MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c67037c258ab3294e4d8a13e83d4256845b48dbf9568483c58a2b9e3c17db1b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 12


Intelligence 12 IOCs 2 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c67037c258ab3294e4d8a13e83d4256845b48dbf9568483c58a2b9e3c17db1b0
SHA3-384 hash: f9219d66a5b77a15fde3b0a1f6a27a7a4fcb99df03f41383d93d89b2121c4c7f0a33981a9f448049d8e11f0a70892b7b
SHA1 hash: bc69db46d8d9bb4dea16789d47ce8cc0d81451e8
MD5 hash: 7cdd8a8e0fab1b1661cac6b8a442bc6a
humanhash: black-river-florida-butter
File name:C67037C258AB3294E4D8A13E83D4256845B48DBF95684.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:3'516'573 bytes
First seen:2021-11-09 12:06:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep 98304:SKqyVpUv6IelYLRSljOwuKQXl8LSZ8Z56Nj6qDI6AHZQTgJ:S6pUv6IFLgljOGQXl8LSk5W6BfQsJ
Threatray 217 similar samples on MalwareBazaar
TLSH T19FF522C3B78D87ECD1B1DD3414F496618C386D205E2389DA5398FDFC2DB04A1AA66A37
File icon (PE):PE icon
dhash icon f0f0e8dcdce8f0f0 (1 x RedLineStealer, 1 x GCleaner)
Reporter abuse_ch
Tags:exe gcleaner


Avatar
abuse_ch
GCleaner C2:
http://194.180.174.182/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://194.180.174.182/ https://threatfox.abuse.ch/ioc/245154/
70.36.97.202:27526 https://threatfox.abuse.ch/ioc/245430/

Intelligence

File Origin
# of uploads :
1
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://cracknet.net
Verdict:
Malicious activity
Analysis date:
2021-09-09 00:26:09 UTC
Tags:
evasion trojan rat azorult stealer raccoon loader fareit pony redline vidar danabot
Link:
https://app.any.run/tasks/3ce3f7e0-617e-4f17-a168-1a42a186a013

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLInjector04
Create hunting rule
Link:
https://www.capesandbox.com/analysis/204467/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader40.49527.6517.21589.UNOFFICIAL
Create hunting rule

PUA.Win.Packer.PECompact-2
Create hunting rule

Win.Packed.Generic-9891538-0
Create hunting rule

Win.Malware.Raccoon-9891492-1
Create hunting rule

Win.Packed.Raccoon-9894107-1
Create hunting rule

Win.Malware.Zusy-9891357-0
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/618a6469175442ca93a90b26/reports/c78c12da-c745-4ec4-bdc6-023fee3a9c0e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mokes
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e9ce18af-1b66-4412-a175-98eba0a32021
Result
Threat name:
Backstage Stealer BitCoin Miner Cookie S
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/885954
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to a pastebin service (likely for C&C)
Contains functionality to steal Chrome passwords or cookies
Creates files with lurking names (e.g. Crack.exe)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DNS related to crypt mining pools
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Sample is not signed and drops a device driver
Sigma detected: Windows Crypto Mining Indicators
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Backstage Stealer
Yara detected BitCoin Miner
Yara detected Cookie Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 518424 Sample: C67037C258AB3294E4D8A13E83D... Startdate: 09/11/2021 Architecture: WINDOWS Score: 100 85 213.32.74.157, 14433, 49848 OVHFR France 2->85 87 pastebin.com 104.23.98.190, 443, 49849 CLOUDFLARENETUS United States 2->87 89 9 other IPs or domains 2->89 125 Sigma detected: Xmrig 2->125 127 Malicious sample detected (through community Yara rule) 2->127 129 Antivirus detection for dropped file 2->129 131 18 other signatures 2->131 10 C67037C258AB3294E4D8A13E83D4256845B48DBF95684.exe 14 2->10         started        14 svchost.exe 2->14         started        16 services64.exe 2->16         started        signatures3 process4 file5 71 C:\Users\user\AppData\Local\...\md1_1eaf.exe, PE32 10->71 dropped 73 C:\Users\user\AppData\Local\...\Setup.exe, PE32 10->73 dropped 75 C:\Users\user\AppData\...\PBrowFile28.exe, PE32 10->75 dropped 77 3 other malicious files 10->77 dropped 169 Creates files with lurking names (e.g. Crack.exe) 10->169 18 PBrowFile28.exe 7 10->18         started        22 md1_1eaf.exe 10->22         started        25 Crack.exe 2 10->25         started        27 WerFault.exe 14->27         started        29 WerFault.exe 14->29         started        signatures6 process7 dnsIp8 61 C:\Users\user\AppData\Local\Temp\jhuuee.exe, PE32+ 18->61 dropped 63 C:\Users\user\...\PublicDwlBrowser188.exe, PE32 18->63 dropped 65 C:\Users\user\AppData\Local\Temp\2.exe, PE32 18->65 dropped 69 2 other files (none is malicious) 18->69 dropped 133 Antivirus detection for dropped file 18->133 135 Multi AV Scanner detection for dropped file 18->135 137 Machine Learning detection for dropped file 18->137 31 chrome3.exe 5 18->31         started        34 PublicDwlBrowser188.exe 15 3 18->34         started        38 2.exe 18->38         started        44 2 other processes 18->44 105 186.2.171.3, 49773, 80 DDOS-GUARDCORPBZ Belize 22->105 107 iplogger.org 22->107 67 C:\Users\user\Documents\...\md1_1eaf.exe, PE32 22->67 dropped 139 Detected unpacking (changes PE section rights) 22->139 141 May check the online IP address of the machine 22->141 143 Tries to harvest and steal browser information (history, passwords, etc) 22->143 40 Crack.exe 1 25->40         started        42 conhost.exe 25->42         started        file9 signatures10 process11 dnsIp12 79 C:\Users\user\AppData\...\services64.exe, PE32+ 31->79 dropped 46 services64.exe 31->46         started        51 cmd.exe 31->51         started        91 iplogger.org 88.99.66.31, 443, 49769, 49771 HETZNER-ASDE Germany 34->91 101 5 other IPs or domains 34->101 145 Antivirus detection for dropped file 34->145 147 Multi AV Scanner detection for dropped file 34->147 149 Detected unpacking (changes PE section rights) 34->149 151 Detected unpacking (overwrites its own PE header) 34->151 93 qwertys.info 172.67.194.30, 443, 49766 CLOUDFLARENETUS United States 38->93 153 Creates HTML files with .exe extension (expired dropper behavior) 38->153 155 Machine Learning detection for dropped file 38->155 95 live.goatgame.live 40->95 97 192.168.2.1 unknown unknown 40->97 53 conhost.exe 40->53         started        99 ip-api.com 208.95.112.1, 49765, 80 TUT-ASUS United States 44->99 103 2 other IPs or domains 44->103 157 Contains functionality to steal Chrome passwords or cookies 44->157 159 Tries to harvest and steal browser information (history, passwords, etc) 44->159 55 WerFault.exe 44->55         started        file13 161 System process connects to network (likely due to code injection or exploit) 95->161 163 May check the online IP address of the machine 95->163 165 Performs DNS queries to domains with low reputation 95->165 167 DNS related to crypt mining pools 95->167 signatures14 process15 dnsIp16 109 github.com 140.82.121.3, 443, 49776 GITHUBUS United States 46->109 111 raw.githubusercontent.com 185.199.110.133, 443, 49778 FASTLYUS Netherlands 46->111 113 sanctam.net 46->113 81 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 46->81 dropped 83 C:\Users\user\AppData\...\sihost64.exe, PE32+ 46->83 dropped 115 Injects code into the Windows Explorer (explorer.exe) 46->115 117 Writes to foreign memory regions 46->117 119 Allocates memory in foreign processes 46->119 123 3 other signatures 46->123 121 Uses schtasks.exe or at.exe to add and modify task schedules 51->121 57 conhost.exe 51->57         started        59 schtasks.exe 51->59         started        file17 signatures18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c67037c258ab3294e4d8a13e83d4256845b48dbf9568483c58a2b9e3c17db1b0/
Threat name:
Win32.Infostealer.Passteal
Create hunting rule
Status:
Malicious
First seen:
2021-09-10 08:36:00 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yzydpqsyvmzjjzgyue7ihvbfnbc3jdn7svueqpcyuk46hql5wgya._file
Verdict:
malicious
Similar samples:
0a823cbd6a32a10c927253fa40466c8a3177e487ee7895a8a2e244a9b4c415fc
GCleaner
4468428f16aeb36c8c1a53f40c68806473201d37d94b6ac8f1c0d324d1e17006
GCleaner
4cd754af5d3b9faa7e9626f79fccc35464224247a10f4d01ef502a0423e637a7
GCleaner
935099f2160f2dd5fec6a63ea02c81d80c0b2cbf712b0e48b386a81078a627dd
GCleaner
a7dfdd77617ff0d9ab80e43a147683d595b231369ddf9c18d2c4bf68d5133d3a
GCleaner
c9371cc485825207fe107e6600c14cfd9049c34f74c8c7332f16a20afea88164
GCleaner
fff25302774366cdb466fa0e4015f9c7de93fd0192585a3cab2e2f51b635047c
GCleaner
+ 207 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb family:redline family:smokeloader family:xmrig backdoor banker evasion infostealer miner spyware stealer suricata themida trojan vmprotect
Link:
https://tria.ge/reports/211109-paa9xaccbq/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
XMRig Miner Payload
Gozi, Gozi IFSB
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
xmrig
Malware Config
C2 Extraction:
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Unpacked files
SH256 hash:
2a8f8f346efcab91c1227649eef4cb923af39c18352542af8b40bcfc604f78b4
MD5 hash:
fd5113b674216c8395b8857209d7f7a3
SHA1 hash:
6a79e85ab36e08f1a97699f19e3c3558e41257ce
Link:
https://www.unpac.me/results/40941f50-e062-4ff8-a71a-cb797adf4294/
SH256 hash:
2dd1f8e9e635065172c063a043518f8cccdd0fcad44ae6efb7ca5e5e8e51c994
MD5 hash:
164d085232ae95f59c1453e45d2c3c97
SHA1 hash:
35f9f42205cf98129c5748ac001f246e863f982b
Link:
https://www.unpac.me/results/40941f50-e062-4ff8-a71a-cb797adf4294/
SH256 hash:
3bad85e5c9579d5999a57c840a428b8e582e268cc474ccffb070c4ad2e9ec3a3
MD5 hash:
a695b90319a5fe54b5a987ba51f2da30
SHA1 hash:
2ba801f094a6e50bef8e0d6ba3b4293ed1b78753
Link:
https://www.unpac.me/results/40941f50-e062-4ff8-a71a-cb797adf4294/
SH256 hash:
8910e28abfb8d69c1df71dcdbc303602ae9216e7d2905ea6c1792cb01bd80434
MD5 hash:
c296942def43c8323f9393887c3910c8
SHA1 hash:
3e4cc399c66f831ee10145115aef4e8c5a5582ca
Link:
https://www.unpac.me/results/40941f50-e062-4ff8-a71a-cb797adf4294/
SH256 hash:
90949911b0abe9511523d46a31c61b3a8d0618f4170f0512620c80fb1a94408f
MD5 hash:
b37761da14aa7bab1319e94ce9d3dadb
SHA1 hash:
05d8ec638c27cfff585cdd5d0c1fdcb494ea674c
Link:
https://www.unpac.me/results/40941f50-e062-4ff8-a71a-cb797adf4294/
SH256 hash:
fb4c0c7289f7bbc747304e63c9b3777d3ae087cbf6c34dcf758c546ba8502a6e
MD5 hash:
ea5403cefd2de7f2b9ff177a8c0492f5
SHA1 hash:
d98d917bab8ee519f8d66cf60d44124d6d591f33
Link:
https://www.unpac.me/results/40941f50-e062-4ff8-a71a-cb797adf4294/
SH256 hash:
7dba894d572fdf587f6163ccf3b28ad84e46595a52b5403db75144b489c063e7
MD5 hash:
95ba9a86c8e5ff9dde1e6b606b17491b
SHA1 hash:
3ff1143153c4d1ad1f0ad1dc79e1acba680d65b9
Link:
https://www.unpac.me/results/40941f50-e062-4ff8-a71a-cb797adf4294/
SH256 hash:
827282fbce087891bac89b6ae52f039bb8402f86e82e3fbe0ac236b8b4163e94
MD5 hash:
e323bbf869a0935c233ad1acef8c627e
SHA1 hash:
2b1de042eecf9103fb99711c6e9045c66e746169
Link:
https://www.unpac.me/results/40941f50-e062-4ff8-a71a-cb797adf4294/
SH256 hash:
ec10022761cc5408f59921e100768ec844ac155b6500ebf542caa1f002d43deb
MD5 hash:
0a1ecca312b732d6d12e57adda1c781b
SHA1 hash:
6b7966c12502a81da1a2760f31146faa283f7d15
Link:
https://www.unpac.me/results/40941f50-e062-4ff8-a71a-cb797adf4294/
SH256 hash:
c67037c258ab3294e4d8a13e83d4256845b48dbf9568483c58a2b9e3c17db1b0
MD5 hash:
7cdd8a8e0fab1b1661cac6b8a442bc6a
SHA1 hash:
bc69db46d8d9bb4dea16789d47ce8cc0d81451e8
Link:
https://www.unpac.me/results/40941f50-e062-4ff8-a71a-cb797adf4294/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c67037c258ab3294e4d8a13e83d4256845b48dbf9568483c58a2b9e3c17db1b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:XOREngine_Misc_XOR_Func
Create hunting rule
Author:smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/204467/

Comments