MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8c2d9fd30bed8d8431437ce0453a27018e80c1500f89ad72d453737423a0ba0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 11



SHA256 hash: c8c2d9fd30bed8d8431437ce0453a27018e80c1500f89ad72d453737423a0ba0
SHA3-384 hash: 4e53c8edea5626a471cf7d08fb8bddfbfa3488b3cac7bb7850adb1233df86c9a7bb6dacff8b861a61f345efea1cd8555
SHA1 hash: aa9e46719212510f2dd3237361efb16066c834b3
MD5 hash: b5ae06be4454d7017b786c6bd51079ea
humanhash: nuts-comet-helium-robin
File name: b5ae06be4454d7017b786c6bd51079ea.exe
Signature: GCleaner
File size: 6'057'188 bytes
First seen: 2022-02-18 23:46:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 98304:xvqARneiRYYU8qbrpctFXrYzVZUIYjrNBe7Uo3iLIfWxPZ1RMhhCyOt9eXJ4BYy6:xJRPq582FArZ3jrKUoyLIfSZ1R+OtuJf
Threatray: 5'874 similar samples on MalwareBazaar
TLSH: T1EE563300BBFC4077EF2045B45E0CAFF169EC96B8072A8C6B6B982D4C5CAC6A57D4165F
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe gcleaner


abuse_ch
GCleaner C2:
185.81.114.134:81

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
185.81.114.134:81    https://threatfox.abuse.ch/ioc/389290/
2.56.57.212:13040    https://threatfox.abuse.ch/ioc/389291/

Intelligence


File Origin
# of uploads: 1
# of downloads: 325
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Searching for the window
Running batch commands
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: mokes overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: SmokeLoader Socelars onlyLogger
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables Windows Defender (via service or powershell)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
Yara detected onlyLogger
Yara detected SmokeLoader
Yara detected Socelars
Yara Genericmalware
Behaviour
Behavior Graph: [interactive graph not reproduced] Behavior Graph ID: 574970, Sample: yBOQ9K4O9e.exe, Startdate: 19/02/2022, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.Tiggre
Status: Malicious
First seen: 2022-02-15 15:46:34 UTC
File Type: PE (Exe)
Extracted files: 423
AV detection: 31 of 43 (72.09%)
Threat level: 5/5
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments