MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0b1257e4bff2c5701e7201fdbf0ab1a2d8d6773237d227794b39cca91eb39b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 18


Intelligence 18 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c0b1257e4bff2c5701e7201fdbf0ab1a2d8d6773237d227794b39cca91eb39b5
SHA3-384 hash: f52638f3978cafd828b4d6fa554b9ab003972a7cfbd5f8ecfadd98933f541818ef682afa74d712dfb0d04847b1f6f94d
SHA1 hash: f5db35848ca3646768dda7d01107a3547d8306d8
MD5 hash: 26209088bd2c7e376ca5234fbc8a8232
humanhash: uncle-fifteen-salami-may
File name:random.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:3'648'800 bytes
First seen:2025-10-02 06:15:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 006b9a72956f31105c5e9311f7262b56 (10 x GCleaner)
ssdeep 49152:U2kXFWYQXq1WItFTi9MGONLelybrBSnlzSF6t7Lo6z4suPFwuWlWSnhe66ww03n:UvEY3Zto9H+YIBSBSF6tPMyfWGheFf+
Threatray 146 similar samples on MalwareBazaar
TLSH T1B7F5E016FBD1B771D6FA3A35AD1AC378BC03F9C0F5A8BE05D6A0C1008460A65AF1AD75
TrID 52.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
16.8% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
7.5% (.EXE) OS/2 Executable (generic) (2029/13)
7.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:exe gcleaner

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
0_c36ed034d523da1f54d43176334d4bda9f9adcb940948646b43902a620ebda45.exe
Verdict:
Malicious activity
Analysis date:
2025-10-01 22:15:52 UTC
Tags:
auto redline stealer amadey botnet rdp autoit inno installer generic delphi anti-evasion darkvision remote purecrypter hijackloader loader ultravnc rmm-tool evasion ms-smartcard lumma stealc vidar miner silentcryptominer winring0-sys vuln-driver gcleaner
Link:
https://app.any.run/tasks/76db94ae-1c05-4add-a649-57f3cb6451d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/29882/
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68de1904b54520161ad44f9f
Tags:
delphi emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a recently created process by context flags manipulation
Connection attempt to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context borland_delphi fingerprint invalid-signature keylogger obfuscated packed packed packer_detected signed threat
Link:
https://www.filescan.io/uploads/68de1925c564c8e81d0c4998/reports/c766c8bc-5bbc-43b5-b9a8-14c7c87531d5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c0b1257e4bff2c5701e7201fdbf0ab1a2d8d6773237d227794b39cca91eb39b5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-01T20:45:00Z UTC
Last seen:
2025-10-01T21:16:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/c0b1257e4bff2c5701e7201fdbf0ab1a2d8d6773237d227794b39cca91eb39b5/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a2074759-590a-4f99-8774-dda79b61a82f
Result
Threat name:
CryptOne, GCleaner
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1787904
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Hijacks the control flow in another process
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Suricata IDS alerts for network traffic
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected GCleaner
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c0b1257e4bff2c5701e7201fdbf0ab1a2d8d6773237d227794b39cca91eb39b5
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c0b1257e4bff2c5701e7201fdbf0ab1a2d8d6773237d227794b39cca91eb39b5/
Verdict:
Malicious
Threat:
Family.GCLEANER
Link:
https://tip.neiki.dev/file/c0b1257e4bff2c5701e7201fdbf0ab1a2d8d6773237d227794b39cca91eb39b5
Threat name:
Win32.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2025-10-02 05:34:44 UTC
File Type:
PE (Exe)
Extracted files:
36
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ycysk7sl74wfoapheap5x4fldiwy2z3ten6se54uwoomveplhg2q._file
Verdict:
malicious
Label(s):
gcleaner
Create hunting rule
Similar samples:
3dca408f1a829db781437822c86f916429e886c783b4503cc216af8b2d0e9dd6
GCleaner
40a90620b086327cda0068f45833040882f11215982c3b322941469db8db6ffd
GCleaner
4d0a5ddcaf86fe9ab13639dfa588563b0e5ced5d1910d098bf208db2f20ec250
GCleaner
4feb860c5e7c9f51b28565be3aa1febeeed05637ad37ef98010e0adf82708d52
GCleaner
59df49cdd7de3db18e53309cc1d2e3687537958e79e5eeef224a7ee9dfa167a5
GCleaner
75a97aa621f58a68e71434a3396e6c88840b968c6a3fb02d01e71a36ba9fa3d5
GCleaner
934321709512828e2c6d0a509f7e7fb447438086055f699ae46befa155e8f7af
GCleaner
c0b1257e4bff2c5701e7201fdbf0ab1a2d8d6773237d227794b39cca91eb39b5
GCleaner
e9fe7bd6bd35f37c70539d64e9a5f285fa7f2a1a696de5b64e8050004b2cd5c0
GCleaner
error
GCleaner
fad90b975af603df711f6533415835b1362b476c1f214530d620aace0532c36c
GCleaner
+ 136 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery
Link:
https://tria.ge/reports/251002-g2j25ahr8w/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
Downloads MZ/PE file
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d150dbbb-989c-4576-84ed-f935a141e7d9
Unpacked files
SH256 hash:
c0b1257e4bff2c5701e7201fdbf0ab1a2d8d6773237d227794b39cca91eb39b5
MD5 hash:
26209088bd2c7e376ca5234fbc8a8232
SHA1 hash:
f5db35848ca3646768dda7d01107a3547d8306d8
Link:
https://www.unpac.me/results/b0f5973f-3090-40ae-8715-7ee7e4dc64ab/
SH256 hash:
d5e6fb22f020c0662fbe3b4e5568575560834711769c7fb07b495ceaceadbc6e
MD5 hash:
c853d5e60669b92e7317438723e31f35
SHA1 hash:
1f900d5d5847f04fc17fa07e37684a617c6a76bc
Detections:
GCleaner
Create hunting rule
Link:
https://www.unpac.me/results/b0f5973f-3090-40ae-8715-7ee7e4dc64ab/
SH256 hash:
d3d3224b50e7ff955cba76e05f5058471add627c6f15658420146040192b3e1b
MD5 hash:
61f30fea94c55ee3199526448a73e58f
SHA1 hash:
71c175173df87bda7ffc77b2208b28f04bbdc628
Link:
https://www.unpac.me/results/b0f5973f-3090-40ae-8715-7ee7e4dc64ab/
Malware family:
GCleaner
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c0b1257e4bff/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/c0b1257e4bff2c5701e7201fdbf0ab1a2d8d6773237d227794b39cca91eb39b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe c0b1257e4bff2c5701e7201fdbf0ab1a2d8d6773237d227794b39cca91eb39b5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3607394/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/29882/

Comments