MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0459b2a93edd076eb47b1c00d6689bdf04628e223a2fabb5e93f683b41e60d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 15


Intelligence 15 IOCs YARA 15 File information Comments

SHA256 hash: e0459b2a93edd076eb47b1c00d6689bdf04628e223a2fabb5e93f683b41e60d2
SHA3-384 hash: 0d88bc5892deed75cb86b9becd84b9b38c535a71b0fc65acf2a2e02917ce8e99d39a1bcaa7d3878ace0512c0f7e751cd
SHA1 hash: a991c315de9372286128e0229e0d791bdf69ec04
MD5 hash: 80bd608756224fc5ca38ac32714156dc
humanhash: social-mango-romeo-nuts
File name:setup_euone.bin
Download: download sample
Signature GCleaner
File size:1'251'600 bytes
First seen:2026-07-04 15:16:48 UTC
Last seen:2026-07-04 15:22:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 47e8684ebfb6580430e769529c609065 (1 x GCleaner)
ssdeep 12288:PibHTnMuK0cLp/9oliNIgho9Z8LweV+vUqzATh04pPzXTwnH1cQ47geqckpPWUUz:KrjQ0cJ9o81mawUIwggMyv3ZOqpD3I8
TLSH T163458E26B1C18837D4B2167C9D2BB2BC9836BD215E2C9C4A7BE45E4C1E3AF413625377
TrID 52.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
16.8% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
7.5% (.EXE) OS/2 Executable (generic) (2029/13)
7.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 399998ecd4d46c0e (573 x Quakbot, 302 x GCleaner, 137 x ArkeiStealer)
Reporter aachum
Tags:dropped-by-OffLoader EUONE exe gcleaner


Avatar
iamaachum
http://158.94.209.95/setup?name=euone

Intelligence


File Origin
# of uploads :
2
# of downloads :
126
Origin country :
ES ES
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
setup_euone.bin.exe
Verdict:
Malicious activity
Analysis date:
2026-07-04 15:19:38 UTC
Tags:
gcleaner loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
cobalt delphi
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Launching a service
Deleting a recently created file
Connection attempt to an infection source
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug base64 borland_delphi expired-cert fingerprint installer-heuristic invalid-signature keylogger masquerade packed signed
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-07-04T12:28:00Z UTC
Last seen:
2026-07-05T00:53:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan.Win32.Evilch.gen PDM:Trojan.Win32.Generic
Result
Threat name:
PureCrypter, CryptOne, GCleaner
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Detected PureCrypter Trojan
Found API chain indicative of debugger detection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hijacks the control flow in another process
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal Bitcoin Wallet information
Unusual module load detection (module proxying)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected GCleaner
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1937469 Sample: setup_euone.bin.exe Startdate: 04/07/2026 Architecture: WINDOWS Score: 100 92 45.91.200.135 PODAONLV Netherlands 2->92 94 185.156.73.98 FDN3UA Netherlands 2->94 96 4 other IPs or domains 2->96 122 Suricata IDS alerts for network traffic 2->122 124 Found malware configuration 2->124 126 Antivirus detection for URL or domain 2->126 128 10 other signatures 2->128 12 setup_euone.bin.exe 2->12         started        signatures3 process4 signatures5 168 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 12->168 170 Hijacks the control flow in another process 12->170 172 Contains functionality to inject code into remote processes 12->172 174 4 other signatures 12->174 15 svchost.exe 34 12->15         started        process6 dnsIp7 104 158.94.209.95, 49711, 49714, 49715 OMEGATECH-ASSC Netherlands 15->104 106 drive.usercontent.google.com 142.251.214.97, 443, 49709 GOOGLE-GoogleLLCUS United States 15->106 80 C:\Users\user\AppData\...\dQGhg3AtPT26.exe, PE32+ 15->80 dropped 82 C:\Users\user\AppData\...\tspITfbnRc.exe, PE32+ 15->82 dropped 84 C:\Users\user\AppData\...\DKMLm8SUYPtvV.exe, PE32+ 15->84 dropped 86 4 other malicious files 15->86 dropped 108 System process connects to network (likely due to code injection or exploit) 15->108 110 Unusual module load detection (module proxying) 15->110 20 B0PSyNYQtK.exe 2 15->20         started        24 DKMLm8SUYPtvV.exe 4 32 15->24         started        27 Xq3y1Gt8LRE.exe 1 15->27         started        29 2 other processes 15->29 file8 signatures9 process10 dnsIp11 90 C:\Users\user\AppData\...\setup_3c1c9c42.exe, PE32+ 20->90 dropped 138 Writes to foreign memory regions 20->138 140 Allocates memory in foreign processes 20->140 142 Creates a thread in another existing process (thread injection) 20->142 152 2 other signatures 20->152 31 sdclt.exe 20->31         started        33 setup_3c1c9c42.exe 20->33         started        36 RuntimeBroker.exe 20->36         started        38 winver.exe 20->38         started        100 31.77.168.180, 49718, 5000 PLUSNETPlusnetworkoperatorinPolandPL Poland 24->100 102 www.stackoverflow.com 198.252.206.1, 443, 49717, 49719 CLOUDFLARENET-CloudflareIncUS United States 24->102 144 Antivirus detection for dropped file 24->144 146 Found API chain indicative of debugger detection 24->146 148 Creates an autostart registry key pointing to binary in C:\Windows 24->148 40 powershell.exe 7 24->40         started        42 cmd.exe 1 24->42         started        46 4 other processes 24->46 150 Multi AV Scanner detection for dropped file 27->150 44 conhost.exe 27->44         started        48 2 other processes 29->48 file12 signatures13 process14 signatures15 50 B0PSyNYQtK.exe 1 2 31->50         started        112 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 33->112 114 Found many strings related to Crypto-Wallets (likely being stolen) 33->114 116 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 33->116 120 7 other signatures 33->120 54 sdclt.exe 33->54         started        56 winver.exe 33->56         started        58 RuntimeBroker.exe 33->58         started        118 Unusual module load detection (module proxying) 36->118 60 conhost.exe 40->60         started        62 conhost.exe 42->62         started        64 conhost.exe 46->64         started        66 conhost.exe 46->66         started        process16 file17 88 C:\Users\user\AppData\...\setup_7d16e9e8.exe, PE32+ 50->88 dropped 130 Creates an undocumented autostart registry key 50->130 132 Writes to foreign memory regions 50->132 134 Allocates memory in foreign processes 50->134 136 2 other signatures 50->136 68 setup_7d16e9e8.exe 50->68         started        72 RuntimeBroker.exe 50->72         started        74 setup_3c1c9c42.exe 54->74         started        signatures18 process19 dnsIp20 98 217.60.195.196, 49722, 49723, 49726 NETPOOLIN Netherlands 68->98 154 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 68->154 156 Found many strings related to Crypto-Wallets (likely being stolen) 68->156 158 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 68->158 166 4 other signatures 68->166 76 RuntimeBroker.exe 68->76         started        160 Writes to foreign memory regions 74->160 162 Allocates memory in foreign processes 74->162 164 Tries to harvest and steal Bitcoin Wallet information 74->164 78 RuntimeBroker.exe 74->78         started        signatures21 process22
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name:
Win32.Packed.Generic
Status:
Suspicious
First seen:
2026-07-04 15:17:50 UTC
File Type:
PE (Exe)
Extracted files:
58
AV detection:
12 of 24 (50.00%)
Threat level:
  1/5
Result
Malware family:
gcleaner
Score:
  10/10
Tags:
family:gcleaner adware discovery loader persistence ransomware spyware
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Enumerates connected drives
Boot or Logon Autostart Execution: Active Setup
Family: GCleaner
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
185.156.73.98
Unpacked files
SH256 hash:
e0459b2a93edd076eb47b1c00d6689bdf04628e223a2fabb5e93f683b41e60d2
MD5 hash:
80bd608756224fc5ca38ac32714156dc
SHA1 hash:
a991c315de9372286128e0229e0d791bdf69ec04
SH256 hash:
41545ed4a199a2c6afe03e9e12888f2e27c681c0b90bc2332a006cfa0587b5d6
MD5 hash:
36687faa4b15d286e8875f8ba994edf1
SHA1 hash:
baf9350c49ea5b700e5bb42c28c8b0b3582badd9
Detections:
GCleaner
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Author:malware-lu
Rule name:Borland
Author:malware-lu
Rule name:Check_OutputDebugStringA_iat
Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns
Rule name:Suspicious_Process
Author:Security Research Team
Description:Suspicious process creation
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe e0459b2a93edd076eb47b1c00d6689bdf04628e223a2fabb5e93f683b41e60d2

(this sample)

  
Delivery method
Distributed via web download

Comments