MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bae14391cbc9ddb999947b70f3975a7309f73d422a02aaa13ae9100baaa0652c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 11



SHA256 hash: bae14391cbc9ddb999947b70f3975a7309f73d422a02aaa13ae9100baaa0652c
SHA3-384 hash: 0cf895489abd53fafd50cae74ac33b1dd487c4b872612dd17d47aee640dcb407a8f4034fbe25733ab688f149ed6f8a42
SHA1 hash: 0e3c85f03fd36cc4001fb68996b53ff8afb17f7e
MD5 hash: 44ac6fc2f8d02857f9d7a7bfde1e2376
humanhash: violet-football-ohio-minnesota
File name: 44AC6FC2F8D02857F9D7A7BFDE1E2376.exe
Signature: GCleaner
File size: 4'072'477 bytes
First seen: 2021-08-13 19:35:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:yRRSck04HegEY+uTckcooqU/q6DvkT2WT7Xz4OwQ:yucwegEuTckXCu9fMOT
Threatray 332 similar samples on MalwareBazaar
TLSH T13016331835E1DA96E9816FB36B3B874209347BEB418F333A65105BCDB09E2E67961133
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe gcleaner
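The icon dhash above is shared with 2'283 Formbook, 981 Loki and 803 AgentTesla samples, i.e. it identifies a generic installer icon rather than a family. The following added example (not MalwareBazaar's code) shows how such a hash is computed and compared so that the pivot can be reproduced locally. It assumes the 16-hex-character value is the usual 64-bit row-difference dhash (9x8 grayscale, one bit per horizontally adjacent pixel pair, imagehash bit order); the grayscale grids and the near-duplicate threshold are constructed for the example.

```python
"""Icon difference hash (dhash) as a pivot between samples that share an icon.

Added example, not MalwareBazaar's code. It assumes the 16-hex-character icon
dhash on this page is the common 64-bit row-difference form (9x8 grayscale,
one bit per horizontally adjacent pixel pair, imagehash bit order); the
grayscale grids below are constructed, not taken from the sample's icon.
"""
from typing import List, Sequence

Gray = Sequence[Sequence[int]]          # rows of 0..255 grayscale values

PAGE_ICON_DHASH = "b2a89c96a2cada72"    # dhash icon value listed on this page


def resize_box(img: Gray, width: int = 9, height: int = 8) -> List[List[int]]:
    """Downscale a grayscale image to width x height by box averaging."""
    src_h, src_w = len(img), len(img[0])
    out = []
    for ty in range(height):
        y0 = ty * src_h // height
        y1 = max(y0 + 1, (ty + 1) * src_h // height)
        row = []
        for tx in range(width):
            x0 = tx * src_w // width
            x1 = max(x0 + 1, (tx + 1) * src_w // width)
            block = [img[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            row.append(sum(block) // len(block))
        out.append(row)
    return out


def dhash_from_gray(grid: Gray) -> str:
    """64-bit dhash of an 8-row x 9-column grayscale grid, as 16 hex chars.

    Bit = 1 where the right pixel is brighter than its left neighbour; bits
    are packed row-major, first bit most significant (assumed bit order).
    """
    if len(grid) != 8 or any(len(r) != 9 for r in grid):
        raise ValueError("dhash expects a 9x8 (width x height) grid")
    bits = 0
    for row in grid:
        for x in range(8):
            bits = (bits << 1) | (1 if row[x + 1] > row[x] else 0)
    return f"{bits:016x}"


def hamming(h1: str, h2: str) -> int:
    """Number of differing bits between two hex dhashes."""
    return bin(int(h1, 16) ^ int(h2, 16)).count("1")


def same_icon(h1: str, h2: str, threshold: int = 10) -> bool:
    """Near-duplicate icon test; the threshold is an assumption for this example."""
    return hamming(h1, h2) <= threshold


def scale_up(grid: Gray, factor: int) -> List[List[int]]:
    """Nearest-neighbour upscale, used to build a larger constructed 'icon'."""
    return [[v for v in row for _ in range(factor)]
            for row in grid for _ in range(factor)]


# Constructed 9x8 grayscale grid: rising row -> 0xff, falling row -> 0x00,
# alternating row -> 0xaa, flat row -> 0x00.
RISING = [0, 10, 20, 30, 40, 50, 60, 70, 80]
FALLING = RISING[::-1]
ALTERNATING = [0, 10, 0, 10, 0, 10, 0, 10, 0]
FLAT = [5] * 9
SAMPLE_GRID = [RISING, FALLING, ALTERNATING, FLAT] * 2


if __name__ == "__main__":
    h = dhash_from_gray(SAMPLE_GRID)
    print(h)                                               # ff00aa00ff00aa00
    big = scale_up(SAMPLE_GRID, 4)                         # 36x32 constructed icon
    print(dhash_from_gray(resize_box(big)) == h)           # True
    print(hamming(h, PAGE_ICON_DHASH), same_icon(h, PAGE_ICON_DHASH))
```

Because the hash is built from brightness gradients rather than exact pixels, a re-encoded or slightly rescaled icon still lands within a few bits of the original, which is what makes it usable as a pivot; the flip side, visible in the counts above, is that every sample built with the same generic icon collides, so a shared dhash says "same packaging" and not "same family".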


abuse_ch
GCleaner C2:
http://ggc-partners.info/decision.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://ggc-partners.info/decision.php | https://threatfox.abuse.ch/ioc/184302/
65.21.228.92:46802 | https://threatfox.abuse.ch/ioc/184313/
http://34.77.115.2/ | https://threatfox.abuse.ch/ioc/185163/

Intelligence


File Origin
# of uploads: 1
# of downloads: 170
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Behaviour
Sending a custom TCP request
Running batch commands
Sending an HTTP GET request
Deleting a recently created file
Creating a file in the %temp% directory
DNS request
Creating a process from a recently created file
Sending a UDP request
Creating a file
Searching for the window
Connection attempt
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found C&C like URL pattern
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 465077
Sample: oY50Yc6Eh4.exe
Start date: 13/08/2021
Architecture: WINDOWS
Score: 100

Process tree reconstructed from the graph (node numbers in brackets; "Dropped" = files written by that process; port lists as shown in the graph):

[2] Start
    Network: 116.203.127.162 (HETZNER-ASDE, Germany); 206.166.251.242 (CTCUS, United States); 13 other IPs or domains
    Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 15 other signatures
    [11] oY50Yc6Eh4.exe
        Dropped: C:\Users\user\AppData\...\setup_installer.exe (PE32)
        [21] setup_installer.exe
            Dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\AppData\...\libwinpthread-1.dll (PE32); C:\Users\user\AppData\...\libstdc++-6.dll (PE32); 3 other files (none malicious)
            [24] setup_install.exe
                Network: marisana.xyz 172.67.186.33, ports 49723, 80 (CLOUDFLARENETUS, United States); 127.0.0.1
                Dropped: C:\Users\user\AppData\...\acd8df2828a741.exe (PE32+); C:\Users\user\...\69229f3d88908bd2.exe (PE32); C:\Users\user\AppData\...\3471594dd7.exe (PE32); 6 other files (1 malicious)
                Signatures: Performs DNS queries to domains with low reputation
                [29] cmd.exe
                    [37] 69229f3d88908bd2.exe
                        Network: 37.0.10.236, ports 49716, 80 (WKD-ASIE, Netherlands); 37.0.11.8, ports 49727, 49728, 49787 (WKD-ASIE, Netherlands); 13 other IPs or domains
                        Dropped: C:\Users\...\z0OilNnwOLCTOuW_tIcm9Yll.exe (PE32); C:\Users\...\wDwWGPHUas3h47Yut0TqHOm7.exe (PE32); C:\Users\...\uBSSRomfe5JIPSM9aMRrFpR6.exe (PE32); 40 other files (34 malicious)
                        Signatures: Drops PE files to the document folder of the user; May check the online IP address of the machine; Creates HTML files with .exe extension (expired dropper behavior); 2 other signatures
                [31] cmd.exe
                    [42] 2fb5007056.exe
                        Signatures: Machine Learning detection for dropped file; Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Checks if the current machine is a virtual machine (disk enumeration)
                [33] cmd.exe
                    [44] acd8df2828a741.exe
                        Network: 4 other IPs or domains
                        Dropped: C:\Users\user\AppData\...\aaa_011[1].dll (DOS)
                        Signatures: Tries to harvest and steal browser information (history, passwords, etc)
                [35] 7 other processes
                    [46] 3471594dd7.exe
                        Dropped: 2 other files (none malicious)
                        [54] chrome2.exe
                            Dropped: C:\Users\user\AppData\...\services64.exe (PE32+)
                    [48] 405416bb3.exe
                        Network: cdn.discordapp.com 162.159.134.233, ports 443, 49722, 49732 (CLOUDFLARENETUS, United States)
                        Dropped: C:\Users\user\AppData\Local\...\LzmwAqmV.exe (PE32)
                        [57] LzmwAqmV.exe
                            Dropped: C:\Users\user\AppData\Local\Temp\jhuuee.exe (PE32+); C:\...\dcc7975c8a99514da06323f0994cd79b.exe (PE32); C:\Users\user\AppData\...93GlorySetp.exe (PE32); 2 other files (none malicious)
                    [50] 70abe7c2b625.exe
                        Network: 104.21.92.87 (CLOUDFLARENETUS, United States)
                        Dropped: 5 other files (none malicious)
                    [52] 3 other processes
                        Network: 2 other IPs or domains
                        Dropped: 2 other files (none malicious)
                        [59] 1cr.exe
    [14] svchost.exe
        Signatures: Sets debug register (to hijack the execution of another thread); Modifies the context of a thread in another process (thread injection)
    [17] svchost.exe
    [19] rundll32.exe
Threat name:
Win32.Spyware.Fbkatz
Status:
Malicious
First seen:
2021-08-10 23:49:00 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  2/5
Result
Malware family:
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:vidar botnet:706 botnet:916 aspackv2 backdoor evasion infostealer persistence spyware stealer suricata trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
SmokeLoader
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
Malware Config
C2 Extraction:
https://prophefliloc.tumblr.com/
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
https://lenak513.tumblr.com/
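The IOCs above (the ThreatFox entries and this extracted C2 list) are only useful once they are checked against your own telemetry. The following added example, not abuse.ch or MalwareBazaar code, turns the page's indicators into an exact-host and ip:port match over proxy and flow records. The indicator list is copied from this entry; the log line formats and the log lines are constructed for the example. Note the deliberate design choice: hosts are matched exactly, never by parent domain, because the two tumblr.com entries are actor subdomains on a shared service, and cdn.discordapp.com (contacted during the sandbox run) is legitimate infrastructure and not an indicator.

```python
"""Match this entry's network IOCs against proxy and flow logs.

Added example, not abuse.ch / MalwareBazaar code. The indicator list is copied
from this page (the ThreatFox IOCs and the 'C2 Extraction' list); the log line
formats and the log lines themselves are constructed for the example.
"""
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

# URL indicators as listed on this page.
IOC_URLS = [
    "http://ggc-partners.info/decision.php",   # GCleaner C2
    "http://34.77.115.2/",
    "https://prophefliloc.tumblr.com/",
    "https://lenak513.tumblr.com/",
] + [
    f"http://{host}/upload/" for host in (
        "aucmoney.com", "thegymmum.com", "atvcampingtrips.com",
        "kuapakualaman.com", "renatazarazua.com", "nasufmutlu.com",
    )
] + [
    f"http://readinglistforjuly{i}.{tld}/"
    for tld in ("xyz", "site", "club") for i in range(1, 11)
]

# ip:port indicator from ThreatFox; both address and port must match.
IOC_SOCKETS = {("65.21.228.92", 46802)}


def ioc_hosts(urls: Iterable[str] = IOC_URLS) -> frozenset:
    """Exact, lower-cased hostnames from the IOC URLs.

    Matching is on the exact host, never on a parent domain: the tumblr.com
    entries are actor-controlled subdomains of a shared hosting service, so
    'tumblr.com' itself must not become an indicator.
    """
    return frozenset(urlsplit(u).hostname.lower() for u in urls)


IOC_HOSTS = ioc_hosts()


def match_proxy_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """(line_no, host) for proxy log lines whose URL host is an IOC.

    Assumed (constructed) line format: '<ts> <client_ip> <method> <url> <status>'.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        url = next((p for p in line.split()
                    if p.startswith(("http://", "https://"))), None)
        if url is None:
            continue
        host = urlsplit(url).hostname
        if host and host.lower() in IOC_HOSTS:
            hits.append((n, host.lower()))
    return hits


def match_flows(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """(line_no, 'ip:port') for flow records that hit an ip:port IOC.

    Assumed (constructed) line format: '<src_ip> <dst_ip> <dst_port> <proto>'.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3 or not parts[2].isdigit():
            continue
        key = (parts[1], int(parts[2]))
        if key in IOC_SOCKETS:
            hits.append((n, f"{key[0]}:{key[1]}"))
    return hits


# Constructed sample logs. Line 3 (tumblr.com dashboard) and line 7
# (cdn.discordapp.com, a legitimate CDN the sandbox run also contacted) must
# not match: only the exact hosts listed on this page are indicators.
PROXY_LOG = [
    "2021-08-13T19:41:02Z 10.0.0.15 GET http://ggc-partners.info/decision.php 200",
    "2021-08-13T19:41:05Z 10.0.0.15 GET http://readinglistforjuly7.site/ 404",
    "2021-08-13T19:41:09Z 10.0.0.22 GET https://www.tumblr.com/dashboard 200",
    "2021-08-13T19:41:11Z 10.0.0.15 GET https://lenak513.tumblr.com/ 200",
    "2021-08-13T19:41:20Z 10.0.0.31 GET http://example.com/index.html 200",
    "2021-08-13T19:41:25Z 10.0.0.15 GET http://34.77.115.2/ 200",
    "2021-08-13T19:41:30Z 10.0.0.15 GET https://cdn.discordapp.com/attachments/a/b/c.bin 200",
]
FLOW_LOG = [
    "10.0.0.15 65.21.228.92 46802 TCP",
    "10.0.0.15 65.21.228.92 443 TCP",   # same host, different port: no hit
    "10.0.0.22 8.8.8.8 53 UDP",
]

if __name__ == "__main__":
    for n, host in match_proxy_log(PROXY_LOG):
        print(f"proxy line {n}: IOC host {host}")
    for n, sock in match_flows(FLOW_LOG):
        print(f"flow line {n}: IOC socket {sock}")
```

Run against real logs, the proxy matcher is the high-confidence signal (the readinglistforjuly* and */upload/ hosts exist for nothing else), while the ip:port match for 65.21.228.92:46802 should be treated as time-bounded: the entry was first seen on 2021-08-13 and hosting IPs are recycled.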
Unpacked files
SHA256 hash:
76fd57122331c7e402c7ab4a48bb9a86529641200f391241e20f31232e5f439b
MD5 hash:
922068b48ff8abb7e513a724443c1f62
SHA1 hash:
fef5db5322dae45dade837d28a2ad1aa159c74b9
SHA256 hash:
1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
MD5 hash:
0965da18bfbf19bafb1c414882e19081
SHA1 hash:
e4556bac206f74d3a3d3f637e594507c30707240
SHA256 hash:
f8a6a13c339f741262eaa1f67ce2b013e32f1149f973e0f634e830c70e5c4f3c
MD5 hash:
6a2002682a0b4d5a9588b962fa38ef8f
SHA1 hash:
7370b24dee909753f5e9c733c291c8b484c9b366
SHA256 hash:
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2
MD5 hash:
3263859df4866bf393d46f06f331a08f
SHA1 hash:
5b4665de13c9727a502f4d11afb800b075929d6c
SHA256 hash:
8bd8f7a32de3d979cae2f487ad2cc5a495afa1bfb1c740e337c47d1e2196e1f2
MD5 hash:
2b32e3fb6d4deb5e9f825f9c9f0c75a6
SHA1 hash:
2049fdbbe5b72ff06a7746b57582c9faa6186146
SHA256 hash:
17a09218d7626f1fc6b39a27e233743eaa6a404d01df998fa9df29c7b06a4674
MD5 hash:
6082a0ae46e951178752029cb7be5c94
SHA1 hash:
005c541a92bf28ce6fd737250f68eaeca8abd1d0
SHA256 hash:
37342babfd23ab30837a55886012a5125c69d2e5f883dadfc06a42cfb28e5b34
MD5 hash:
3f9f7dfccefb41726d6b99e434155467
SHA1 hash:
f5a7b26fb2aa6ebb7177b30b24a7fdbc067de8f1
SHA256 hash:
ee964e1e31ec658976547c00dd0fac70685b9c69e839c0293e03233b57b6023f
MD5 hash:
ef141fae90519e05cce9a6cd06a67252
SHA1 hash:
91a780ec8c70487f402236af46d34b5f0528aee6
SHA256 hash:
25481c74bd4fc78899809a6e478454a017116badbd274b8fcfb66bcbacd42132
MD5 hash:
478bba29b1481224b2db77eb2f2e124c
SHA1 hash:
6c078456abab172581cb1ea5b5c1412cd2df32a1
SHA256 hash:
153ff6352a52ae81204e426a31f9f5a14dbd19a8ded6d834ae1e0096a4a824da
MD5 hash:
4c5131deba781a5ccfaa5c87f2195462
SHA1 hash:
2a492564398092cc91b0c8b21ebac68482ba9a67
SHA256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
SHA256 hash:
a19adea0a2b66cfcb23eebd1d1ff9d854eccd4dc65536a45665c149da4ff6265
MD5 hash:
117c7ff5dd9efc0b059f64520f2d4f46
SHA1 hash:
ff07b1fcc58aa62b42d797981e0d953d9f9e0120
SHA256 hash:
17b036f1e98435ea76257df1976e5874cee32fec1c53b256bd54ae277ca3d9dc
MD5 hash:
77812811ef6b669885af504a0d9897e6
SHA1 hash:
0413697ea76b1214c9599dba0ef68026b0da0286
SHA256 hash:
bae14391cbc9ddb999947b70f3975a7309f73d422a02aaa13ae9100baaa0652c
MD5 hash:
44ac6fc2f8d02857f9d7a7bfde1e2376
SHA1 hash:
0e3c85f03fd36cc4001fb68996b53ff8afb17f7e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glupteba
Rule name:GoBinTest
Rule name:golang
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author:ditekSHen
Description:Detects executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a Github gist
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
Author:ditekSHen
Description:Detects executables referencing many varying, potentially fake Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author:ditekSHen
Description:Detects executables with a stomped PE compilation timestamp that is greater than the local current time
Rule name:MALWARE_Win_RedLine
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:pe_imphash
Rule name:RedLine
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:RedOctoberPluginCollectInfo
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_MSDOS_Stub_Message
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:UroburosVirtualBoxDriver
Rule name:Vidar
Author:kevoreilly
Description:Vidar Payload

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments