MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5e7de2fd5987b8356f29d011cd95ea37875a697120c59387db4d995cf5ed929. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 14

SHA256 hash: d5e7de2fd5987b8356f29d011cd95ea37875a697120c59387db4d995cf5ed929
SHA3-384 hash: 38b287b154a596b9263bc83915e4d01e9779b346ac269e1a014ff9fe9d133f05c156a3863f8628904df4a26cc3dc0db9
SHA1 hash: 18aee3a331b88dff778db6a9d305f251c6cfb27c
MD5 hash: e4d73a0221396429df0bbb7a8eea5957
humanhash: lamp-ack-fifteen-two
File name: D5E7DE2FD5987B8356F29D011CD95EA37875A697120C5.exe
Signature: GCleaner
File size: 5'676'149 bytes
First seen: 2022-06-24 11:44:31 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:JYVGTPpORXWQGfK3CWHZSQxL73vj464YtvlYu2Fi4EP2TAyQP0zbHZ72Um1G:JYUXKNZr8wtv4lT6P0zb57Hd
TLSH: T1BD46338469BECB4FD0B50D32AE5C7EB61BFDA9C1215C1753CDCCE19A912AB0B0C2A355
TrID: 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe gcleaner


abuse_ch
GCleaner C2:
195.242.111.189:20113

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 195.242.111.189:20113
ThreatFox reference: https://threatfox.abuse.ch/ioc/723474/

Intelligence


File Origin
# of uploads: 1
# of downloads: 210
Origin country: n/a
Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: http://ec2-3-228-9-217.compute-1.amazonaws.com/?6181c12eb5e6f=408c5061ee5c5291eb75bb127cd6c9e7e78a4c93Array&m=310&q=Bandicam%205.3.1.1880%20Crack%20With%20Serial%20Number%20Free%20Download%202022&dedica=16&tron=6181c12eb5e74.asp
Verdict: Malicious activity
Analysis date: 2021-11-02 23:09:12 UTC
Tags: loader evasion trojan rat redline stealer vidar formbook

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
Launching a process
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 80%
Tags: barys diskwriter overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Nymaim, PrivateLoader, RedLine, Socelars
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected onlyLogger
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Behaviour
Behavior Graph: (rendered process graph not reproduced here)
Behavior Graph ID: 651786; Sample: D5E7DE2FD5987B8356F29D011CD...; Startdate: 24/06/2022; Architecture: WINDOWS; Score: 100
Top-level signatures in the graph: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 22 other signatures
Threat name: Win32.Trojan.Redlinestealer
Status: Malicious
First seen: 2021-11-03 09:50:20 UTC
File Type: PE (Exe)
Extracted files: 281
AV detection: 21 of 25 (84.00%)
Threat level: 5/5
Verdict: unknown
Result
Malware family:
Score: 10/10
Tags: family:djvu family:onlylogger family:redline family:socelars family:vidar botnet:916 botnet:@asasasasaasass botnet:media0321 botnet:newjust aspackv2 discovery infostealer loader ransomware spyware stealer suricata upx vmprotect
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
VMProtect packed file
OnlyLogger Payload
Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
OnlyLogger
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata: ET MALWARE Win32/PrivateLoader Related Domain in DNS Lookup (fouratlinks .com)
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
Malware Config
C2 Extraction:
https://mas.to/@romashkin
91.121.67.60:23325
http://www.hhgenice.top/
135.181.129.119:4805
http://abababa.org/test3/get.php
46.8.220.88:65531
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments