MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5528f76191477d30f3d6451d82bf0015d9a3706565fddd37e87130635f3182c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 12

SHA256 hash: c5528f76191477d30f3d6451d82bf0015d9a3706565fddd37e87130635f3182c
SHA3-384 hash: 14d688510e8f56be6feec67021dae1178e45bfca2f58b221935487a9f7b8d32ffc78f297490705e575857e46e5ad76fd
SHA1 hash: 789dad79552581e4b24cb0b57d36aba44200041d
MD5 hash: 57c9479f9b4b3a71a8af9f8bfb7dda53
humanhash: sink-angel-washington-california
File name: 57C9479F9B4B3A71A8AF9F8BFB7DDA53.exe
Download: download sample
Signature: GCleaner
File size: 4'827'122 bytes
First seen: 2021-08-11 21:10:48 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 98304:xvCvLUBsgObqoJ9Gc8Jgm+JfewzfSAE9ql4WQAVFOKNPi7QZW4/A:xcLUCgObqq9Umm+JjzfVEw4WLZWaA
Threatray: 293 similar samples on MalwareBazaar
TLSH: T108263310BBE2D0FBCDA902319F8D2FB6607C875A0B104ED77755C54E2AA5913A32B94F
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe gcleaner


abuse_ch
GCleaner C2:
http://74.119.195.135/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                                       ThreatFox Reference
http://74.119.195.135/                    https://threatfox.abuse.ch/ioc/171652/
http://cleaner-partners.top/decision.php  https://threatfox.abuse.ch/ioc/172113/
45.14.49.128:16334                        https://threatfox.abuse.ch/ioc/172157/

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 150
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Deleting a recently created file
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine Socelars Vidar Xmrig
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID: 463698; Sample: zd2hmJErfx.exe; Start date: 11/08/2021; Architecture: WINDOWS; Score: 100)

Start
  Network: 88.99.66.31 (HETZNER-ASDE, Germany); 185.65.135.248 (ESAB-ASSE, Sweden); 5 other IPs or domains
  Signatures: Antivirus detection for URL or domain; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 12 other signatures
  Started: zd2hmJErfx.exe; svchost.exe

zd2hmJErfx.exe
  Dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\AppData\...\libwinpthread-1.dll (PE32); C:\Users\user\AppData\...\libstdc++-6.dll (PE32); 3 other files (none is malicious)
  Started: setup_install.exe

setup_install.exe
  Network: 104.21.54.206 (CLOUDFLARENETUS, United States); 127.0.0.1
  Dropped: C:\Users\user\...\eb1988139610f343.exe (PE32); C:\Users\user\AppData\...\9a3e880c6937.exe (PE32); C:\Users\user\AppData\...\66c299e192.exe (PE32); 7 other files (2 malicious)
  Started: cmd.exe (three instances); 8 other processes

cmd.exe -> 9a3e880c6937.exe
  Network: 37.0.10.236 (WKD-ASIE, Netherlands); 37.0.11.8 (WKD-ASIE, Netherlands); 15 other IPs or domains
  Dropped: C:\Users\...\xpebwx3u9T2R05dDglrBQVny.exe (PE32); C:\Users\...\s_ldKTCm35_ooM2o_fnnTf6N.exe (PE32); C:\Users\...\lEdEOLLoI_lw4du6llpmPhFA.exe (PE32); 41 other files (37 malicious)
  Signatures: Drops PE files to the document folder of the user; Tries to harvest and steal browser information (history, passwords, etc); Disable Windows Defender real time protection (registry)

cmd.exe -> eb1988139610f343.exe
  Network: 2 other IPs or domains
  Dropped: 12 other files (none is malicious)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Crypto Currency Wallets

cmd.exe -> 66c299e192.exe
  Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)

8 other processes -> 2e7285fd71.exe
  Signatures: Creates processes via WMI
  Started: 2e7285fd71.exe (child instance)
    Network: 104.21.70.98 (CLOUDFLARENETUS, United States); 192.168.2.1
    Dropped: C:\Users\user\AppData\Local\Temp\sqlite.dll (PE32)
    Started: conhost.exe

8 other processes -> fcc788d66.exe
  Network: 172.67.190.140 (CLOUDFLARENETUS, United States)
  Dropped: C:\Users\user\AppData\Roaming\7951826.exe (PE32); 3 other files (none is malicious)

8 other processes -> 1ac1015ba6795c5.exe
  Dropped: 2 other files (none is malicious)
  Started: 1cr.exe

8 other processes -> 3 other processes
  Network: 208.95.112.1 (TUT-ASUS, United States); 3 other IPs or domains
  Dropped: 5 other files (none is malicious)
Threat name:
Win32.Spyware.Socelars
Status:
Malicious
First seen:
2021-08-10 12:10:27 UTC
AV detection:
23 of 46 (50.00%)
Threat level:
  2/5
Result
Malware family:
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:socelars family:vidar botnet:39b871ed120e56ecbdc546b8a8a78c4e5516bc1f botnet:706 botnet:7new botnet:916 aspackv2 backdoor infostealer persistence stealer suricata trojan
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Process spawned unexpected child process
Raccoon
Raccoon Stealer Payload
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Malware Config
C2 Extraction:
https://prophefliloc.tumblr.com/
sytareliar.xyz:80
yabelesatg.xyz:80
ceneimarck.xyz:80
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
https://lenak513.tumblr.com/
Unpacked files

SHA256 hash: 61494bca647b46aa9c7cfe3530385a7d6f9dc2287c9b0b4fd61dfa701ba7a4ad
MD5 hash: df2208cc1e06995916314451713aa5b0
SHA1 hash: ae2d9d9cdbe24556f5359b13767533bbe9c046d1

SHA256 hash: a19adea0a2b66cfcb23eebd1d1ff9d854eccd4dc65536a45665c149da4ff6265
MD5 hash: 117c7ff5dd9efc0b059f64520f2d4f46
SHA1 hash: ff07b1fcc58aa62b42d797981e0d953d9f9e0120

SHA256 hash: 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
MD5 hash: 0965da18bfbf19bafb1c414882e19081
SHA1 hash: e4556bac206f74d3a3d3f637e594507c30707240

SHA256 hash: b91ab30061e7c4bcf5249492c5d9216d03f848561e8ed46e0dfc818298ebebdd
MD5 hash: 2f581d722cd1c7cc9f9c29569c7d32b1
SHA1 hash: deb8843ca6bf82ad0e141c886ba2332c14d0eab7

SHA256 hash: 081f98edcc1f80cf0ce2c428a9324820ed6f039ffbff4dbd5566d95cc0b5cdf3
MD5 hash: 914ed92ed191f615e8fde6c30586a1dd
SHA1 hash: d83a6c7764636122e91311bf526fd31fdf89ae97

SHA256 hash: 9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2
MD5 hash: 3263859df4866bf393d46f06f331a08f
SHA1 hash: 5b4665de13c9727a502f4d11afb800b075929d6c

SHA256 hash: fa64075d63724c29bd96e172b3a59c4db6bc80462f8d4408b0676436958a4f1a
MD5 hash: 0f3487e49d6f3a5c1846cd9eebc7e3fc
SHA1 hash: 17ba797b3d36960790e7b983c432f81ffb9df709

SHA256 hash: a7abe50505fc2fd6a920828b3cad0d45756d5c645dbed69f1fbabb006a78f9ec
MD5 hash: c94637bcd99414ea70328b46a9ae9a97
SHA1 hash: f6cc4ffa67c2092e7535921d716db695cd4a7222

SHA256 hash: 83c2a2cfd871019e276346507fcceb9ca41834dab06bd309c07ededc6795e95d
MD5 hash: dd2bd2d64ae4a04fca8f20345e14ed68
SHA1 hash: e7701f7f28942d94894486dfda26b0fd943b3922

SHA256 hash: a5f373f8bcfae3d9f4895c477206de63f66f08e66b413114cf2666bed798eb71
MD5 hash: 7aaf005f77eea53dc227734db8d7090b
SHA1 hash: b6be1dde4cf73bbf0d47c9e07734e96b3442ed59

SHA256 hash: 0d43ea2a7557cd0c50b93f755fb483bc78018f626c18cf9c46c36bbaf5c45e7f
MD5 hash: 6680a46d684d7d50cf8bd594f3918be0
SHA1 hash: 1ea9a8c835fecc952057094073595accdc388eb8

SHA256 hash: ab883a9fae91f7e7df7489b0c84b06b5ca0edf7db4f420bcdd61c8bc171fc7f8
MD5 hash: 596f028c80b22d7596ab5a03c238b09c
SHA1 hash: 577eb4330fe75fb14ee596118cab3d7424ce5caa
Detections: win_socelars_auto

SHA256 hash: 43afaca63b19649a79e189c11997090fa2aba4eb640910af4cc1cd258f07aa3a
MD5 hash: 4751983df6b0baa367d0fa4c79be7896
SHA1 hash: 677bd0379b16c16807098b6a23ef25bf9017e900

SHA256 hash: c5528f76191477d30f3d6451d82bf0015d9a3706565fddd37e87130635f3182c
MD5 hash: 57c9479f9b4b3a71a8af9f8bfb7dda53
SHA1 hash: 789dad79552581e4b24cb0b57d36aba44200041d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_Raccoon
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:MALWARE_Win_Vidar
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:RedOctoberPluginCollectInfo
Rule name:SUSP_XORed_MSDOS_Stub_Message
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Vidar
Author:kevoreilly
Description:Vidar Payload
Rule name:win_raccoon_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments