MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6683bc30555194adaa5aa2027906b76958345ad106a76382b056053a28fcad9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 18

Intelligence 18 IOCs YARA 12 File information Comments

SHA256 hash:	d6683bc30555194adaa5aa2027906b76958345ad106a76382b056053a28fcad9
SHA3-384 hash:	8fc603e10e438ca2fcf1cc77aa8aa0a050d25bbf542163ef726b5243f71aa403f1eec8178467704703250b098a8970d7
SHA1 hash:	0ee7042e4f79ccacdb7c90ce078cd17054d3724d
MD5 hash:	01f35b7f32a5510d328b4591bd0fab90
humanhash:	finch-hotel-skylark-cat
File name:	file
Download:	download sample
Signature	GCleaner Create hunting rule
File size:	3'590'432 bytes
First seen:	2025-09-29 04:01:44 UTC
Last seen:	2025-10-02 04:06:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	443536f9e43e197f10df038887db93bf (3 x GCleaner)
ssdeep	49152:Mh0ZbviJ6qbhp8XypbX8PkNwWf0pEKAU7ywrwvWb6Lu9eDXQb5SSw:MhCLuRbpgsQWCyH06rDXI5q
TLSH	T19CF5F191A2913136D4A23B373E1BF1B4FB7999247D1A65612BD90BC84F2F6406C3E372
TrID	52.9% (.EXE) Win32 Executable Delphi generic (14182/79/4) 16.8% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) Win16/32 Executable Delphi generic (2072/23) 7.5% (.EXE) OS/2 Executable (generic) (2029/13) 7.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe gcleaner

Bitsight

url: http://178.16.55.189/files/740061926/ojjvpn1.exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

random.exe

Verdict:

Malicious activity

Analysis date:

2025-09-28 20:28:00 UTC

Tags:

amadey auto redline stealer botnet loader auto-reg unlocker-eject tool vidar themida arch-exec rdp gcleaner generic stealc screenconnect rmm-tool anti-evasion lumma autoit rhadamanthys ultravnc

Link:

https://app.any.run/tasks/32cc1707-3747-43bf-92fc-affd52977f64

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/29344/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68da04ce73afd01b31e0ebb8

Tags:

delphi cobalt emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Unauthorized injection to a recently created process by context flags manipulation

Connection attempt to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context amadey anti-debug borland_delphi expired-cert fingerprint infostealer invalid-signature keylogger packed signed unsafe

Link:

https://www.filescan.io/uploads/68da04c474e5a28989976501/reports/1a6fe723-14f8-470e-b05e-a48bdd556389/overview

Verdict:

Malicious

Labled as:

Fragtor.Generic

Link:

https://www.hybrid-analysis.com/sample/d6683bc30555194adaa5aa2027906b76958345ad106a76382b056053a28fcad9

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-28T17:26:00Z UTC

Last seen:

2025-09-28T17:26:00Z UTC

Hits:

~10

Detections:

Trojan-PSW.Tepfer.HTTP.C&C PDM:Trojan.Win32.Generic HEUR:Trojan-PSW.Win32.Tepfer.gen VHO:Backdoor.Win32.Agent.gen

Link:

https://opentip.kaspersky.com/d6683bc30555194adaa5aa2027906b76958345ad106a76382b056053a28fcad9/results?tab=lookup

Malware family:

RealVNC

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/a67bab96-ad90-4555-b3d0-b15d60ebd03d

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d6683bc30555194adaa5aa2027906b76958345ad106a76382b056053a28fcad9

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/01f35b7f32a5510d328b4591bd0fab90

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d6683bc30555194adaa5aa2027906b76958345ad106a76382b056053a28fcad9/

Verdict:

Malicious

Threat:

Family.GCLEANER

Link:

https://tip.neiki.dev/file/d6683bc30555194adaa5aa2027906b76958345ad106a76382b056053a28fcad9

Threat name:

Win32.Trojan.Amadey

Status:

Malicious

First seen:

2025-09-28 19:57:04 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 38 (65.79%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2zudxqyfkumuvwvfviqcpedlo2kygrnncbvhmoblavqfhiupzlmq._file

Verdict:

malicious

Label(s):

dbatloader

Similar samples:

error

GCleaner

Result

Malware family:

gcleaner

Score:

10/10

Tags:

family:gcleaner discovery loader

Link:

https://tria.ge/reports/250929-ely51ael4x/

Behaviour

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Executes dropped EXE

Loads dropped DLL

GCleaner

Gcleaner family

Malware Config

C2 Extraction:

185.156.73.98
45.91.200.135

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b243f11f-048d-475c-a7d6-d593790784aa

Unpacked files

SH256 hash:

d6683bc30555194adaa5aa2027906b76958345ad106a76382b056053a28fcad9

MD5 hash:

01f35b7f32a5510d328b4591bd0fab90

SHA1 hash:

0ee7042e4f79ccacdb7c90ce078cd17054d3724d

Link:

https://www.unpac.me/results/e40bbf37-9264-4c60-ad41-9199efdc3307/

SH256 hash:

98319dca4b6c9753c2c453bd5a65a8b24af871eeba2814717cafb4b9b19e86f1

MD5 hash:

bad066fd2ad613587f7db533c67a6633

SHA1 hash:

80c51ebf1d99c481369d69877b75c63bda8c2150

Detections:

GCleaner

Link:

https://www.unpac.me/results/e40bbf37-9264-4c60-ad41-9199efdc3307/

Parent samples :

6dec6fafe591442490190c51cdc26aba6a18620ee6331f2c77ee01d6a3e83fe4
f4efaf8d0985471ff7b41505859fa674fbc5d289d111b209a36ff356e07a1ba2
c8fcfe4f00cf5d042ec4015c6563847786fa4f01ad1c6c8ffeded44315600e57
2644f133ad541942e868ba65f4182adc6937ec9546ba1b63b092369cc47529a4
353bb7ff551cc81d11dd41b3ac03084ab2ce72a86099a6010a9ac5d6a67cc5d0
9b9a9ca1eadeef898fdd32ecc2e11d9f916793d5c07011fb40a379d2ddc01970
d6683bc30555194adaa5aa2027906b76958345ad106a76382b056053a28fcad9

SH256 hash:

0a0b083cc0e62db594b7be21088202c7fe0970d609b2847085d0bf2be8e54a5c

MD5 hash:

4ce3ce196eda86d92b68362b6269b618

SHA1 hash:

fd42ee0aca0315acac25c297f1ce33634c549559

Link:

https://www.unpac.me/results/e40bbf37-9264-4c60-ad41-9199efdc3307/

Malware family:

GCleaner

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d6683bc30555/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/d6683bc30555194adaa5aa2027906b76958345ad106a76382b056053a28fcad9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

exe d6683bc30555194adaa5aa2027906b76958345ad106a76382b056053a28fcad9

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3615934/

Cape

https://www.capesandbox.com/analysis/29344/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample