MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d955d46ec08ca93f77e12023d637bdddb55799a20b494054dbbf6236d808dafc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 14


Intelligence 14 IOCs YARA 13 File information Comments

SHA256 hash: d955d46ec08ca93f77e12023d637bdddb55799a20b494054dbbf6236d808dafc
SHA3-384 hash: 0103c9991fe56cfd7c29a22640bffb70ec8d685f9a7377efb4e0af0129ff1f51eba5423a9e5c727b950605ef9d9f7d21
SHA1 hash: 820ef436cc5a56b6e7190664796aaf19cb097f06
MD5 hash: 76d65ac53796a7f66108081018447ffc
humanhash: vermont-berlin-mobile-single
File name:SecuriteInfo.com.Trojan.DownLoader49.20261.16528.9036
Download: download sample
Signature GCleaner
File size:5'560'080 bytes
First seen:2025-12-26 05:26:09 UTC
Last seen:2025-12-26 06:36:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d9602d58db63e796034d7dc7a7754fb8 (7 x GCleaner)
ssdeep 49152:wS89bJYLXiT7xBQPTwnnJCwCDBXriN9p2+zBZ+vGgivtMHK98hIEhD/sI:wS2bqG06IiR2agivSH+8tLZ
Threatray 301 similar samples on MalwareBazaar
TLSH T1E046E067DFBD802BC5B3C2756C7E46629C1F3A41F594482F4B875BBD262828610732FA
TrID 52.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
16.8% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
7.5% (.EXE) OS/2 Executable (generic) (2029/13)
7.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 00c4f0aae894c400 (89 x GCleaner, 4 x AgentTesla)
Reporter SecuriteInfoCom
Tags:exe gcleaner

Intelligence


File Origin
# of uploads :
2
# of downloads :
122
Origin country :
FR FR
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.DownLoader49.20261.16528.9036
Verdict:
Malicious activity
Analysis date:
2025-12-26 05:26:26 UTC
Tags:
auto generic gcleaner loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
delphi cobalt emotet
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug borland_delphi crypt expired-cert fingerprint installer-heuristic invalid-signature keylogger packed signed stealer unsafe zusy
Verdict:
Malicious
Labled as:
TrojWare.TrojanDownloader.Dadobra
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-26T02:24:00Z UTC
Last seen:
2025-12-26T02:42:00Z UTC
Hits:
~10
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name:
Win32.Backdoor.Androm
Status:
Malicious
First seen:
2025-12-26 05:26:19 UTC
File Type:
PE (Exe)
Extracted files:
54
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Result
Malware family:
gcleaner
Score:
  10/10
Tags:
family:gcleaner discovery loader
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
Downloads MZ/PE file
Gcleaner family
GCleaner
Unpacked files
SH256 hash:
d955d46ec08ca93f77e12023d637bdddb55799a20b494054dbbf6236d808dafc
MD5 hash:
76d65ac53796a7f66108081018447ffc
SHA1 hash:
820ef436cc5a56b6e7190664796aaf19cb097f06
SH256 hash:
ff0de10e6409eb425e4a15ce164267a0cecda3d0ed2dcc4abb34b3a560a0557e
MD5 hash:
412624ff5a732cdbbf23ffe6f875eb83
SHA1 hash:
66783e71a363fb9787c93b45673dbfdcb6bc9c88
Detections:
GCleaner
SH256 hash:
d3d3224b50e7ff955cba76e05f5058471add627c6f15658420146040192b3e1b
MD5 hash:
61f30fea94c55ee3199526448a73e58f
SHA1 hash:
71c175173df87bda7ffc77b2208b28f04bbdc628
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Author:malware-lu
Rule name:Borland
Author:malware-lu
Rule name:Check_OutputDebugStringA_iat
Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments