MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbcd57dd83369317946567dba9624dedbf2ce33acc796b2ba6f4c57b7d3cf49a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 8

Intelligence 8 IOCs 1 YARA File information Comments

SHA256 hash:	cbcd57dd83369317946567dba9624dedbf2ce33acc796b2ba6f4c57b7d3cf49a
SHA3-384 hash:	15e046dc59a96729f67c7a02e0ca013dd5452b9e7a393c958e099006b6bf2752d271b314ac0fd93941e7074a2991c005
SHA1 hash:	5b3705ff2130ddd63a312a09ac6e3111e7e41f10
MD5 hash:	6244ed13512a21b23867d705d80bb4fa
humanhash:	rugby-chicken-salami-seventeen
File name:	6244ED13512A21B23867D705D80BB4FA.exe
Download:	download sample
Signature	GCleaner Create hunting rule
File size:	392'704 bytes
First seen:	2021-08-08 16:25:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c27a98a29b21693846ec47ce91a249f1 (2 x RaccoonStealer, 2 x Smoke Loader, 2 x GCleaner)
ssdeep	6144:JuKPDM0nqwyEuBR+4KkhuJrIYG8wh5XB2QFe2z3gecF:TPg0nqwyLBRphuyAwPR2/43Bk
Threatray	262 similar samples on MalwareBazaar
TLSH	T1AD84AE30B690C035F4B722F845B9937CA9397EE16B3480CBA2D53AEE52356E59C30797
dhash icon	b6714cbc74dcf166 (4 x GCleaner)
Reporter	abuse_ch
Tags:	exe gcleaner

abuse_ch

GCleaner C2:
http://gc-prtnrs.top/decision.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://gc-prtnrs.top/decision.php	https://threatfox.abuse.ch/ioc/166045/

Intelligence

File Origin

# of uploads :

# of downloads :

176

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

6244ED13512A21B23867D705D80BB4FA.exe

Verdict:

Malicious activity

Analysis date:

2021-08-08 16:30:13 UTC

Tags:

trojan

Link:

https://app.any.run/tasks/5dca42b1-abdc-44fc-9fe0-9c7b7a470a0b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/177277/

Detection(s):

Win.Malware.Generic-9882390-0

Win.Dropper.Raccoon-9882479-0

Win.Malware.Generic-9882656-0

Win.Packed.Generic-9882710-0

Win.Malware.Generic-9882754-0

Win.Malware.Generic-9882761-0

Win.Packed.Raccoon-9882823-1

Win.Dropper.Wacatac-9884057-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching the default Windows debugger (dwwin.exe)

DNS request

Connection attempt

Sending an HTTP GET request

Running batch commands

Creating a process with a hidden window

Sending a UDP request

Using the Windows Management Instrumentation requests

Searching for the window

Launching a tool to kill processes

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/29d05d03-74c9-4f3d-8e5a-7fabc8d32d7d

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/828842

Signature

Antivirus detection for URL or domain

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cbcd57dd83369317946567dba9624dedbf2ce33acc796b2ba6f4c57b7d3cf49a/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-08-03 05:11:00 UTC

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Verdict:

unknown

GCleaner

4df50c6d6d188c3413bdba53851cbeea7b281b92b0d5341c021a65912395fa5b

GCleaner

b8338eda2c7390860da3bd4a37104b409235131406d9b4d30a78b5d4189cf317

GCleaner

c49db28c90989f14866faa6781fc5e6531c8a63d3c3f3d245b4c4d752ce5ebf0

GCleaner

d72dd5663947fc7e1bd8903030b3e2fd551d8d938fdc6417d8513a1c4cc49702

GCleaner

f70d4b4fc9941796d149798614345b8e8bf6e0c69022ac407cb8b03bf26fdc7c

GCleaner

fcfe0e26e945ba5fbde5d01cad9bcb66b2c9623bc8cdc627e9c886e32fde6134

GCleaner

+ 252 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

suricata

Link:

https://tria.ge/reports/210808-xpl8hqgjwa/

Behaviour

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Deletes itself

Suspicious use of NtCreateProcessExOtherParentProcess

suricata: ET MALWARE GCleaner Downloader Activity M1

Unpacked files

SH256 hash:

3b309236695517c2e06ff8af3f5c073e1b8e8c99768f5141f4cf9e704050dfdb

MD5 hash:

048d3824dae9ba8c0b48a841c56f2e24

SHA1 hash:

8da82b6a497c97a5512009ef57b4d25f77c57dc1

Link:

https://www.unpac.me/results/112fad1b-0f03-4cc6-9136-2c3fcc5cf8a8/

SH256 hash:

cbcd57dd83369317946567dba9624dedbf2ce33acc796b2ba6f4c57b7d3cf49a

MD5 hash:

6244ed13512a21b23867d705d80bb4fa

SHA1 hash:

5b3705ff2130ddd63a312a09ac6e3111e7e41f10

Link:

https://www.unpac.me/results/112fad1b-0f03-4cc6-9136-2c3fcc5cf8a8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cbcd57dd83369317946567dba9624dedbf2ce33acc796b2ba6f4c57b7d3cf49a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/177277/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample