MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7b0380241e4d47fc00e72faa08831b51b0ae360d5ccc45717f39f3106c3020a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 14



SHA256 hash: d7b0380241e4d47fc00e72faa08831b51b0ae360d5ccc45717f39f3106c3020a
SHA3-384 hash: 9f1f9f4a6a79c8cb3c57dda6575fc59c502fce3943fe597d41318833722d1ea834c6e7b3e42ef9e99bc33b2166f9eff7
SHA1 hash: dc94c45a64975a66edfa975f8adb7fbcaa98ea51
MD5 hash: 2b53286bb7ffd5815d84282d4011d66d
humanhash: georgia-vegan-blue-may
File name: setup_x86_x64_install.exe
Signature: GCleaner
File size: 4'766'878 bytes
First seen: 2021-10-18 13:28:52 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:JkZlS29v0XERypMbYCev1eRcnRVh1j/1KspBSXGNt8lSOl7V56S3:J+WXEREmYrNeCZ1jcW8XGb8IO5T6S3
Threatray: 638 similar samples on MalwareBazaar
TLSH: T1C82633A9D2A86CA1F5A7A9FCE13BAAD2D0F5CE0C306D50531B61370B6C4F1D5C98CB52
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: Anonymous
Tags: exe gcleaner

Intelligence


File Origin
# of uploads: 1
# of downloads: 230
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a window
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine SmokeLoader Vidar
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sets debug register (to hijack the execution of another thread)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph: ID 504735, sample setup_x86_x64_install.exe, start date 18/10/2021, architecture WINDOWS, score 100 (graph rendering not recoverable as text).
Process chain recoverable from the graph text: setup_x86_x64_install.exe starts setup_installer.exe, which drops setup_install.exe and 17 other files (10 malicious); setup_install.exe spawns several cmd.exe instances, one of which launches powershell.exe (adds a directory exclusion to Windows Defender) and another Mon11b7ab2df056a.exe (injects a PE file into a foreign process); svchost.exe shows thread injection, debug register and security center changes.
Threat name: Win32.Trojan.Fabookie
Status: Malicious
First seen: 2021-10-18 13:29:07 UTC
AV detection: 19 of 28 (67.86%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:redline family:smokeloader family:socelars family:vidar botnet:916 botnet:933 botnet:ani botnet:fuck1 botnet:media17 aspackv2 backdoor evasion infostealer stealer suricata trojan
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
Unpacked files
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack
Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer
Rule name: pe_imphash
Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments