MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d53c96e1118d3119e4fc33b88f07ad59da1ea16f74b5de07551d259b0ef9440f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 16

Intelligence 16 IOCs YARA 2 File information Comments

SHA256 hash:	d53c96e1118d3119e4fc33b88f07ad59da1ea16f74b5de07551d259b0ef9440f
SHA3-384 hash:	0f63719714d635edf7bb5a0d6df1eab17fa8b11f7eb7b48d4f7715e1eb8e201e8c29237e6fdcab19b3e4cb3a2741cccb
SHA1 hash:	89f7a0c35976fb65d16731b31c3863172caf1474
MD5 hash:	a0d6950b3b1b338756413856e9e92f9b
humanhash:	colorado-violet-batman-florida
File name:	file
Download:	download sample
Signature	GCleaner Create hunting rule
File size:	282'624 bytes
First seen:	2023-09-12 20:32:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	50336730aab6a44b219b2034858cbd09 (3 x RedLineStealer, 2 x Tofsee, 1 x Smoke Loader)
ssdeep	6144:JDVLMv90M4RuMORY8SrcugNJq5vXDzXZty:JZAv90MLVSfnLZw
TLSH	T18F54F12375E0C832D5A7553988309F805B7FB9215A72814FB36827AE1F327E25AF6353
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	0200000200102000 (1 x GCleaner)
Reporter	jstrosch
Tags:	exe gcleaner

Intelligence

File Origin

# of uploads :

# of downloads :

324

Origin country :

Vendor Threat Intelligence

Malware family:

smoke

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-09-12 20:33:54 UTC

Tags:

gcleaner loader smoke stealer

Link:

https://app.any.run/tasks/f3d62365-d9e0-449f-963c-cdcd22a8e809

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

OnlyLogger

Link:

https://www.capesandbox.com/analysis/448266/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a custom TCP request

Running batch commands

Creating a process with a hidden window

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6500cb017aa68bd3a1f83919/reports/dc922230-18a8-4584-894d-2ff1b5f03602/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/d53c96e1118d3119e4fc33b88f07ad59da1ea16f74b5de07551d259b0ef9440f

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dbc4b95a-e9c4-4c33-817c-eddd4f315f28

Result

Threat name:

onlyLogger

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1308484

Signature

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected onlyLogger

Behaviour

Behavior Graph:

Download SVG

Detection:

smokeloader

Link:

https://mwdb.cert.pl/sample/d53c96e1118d3119e4fc33b88f07ad59da1ea16f74b5de07551d259b0ef9440f/

Threat name:

Win32.Trojan.Remcos

Status:

Malicious

First seen:

2023-09-12 20:33:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 22 (81.82%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2u6jnyirruyrtzh4go4i6b5nlhnb5ilpos254b2vduszwdxziqhq._file

Verdict:

malicious

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader backdoor collection trojan

Link:

https://tria.ge/reports/230912-zbt4hsfd7x/

Behaviour

Checks SCSI registry key(s)

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Program crash

Accesses Microsoft Outlook profiles

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Downloads MZ/PE file

SmokeLoader

Malware Config

C2 Extraction:

http://unity.us.com/
http://unity.bz/
http://logitech.bio/
http://logitech.wiki/

Unpacked files

SH256 hash:

80978d46225030bf7e3aa308d9339d2df6da61c58f6099064c6f2d5eb9d79712

MD5 hash:

98e96e494b760a7578bb2865ffa3bd1e

SHA1 hash:

cccd4bcdfbd509edb77078000e624568b353a0e3

Link:

https://www.unpac.me/results/947e4be6-cf12-425b-9cd3-7634281e34ee/

SH256 hash:

d53c96e1118d3119e4fc33b88f07ad59da1ea16f74b5de07551d259b0ef9440f

MD5 hash:

a0d6950b3b1b338756413856e9e92f9b

SHA1 hash:

89f7a0c35976fb65d16731b31c3863172caf1474

Link:

https://www.unpac.me/results/947e4be6-cf12-425b-9cd3-7634281e34ee/

Malware family:

CryptOne

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d53c96e1118d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d53c96e1118d3119e4fc33b88f07ad59da1ea16f74b5de07551d259b0ef9440f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

exe d53c96e1118d3119e4fc33b88f07ad59da1ea16f74b5de07551d259b0ef9440f

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/448266/

URLhaus

https://urlhaus.abuse.ch/url/2708737/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample