MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de0ea6b286c73aef00f5bb96a5469160360e09848708e6537e260007e85456bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	de0ea6b286c73aef00f5bb96a5469160360e09848708e6537e260007e85456bb
SHA3-384 hash:	d2647c6944646f4b103d0e28ef072401dfb4e1df482552b52376765496387e3e31fb067f021c423c810a1aae57e33977
SHA1 hash:	74aadc051ec59c8dba804de5d8b4bdbb67b4b62c
MD5 hash:	14772550b68e119b3a992911747337e0
humanhash:	friend-skylark-mobile-autumn
File name:	14772550b68e119b3a992911747337e0.exe
Download:	download sample
Signature	GCleaner Create hunting rule
File size:	198'656 bytes
First seen:	2022-10-20 18:13:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	07b403af92a54ebc39607926cde55697 (2 x Smoke Loader, 1 x ArkeiStealer, 1 x RecordBreaker)
ssdeep	3072:EX1+l+L2swJbn5tyPPXCWcr/xmCYU/cp0KAwdce:A8l+LJw92fW/sCTC0N/
Threatray	209 similar samples on MalwareBazaar
TLSH	T1A214D0147DD2C8B1C485C0748868DB70EABBA4F1EA6C5A8B3BA4176D5F303E1677E346
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	38b078cccacccc43 (123 x Smoke Loader, 83 x Stop, 63 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe gcleaner

Intelligence

File Origin

# of uploads :

# of downloads :

257

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

14772550b68e119b3a992911747337e0.exe

Verdict:

Suspicious activity

Analysis date:

2022-10-20 18:15:49 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b46f03d7-c600-487d-842c-f39ba3191f8c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/322102/

Detection(s):

Win.Packed.Tofsee-9951336-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending an HTTP GET request

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

babar glupteba greyware lockbit smokeloader tofsee

Link:

https://www.filescan.io/uploads/63518feb66721ebd9b2f4da6/reports/976d9d47-9c94-4c85-be01-a5ea030b23c7/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

GCleaner

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a54f760d-2657-496a-b906-2654cb709fce

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1094404

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/de0ea6b286c73aef00f5bb96a5469160360e09848708e6537e260007e85456bb/

Threat name:

Win32.Trojan.Raccoon

Status:

Malicious

First seen:

2022-10-20 16:33:14 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

31 of 42 (73.81%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3yhknmugy45o6ahvxolkkrurma3a4cmeq4eomu36eyaap2cuk25q._file

Verdict:

malicious

GCleaner

8438ad1ffe70db037598eef6c156200ac013bc60feaf68457e980e3395e130bb

GCleaner

9463150d06446a9f7476c81e556fb8757cdc04eafa822a74c4ca1c3db5ffb4d4

GCleaner

ab811e76bf3f2f92e7d02fec935d648472a5f1b4afb9079b6e264931f45a7461

GCleaner

c9a038bcf6ace06350965874b5eced965f225990ff05ac11a179f3013d3eadc6

GCleaner

ce69c1ce0021cbf3858ac6aa7438ff4a0a5facb527fe97d4ab9ed6957abd86d8

GCleaner

ec9d5791f02cc5b005e9bb3619092d1645c8c29b50a34ed23381c3514cf512bf

GCleaner

+ 199 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/221020-wvax7shaf2/

Behaviour

Program crash

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/63179a15-22cc-4dca-a2af-268d2dca9d3b

Unpacked files

SH256 hash:

553d0d8e7799ca58cc7f6bd786f8ae0babe9de4b6db63afa8563b2ad0b733dce

MD5 hash:

0ed31dfaec4506d4f00edb0f13c36960

SHA1 hash:

d095246996888defe48711e0e626763213bd487c

Link:

https://www.unpac.me/results/7a902a38-4bb2-47f5-82d9-ce7d4a5e3f48/

SH256 hash:

de0ea6b286c73aef00f5bb96a5469160360e09848708e6537e260007e85456bb

MD5 hash:

14772550b68e119b3a992911747337e0

SHA1 hash:

74aadc051ec59c8dba804de5d8b4bdbb67b4b62c

Link:

https://www.unpac.me/results/7a902a38-4bb2-47f5-82d9-ce7d4a5e3f48/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/de0ea6b286c73aef00f5bb96a5469160360e09848708e6537e260007e85456bb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.