MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d64061edbb7be2e6c37f10774b44fbbd137ea7bc2410bf0dd79b1ba970e0b948. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 11

SHA256 hash: d64061edbb7be2e6c37f10774b44fbbd137ea7bc2410bf0dd79b1ba970e0b948
SHA3-384 hash: 810fe15cc175d4685d1805f02f4f9c61fcacc5aee36a41b2bcb1c6890bb78c78d54f0397f5d085ccc54c249ef35b9cf3
SHA1 hash: d208e316c5bbdd77131e4b0c98f72a98f95c95f8
MD5 hash: 88067ab2af0043cba0aaf801065042eb
humanhash: thirteen-montana-virginia-november
File name: 88067ab2af0043cba0aaf801065042eb
Signature: GCleaner
File size: 374'784 bytes
First seen: 2023-10-04 03:49:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 775c7d434cffd499e537a34db4132a29 (3 x Stealc, 2 x MarsStealer, 2 x GCleaner)
ssdeep: 3072:Oa76H83vPA5XZsOn/8cpa3xQs1Vo3G7RieE8ACrVbaKwemPnxzgcsTWJrz/+GjZd:vOHYvY5XZsOUA7s1VWG7ksrSxOWlzXq
Threatray: 64 similar samples on MalwareBazaar
TLSH: T1E784CF02B290F871D4725A315E39C6A46B2EFDA19E2A97DB33587F3F49701E1D622703
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 10d8c2da72606840 (1 x GCleaner)
Reporter: zbetcheckin
Tags: 32 exe gcleaner

Intelligence

File Origin
# of uploads: 1
# of downloads: 295
Origin country: FR
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Running batch commands
Creating a process with a hidden window
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a process from a recently created file
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Searching for the window
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Gathering data
Verdict: Likely Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: onlyLogger
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected onlyLogger
Behaviour
Behavior Graph (ID 1319164):
  Sample: qlbLQahAiQ.exe
  Start date: 04/10/2023
  Architecture: WINDOWS
  Score: 100
  Top-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 6 other signatures
  Process qlbLQahAiQ.exe (started):
    Network: 5.42.64.10, 49795, 49796, 80, RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation; script.google.com 142.251.2.101, 443, 49798, 49799, GOOGLEUS, United States; 2 other IPs or domains
    Dropped files: C:\Users\user\AppData\...\4497521852.exe (PE32); C:\Users\user\AppData\Local\...\s62[1] (PE32, listed twice)
    Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
    Child processes: cmd.exe (started); cmd.exe (started)
      cmd.exe -> 4497521852.exe (started); conhost.exe (started)
      cmd.exe -> taskkill.exe (started); conhost.exe (started)
      Process 4497521852.exe:
        Network: mediasitenews.com 194.87.32.213, 443, 49797, BANDWIDTH-ASGB, Russian Federation
        Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2023-10-03 22:06:08 UTC
File Type: PE (Exe)
Extracted files: 21
AV detection: 27 of 35 (77.14%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Unpacked files
SHA256 hash: 6711983a2b83509f3d8711d64f0c6f7a7bdbe82fcb66c3f58611132bb03d0b62
MD5 hash: 2b01e6d9f123445932a8245b050aa045
SHA1 hash: 8362142bba41f20d84a3effe24e9325514265f07

SHA256 hash: d64061edbb7be2e6c37f10774b44fbbd137ea7bc2410bf0dd79b1ba970e0b948
MD5 hash: 88067ab2af0043cba0aaf801065042eb
SHA1 hash: d208e316c5bbdd77131e4b0c98f72a98f95c95f8

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects Windows executables referencing non-Windows User-Agents

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: MALWARE_Win_OnlyLogger
Author: ditekSHen
Description: Detects OnlyLogger loader variants

Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security

Rule name: win_gcleaner_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.gcleaner.

Rule name: yara_template

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
GCleaner: Executable exe d64061edbb7be2e6c37f10774b44fbbd137ea7bc2410bf0dd79b1ba970e0b948 (this sample)
Delivery method: Distributed via web download

Comments



zbet commented on 2023-10-04 03:49:16 UTC

url: hxxp://5.42.64.10/api/files/software/s6.exe