MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfbe50f556eda63daf7ef0322fc1d71cf8e7a4dd92b262534ee8492cc38e82e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner
Vendor detections: 13



SHA256 hash: dfbe50f556eda63daf7ef0322fc1d71cf8e7a4dd92b262534ee8492cc38e82e8
SHA3-384 hash: 69f5b5814b6f2612b25bc70544181faf9bfd4abed62927a163cd46e4333e48db7f353c1e2b4992806e7699e0222d20a6
SHA1 hash: fedc2817e43a89201bb0353403a72a04f07f7e7b
MD5 hash: 7a06005b14d8579a285e15b761bcb131
humanhash: two-early-lemon-two
File name: random.exe
Download: download sample
Signature: GCleaner
File size: 3'782'144 bytes
First seen: 2026-02-01 07:26:39 UTC
Last seen: 2026-02-01 08:49:52 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: c114e38e6126e1bc1d98b7b90a551bc1 (1 x GCleaner)
ssdeep: 98304:/leqaweraT6zUqc5E38uA1/9jer9XjJMieQl:/8rjraTOUqQ88u4VKjGiR
Threatray: 593 similar samples on MalwareBazaar
TLSH: T1EE06E0257058AEEBF0C81D74ACAAC09EDA506B243D33935E97C42BC4B7D4CE01657DAE
TrID: 90.4% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
      5.8% (.EXE) InstallShield setup (43053/19/16)
      1.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      0.6% (.EXE) Win32 Executable (generic) (4504/4/1)
      0.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika: pebin
Reporter: abuse_ch
Tags: exe gcleaner
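
Before analysing a file obtained from this entry, confirm that the bytes on disk are the sample the entry describes. The script below is an added example, not MalwareBazaar code: it recomputes the four digests listed above with Python's standard library, parses the entry's apostrophe-separated file size, and reports every field that does not match. The values in ENTRY are copied from the table above; the command-line wrapper and the path argument are this example's own.

```python
import hashlib

# Digests and size as listed in this MalwareBazaar entry (copied from the table above).
ENTRY = {
    "sha256": "dfbe50f556eda63daf7ef0322fc1d71cf8e7a4dd92b262534ee8492cc38e82e8",
    "sha3_384": "69f5b5814b6f2612b25bc70544181faf9bfd4abed62927a163cd46e4333e48db7f353c1e2b4992806e7699e0222d20a6",
    "sha1": "fedc2817e43a89201bb0353403a72a04f07f7e7b",
    "md5": "7a06005b14d8579a285e15b761bcb131",
    "size": "3'782'144",
}


def parse_size(text: str) -> int:
    """Parse the entry's file size, which uses apostrophes (or commas) as thousands separators."""
    return int(text.replace("'", "").replace(",", ""))


def digests(data: bytes) -> dict:
    """Compute the same four digests the entry lists, as lowercase hex strings."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def verify(data: bytes, expected: dict) -> list:
    """Return the names of every expected field that does not match `data`.

    Hex digests are compared case-insensitively; "size" is compared as an integer.
    An empty list means the bytes are exactly the sample the entry describes.
    """
    got = digests(data)
    got["size"] = len(data)
    mismatches = []
    for name, want in expected.items():
        have = got.get(name)
        if have is None:
            mismatches.append(name)  # field we cannot compute locally
        elif name == "size":
            if have != parse_size(str(want)):
                mismatches.append(name)
        elif have != str(want).strip().lower():
            mismatches.append(name)
    return mismatches


def verify_file(path: str, expected: dict = ENTRY) -> list:
    """Hash a file on disk and compare it against the entry."""
    with open(path, "rb") as fh:
        return verify(fh.read(), expected)


if __name__ == "__main__":
    import sys

    # Usage: python verify_sample.py <path-to-extracted-sample>   (path is the caller's own)
    bad = verify_file(sys.argv[1])
    print("OK: file matches this entry" if not bad else "MISMATCH: " + ", ".join(bad))
```

A single mismatching digest is enough to stop: either the archive was not fully extracted, the file was altered in transit, or it is a different member of the GCleaner cluster than the one this entry records.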

Intelligence


File Origin
# of uploads: 2
# of downloads: 110
Origin country: SE
Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2026-02-01 05:58:21 UTC
Tags: auto redline stealer amadey botnet stealc vidar evasion uac loader quasar rat auto-reg salatstealer arch-doc credentialflusher neoreklami adware auto-sch gcleaner generic python rdp api-base64 kamasers udados xor-url upx purecrypter purelogs xmrig miner pastebin goproxy winring0-sys vuln-driver

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 97.4%
Tags: delphi emotet cobalt
Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: adaptive-context anti-debug base64 borland_delphi fingerprint installer-heuristic keylogger packed
Verdict: Malicious
File Type: exe x32
First seen: 2026-02-01T03:33:00Z UTC
Last seen: 2026-02-01T04:00:00Z UTC
Hits: ~10
Detections: HEUR:Trojan.Win32.Qshell.gen, Trojan.Win32.Qshell.sb, Trojan.Win32.Delf.sb
Result
Threat name: CryptOne, Socks5Systemz, Stealc v2, Tofs
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates / moves files in alternative data streams (ADS)
Creates multiple autostart registry keys
Found malware configuration
Hijacks the control flow in another process
Injects a PE file into a foreign process
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Queries Google from non browser process on port 80
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected Socks5Systemz
Yara detected Stealc v2
Yara detected Tofsee
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
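
Two of the signatures above map directly onto host telemetry: "Sigma detected: New RUN Key Pointing to Suspicious Folder" together with "Creates multiple autostart registry keys", and "Creates / moves files in alternative data streams (ADS)". The script below is an added example, not Joe Sandbox's or the Sigma project's rule logic. It runs over a handful of constructed '|'-separated registry-set and file-create events and flags Run/RunOnce values whose data points into user-writable folders, plus file paths that name an NTFS alternate data stream. The process and file names echo this entry's process tree, but the registry key names, value names and full paths are invented for the example, and the folder list is this example's assumption rather than the Sigma rule's exact selection.

```python
import re

# Folders a legitimate Run value rarely points into. This list is an assumption of
# this example, not the Sigma rule's exact selection; extend it for your estate.
SUSPICIOUS_DIRS = (
    "\\appdata\\local\\",
    "\\appdata\\roaming\\",
    "\\programdata\\",
    "\\users\\public\\",
    "\\windows\\temp\\",
)

# Run and RunOnce keys under HKCU/HKLM, including the WOW6432Node view.
RUN_KEY = re.compile(
    r"\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\run(once)?\\", re.I
)

# A path naming an NTFS alternate data stream has a second colon after the drive
# letter, e.g. C:\Users\user:.repos (the stream this sample wrote on the profile folder).
ADS_PATH = re.compile(r"^[a-z]:\\[^:\r\n]*:[^:\\\r\n]+(?::\$data)?$", re.I)


def run_key_points_to_suspicious_dir(key: str, data: str) -> bool:
    """True when `key` is a Run/RunOnce value and its data references a suspicious folder.

    Matching is a plain substring test over the whole value data, so an argument
    that mentions such a folder also triggers; that is deliberate for triage.
    """
    if not RUN_KEY.search(key):
        return False
    image = data.lower()
    return any(frag in image for frag in SUSPICIOUS_DIRS)


def is_ads_path(path: str) -> bool:
    """True when `path` names a stream other than the file's default data stream."""
    return ADS_PATH.match(path.strip()) is not None


def detect(log_text: str) -> list:
    """Apply both checks to events of the form kind|process|target|details.

    Returns (rule, process, target) tuples in log order.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        kind, proc, target, details = line.split("|", 3)
        if kind == "registry_set" and run_key_points_to_suspicious_dir(target, details):
            hits.append(("run_key_suspicious_folder", proc, target))
        elif kind == "file_create" and is_ads_path(target):
            hits.append(("alternate_data_stream_write", proc, target))
    return hits


# Constructed telemetry for the example. File names echo this entry's process tree;
# the registry keys, value names and full paths are invented, not taken from the sandbox.
EVENTS = r"""
registry_set|C:\Users\user\AppData\Local\Temp\jIWX8QwFPwXgP.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SkySync|"C:\Users\user\AppData\Local\SkySync\SkySync.exe"
registry_set|C:\Windows\System32\msiexec.exe|HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth|C:\Windows\System32\SecurityHealthSystray.exe
registry_set|C:\Users\user\AppData\Local\Temp\Thumb.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Update|C:\ProgramData\Fondue\Fondue.exe
registry_set|C:\Users\user\AppData\Local\Temp\Thumb.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden|1
file_create|C:\ProgramData\Fondue\Fondue.exe|C:\Users\user:.repos|
file_create|C:\Windows\explorer.exe|C:\Users\user\Documents\report.docx|
"""

if __name__ == "__main__":
    for rule, proc, target in detect(EVENTS):
        print(f"{rule:28} {proc} -> {target}")
```

Run against the constructed events it reports the two Run/RunOnce values pointing into AppData and ProgramData and the stream written to C:\Users\user:.repos, while the SecurityHealth entry under System32 and the Explorer preference key stay quiet. For production alerting the folder list and the whole-string substring match should be tightened to the image path alone, but for triage of a sandbox run like the one above the loose form is what you want.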
Behaviour
Behavior Graph: ID 1861139, Sample: random.exe, Startdate: 01/02/2026, Architecture: WINDOWS, Score: 100
Numbers in parentheses are the graph's process node IDs.

Sample-level network: uyu.munsitex.com.lk; uYkpUuSPanJl.uYkpUuSPanJl; 27 other IPs or domains
Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures

Process tree:
random.exe (12)
  dropped: C:\Users\user\AppData\...\svchost015.exe (PE32)
  signatures: Overwrites code with unconditional jumps - possibly setting hooks in foreign process; Hijacks the control flow in another process; Writes to foreign memory regions; Allocates memory in foreign processes
  svchost015.exe (22)
    network: 195.178.136.38 (ports 49693, 80; URANKievUkraineRU, Ukraine); drive.usercontent.google.com 64.233.180.132 (ports 443, 49689; GOOGLEUS, United States)
    dropped: C:\Users\user\AppData\...\uNQtvPD6sIhOJ.exe (PE32+); C:\Users\user\AppData\...\tX6tkjHCpMjv.exe (PE32+); C:\Users\user\AppData\...\srkZVSYSO9ab.exe (PE32+); 29 other malicious files
    signatures: Unusual module load detection (module proxying)
    S37pRdJR8Nf.exe (33)
      dropped: C:\Users\user\AppData\...\S37pRdJR8Nf.tmp (PE32)
      signatures: Multi AV Scanner detection for dropped file
      S37pRdJR8Nf.tmp (44)
        dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
        S37pRdJR8Nf.exe (61)
          dropped: C:\Users\user\AppData\...\S37pRdJR8Nf.tmp (PE32)
          S37pRdJR8Nf.tmp (74)
            dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\ProgramData\...\is-VUKSA.tmp (PE32); C:\ProgramData\...\is-1KCOF.tmp (PE32); 2 other malicious files
            Fondue.exe (82)
              network: quag.cn 150.241.105.195 (TECNALIAES, Spain); make.mydaymakemyday.info; 20 other IPs or domains
              dropped: C:\Users\user:.repos (data)
              signatures: Creates / moves files in alternative data streams (ADS); Unusual module load detection (module proxying); Queries Google from non browser process on port 80
    lowbT8tMRO9ip.exe (37)
      network: uyu.munsitex.com.lk 172.67.216.58 (CLOUDFLARENETUS, United States); telegram.me 149.154.167.99 (TELEGRAMRU, United Kingdom)
      signatures: Tries to harvest and steal browser information (history, passwords, etc); Sets debug register (to hijack the execution of another thread); Writes to foreign memory regions; 2 other signatures
      chrome.exe (47)
        network: 192.168.2.6 (ports 443, 49689, 49690; unknown)
    MMGyIKmljsgf.exe (40)
      signatures: Injects code into the Windows Explorer (explorer.exe); Allocates memory in foreign processes; Injects a PE file into a foreign process
      explorer.exe (50)
        network: 45.93.20.34 (COGENT-174US, Netherlands)
        signatures: System process connects to network (likely due to code injection or exploit); Unusual module load detection (module proxying)
        WerFault.exe (64)
    8 other processes (42)
      signatures: Creates multiple autostart registry keys; Tries to detect virtualization through RDTSC time measurements; Unusual module load detection (module proxying)
      cmd.exe (53)
        cmd.exe (66)
          dropped: C:\Users\user\AppData\Local\...\Thumb.exe (PE32)
          Thumb.exe (77)
            dropped: C:\Users\user\AppData\Local\...\SkySync.exe (PE32)
            signatures: Injects a PE file into a foreign process; Unusual module load detection (module proxying)
            Thumb.exe (87)
              network: 178.16.54.31 (DUSNET-ASDE, Germany); 193.176.153.180 (AGROSVITUA, unknown)
            Thumb.exe (89)
            Thumb.exe (91)
          findstr.exe (80)
        cmd.exe (68)
        conhost.exe (70)
      jIWX8QwFPwXgP.exe (55)
        network: smtp.gmail.com 142.250.31.109 (GOOGLEUS, United States); laf.oahgsfwklg.top 178.16.54.79 (DUSNET-ASDE, Germany)
        dropped: C:\Users\user\AppData\Local\...\ssleay32.dll (PE32); C:\Users\user\AppData\Local\...\libeay32.dll (PE32)
        signatures: Creates multiple autostart registry keys
      reg.exe (57)
        conhost.exe (72)
      4 other processes (59)
jIWX8QwFPwXgP.exe (16)
  signatures: Injects a PE file into a foreign process
  jIWX8QwFPwXgP.exe (27)
  jIWX8QwFPwXgP.exe (29)
SkySync.exe (18)
  SkySync.exe (31)
4 other processes (20)
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Result
Malware family: gcleaner
Score: 10/10
Tags: family:gcleaner discovery loader
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
GCleaner
Gcleaner family
Malware Config
C2 Extraction: 185.156.73.98
Unpacked files
SHA256 hash: dfbe50f556eda63daf7ef0322fc1d71cf8e7a4dd92b262534ee8492cc38e82e8
MD5 hash: 7a06005b14d8579a285e15b761bcb131
SHA1 hash: fedc2817e43a89201bb0353403a72a04f07f7e7b

SHA256 hash: 9bb8b3434d85b675273c4c79c0de74a5fc185061a5a776f8587060018119b1f7
MD5 hash: a7821a8a0864068e95c8a2ab53c754da
SHA1 hash: 189cfe7937b18c6e128d08e3e1c32827e476e3c2

SHA256 hash: d3d3224b50e7ff955cba76e05f5058471add627c6f15658420146040192b3e1b
MD5 hash: 61f30fea94c55ee3199526448a73e58f
SHA1 hash: 71c175173df87bda7ffc77b2208b28f04bbdc628
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create when executed. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: BobSoftMiniDelphiBoBBobSoft
Author: malware-lu

Rule name: Borland
Author: malware-lu

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping malware through a base64 encoded PowerShell script.

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: pe_detect_tls_callbacks

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: GCleaner
File: Executable exe dfbe50f556eda63daf7ef0322fc1d71cf8e7a4dd92b262534ee8492cc38e82e8 (this sample)
