MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7cdfb895940efd584c78b7e56f9ed720491234df489ee9eb9aa98c24714d530. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 11


Intelligence 11 IOCs 3 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d7cdfb895940efd584c78b7e56f9ed720491234df489ee9eb9aa98c24714d530
SHA3-384 hash: 3332d51b40ee893a61a112b48e8e746adff76e39dff671f51f8feca624885a44cba6c974a429011b0f15553965716a76
SHA1 hash: c553780cb609ec91212bcdd25d25dde9c8ef5016
MD5 hash: 24766cc32519b05db878cf9108faeec4
humanhash: football-massachusetts-winner-zulu
File name:24766cc32519b05db878cf9108faeec4.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:176'128 bytes
First seen:2021-11-13 22:46:04 UTC
Last seen:2021-11-14 01:09:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2c02c1999142edb52caad79376c81ce6 (5 x GCleaner)
ssdeep 3072:2ltChp7mxic8WjwEu70OOGbV3gqNH+HI/yyvcOGkXtTLvAGLi8MxtBb5bBhGu/hl:PfvQ479V3r0cyyvcOGkXtTLY18wHtbBy
TLSH T154043A386391B436E4F30435A4ED97F494687A3067948CEBB7854F2E0B79AC2D634B27
File icon (PE):PE icon
dhash icon 87393d7cb8393332 (5 x GCleaner, 1 x Smoke Loader, 1 x RedLineStealer)
Reporter abuse_ch
Tags:exe gcleaner


Avatar
abuse_ch
GCleaner C2:
http://185.163.47.175/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.163.47.175/ https://threatfox.abuse.ch/ioc/247972/
95.181.152.143:42599 https://threatfox.abuse.ch/ioc/247980/
95.143.179.152:42556 https://threatfox.abuse.ch/ioc/248050/

Intelligence

File Origin
# of uploads :
2
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-10-30 19:15:39 UTC
Tags:
trojan evasion rat redline loader opendir stealer vidar formbook
Link:
https://app.any.run/tasks/11631b32-62d9-4fdf-b89b-85482f3a3fda

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/205558/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.31388.17616.15757.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a file
Deleting a recently created file
Reading critical registry keys
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a window
Delayed reading of the file
Creating a file in the Program Files subdirectories
Searching for analyzing tools
Searching for the window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Launching the process to change the firewall settings
Creating a file in the Windows subdirectories
Connection attempt to an infection source
Blocking the Windows Defender launch
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/619040673edf00a722d2aada/reports/22795e79-aa78-4744-b0e3-551b3149d9f0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fdb0ddd9-97a3-48df-8038-da188be813b6
Result
Threat name:
Metasploit Raccoon RedLine Socelars Vida
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/888683
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May modify the system service descriptor table (often done to hook functions)
Modifies Chrome's extension installation force list
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Metasploit Payload
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 521156 Sample: lr11Y0eF0m.exe Startdate: 13/11/2021 Architecture: WINDOWS Score: 100 74 Antivirus detection for URL or domain 2->74 76 Antivirus detection for dropped file 2->76 78 Multi AV Scanner detection for dropped file 2->78 80 20 other signatures 2->80 7 lr11Y0eF0m.exe 4 66 2->7         started        process3 dnsIp4 56 45.142.182.152 XSSERVERNL Germany 7->56 58 136.144.41.58 WORLDSTREAMNL Netherlands 7->58 60 12 other IPs or domains 7->60 48 C:\Users\...\w4HWposqLnJllDNmzuuIXZis.exe, PE32 7->48 dropped 50 C:\Users\...\nYF89vGIOKdYpzynCpOylcOd.exe, PE32 7->50 dropped 52 C:\Users\...\hty0ugHehewWmSsvSg65jmk7.exe, PE32 7->52 dropped 54 29 other files (6 malicious) 7->54 dropped 84 Detected unpacking (creates a PE file in dynamic memory) 7->84 86 Creates HTML files with .exe extension (expired dropper behavior) 7->86 88 Disable Windows Defender real time protection (registry) 7->88 12 DqVU0lzZOudBlR29CD2gH4yD.exe 7->12         started        15 hiI5_YD3kA2GztkM9YvybYMN.exe 7->15         started        19 hty0ugHehewWmSsvSg65jmk7.exe 7->19         started        21 16 other processes 7->21 file5 signatures6 process7 dnsIp8 90 Query firmware table information (likely to detect VMs) 12->90 92 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 12->92 94 Injects a PE file into a foreign processes 12->94 96 Tries to detect sandboxes / dynamic malware analysis system (registry check) 12->96 62 91.219.236.27 SERVERASTRA-ASHU Hungary 15->62 64 185.163.47.175 MIVOCLOUDMD Moldova Republic of 15->64 30 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 15->30 dropped 32 C:\Users\user\AppData\...\vcruntime140.dll, PE32 15->32 dropped 44 20 other files (none is malicious) 15->44 dropped 98 Tries to steal Mail credentials (via file / registry access) 15->98 66 193.56.146.158 LVLT-10753US unknown 19->66 34 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 19->34 dropped 36 C:\ProgramData\sqlite3.dll, PE32 19->36 dropped 100 Tries to harvest and steal browser information (history, passwords, etc) 19->100 102 Tries to steal Crypto Currency Wallets 19->102 68 149.154.167.99 TELEGRAMRU United Kingdom 21->68 70 5.9.162.45 HETZNER-ASDE Germany 21->70 72 7 other IPs or domains 21->72 38 C:\Users\...\hIUGgJa9p4190PUTWZAYow_X.exe, PE32 21->38 dropped 40 C:\...\PowerControl_Svc.exe, PE32 21->40 dropped 42 C:\Program Files (x86)\...\jg1_1faf.exe, PE32 21->42 dropped 46 22 other files (1 malicious) 21->46 dropped 104 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->104 106 Checks if the current machine is a virtual machine (disk enumeration) 21->106 23 OR4LqmVPgTyoIk5C7_CgiV5Q.exe 21->23         started        26 conhost.exe 21->26         started        28 Q2eFKJY12XtIxLAKTMDQlrBn.exe 21->28         started        file9 signatures10 process11 signatures12 82 Modifies Chrome's extension installation force list 23->82
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d7cdfb895940efd584c78b7e56f9ed720491234df489ee9eb9aa98c24714d530/
Threat name:
Win32.Infostealer.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-10-30 11:20:39 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=27g7xckzidx5lbghrn7fn6pnoicjci2n6se65hvzvkmmeryu2uya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:gozi_ifsb family:redline family:socelars family:vidar botnet:gggg banker evasion infostealer spyware stealer suricata themida trojan vmprotect
Link:
https://tria.ge/reports/211113-2pzl9scehj/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
VMProtect packed file
Arkei Stealer Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Arkei
Gozi, Gozi IFSB
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Malware Config
C2 Extraction:
http://www.hhgenice.top/
94.26.249.132:50782
Unpacked files
SH256 hash:
d7cdfb895940efd584c78b7e56f9ed720491234df489ee9eb9aa98c24714d530
MD5 hash:
24766cc32519b05db878cf9108faeec4
SHA1 hash:
c553780cb609ec91212bcdd25d25dde9c8ef5016
Link:
https://www.unpac.me/results/84de36a9-a3f1-40da-97f3-9793e7d7add6/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d7cdfb895940/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/205558/

Comments