MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9b6ded9a373ec4acf4b426c4ad5fd318b6a3f8077429e9fe5b27bd66d6b5be6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 12



SHA256 hash: d9b6ded9a373ec4acf4b426c4ad5fd318b6a3f8077429e9fe5b27bd66d6b5be6
SHA3-384 hash: 35f1bddfc7cf0ece91982eb8018cc61b97f3c50d528f47e86d83269cde28304e6d1399d0ddbd8799c700a5b04ab132ec
SHA1 hash: ac48d930b7a4474d94aa32ec1866c34849f05335
MD5 hash: 08b0c8a78a4e6c9d9bfc0f32bb9c5304
humanhash: california-wolfram-jig-failed
File name: 08B0C8A78A4E6C9D9BFC0F32BB9C5304.exe
Signature: GCleaner
File size: 301'568 bytes
First seen: 2021-08-13 07:55:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e4e1e1e6e225074b287b0f65b50fbc7e (3 x ArkeiStealer, 2 x RedLineStealer, 1 x GCleaner)
ssdeep: 3072:rqVRhqlyewShRzCBjpWfB7v+6Hcng2EEBviYSyyEmCL5dWc7YWnLH5SnCNeoBNTz:cbfShRWBjiB7WbdEEBHPWPW75SCIwY8
Threatray: 4'063 similar samples on MalwareBazaar
TLSH: T1AA54D0303690F872F097563038ADDBA4F7AABD616B50924767943F2F2E732D01729396
dhash icon: e2d89c6cbcb0c21c (1 x GCleaner)
Reporter: abuse_ch
Tags: exe gcleaner


abuse_ch
GCleaner C2:
http://ggc-partners.info/stats/remember.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://ggc-partners.info/stats/remember.php (ThreatFox reference: https://threatfox.abuse.ch/ioc/184297/)
IOC: http://ggc-partners.info/dlc/distribution.php (ThreatFox reference: https://threatfox.abuse.ch/ioc/184298/)

Intelligence


File Origin
# of uploads: 1
# of downloads: 120
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 08B0C8A78A4E6C9D9BFC0F32BB9C5304.exe
Verdict: Suspicious activity
Analysis date: 2021-08-13 08:01:43 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness: n/a
Behaviour
Sending a UDP request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: Cryptbot Raccoon RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Cryptbot
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph: Behavior Graph ID 464749 (Sample: HfNd63rzqE.exe, Startdate: 13/08/2021, Architecture: WINDOWS, Score: 100). The rendered graph (contacted domains and IPs, dropped files, spawned processes and per-node signatures) is not reproduced here.
Threat name: Win32.Trojan.Azorult
Status: Malicious
First seen: 2021-08-10 05:28:43 UTC
AV detection: 22 of 28 (78.57%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:cryptbot family:raccoon family:redline botnet:022f7f19749a47aa4d6a10b25bfd352ecb963373 botnet:mix 12.08 discovery infostealer spyware stealer suricata
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
CryptBot
CryptBot Payload
Raccoon
Raccoon Stealer Payload
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata: ET MALWARE GCleaner Downloader Activity M2
suricata: ET MALWARE GCleaner Downloader Activity M3
suricata: ET MALWARE GCleaner Related Downloader User-Agent
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
lysano52.top
morecj05.top
185.215.113.17:18597
Unpacked files
SHA256 hash: bd69fc833aed94efaa8d71ad68a7d1a630fb56ac08a0035417d4ac5d0c1c7a28
MD5 hash: 1837eebd43f1bcec9bc5c8af2519cf9e
SHA1 hash: f3af3d1070673e8afe1148fcfb4a4404607068d7

SHA256 hash: d9b6ded9a373ec4acf4b426c4ad5fd318b6a3f8077429e9fe5b27bd66d6b5be6
MD5 hash: 08b0c8a78a4e6c9d9bfc0f32bb9c5304
SHA1 hash: ac48d930b7a4474d94aa32ec1866c34849f05335
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments