MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0939b52f7bdeca4468eb6c46cc1f8b5d804e17dda93b30eee5572b097ac6609. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 17



SHA256 hash: d0939b52f7bdeca4468eb6c46cc1f8b5d804e17dda93b30eee5572b097ac6609
SHA3-384 hash: ac167d9364b926a3ee9235fd4d9b527a1e4f9cc244f9f7af613cd96945cae12c363771cfe2a49b3f78524a4aaf0256d7
SHA1 hash: 2857b76dc35c128427616e4c4442fafcc0e60e67
MD5 hash: 558c696027a60035c914e93a00f5de37
humanhash: mexico-harry-purple-crazy
File name: file
Signature: GCleaner
File size: 420'764 bytes
First seen: 2023-09-12 20:32:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep: 12288:pANwRo+mv8QD4+0V16r07WR8dm2/65Ay9iwg7ogQ:pAT8QE+kPWRymm65+mgQ
Threatray: 204 similar samples on MalwareBazaar
TLSH: T10F94E035A281857AC0621935484FD3B6F53BBB005B7869CFB7DD0E2C8D3734A2A653DA
TrID: 86.9% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
      5.6% (.EXE) InstallShield setup (43053/19/16)
      1.8% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      1.7% (.SCR) Windows screen saver (13097/50/3)
      1.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
dhash icon: b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter: jstrosch
Tags: exe gcleaner
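The imphash line above is worth a second look: the same value is shared by dozens of ArkeiStealer, RecordBreaker and RedLineStealer samples. An import hash fingerprints the import table, and for a packed sample that table belongs to the Delphi loader stub, not to the payload it unpacks at run time, so imphash clusters by packer rather than by family. The following is an added example, not code from MalwareBazaar or from pefile: it implements the standard imphash algorithm (lower-cased `dll.function` entries, DLL extension stripped, joined with commas, MD5) over constructed import tables, and shows which differences change the hash and which do not. The import lists and family labels are made up for illustration; the one known deviation from pefile is noted in the comments.

```python
import hashlib

# Added example, not code from MalwareBazaar or from pefile: the import-hash
# (imphash) algorithm run over constructed import tables so it works without
# a real PE file. pefile's get_imphash() additionally maps known ordinals of
# ws2_32.dll and oleaut32.dll to function names; this version emits "ordN"
# for every ordinal import, so it differs from pefile only in that case.


def normalize_dll(dll: str) -> str:
    """Lower-case the DLL name and strip a .dll/.ocx/.sys extension."""
    name = dll.lower()
    base, _, ext = name.rpartition(".")
    if base and ext in ("dll", "ocx", "sys"):
        return base
    return name


def imphash(imports) -> str:
    """imports: iterable of (dll, function) in import-table order, where
    function is a name (str) or an ordinal (int). Returns the MD5 hex digest
    of the comma-joined "dll.function" list, or "" when there are no imports."""
    entries = []
    for dll, func in imports:
        funcname = f"ord{func}" if isinstance(func, int) else func.lower()
        entries.append(f"{normalize_dll(dll)}.{funcname}")
    if not entries:
        return ""
    return hashlib.md5(",".join(entries).encode("ascii")).hexdigest()


def cluster_by_imphash(samples):
    """Group (family_label, imports) pairs by imphash, the same pivot that
    produces the page's "82 x ArkeiStealer, 60 x RecordBreaker, ..." counts."""
    groups = {}
    for label, imports in samples:
        groups.setdefault(imphash(imports), []).append(label)
    return groups


# Constructed import tables (hypothetical, chosen to exercise the rules).
# STUB is what a packer/loader stub might import; the payload it unpacks at
# run time is not in the table, so the hash says nothing about the payload.
STUB = [
    ("KERNEL32.DLL", "GetProcAddress"),
    ("KERNEL32.DLL", "LoadLibraryA"),
    ("user32.dll", "MessageBoxA"),
    ("ws2_32.dll", 115),  # ordinal import
]
# Same imports, different spelling of DLL and function names: same imphash.
STUB_RESPELLED = [
    ("kernel32", "getprocaddress"),
    ("Kernel32.dll", "LOADLIBRARYA"),
    ("USER32.DLL", "MessageBoxA"),
    ("WS2_32.DLL", 115),
]
# Same imports in a different order: different imphash, because the
# algorithm hashes the sequence, not the set.
STUB_REORDERED = [
    ("KERNEL32.DLL", "LoadLibraryA"),
    ("KERNEL32.DLL", "GetProcAddress"),
    ("user32.dll", "MessageBoxA"),
    ("ws2_32.dll", 115),
]

if __name__ == "__main__":
    groups = cluster_by_imphash([
        ("GCleaner", STUB),
        ("RedLineStealer", STUB_RESPELLED),
        ("ArkeiStealer", STUB),
        ("unrelated", STUB_REORDERED),
    ])
    for digest, labels in groups.items():
        print(digest, labels)
```

The practical consequence for this entry: an imphash pivot on c9adc83b45e363b21cd6b11b5da0501f will pull in whatever else was wrapped in the same stub, so it is a lead for finding related droppers, not evidence about the payload family; use the unpacked-file hashes further down the page for that.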

Intelligence


File Origin
# of uploads: 1
# of downloads: 326
Origin country: US
Vendor Threat Intelligence

Malware family:
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2023-09-12 19:14:51 UTC
Tags: loader smoke amadey botnet stealer trojan opendir fabookie lgoogloader redline ransomware stop vidar arkei

Note: ANY.RUN is an interactive sandbox; its results reflect all user actions taken during the session, not only the uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a file in the Program Files subdirectories
Modifying a system file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Launching a process
Gathering data
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: fingerprint greyware lolbin overlay packed shell32
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: RedLine, onlyLogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected onlyLogger
Yara detected RedLine Stealer
Behaviour
Behavior Graph (ID 1308482; sample: file.exe; start date: 14/09/2023; architecture: WINDOWS; score: 100)
Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures
Process tree, dropped files and network contacts as recorded in the graph:
file.exe (started)
  dropped: C:\Program Files (x86)\Installrox\...\s5.exe (PE32)
  dropped: C:\Program Files (x86)\...\Uninstall.exe (PE32)
  dropped: C:\Users\user\AppData\Local\...\temp_0.tmp (Microsoft)
  s5.exe (started)
    network: 5.42.64.10, ports 49730, 49731, 80 (RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation)
    network: googlehosted.l.googleusercontent.com / 142.251.32.65, ports 443, 49734 (GOOGLEUS, United States)
    network: 2 other IPs or domains
    dropped: C:\Users\user\AppData\...\5090934847.exe (PE32)
    dropped: C:\Users\user\AppData\Local\...\s51[1] (PE32), listed twice
    cmd.exe (started)
      5090934847.exe (started)
        network: 15.235.130.167, ports 30947, 49739 (HP-INTERNET-ASUS, United States)
        signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 6 other signatures
      conhost.exe (started)
    cmd.exe (started)
      taskkill.exe (started)
      conhost.exe (started)
Reading note: the 49xxx values in the port lists fall in the Windows dynamic client-port range (49152-65535), so each network line above is best read as one or two outbound connections to the single lower port (80, 443, 30947) rather than as a scan; weigh the "Connects to many ports of the same IP (likely port scanning)" signature accordingly.
Threat name: Win32.Trojan.Babar
Status: Malicious
First seen: 2023-09-12 20:33:09 UTC
File Type: PE (Exe)
AV detection: 13 of 38 (34.21%)
Threat level: 5/5
Result
Malware family: smokeloader
Score: 10/10
Tags: family:smokeloader backdoor collection discovery trojan
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Program Files directory
Accesses Microsoft Outlook profiles
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
SmokeLoader
Malware Config
C2 Extraction:
http://unity.us.com/
http://unity.bz/
http://logitech.bio/
http://logitech.wiki/
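The four URLs above are the SmokeLoader C2 endpoints pulled from the sample's configuration; together with the two addresses the dropped stages contacted in the Joe Sandbox behavior graph (5.42.64.10 and 15.235.130.167) they are the network indicators worth sweeping logs for. The following is an added example, not code from MalwareBazaar: it reduces the URLs to hostnames and matches proxy log lines on the host, exactly or as a subdomain, rather than on a URL substring, so cdn.unity.bz is flagged while notunity.bz is not; IP-literal hosts are compared exactly against the graph's addresses, and the shared Google hosting name seen in the same run is left alone rather than blocked on host name. The log format, the client addresses and every log line are constructed for the example; treating the two IPs as indicators in their own right is an assumption stated in the code.

```python
import ipaddress
from urllib.parse import urlsplit

# Added example, not code from MalwareBazaar: sweep proxy logs for the
# network indicators on this page.

# SmokeLoader C2 URLs from the "C2 Extraction" list above.
C2_URLS = [
    "http://unity.us.com/",
    "http://unity.bz/",
    "http://logitech.bio/",
    "http://logitech.wiki/",
]
# IPs contacted in the Joe Sandbox behavior graph above. Assumption for the
# example: treat them as exact-match indicators in their own right.
C2_IPS = {"5.42.64.10", "15.235.130.167"}


def c2_hosts(urls):
    """Reduce C2 URLs to bare, lower-cased hostnames; the path is irrelevant
    because the host is what the beacon has to resolve."""
    return {urlsplit(u).hostname.rstrip(".") for u in urls}


def host_matches(host, ioc_hosts):
    """True when host equals an indicator or is a subdomain of one.
    Deliberately not a substring test: notunity.bz must not match unity.bz."""
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in ioc_hosts)


def parse_proxy_line(line):
    """Constructed log format for this example:
    <timestamp> <client_ip> <method> <url> <status>"""
    timestamp, client, method, url, status = line.split()
    return {
        "ts": timestamp,
        "client": client,
        "method": method,
        "host": urlsplit(url).hostname or "",  # .hostname drops any :port
        "url": url,
    }


def scan(lines, ioc_hosts, ioc_ips):
    """Return (client_ip, matched_host) for each line that hits an indicator."""
    hits = []
    for line in lines:
        rec = parse_proxy_line(line)
        host = rec["host"]
        try:
            ipaddress.ip_address(host)
            is_ip = True
        except ValueError:
            is_ip = False
        if is_ip:
            matched = host in ioc_ips
        else:
            matched = host_matches(host, ioc_hosts)
        if matched:
            hits.append((rec["client"], host))
    return hits


# Constructed proxy log lines; the clients and the non-IOC hosts are made up.
SAMPLE_LOG = [
    "2023-09-12T20:40:01Z 10.0.0.5 GET http://unity.bz/ 200",
    "2023-09-12T20:40:02Z 10.0.0.5 GET http://cdn.unity.bz/s5.exe 200",
    "2023-09-12T20:40:03Z 10.0.0.7 GET http://notunity.bz/ 200",
    "2023-09-12T20:40:04Z 10.0.0.7 GET http://us.com/ 200",
    "2023-09-12T20:40:05Z 10.0.0.9 GET http://5.42.64.10/s5.exe 200",
    "2023-09-12T20:40:06Z 10.0.0.9 CONNECT https://googlehosted.l.googleusercontent.com:443/ 200",
    "2023-09-12T20:40:07Z 10.0.0.9 GET http://15.235.130.167:30947/ 200",
]

if __name__ == "__main__":
    for client, host in scan(SAMPLE_LOG, c2_hosts(C2_URLS), C2_IPS):
        print(f"{client} -> {host}")
```

Two of the C2 names (unity.us.com, logitech.bio) borrow well-known brand strings, which is exactly why the matcher compares whole labels instead of searching for "unity" or "logitech" inside a URL: a substring rule would either miss the subdomain case or drown the hits in traffic to the real vendors.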
Unpacked files
SHA256 hash: 80978d46225030bf7e3aa308d9339d2df6da61c58f6099064c6f2d5eb9d79712
MD5 hash: 98e96e494b760a7578bb2865ffa3bd1e
SHA1 hash: cccd4bcdfbd509edb77078000e624568b353a0e3

SHA256 hash: d0939b52f7bdeca4468eb6c46cc1f8b5d804e17dda93b30eee5572b097ac6609
MD5 hash: 558c696027a60035c914e93a00f5de37
SHA1 hash: 2857b76dc35c128427616e4c4442fafcc0e60e67
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BobSoftMiniDelphiBoBBobSoft
Author: malware-lu
Rule name: Borland
Author: malware-lu
Rule name: NET
Author: malware-lu
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Signature: GCleaner
File type: Executable exe
SHA256 hash: d0939b52f7bdeca4468eb6c46cc1f8b5d804e17dda93b30eee5572b097ac6609 (this sample)

Comments