MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6820216f0f3c79377dc2fbd0e82971910cccda00efa6de17fe0912076efacc3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6820216f0f3c79377dc2fbd0e82971910cccda00efa6de17fe0912076efacc3
SHA3-384 hash: 07dcd1eeb03a9700c6973afd700a829eda870332a668b11c258fa586a1b4ce6cfebd2e768252e6de75cf7578c34ba976
SHA1 hash: 2ca374c876946334a9f71d3b68f669791e1dc2ba
MD5 hash: 188332f8d229131789a0b760aec2dd91
humanhash: april-eight-sixteen-table
File name:188332f8d229131789a0b760aec2dd91
Download: download sample
Signature GCleaner
Create hunting rule
File size:331'264 bytes
First seen:2023-07-16 11:27:16 UTC
Last seen:2023-07-19 03:41:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0af0ab32fec6d387d477684bace95bf2 (1 x Stop, 1 x Tofsee, 1 x RedLineStealer)
ssdeep 6144:FLFccXjKG6w81kQOqQi+dzbObhnjuZpBKZ6oW/aT:FJLj16wrXhi2u5juZbMaM
Threatray 5'708 similar samples on MalwareBazaar
TLSH T1F4645B4392D0FD54E9295B32CE2FC3E8764EF6508E497BA56129AE2F04B30B2D173749
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 71f0696969696923 (1 x GCleaner)
Reporter zbetcheckin
Tags:32 exe FruitMiX gcleaner

Intelligence

File Origin
# of uploads :
2
# of downloads :
320
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
ae13c397b88228c9300476c26f6758f0
Verdict:
Malicious activity
Analysis date:
2023-07-16 04:21:18 UTC
Tags:
amadey trojan loader smoke
Link:
https://app.any.run/tasks/522ef103-ef25-4b16-b63d-1c89159b43fe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Nymaim
Create hunting rule
Link:
https://www.capesandbox.com/analysis/421552/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/64b3d443fd9e198dc1149a54/reports/646bb6f6-e83c-4e3d-8815-811995b7c195/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/c6820216f0f3c79377dc2fbd0e82971910cccda00efa6de17fe0912076efacc3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8d515db3-f3b7-4698-ac7f-35defe5a4154
Result
Threat name:
Nymaim
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1273955
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Nymaim
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1273955 Sample: QsvFJjljYu.exe Startdate: 16/07/2023 Architecture: WINDOWS Score: 100 40 45.12.253.72 CMCSUS Germany 2->40 42 45.12.253.75 CMCSUS Germany 2->42 44 45.12.253.98 CMCSUS Germany 2->44 50 Snort IDS alert for network traffic 2->50 52 Multi AV Scanner detection for domain / URL 2->52 54 Found malware configuration 2->54 56 6 other signatures 2->56 8 QsvFJjljYu.exe 14 2->8         started        signatures3 process4 dnsIp5 46 45.12.253.56, 49707, 80 CMCSUS Germany 8->46 58 Detected unpacking (changes PE section rights) 8->58 60 Detected unpacking (overwrites its own PE header) 8->60 12 WerFault.exe 9 8->12         started        16 WerFault.exe 9 8->16         started        18 WerFault.exe 9 8->18         started        20 7 other processes 8->20 signatures6 process7 dnsIp8 48 192.168.2.1 unknown unknown 12->48 26 C:\ProgramData\Microsoft\...\Report.wer, Unicode 12->26 dropped 28 C:\ProgramData\Microsoft\...\Report.wer, Unicode 16->28 dropped 30 C:\ProgramData\Microsoft\...\Report.wer, Unicode 18->30 dropped 32 C:\ProgramData\Microsoft\...\Report.wer, Unicode 20->32 dropped 34 C:\ProgramData\Microsoft\...\Report.wer, Unicode 20->34 dropped 36 C:\ProgramData\Microsoft\...\Report.wer, Unicode 20->36 dropped 38 3 other malicious files 20->38 dropped 22 conhost.exe 20->22         started        24 taskkill.exe 20->24         started        file9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c6820216f0f3c79377dc2fbd0e82971910cccda00efa6de17fe0912076efacc3/
Threat name:
Win32.Ransomware.Phobos
Create hunting rule
Status:
Malicious
First seen:
2023-07-15 20:11:55 UTC
File Type:
PE (Exe)
Extracted files:
54
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y2baefxq6pdzg564f66q5auxdeimztnab35g3yl74cisa5xpvtbq._file
Verdict:
malicious
Similar samples:
0875f2085b2f40b96db96d317cfdd1d870541182d4200de33fae9cbefaf07797
GCleaner
0c66455c62f9e8d2755760f97d5e51e26267682cc9a6ec15bae1f1d0bbeaaa65
GCleaner
51f7cb2bce2460bec286f14978cb796e6858be4335c10401a1fb9e54893cca92
GCleaner
60da6ce55330f4f38e98b39bf07cf75fdabd80296429f1538c48d5df499d48d2
GCleaner
a75c766167a44c78f3824d28780078cf2cc31522a55372958cefd5f3f093e4c1
GCleaner
de8385440c23789f44c418bdf2e30578559b1c6b142c820f081f81280d1c0888
GCleaner
f88b778d7c3819667ad835b83140d188c47d6897be4aa0ec7fc8ba16eb5490bd
GCleaner
+ 5'698 additional samples on MalwareBazaar
Result
Malware family:
gcleaner
Create hunting rule
Score:
  10/10
Tags:
family:gcleaner loader
Link:
https://tria.ge/reports/230716-nkzvksfd5z/
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Deletes itself
GCleaner
Malware Config
C2 Extraction:
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Unpacked files
SH256 hash:
b98acf1c6f5edc3a6eb80f9d5cc07eb8e2cc0f25f6d63e5f79a1090876e2d588
MD5 hash:
31bd047f848d0efc202b7406960872fe
SHA1 hash:
13b3409430b62ce3fee441f7eca58d827df47005
Detections:
Nymaim
Create hunting rule
win_nymaim_g0
Create hunting rule
win_gcleaner_w0
Create hunting rule
win_gcleaner_auto
Create hunting rule
Link:
https://www.unpac.me/results/541c1b1b-7a1d-4f51-9d6d-2d6a94c921c9/
Parent samples :
0c66455c62f9e8d2755760f97d5e51e26267682cc9a6ec15bae1f1d0bbeaaa65
60da6ce55330f4f38e98b39bf07cf75fdabd80296429f1538c48d5df499d48d2
f6cf800d44ff24fc1d1c06ccb0df605c5585f56fd041d335a5fe15628a1e9428
589f9841822ba66abe4cf94fc3f104307d13014de6d3ed4bc507873fe0653e2e
a75c766167a44c78f3824d28780078cf2cc31522a55372958cefd5f3f093e4c1
c6820216f0f3c79377dc2fbd0e82971910cccda00efa6de17fe0912076efacc3
dcba1aa4b4d92b68713b03f12985b0b0689055b3921e0273506d23f7e675ff52
e20d8500c29a288d9ba280531651ad74c81cfc4c77a95bc4f08cce232ff1b6aa
ee366039716c1ca70c1c1744faaf2aeeae8d780c6bbd438cc0c1fef3f7a57cc7
SH256 hash:
c6820216f0f3c79377dc2fbd0e82971910cccda00efa6de17fe0912076efacc3
MD5 hash:
188332f8d229131789a0b760aec2dd91
SHA1 hash:
2ca374c876946334a9f71d3b68f669791e1dc2ba
Link:
https://www.unpac.me/results/541c1b1b-7a1d-4f51-9d6d-2d6a94c921c9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c6820216f0f3c79377dc2fbd0e82971910cccda00efa6de17fe0912076efacc3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe c6820216f0f3c79377dc2fbd0e82971910cccda00efa6de17fe0912076efacc3

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2683786/
Cape
Cape
https://www.capesandbox.com/analysis/421552/

Comments


Avatar
zbet commented on 2023-07-16 11:27:17 UTC

url : hxxp://45.9.74.80/new/setup.exe