files: 38
AV detection: 20 of 24 (83.33%)
Threat level: 1/5
Result
Malware family: gcleaner
Score: 10/10
Tags: family:gcleaner discovery loader
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
GCleaner
Gcleaner family
Malware Config
C2 Extraction: 45.91.200.135
Unpacked files
SHA256 hash: b651d0039a9d6f2383eb3b20eb9712f0fe19d3c96d1a6d6d3481c87cdc94cecc
MD5 hash: 5143da7d69bd71d4164ecb1d66fdf57f
SHA1 hash: 2fc5383450d46555543ab1aa9147ea11acbd71cb

SHA256 hash: ad4975580d4aed4e0907419c267ab01c8fc153a0b1a31d6af5072dc90482e04e
MD5 hash: e9f50e18d15e682c7254d71af317b26e
SHA1 hash: 4121448a31ebb44880711fe3adba72306f61d0d5
Detections: GCleaner
Parent samples:
e1cffe1faffd2a399f833405e2b28960f35ed3ec9dcb9cfaeb2d66f27eccba47
44a56311320ac072e7ddd1972530e7c64631692863cda2193596905ae30311c3
b651d0039a9d6f2383eb3b20eb9712f0fe19d3c96d1a6d6d3481c87cdc94cecc
32c7b0e8a4cc49535ac3925c1208e7740cb9a10fa0b8321cd0b1bc7f3895b230
6cb852252bd2c139c287968e9b3fc186d280dad584e5ea2787aea6182823a0fa
43998d323172b680b5e11457af870adef4f0593eb3c35a0eccbbc172e15cf068
147d8db1e9c0a4ff6ae8b02342054c3d9a8d4d7ea25ab3adea6641cde8c7d065
01c3b22efb07d44d2102650a3896e08c4cd5424b176a943fa7e7e93def3dc231
971df451fef89fe86b63a6d9191ffcb98eb80c579b371cd5a90239eaa0b57380
32f78d28504cd4cd30e6c0cba38470ac864234f98a0c8620e37ffe3040add185
6435e02f13a75d9f7fc4bf6cd61e2fcd26969d593f446652796fdf26e3dbd50d
c95aa4a24dedd352cc74f59d5beba29384138c604d796c4e3d4debfbe46899f0
a9155d359d4294909b94945b43251042bce6829d435b1657de73ba898ab35baf
5d2aa06683b97850ac113ccb35dd95c0bdf319c4d0b234e49e8e520fc99c45ac
f21e1c8d6ba7bdf68d3d6f7b683bfa8e5916bda1308e53bd04c89f9d6fff71a7
52bf70e9234332ff325a528581108b749a7e1969143de186a56fb4632ebf4c89
2d899ab191f2c6384d1a9a778bb9488d8584fe13511788e00aa6e97fd932c083
dcd8e3d44e64209ecedf0a61970775a979e1216b540e2d2d07f4e71dbe76ef15
cfdf69d52382bf2c70df628d56ec1464f5318533840313aa951c408f7ce3f8e1
4eb6747cdf61ae87a0c64bd86f49ddf65c61397958a81b33d788dcdcbf61329f
e4995bb20cc990503030d8a67449d3481832f904854892f8b2c4eb0ea05342fd
142a11b087745d831e0298f74f8f39a3fcf4a0dc3035c8bf1bb95517ca59fec3
a3a87de1728f004dbbef953cd7437e31b880206ea38ec809d870110a2ce4f6f0
bdc1e5fc3bcc906b2b551ef2fcf7e744ac54abc8641b5c1e4e0a06c0612f080f
0f82e3f84d0bfdf516099765e67bc0de58a71e2003ad8682a6bd7ff162c8880a
62f17c59bcec354bbfae7a31d549899510fa73345a735684d154eae6bac76daa
a6f22f51bb87c6c02099ffa86c9df12bd8da32f26f0904167ba2361d655fe8be
8e8eacde053628227873d4ebe3a6e4ea992916f204e6e68866b3fe2af8a5ebb2
b89436a6105fe4c036ac87b0c893d84fc6b7a6e848b634c47d0dc5dae7560b7d
9cb2f4a1fc1bc3bd4ca73397789fc0ef9305e42ca539efd8df878ae4fbc2822a
3c1b34a16bc34c149c8c2c3d516527ed6c4c913d9bf8ac47e35a79675075fe67
15a8b61d0bb9b83ee97c6a44f309f2fd2dbad2fa4cfc76af46c98edf9bc0e238
cdb8d74735fd803936cbb3f259418fa76aa5fa7ad03f8cba3b7d310006052e61
1f5ede5de37e1dd4b8242bea76ca13391cc0c3118d949282a91eb95b7ae932a5
d8c44f8a58899360bf30a527082c917bae7b564db5f129f2517a5deb39ba9ff2
050f2713c672fef785c006ad7243e5ed913fa5a396cb2739f0ceaf1ddadadaa0
1a3a2be484d8f6e4a3458ef3c259f13497fc5c10062458c6b2c4373005a3d7fe
75ebdbe16e4e04a657bb1a54f48b6951d1b0a191e79f27d2dbdbf2a4afe929c3
04651b5ea2f5abd76dfffd4630d54ca23bf2a3c30f53e4ccc213f0f669b7e834
65bd0eb4a9c5160b367263e494eebd87dfb74a3032f7acf0f09bb707c0dc2ef2
c3079b1f05b25daaf2add658fdb3f6fddf0c24828142e2234fa8d51b8c8b286f
e4ac1d6f7663f39195e33c4f8da181129b549bfb4b979b7b5990d387ceab128f
67e77189393add966f9e78d19ae43c10ac6b4e8a1db113d04d244e54176985c1
a77c449da95f2a52fc2f4e56e97d18ffa65c52c5475e46f31fb6b2d75b858de6
aa93f1d9999282fbd664e0fa6c9a17413e4ae72ffda564ef915d1a4c00c6218b
cb15de5f46531f8027182000f0c961cb20c4815e992ac8810198cee869bbeb20
fea6875b7e1c0ad8ac615f9d92213b8a9947182dce38c48f2a2e4362acb1a761
d9437b6f08ccecaeba0f25a6eeb2536b72fe8cf2fbe56c127e823ef148653a6f
dfc525e8f983d4bd66ee6dfd4b747e2c981e76e90870a16a9d1df80742b72583
96576ba536ec988cd9c9ad747d77f8fce85e41d14c864a15788c10294b2d02d8
7f7cb842f6e44063f2c77900afae5237d87bdf0d4445abe6e5ea5dd02cf16fcc
1271b5b2e962be9c8da10a8e507b3fd6480a00219ff1c890169d9aa0bb9f234b
c18e539301e1d8e4676e169ef1a5708e7f225689e599726cf51a731935ffb14b
fa47e000ed767d0ab02b6500ccd02bdb0cdaec3892c01a1998a51d3d44a146d8
8f4fd966a0cfe7f2c45f8f0d7a9edc9e6de0623e9f5fda877a4c7c4cf9ee383b
dd9d04563791f4a07d867829bd4ee3d8d6058b0e1ad08ac54a8f2969b53d4d58
ee61018202eadb79f35a3ee4132766f9f4a08ba4dbde38148f4ccc0e58b7d223
ccbda9594a4811b44768ad404fa6c8ff3cd95de5915d8120c3bb66261348b5ef
8eb8647daba57087ab2641d3b20f1bee24fafc72b3b1a5254aa3baa6e79b494a
8450ab027023f8787201965f14dcd4c9dbebda482384f1517767b5fc137d89c7
6557410235018ef55b87a36a66cadcbecd3f028313bfc6d4fded104536cff8c9
aa586630eb5a50f271a1bdc1e20be4673b40a0c9b20433b7b2fcc0a65413526d
909905bc8800c7ecee499411b741585ceed96ecf46099d3cc669a0bf70d621ee
e7f7a21ee9aaf1f982d222aa7637f8f32c88c44e0b24d9a470fe5ccc47ee55fe
74273805a7bd7441f36bdc596eff7b4597c254015727024c2e86717d8954bbe3
e0c21356fdd99942e1d9e89f0afee73e5f14772bf5f8836ab8b96a997ba76768
a639d8ed17108b7cf50aa15e689f62c03a04b409a6204249d0f9503b55d888bd
2203c96ef56407f1c2b8ec820b89beb20ca0d31bc0ba7a4fc21fb99ab67e18ee
b13f24b087cdcd13ceb92ba139fdc48d03fd5f2c394984c4fd4aa2286ca1e81b
e470c9662b570ea239ed7b599322559bc86d2f150dfc5e2503d083b40da3cd89
e6ce0c13aaf5187d4ef76420af9ccd486262292f0c1e68a2f0c25b7c8be4cd09
110fd095374fef103943ce10fcf71d8619dbe65011ad9893bc0fe3b8a24d20c8
b43fe5810af7c86f8b5165f90c607e1d99fc97b2b69e3ff72e14b09a00620fb3
5807f7e7d5b0240ae218cb9e7c50fbdbbe2ea66007c4276b5ad4e7ae4c4b94fd
0829c26f3453be9269c2e48dd3393d7f5e1dc843e4ce309da7704b5e6ac3aa21
e8bd4db9b069b622540be5f46b4fdd426d1488dc6841625d8a5c0ce9b9f652b1
2e543ea9d1bd67be3ae38732a9758c09a9d784d46b1edf0e808c1783c215ccb0
30c323c6e772d3c7648fd6b0306530a0ff9170948cebf9789f73cc25f1de9722
d64773ce84da74f11e774bee4cdfc873e283a0662546d0bd898b800f3a766c90
SHA256 hash: 0a0b083cc0e62db594b7be21088202c7fe0970d609b2847085d0bf2be8e54a5c
MD5 hash: 4ce3ce196eda86d92b68362b6269b618
SHA1 hash: fd42ee0aca0315acac25c297f1ce33634c549559
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BobSoftMiniDelphiBoBBobSoft
Author: malware-lu

Rule name: Borland
Author: malware-lu

Rule name: pe_detect_tls_callbacks

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for overlay, obfuscating, encrypting, spoofing, hiding, or entropy technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
GCleaner
Executable exe b651d0039a9d6f2383eb3b20eb9712f0fe19d3c96d1a6d6d3481c87cdc94cecc (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                  Title                                                        Severity
CHECK_AUTHENTICODE  Missing Authenticode                                         high
CHECK_NX            Missing Non-Executable Memory Protection                     critical
CHECK_PIE           Missing Position-Independent Executable (PIE) Protection     high

Reviews
ID                 Capabilities                       Evidence
WIN32_PROCESS_API  Can Create Process and Threads     kernel32.dll::CloseHandle
                                                      kernel32.dll::CreateThread
WIN_BASE_API       Uses Win Base API                  kernel32.dll::LoadLibraryExA
                                                      kernel32.dll::LoadLibraryA
                                                      kernel32.dll::GetSystemInfo
                                                      kernel32.dll::GetStartupInfoA
                                                      kernel32.dll::GetDiskFreeSpaceA
                                                      kernel32.dll::GetCommandLineA
WIN_BASE_IO_API    Can Create Files                   kernel32.dll::CreateFileA
                                                      kernel32.dll::FindFirstFileA
                                                      kernel32.dll::GetTempPathA
                                                      version.dll::GetFileVersionInfoSizeA
                                                      version.dll::GetFileVersionInfoA
WIN_REG_API        Can Manipulate Windows Registry    advapi32.dll::RegOpenKeyExA
                                                      advapi32.dll::RegQueryValueExA
WIN_USER_API       Performs GUI Actions               user32.dll::ActivateKeyboardLayout
                                                      user32.dll::CreateMenu
                                                      user32.dll::FindWindowA
                                                      user32.dll::PeekMessageA
                                                      user32.dll::CreateWindowExA
