MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4db7d1e957d2225520705672e86d4ee9d14cb8df62248c26d5442fd414d48a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 11



SHA256 hash: c4db7d1e957d2225520705672e86d4ee9d14cb8df62248c26d5442fd414d48a2
SHA3-384 hash: 2be2cd71b77a554a9214a8bc32703b80279b291ba25f8bf84da50f62589e2f144f4220d8e0509b7c7afdc6cda59e38a8
SHA1 hash: 953ee8b296a9e726e5e110d5a85c54cd4be46364
MD5 hash: 3c4ac73bd7b5f178cb17acd51769391e
humanhash: moon-orange-monkey-hydrogen
File name: 3c4ac73bd7b5f178cb17acd51769391e.exe
Signature: GCleaner
File size: 1'766'304 bytes
First seen: 2023-05-02 09:34:47 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e569e6f445d32ba23766ad67d1e3787f (262 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep: 24576:s7FUDowAyrTVE3U5F/5GqKeVKic6QL3E2vVsjECUAQT45deRV9RL:sBuZrEUMgVKIy029s4C1eH9B
TLSH: T1D385CF3FF268A13EC46A1B3245739320997BBA61B81A8C1E47FC344DCF765601E3B656
TrID: 49.7% (.EXE) Inno Setup installer (109740/4/30)
      19.5% (.EXE) InstallShield setup (43053/19/16)
      18.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
      4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter: abuse_ch
Tags: exe gcleaner

Intelligence


File Origin
# of uploads: 1
# of downloads: 257
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 3c4ac73bd7b5f178cb17acd51769391e.exe
Verdict: Suspicious activity
Analysis date: 2023-05-02 09:36:37 UTC
Tags: installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Searching for the window
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: installer overlay packed setupapi.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: MinerDownloader, Nymaim, RedLine, Vidar
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Encrypted powershell cmdline option found
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Generic MinerDownloader
Yara detected Nymaim
Yara detected RedLine Stealer
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 857466; sample V1lIaJpTZP.exe; start date 02/05/2023; architecture WINDOWS; score 100), rendered here as the process tree recovered from the graph (network contacts are kept in the graph's own "IP, port, port" notation; "..." marks paths the graph itself abbreviated):

Start node
  Network: pstbbk.com; pastebin.com; 4 other IPs or domains
  Signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures
  V1lIaJpTZP.exe
    Dropped: C:\Users\user\AppData\...\V1lIaJpTZP.tmp (PE32)
    Signatures: Obfuscated command line found
    V1lIaJpTZP.tmp
      Network: 45.12.253.74, 49682, 80 (CMCSUS, Germany); log.angersummer.xyz 172.67.152.155 (CLOUDFLARENETUS, United States); londontownlink.com 164.92.247.217 (ASN-DPSDUS, United States)
      Dropped: C:\Users\user\AppData\Local\Temp\...\s1.exe (PE32); C:\Users\user\AppData\Local\Temp\...\s0.exe (PE32); C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
      Signatures: Performs DNS queries to domains with low reputation
      s0.exe
        Network: 45.12.253.56, 49688, 80 (CMCSUS, Germany); 45.12.253.72, 49689, 80 (CMCSUS, Germany); 2 other IPs or domains
        Dropped: C:\Users\user\AppData\...\777LyGTS.exe (PE32); C:\Users\user\AppData\...\LNuqTac6.exe (PE32); C:\Users\user\AppData\Roaming\...\T9806n.exe (PE32); 7 other malicious files
        Signatures: Multi AV Scanner detection for dropped file
        777LyGTS.exe
          Dropped: C:\Users\user\AppData\Local\...\v7ra2.exe (PE32); C:\Users\user\AppData\...\imzi9tku9w.exe (PE32)
          Signatures: Multi AV Scanner detection for dropped file
          cmd.exe
            v7ra2.exe
              Signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes
              RegSvcs.exe
                Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
                AppLaunch.exe
                  Network: github.com 140.82.121.4 (GITHUBUS, United States); raw.githubusercontent.com 185.199.108.133 (FASTLYUS, Netherlands); pastebin.com 104.20.67.143 (CLOUDFLARENETUS, United States)
                  Dropped: C:\ProgramData\Dllhost\winlogson.exe (PE32+); C:\ProgramData\Dllhost\dllhost.exe (PE32); C:\ProgramData\Dllhost\WinRing0x64.sys (PE32+); C:\ProgramData\HostData\logs.uce (ASCII)
                  Signatures: Sample is not signed and drops a device driver
                  cmd.exe
                    Signatures: Encrypted powershell cmdline option found
                    conhost.exe
                  cmd.exe
                  cmd.exe
                conhost.exe
              WerFault.exe
            imzi9tku9w.exe
              Signatures: Injects a PE file into a foreign processes
              RegSvcs.exe
              WerFault.exe
            conhost.exe
            cmd.exe
        LNuqTac6.exe
          Network: t.me 149.154.167.99, 443, 49692 (TELEGRAMRU, United Kingdom); 88.99.124.27, 1010, 49693 (HETZNER-ASDE, Germany); 2 other IPs or domains
          Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); 2 other signatures
        T9806n.exe
          Dropped: C:\Users\user\AppData\...\edesupwbdh.dat (PE32+)
          cmd.exe
            Dropped: C:\Users\user\AppData\Local\...\conhost.exe (PE32)
            Signatures: Encrypted powershell cmdline option found
            conhost.exe
            conhost.exe
        11 other processes
          Cleaner.exe
            Signatures: Multi AV Scanner detection for dropped file
          conhost.exe
          conhost.exe
          taskkill.exe
      s1.exe
        Dropped: C:\Users\user\AppData\Roaming\...\decoder.dll (PE32); C:\Users\user\AppData\...\Windows Updater.exe (PE32); C:\Users\user\AppData\Local\...\shi982E.tmp (PE32+); 3 other malicious files
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2023-05-02 09:35:08 UTC
File Type: PE (Exe)
Extracted files: 14
AV detection: 15 of 24 (62.50%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash: a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash: 6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash: 603a36f817cab5574e58ab279379e5c112e5fb37

SHA256 hash: 12cfecf98d5c6d68d59d70debc7f49af009f3796ca53a0b7a1d2c4d99fcdb028
MD5 hash: f9d533362c74190219b3ed7a709f8f41
SHA1 hash: e64bb2f4c4b1bb38f5aae4b7236ed12a055bd72b

SHA256 hash: c4db7d1e957d2225520705672e86d4ee9d14cb8df62248c26d5442fd414d48a2
MD5 hash: 3c4ac73bd7b5f178cb17acd51769391e
SHA1 hash: 953ee8b296a9e726e5e110d5a85c54cd4be46364
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.
