MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf2d284d8055d732d087c1c9fe1dc69e6165cb5bee28c048a2752ba71ea8b24f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf2d284d8055d732d087c1c9fe1dc69e6165cb5bee28c048a2752ba71ea8b24f
SHA3-384 hash: c4926898cc489bc170f10e369eed2bc5ac521e4fd828f363da2dbc6f07b8ffc745018ff0dfc16adf1bc4f2f23b8caee5
SHA1 hash: 472e2d7e4ddcc3815a5b3ab14610f71fe29242a6
MD5 hash: 36f7c7e6dea0f4c4bf93193349997c6b
humanhash: quiet-two-ten-bacon
File name:36f7c7e6dea0f4c4bf93193349997c6b.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:441'856 bytes
First seen:2023-04-19 16:02:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7137110313ae94daa2401b00bdc7c7a9 (3 x GCleaner, 1 x Rhadamanthys, 1 x TeamBot)
ssdeep 6144:9eZphNzKDfCgff0qETgVsf2MN2TWtqXbILr4+qzNrYJTzM21k30Q/9cIv:9iPNUfCgf8Tr2jWx4SJTr1RQV3v
Threatray 90 similar samples on MalwareBazaar
TLSH T103949E9222F0A831E7635B318E2ECAF82A6EF5604F157BDB27559A3F0D702E1C172355
TrID 39.5% (.EXE) InstallShield setup (43053/19/16)
28.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.6% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 42acf0e0f0e0e0c8 (1 x GCleaner)
Reporter abuse_ch
Tags:exe gcleaner

Intelligence

File Origin
# of uploads :
1
# of downloads :
204
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
36f7c7e6dea0f4c4bf93193349997c6b.exe
Verdict:
Malicious activity
Analysis date:
2023-04-19 17:18:43 UTC
Tags:
installer
Link:
https://app.any.run/tasks/2ede53ec-7268-4038-b1ce-67e94435481d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Nymaim
Create hunting rule
Link:
https://www.capesandbox.com/analysis/383431/
Detection(s):
Sanesecurity.Malware.29230.BadIN.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
gcleaner greyware packed
Link:
https://www.filescan.io/uploads/644010bbc1735fe5e7569b85/reports/eab7515e-e986-420e-9444-d802443b0e06/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/cf2d284d8055d732d087c1c9fe1dc69e6165cb5bee28c048a2752ba71ea8b24f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e8b1fd75-41e9-42f8-95e8-617338296cb3
Result
Threat name:
Nymaim
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1217341
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Nymaim
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf2d284d8055d732d087c1c9fe1dc69e6165cb5bee28c048a2752ba71ea8b24f/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z4wsqtmakxltfuehyhe74hogtzqwls235yumasfcouv2ohviwjhq._file
Verdict:
malicious
Similar samples:
00dd5c97e86646df73973ba24085ebb32db19de258f37ed50b5c333087bb6b5c
GCleaner
296ea3aee3266a437e9775894cfc0e9e6225107b488b0ceb757147c947b90855
GCleaner
341c70ac74087e45fe53487b959dfb0fc7777f276b95831aa0756e7d7f132300
GCleaner
384a65cac0d51c5e93eda11fb0b68e5a68c7232a9167a5c71f1075b78894ee79
GCleaner
44b11dab2cc70cd6a219b39b4c03c664e09316c0e414a580f5caab99dd2cb45c
GCleaner
7c8397599a77be839e3b9dc28e089d2067325b1726b4f9fdea2a073c9dff0287
GCleaner
9e28586ab70b1abdccfe087d81e326a0703f75e9551ced187d37c51130ad02f5
GCleaner
b1cffe65db0153110ff26a7fcec396102ecd3af7454712ae4ea6a951ef7fbbdc
GCleaner
b53fecaf6f9c9744258f67008c5adc0f19ff9a4bd765f46818ae12cb9e07d24f
GCleaner
bffdc909227ee8bce072f4f607cde0901b1bbb534930909b2351df3e715943ae
GCleaner
+ 80 additional samples on MalwareBazaar
Result
Malware family:
gcleaner
Create hunting rule
Score:
  10/10
Tags:
family:gcleaner loader
Link:
https://tria.ge/reports/230419-thcvxsde9x/
Behaviour
Program crash
Downloads MZ/PE file
GCleaner
Malware Config
C2 Extraction:
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Unpacked files
SH256 hash:
100fe6851f1f743c9abaa108b5cd19367f7b56bca54ab80699da04da34a75b40
MD5 hash:
b625fddb905b3328a712cd39d26c4a05
SHA1 hash:
4e6af66ab9738b32f703dba5f971bc4c4acdd7eb
Detections:
Nymaim
Create hunting rule
win_nymaim_g0
Create hunting rule
win_gcleaner_w0
Create hunting rule
win_gcleaner_auto
Create hunting rule
Link:
https://www.unpac.me/results/0c25d039-923c-40f0-9b1f-005f014cc5ec/
Parent samples :
f1bcd722667511c3dbc6333ea198d2aacbac786495b507984ff1d0089071e174
4fcfd3b7154bfce760b51d76b2512e1f94fe166c10423cfaa282a91207f27993
3ce8151f750a8b4153accfec20ebff244d462ffd5ed1efbd7ad9b8a868e79015
da639a877dc33fe3de6d5a0488918748a75c674e1b2e20cfc87b79c4723df3b4
fb8edf41ac89e97ac2b214457af0bcb145d587b3a2a52bd703e2501e19aa4c6d
f8c69037e2121108936e7db81791bf7bfc0b627c4f01a2429afde9419e731b48
a6fa889d4997e972e3ad726d36a7546066acf63cf097856062aa644eddd0c7d3
782f9a51fd468803f5f5a43120181580c5ea565c450bb4d291d6cb4eacfbec19
8242ec76a68c23f1395728dfad8eb6449e49b2c5d5cdb67229b9d2dbd8894503
f84c4757e5e61e1d8d66303d5b91944726caa1b0f209c56d36b17957e6a6a884
f4566e61a5e837646a63aa00784e895d353f051013f30a00bf0d6838af7addf1
b00428cb1958bb18fba9e688e1ea13138de89195fe10e98524891d309f4ab47a
be6b59ebb78eae90d730fe77a0cbb28eabf28e19856307134ff892f595d496dd
6e8d47ab5cc60a8ef448fc3fbf1b5545a6fa29e06560ca5a4d8fa25f244d0548
82ee67c2a16400be3102e0c51138cc29118eaabcf1af2ecb6282ef79c4e1cb78
73d52a0e2acc955318c84f67c8f83b04c0e0455031d11e29fabbfd52b09d3771
01050a830b3288b3e4ab09e7e669bdd0ef039520e3ce2f16b3b7c7a9f7c39696
45b5b4972cd637a4b69b650a10e956a8071a46784429d7434b226675bf72a21a
71dfa64187315a09becab456d32e70e43ae68afbff5a601a9227089241b9c460
d3148cbb2b5663ac590670892f28fd4207c978f0aaadfef5024fe04727cb6378
d6e595778c9ee6696003c13a4c6545818035e593e8ebab769e74e103c18014e2
fcab2c1dee3d1b9f248c302758c568afd50adedf778c8deed27ef00c0ee217f2
e28224f0ffce7cf0069c41321c3b162a3c7fe53f4d6875a61ecf846bf30c1ee4
cf2d284d8055d732d087c1c9fe1dc69e6165cb5bee28c048a2752ba71ea8b24f
89bdac2cfc9747cc5d7d01272dac3f58a4e0ec56a6afbe2acac32f702840d51f
5559d3e43563d36e1a97caba8f205acdc978b43c38337c5e1d24c750ed38f842
341c70ac74087e45fe53487b959dfb0fc7777f276b95831aa0756e7d7f132300
274cb95b917882e4392516f6f78c12bf63eb96de873984d048d79a7a58823348
5c3e93d0d5cdec0c69be6c16345b484363b92204dbae3e9f2617ceb398a6b084
5df5d338fcd2cf967c08d5d50aef81f7e27ae868b94f1d0d8bf1aeee86fdcda3
8e32b2687a885a24983a14bf0ad0408bdd972b2c6bc8baee21b61dacaf6627d5
bc5de7ed331b9ff5f10a4f73dc79b99622410930fab1b76340505a150ff4877c
1eaae4ab4338872748b06dfde87deede2e51e7fe3528e9bfd15d4d6154a212c9
SH256 hash:
cf2d284d8055d732d087c1c9fe1dc69e6165cb5bee28c048a2752ba71ea8b24f
MD5 hash:
36f7c7e6dea0f4c4bf93193349997c6b
SHA1 hash:
472e2d7e4ddcc3815a5b3ab14610f71fe29242a6
Link:
https://www.unpac.me/results/0c25d039-923c-40f0-9b1f-005f014cc5ec/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf2d284d8055d732d087c1c9fe1dc69e6165cb5bee28c048a2752ba71ea8b24f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/383431/

Comments