MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9de02209482359466292be7bc0464fc65037698b38c1566cd331720e65f8ea0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9de02209482359466292be7bc0464fc65037698b38c1566cd331720e65f8ea0
SHA3-384 hash: a60c49a1d43b85778ee0d7d2778d53604d9c8bc3acb83ed298af65960350944cd58a10e5904ed46bab8c0b93555ddfee
SHA1 hash: 5576b3328390498bd9706c1e3b1e9e48dd478906
MD5 hash: 7d4ed604a4f010d09afd1b2c396d396f
humanhash: mango-oklahoma-shade-hot
File name:C9DE02209482359466292BE7BC0464FC65037698B38C1.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:5'332'875 bytes
First seen:2021-11-09 11:57:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:yaweFJEwamljlXog5veRcqBaYLJ1M4kc2f5ujNBC7S7ymAvuTeKabZdujw:yawvkX1vYl17kcGQNc7S7/ArFdqw
TLSH T1CA36330BCF7841E6C6B4BB7009BE9C68A1F929ED610146039B21E77556B09AEED3CD70
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe gcleaner


Avatar
abuse_ch
GCleaner C2:
70.36.97.202:27526

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
70.36.97.202:27526 https://threatfox.abuse.ch/ioc/245430/

Intelligence

File Origin
# of uploads :
1
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/204463/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.Socelars-9897110-1
Create hunting rule

Win.Packed.Socelars-9898166-1
Create hunting rule

Win.Packed.Socelars-9901328-1
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys overlay packed redline
Link:
https://www.filescan.io/uploads/618a624e175442ca93a908b0/reports/23110267-9e41-4faa-a5ed-c071a056a8f9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1e15ca97-052f-4cfb-a7b4-3259bf682d66
Result
Threat name:
RedLine Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/885949
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Downloads files with wrong headers with respect to MIME Content-Type
Found C&C like URL pattern
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to resolve many domain names, but no domain seems valid
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 518426 Sample: C9DE02209482359466292BE7BC0... Startdate: 09/11/2021 Architecture: WINDOWS Score: 100 87 toa.mygametoa.com 2->87 89 people4jan.com 2->89 91 57 other IPs or domains 2->91 101 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->101 103 Antivirus detection for URL or domain 2->103 105 Antivirus detection for dropped file 2->105 109 20 other signatures 2->109 11 C9DE02209482359466292BE7BC0464FC65037698B38C1.exe 10 2->11         started        signatures3 107 Tries to resolve many domain names, but no domain seems valid 89->107 process4 file5 59 C:\Users\user\AppData\...\setup_installer.exe, PE32 11->59 dropped 14 setup_installer.exe 21 11->14         started        process6 file7 61 C:\Users\user\AppData\...\setup_install.exe, PE32 14->61 dropped 63 C:\Users\user\...\Mon11d8fb179d3e13f5c.exe, PE32+ 14->63 dropped 65 C:\Users\user\...\Mon11d864040c1a95.exe, PE32 14->65 dropped 67 16 other files (11 malicious) 14->67 dropped 17 setup_install.exe 1 14->17         started        process8 dnsIp9 69 127.0.0.1 unknown unknown 17->69 71 hsiens.xyz 17->71 97 Performs DNS queries to domains with low reputation 17->97 99 Adds a directory exclusion to Windows Defender 17->99 21 cmd.exe 1 17->21         started        23 cmd.exe 17->23         started        25 cmd.exe 1 17->25         started        27 6 other processes 17->27 signatures10 process11 signatures12 30 Mon116b857aaf309275.exe 21->30         started        33 Mon116bdaa602b8f5f.exe 23->33         started        36 Mon11b8ea393f19.exe 2 25->36         started        111 Adds a directory exclusion to Windows Defender 27->111 39 Mon1127ea329ceca.exe 15 2 27->39         started        41 Mon11c63d4708ff.exe 6 27->41         started        43 Mon1128949d3c7.exe 27->43         started        45 powershell.exe 25 27->45         started        process13 dnsIp14 113 Antivirus detection for dropped file 30->113 115 Multi AV Scanner detection for dropped file 30->115 117 Machine Learning detection for dropped file 30->117 125 3 other signatures 30->125 81 2 other IPs or domains 33->81 57 C:\Users\user\AppData\...\Mon11b8ea393f19.tmp, PE32 36->57 dropped 119 Obfuscated command line found 36->119 47 Mon11b8ea393f19.tmp 36->47         started        73 software-services.bar 39->73 75 iplogger.org 39->75 83 3 other IPs or domains 39->83 121 May check the online IP address of the machine 39->121 85 2 other IPs or domains 41->85 77 c.goatgameh.com 43->77 79 192.168.2.1 unknown unknown 43->79 file15 123 Tries to resolve many domain names, but no domain seems valid 77->123 signatures16 process17 dnsIp18 93 safialinks.com 47->93 95 best-link-app.com 47->95 51 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 47->51 dropped 53 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 47->53 dropped 55 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 47->55 dropped file19
Detection:
vidar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c9de02209482359466292be7bc0464fc65037698b38c1566cd331720e65f8ea0/
Threat name:
Win32.Infostealer.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-09-20 23:46:56 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zhpaeieuqi2zizrjfpt3ybde7rsqg5uywogbkzwngmlsbzs7r2qa._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:janesam aspackv2 backdoor discovery evasion infostealer spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/211109-n4631accal/
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.xxhufdc.top/
http://www.uefhkice.xyz/
http://www.znsjis.top/
http://www.hhgenice.top/
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
65.108.20.195:6774
https://petrenko96.tumblr.com/
Unpacked files
SH256 hash:
38046382500f1739883d2c53639ffbc5756843da7574fe3e6820724f522958e2
MD5 hash:
33600475b2cc5445df2d3809c3798311
SHA1 hash:
3cb60432de30b82e87b8b607e0180a7843128b5a
Link:
https://www.unpac.me/results/46a0d045-1d74-4fd9-bd97-9158a74a70d5/
Parent samples :
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
247d69da57e075f15e7fedc62ef99404f3e4e15988d35c598054f6771567b12a
MD5 hash:
0ef47ae88282ced5a011034e25a46e07
SHA1 hash:
4ee96fa7cf4c7c0d3d909a1726a48551a81aaf72
Link:
https://www.unpac.me/results/46a0d045-1d74-4fd9-bd97-9158a74a70d5/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/46a0d045-1d74-4fd9-bd97-9158a74a70d5/
SH256 hash:
bc8812703394a799d4aa9ac81dc1871e784de5c03273b26d2399935897a12826
MD5 hash:
e67916991085713a7695d91afa633611
SHA1 hash:
e8c108d75bbacfc1a5d16f17cfe81d0205e5ca40
Link:
https://www.unpac.me/results/46a0d045-1d74-4fd9-bd97-9158a74a70d5/
SH256 hash:
ab753f314f8289fa879dc906a5b3e78be5352ef06d0cfd908c2eba70d18d1785
MD5 hash:
56f6840b2b7e680f8323dd66226ed8e0
SHA1 hash:
bf635846ff4e054c7683448cb0ff14224b8d3558
Link:
https://www.unpac.me/results/46a0d045-1d74-4fd9-bd97-9158a74a70d5/
SH256 hash:
cac0630b4b7363b2ce624a14e89ac63524ca9e0fcb9312bc6f54e83b87a63224
MD5 hash:
f7f0a8ebdb76f2ded824bc03963e05a4
SHA1 hash:
ab1d92cb3ee7fd2131a6a293e76f3ba58fa06aa1
Link:
https://www.unpac.me/results/46a0d045-1d74-4fd9-bd97-9158a74a70d5/
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/46a0d045-1d74-4fd9-bd97-9158a74a70d5/
SH256 hash:
1d04bbabdb6da4db379ca057ac0d63fb27d8891b01cf3ffcb94573be1853ecaf
MD5 hash:
d58b4be4f3dec4843801511def20ae7d
SHA1 hash:
90be9caf1efa58d6ea70ae6783bfc8e05bd9ea16
Link:
https://www.unpac.me/results/46a0d045-1d74-4fd9-bd97-9158a74a70d5/
SH256 hash:
3247855139d41213b864feac0dab5060e8c5559c820314b1282bde1480ac544e
MD5 hash:
ce56ecd8f298df81b5a60b0a59264801
SHA1 hash:
6f36227373ffd40b2a44bdf117885f6e80fd7f41
Link:
https://www.unpac.me/results/46a0d045-1d74-4fd9-bd97-9158a74a70d5/
SH256 hash:
aff9ab692225614831ee1630686474da45ab76c978f91345309f76dc8f85c039
MD5 hash:
3a07caaa60f3b83b0e230fbfa6b0b357
SHA1 hash:
57d995c58ad58865787f32d7a1a0eedab1cf8e0f
Link:
https://www.unpac.me/results/46a0d045-1d74-4fd9-bd97-9158a74a70d5/
SH256 hash:
5ea52c2702f1066a8e20da718be8a44049bed207d6e11e51a2eb5e5fb59ca456
MD5 hash:
a46c08074e04a7c368f21e1711ece14a
SHA1 hash:
48ffb7750d6c4490f0db8fed6b2a48bec9563188
Link:
https://www.unpac.me/results/46a0d045-1d74-4fd9-bd97-9158a74a70d5/
SH256 hash:
5a5272aa0056cdd49beb92d290076eede4169d8b6549416f6435d6856130109c
MD5 hash:
436a32f4858a7a3965f0730d8749ff5a
SHA1 hash:
3ee45b739c64a76437780ab0407dfebfbdeca099
Link:
https://www.unpac.me/results/46a0d045-1d74-4fd9-bd97-9158a74a70d5/
SH256 hash:
f2debd3c116286de37018e91a8998b9888bf2fb47ed43aabe8f34efb8f5a2e2a
MD5 hash:
a920b31f7c864a2fb0ba57fb89671c0e
SHA1 hash:
3c0d04c21c9a52524ea9d505fbba5d9dec7f6b6a
Link:
https://www.unpac.me/results/46a0d045-1d74-4fd9-bd97-9158a74a70d5/
SH256 hash:
6ce626ff154cd42b714b1abf16b3d77d555ef160c62b5163a0832aac1a5ce4b5
MD5 hash:
32d788536505f9cca1d0b2fbd5ea5237
SHA1 hash:
307e70483b76627852276166686ac50aa29c419b
Link:
https://www.unpac.me/results/46a0d045-1d74-4fd9-bd97-9158a74a70d5/
SH256 hash:
ff236ccbd61d322a223e3152e768d0a195bde866d4debbe98929a80946382832
MD5 hash:
14b846dbd77dbedb574227310467d5fb
SHA1 hash:
01318111c3ae602914839f4f44f66dc095f3aa51
Link:
https://www.unpac.me/results/46a0d045-1d74-4fd9-bd97-9158a74a70d5/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/46a0d045-1d74-4fd9-bd97-9158a74a70d5/
SH256 hash:
0fbd853a669d4590b44cda0525f41aa99175133be439db7ca9cd575a2af2636b
MD5 hash:
bb4e4f419dbe419d5cdca7e8534ac023
SHA1 hash:
cdacd0ad82dcefa585734e751b1cea42161a9033
Link:
https://www.unpac.me/results/46a0d045-1d74-4fd9-bd97-9158a74a70d5/
SH256 hash:
36d5afdcb0fa8d512656aa5a59f34018885bb1b9dd5cc0780766552809cfb45f
MD5 hash:
4f9c74430d72b9500a0d99cc28fc7a7e
SHA1 hash:
a67cf6a62a6cabec501aa2f14e97c48b71dbd97c
Link:
https://www.unpac.me/results/46a0d045-1d74-4fd9-bd97-9158a74a70d5/
SH256 hash:
067549aff40f7dd3ef70b0362dc48340d0ca687ec17d0c0ee1b32b2141285b88
MD5 hash:
d1c5578e61b6849baecfec6b36b06acd
SHA1 hash:
3ae79884b83bca8d4349e497b951e2d6751220ca
Detections:
win_socelars_auto
Create hunting rule
Link:
https://www.unpac.me/results/46a0d045-1d74-4fd9-bd97-9158a74a70d5/
SH256 hash:
f940dd6077310b8ddb49b3bda0398e2be82d54ac194de4290ce70dbffe3e9b10
MD5 hash:
49e46c818040ddaedf7cb05ebded5ede
SHA1 hash:
608808420c2f85adb78f000b5d5e3003410f8fb9
Link:
https://www.unpac.me/results/46a0d045-1d74-4fd9-bd97-9158a74a70d5/
SH256 hash:
43434b4ccaa0eccda8448fc62bd6b49b912bf653203412f3c3fe35e4d06c6acf
MD5 hash:
ed7c9094e19d67e9d8ba1489fb7ff520
SHA1 hash:
25931be5e314769877241a14dcd316edd5b7b513
Link:
https://www.unpac.me/results/46a0d045-1d74-4fd9-bd97-9158a74a70d5/
SH256 hash:
a7a6fa99e41ea89325ff372841f5e77a753fa2348871d5bbc111a8fa15cb291b
MD5 hash:
8a20a5142255cf007e20e0a0d17866b5
SHA1 hash:
315ec7c5b2849728f89252093fa16eca9597d059
Link:
https://www.unpac.me/results/46a0d045-1d74-4fd9-bd97-9158a74a70d5/
SH256 hash:
85e43b11fb182d4803d6336af6773c11c91a647a2c38ba2d936bfa4eebc14962
MD5 hash:
678a0d37cabc0c604aa92174fbd899c2
SHA1 hash:
6113eba2328dbe1b86db24681a229406e4e77fdf
Link:
https://www.unpac.me/results/46a0d045-1d74-4fd9-bd97-9158a74a70d5/
SH256 hash:
c9de02209482359466292be7bc0464fc65037698b38c1566cd331720e65f8ea0
MD5 hash:
7d4ed604a4f010d09afd1b2c396d396f
SHA1 hash:
5576b3328390498bd9706c1e3b1e9e48dd478906
Link:
https://www.unpac.me/results/46a0d045-1d74-4fd9-bd97-9158a74a70d5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c9de02209482359466292be7bc0464fc65037698b38c1566cd331720e65f8ea0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:MALWARE_Win_DLInjector03
Create hunting rule
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:MALWARE_Win_DLInjector06
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:XOREngine_Misc_XOR_Func
Create hunting rule
Author:smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/204463/

Comments