MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca6b067a980f478a2829c6d326936c449f284e93bf64201bfecf0015937b09e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 11 File information Comments

SHA256 hash:	ca6b067a980f478a2829c6d326936c449f284e93bf64201bfecf0015937b09e9
SHA3-384 hash:	0858e3d8fbcea167fb7943538f307ca916f1bd696f55c3d2b5e3524a6b53171679893d6ca28c234601e5b0c1bda52714
SHA1 hash:	fb5e93762597e79141c4a564c35b57d216ffa600
MD5 hash:	da65f22c08143d5fbf678ed295a41222
humanhash:	may-michigan-mike-connecticut
File name:	CA6B067A980F478A2829C6D326936C449F284E93BF642.exe
Download:	download sample
Signature	GCleaner Create hunting rule
File size:	2'823'714 bytes
First seen:	2022-03-31 12:31:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep	49152:EgAODuyZ3djRoClZRbSwBnIHPGa3dMMf59Ri6Rz4VCA05kurFxWuJD7Fc6DscNwq:JAO6gNXb198PfMMjRpt44F6ATvfFcE1/
TLSH	T1EED5338FB3C2CAD1DE9146F81E74B125626981A12073FBC25B1CC6FA3A5B566CD8F701
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	abuse_ch
Tags:	exe gcleaner

abuse_ch

GCleaner C2:
91.243.59.45:34762

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
91.243.59.45:34762	https://threatfox.abuse.ch/ioc/470799/

Intelligence

File Origin

# of uploads :

# of downloads :

232

Origin country :

n/a

Vendor Threat Intelligence

Detection:

DLInjector04

Link:

https://www.capesandbox.com/analysis/260094/

Detection(s):

Win.Packed.Barys-9859531-0

Win.Malware.Generic-9863888-0

Win.Packed.Jaik-9863991-0

Win.Packed.SmokeLoader-9873637-1

Win.Malware.Jaik-9878603-0

Win.Packed.SmokeLoader-9880484-1

Win.Packed.SmokeLoader-9880490-1

Win.Packed.SmokeLoader-9880492-1

Win.Malware.Zenlod-9882704-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Сreating synchronization primitives

Creating a process from a recently created file

Creating a file

Searching for the window

Moving a recently created file

Running batch commands

Sending a custom TCP request

DNS request

Sending an HTTP GET request

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/12207/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

barys control.exe glupteba overlay packed shell32.dll upatre

Link:

https://www.filescan.io/uploads/62459f489253b276b7b37184/reports/f36ae426-0f4a-4096-a759-c504d54fc6aa/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Chapak

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f2d16b34-b3f7-4219-bbe0-7d03830b23b7

Result

Threat name:

PCHunter tool AveMaria DanaBot Djvu RedL

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/968304

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ca6b067a980f478a2829c6d326936c449f284e93bf64201bfecf0015937b09e9/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2021-07-16 01:53:23 UTC

File Type:

PE (Exe)

Extracted files:

251

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zjvqm6uyb5dyukbjy3jsne3mispsqtutx5scag76z4able33bhuq._file

Verdict:

malicious

Label(s):

avemaria

Result

Malware family:

vidar

Score:

10/10

Tags:

family:redline family:smokeloader family:vidar botnet:933 botnet:cana01 botnet:ruzki aspackv2 backdoor evasion infostealer stealer themida trojan upx

Link:

https://tria.ge/reports/220331-pql2cabhd3/

Behaviour

Checks SCSI registry key(s)

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Themida packer

ASPack v2.12-2.42

Downloads MZ/PE file

Executes dropped EXE

UPX packed file

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Vidar Stealer

Modifies Windows Defender Real-time Protection settings

Process spawned unexpected child process

RedLine

RedLine Payload

SmokeLoader

Vidar

Malware Config

C2 Extraction:

https://sslamlssa1.tumblr.com/
176.111.174.254:56328
193.233.48.58:38989
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/

Unpacked files

SH256 hash:

5a580d590efe50a4072580e030ff03a2bdc9cb5bb6424c8167e6cdc106662d80

MD5 hash:

9b8888a96bb81b13d824f42811dd73e4

SHA1 hash:

7a15193d26b0e2fb5f1894fee476aeb6987b2d5f

Link:

https://www.unpac.me/results/35ee33a1-dac6-422f-83bb-e5ef2dcfa62c/

SH256 hash:

65e857b77577451c4894c0e9b8f3acc64906472b9bf980d76cb209b5b17a6e04

MD5 hash:

385b2e02d14579a16a0f73d48d266191

SHA1 hash:

248abbcee3367b48a98002560f521472b78d51e4

Link:

https://www.unpac.me/results/35ee33a1-dac6-422f-83bb-e5ef2dcfa62c/

SH256 hash:

140687c607a8adee38572a2b5b5b12dcf4c5eecfa5d2428d34f09b627a71e6bd

MD5 hash:

0b1df2ab5308c2e8927f9adeac08c657

SHA1 hash:

10212be3c4b01016525039786e3f28909be1b96a

Link:

https://www.unpac.me/results/35ee33a1-dac6-422f-83bb-e5ef2dcfa62c/

SH256 hash:

baec658d6aed06157f1d4421d80b8cb4619aabd1fd93d4d09d8cecd0338c25a4

MD5 hash:

6ffbe98820530ebfc6e5a52568d5484c

SHA1 hash:

5ae18a100278a3a157f4c27df0ac2989547ee7d6

Link:

https://www.unpac.me/results/35ee33a1-dac6-422f-83bb-e5ef2dcfa62c/

SH256 hash:

6f224c710a5362f9f7a83c9f4e2333019ebc807927fbd50efbc4407c0e820540

MD5 hash:

3f3b3883dcbde2d0cf4d5a7ac731627f

SHA1 hash:

c362de5f7def6ec5987ee4f9c089f00a3792a5c0

Link:

https://www.unpac.me/results/35ee33a1-dac6-422f-83bb-e5ef2dcfa62c/

SH256 hash:

d90a03e850735fa12f2209a57191524ffc9c2f321a65ee7f3b51e083eb59b80f

MD5 hash:

f5ba66ed9cc96376d02e02bbfc59f460

SHA1 hash:

9d6393ea4739724156dd0cfacc5cb8db2e52f32c

Link:

https://www.unpac.me/results/35ee33a1-dac6-422f-83bb-e5ef2dcfa62c/

SH256 hash:

53379b36716f384e530dae9ec883c459d0c12f0260116614a0482ded7d9b5ba9

MD5 hash:

ec149486075982428b9d394c1a5375fd

SHA1 hash:

63c94ed4abc8aff9001293045bc4d8ce549a47b8

Link:

https://www.unpac.me/results/35ee33a1-dac6-422f-83bb-e5ef2dcfa62c/

Parent samples :

e3135f01a3b76a91bb1082fd5b53259fe2d59eb6ab550fcc6fa6c866412920f8
e52e6bbf7705f9b90e4a20f2935cb86ee6078035f14d873d1c126c6ba9ccc551
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
55f22aa33b837e543e8a58408ed843e41515292dead43b57b2ae42b735c34f11

SH256 hash:

a0a30765d8de60813e2afee8d8045c6ef32ebdd81edd20e9b4d16cd7e470d24f

MD5 hash:

1c6c5449a374e1d3acecbf374dfcbb03

SHA1 hash:

3af9b2a06e52c6eaa666b3b28df942097f16b078

Link:

https://www.unpac.me/results/35ee33a1-dac6-422f-83bb-e5ef2dcfa62c/

SH256 hash:

9717f526bf9c56a5d06ccd0fb71eef0579d26b7100d01665b76d8fdd211b48bd

MD5 hash:

dbc3e1e93fe6f9e1806448cd19e703f7

SHA1 hash:

061119a118197ca93f69045abd657aa3627fc2c5

Link:

https://www.unpac.me/results/35ee33a1-dac6-422f-83bb-e5ef2dcfa62c/

SH256 hash:

e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963

MD5 hash:

f707252b9c9579677fffb013e0cfc646

SHA1 hash:

8ab483023fa8773afb8c13464c39c5b8e687f126

Link:

https://www.unpac.me/results/35ee33a1-dac6-422f-83bb-e5ef2dcfa62c/

SH256 hash:

8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d

MD5 hash:

559948db5816ae7ab26eb2eb533887ed

SHA1 hash:

e60442c6fb35239d298b01b0f4558264c01b2e7f

Link:

https://www.unpac.me/results/35ee33a1-dac6-422f-83bb-e5ef2dcfa62c/

SH256 hash:

8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

MD5 hash:

1c7be730bdc4833afb7117d48c3fd513

SHA1 hash:

dc7e38cfe2ae4a117922306aead5a7544af646b8

Link:

https://www.unpac.me/results/35ee33a1-dac6-422f-83bb-e5ef2dcfa62c/

SH256 hash:

4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435

MD5 hash:

ae7c477ce9bd98d13ccff5fc4a0d190e

SHA1 hash:

249ff902f66c3d0cee6656802b14a9c34807bc8f

Link:

https://www.unpac.me/results/35ee33a1-dac6-422f-83bb-e5ef2dcfa62c/

SH256 hash:

fef028c6eca2d0addeb19dacedcc97cd34f73a4ab8056ddc287dd86551b5c707

MD5 hash:

cfcd04cb50a5d48b368c76a353a8b58a

SHA1 hash:

7d76e8474b4b70d4f8e62653361c7b451a8f2fd2

Detections:

win_vidar_auto

Link:

https://www.unpac.me/results/35ee33a1-dac6-422f-83bb-e5ef2dcfa62c/

Parent samples :

0ca57f85e88001edd67dff84428375de282f0f92e5bef2daed1c03ad2fa7612e
70e50de48c85c25259cf5247205792b0eb339ca700867c2a9a3ecfa7c4fca156
6f6585d3df024c6e411a075d856c79cc7a70e5509006e53dcaafeb8fc418fdf8
67cd381d1702cb66cc450e13b1e8a27a3ff8c6713af8a925945b1cb449247578
ca6b067a980f478a2829c6d326936c449f284e93bf64201bfecf0015937b09e9
afac7896cf21983233c533eeaec870610856969d98218b0ffdfa11c6f57a8420
deaf22c4cadd171ef59fc8e6299d26bd4679b965d24097a48e1cf8f283a0eb89
cbe35192c04f83d4d3b179a8c229047ade740aac3785e198cd0fdb00c2bf91e5
e52e6bbf7705f9b90e4a20f2935cb86ee6078035f14d873d1c126c6ba9ccc551
00c0934af824603bef01ce8a5d9fcbd0e97432c877d40cade42fdffdfb5175e0
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
55f22aa33b837e543e8a58408ed843e41515292dead43b57b2ae42b735c34f11
20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4

SH256 hash:

89a0227ef833a2742f7dd46be36e61b178a8b47846fd3cf557c8b9991b7cfb67

MD5 hash:

55bf2bbdd87ec3ac709c6a247f4a28b4

SHA1 hash:

6df7d9af3a7b2da1c91aff955a4c5aadbe2d13cb

Link:

https://www.unpac.me/results/35ee33a1-dac6-422f-83bb-e5ef2dcfa62c/

Parent samples :

5e440e04f382464db10245c9f730d64d839368ef763bb564deadcacafb24e32b
ab479d019576efd4dd391e0bf3fc1bedb10367e1ece7157d609a283873a43645
ef0c34580084f9855c1e5c3fa9d902688d400baabc7366c8da9ba3d4b708da49
ec306f0a108c77a02ab48c5c85296c4b3b7d4b690245f9dd8a67df774b641cf8
e3135f01a3b76a91bb1082fd5b53259fe2d59eb6ab550fcc6fa6c866412920f8
e52e6bbf7705f9b90e4a20f2935cb86ee6078035f14d873d1c126c6ba9ccc551
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
55f22aa33b837e543e8a58408ed843e41515292dead43b57b2ae42b735c34f11
d0037be72720bb05c0207342411a883b883c8f4a371c6c7e6bacd9cff5615df7
20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4
e026bc9a0b7ac31a86cdbbd88e2b2be5236ba81b469723007c8b3c1d9461198f
e461562a06f4c2cea8cc91d9fc6fd75f393b79030d6463169f71b0ff2f6b7ded
8f8b341230323b995c1cde1d534031092bfddb56411dac43d155e5366681e1c7

SH256 hash:

ae33e6803ea079f2d5384e441a7970b3836088d0dff618c3dadca17f73727c87

MD5 hash:

539991cf3212a7886de777aa7363683e

SHA1 hash:

73ad1d82d636ecf58aee979ad78901e794a864b6

Link:

https://www.unpac.me/results/35ee33a1-dac6-422f-83bb-e5ef2dcfa62c/

SH256 hash:

96669f7512541d928832441407affa3f61deaf4928918628931ea94d79ec9845

MD5 hash:

c6d591f397b633bd308ac1429b68bfb1

SHA1 hash:

fb08f79be3b87bf6324b03a0337a0bf958517e5e

Link:

https://www.unpac.me/results/35ee33a1-dac6-422f-83bb-e5ef2dcfa62c/

SH256 hash:

ca6b067a980f478a2829c6d326936c449f284e93bf64201bfecf0015937b09e9

MD5 hash:

da65f22c08143d5fbf678ed295a41222

SHA1 hash:

fb5e93762597e79141c4a564c35b57d216ffa600

Link:

https://www.unpac.me/results/35ee33a1-dac6-422f-83bb-e5ef2dcfa62c/

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/ca6b067a980f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ca6b067a980f478a2829c6d326936c449f284e93bf64201bfecf0015937b09e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing potential Windows Defender anti-emulation checks

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	MALWARE_Win_Chebka Create hunting rule
Author:	ditekSHen
Description:	Detects Chebka

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MALWARE_Win_Vidar Create hunting rule
Author:	ditekSHen
Description:	Detects Vidar / ArkeiStealer

Rule name:	PowerTool Create hunting rule
Author:	@bartblaze
Description:	Identifies PowerTool, sometimes used by attackers to disable security software.
Reference:	https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml

Rule name:	RedOctoberPluginCollectInfo Create hunting rule

Rule name:	SUSP_XORed_MSDOS_Stub_Message Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed MSDOS stub message
Reference:	https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name:	Vidar Create hunting rule
Author:	kevoreilly
Description:	Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/260094/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample