MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c864ec31f34d9628ff59965b1a43eb4ec2fa511a30d36fd45a862ff5efd7ad8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c864ec31f34d9628ff59965b1a43eb4ec2fa511a30d36fd45a862ff5efd7ad8e
SHA3-384 hash: f0557e1c2525da0f5b61aaaaa6a532de14197d050f45e3a3af1e0e640d77fbc70bab3a60f84cf1d9ba8f06135fc4df1a
SHA1 hash: 42c2269f390a22b283ca72158a0481416a139107
MD5 hash: fcb755961054f48694eb13170b93a195
humanhash: kilo-nebraska-comet-butter
File name:fcb755961054f48694eb13170b93a195.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:441'856 bytes
First seen:2021-10-18 12:32:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f62cde959e9e12a6ba3449e452359154 (6 x RaccoonStealer, 1 x GCleaner)
ssdeep 12288:6H2Bc9c+G8OVZqkPQItMi4IUbEbmEJyNVlmWweMMM:6HOkQPqkPQIB4IjJyNVNMMM
Threatray 116 similar samples on MalwareBazaar
TLSH T11594AF10A661C039F5F252F98ABA9378A52E7FE16B2450CB53D51BEE97355E0EC3030B
File icon (PE):PE icon
dhash icon 48a4f0c8c4c8f0c1 (1 x GCleaner)
Reporter abuse_ch
Tags:exe gcleaner

Intelligence

File Origin
# of uploads :
1
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Gcleaner
Create hunting rule
Link:
https://www.capesandbox.com/analysis/198171/
Detection(s):
Win.Trojan.Generic-9903173-0
Create hunting rule

Win.Trojan.Generic-9903177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt to an infection source
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
exploit greyware packed
Link:
https://www.filescan.io/uploads/616d6982db358dd15ebf6dd7/reports/be60f989-43c5-445a-a98c-f20a177e29e1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a7180dac-5a6a-43db-aa77-f4a0849542d7
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/872597
Signature
Antivirus detection for URL or domain
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c864ec31f34d9628ff59965b1a43eb4ec2fa511a30d36fd45a862ff5efd7ad8e/
Threat name:
Win32.Trojan.BotX
Create hunting rule
Status:
Malicious
First seen:
2021-10-17 17:47:00 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zbsoymptjwlcr72zsznruq7lj3bpuui2gdjw7vc2qyx7l36xvwha._file
Verdict:
malicious
Similar samples:
02883fa63667972547fe36023646554c3d2895b41c5a8683ab5b2292f5d2d464
GCleaner
6c2ad98af84288aff6f49ae92f9f71befbfaa4ac35d1a05b1441f1ce15124ee0
GCleaner
b18aad2f2f6dd798cb2e30e96d2825aa9c21c32611a699790319d94b70b92e21
GCleaner
ca77cc344a3c2f6ab1cbee4e6da2ba30f3a14b824bdc00a0da73271e8c365e14
GCleaner
ccfd37710068b3998537ac325e29555ba9375ebf1230cf90e9dcf133e06bcdf3
GCleaner
dd43bb324c3d7cd49b899331e1e43a0aa2746d00c4cbb693c4ebc1a9c6425624
GCleaner
fe622c4801737dede008dfecf2bcf48316f0adebbc080d27a2664ee8b606415c
GCleaner
+ 106 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata
Link:
https://tria.ge/reports/211018-pq7ytaeecm/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Deletes itself
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE GCleaner Downloader Activity M5
Unpacked files
SH256 hash:
630a641bebd6ded36fb1c42520e4c7ddc5ace49436dede6c255d8f12ddbfbe54
MD5 hash:
cbbdd5a549a37602019203e20a21866a
SHA1 hash:
50c80b98548b24565decfa94c034b43b753a197a
Link:
https://www.unpac.me/results/f2a76c27-99c3-42bd-a2da-cfb78b8b80ba/
SH256 hash:
c864ec31f34d9628ff59965b1a43eb4ec2fa511a30d36fd45a862ff5efd7ad8e
MD5 hash:
fcb755961054f48694eb13170b93a195
SHA1 hash:
42c2269f390a22b283ca72158a0481416a139107
Link:
https://www.unpac.me/results/f2a76c27-99c3-42bd-a2da-cfb78b8b80ba/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c864ec31f34d9628ff59965b1a43eb4ec2fa511a30d36fd45a862ff5efd7ad8e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/198171/

Comments