MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e19d26c91d02ddf021ed5dcc087062685a8ea49778cfde4876bc2489284e796f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 13


Intelligence 13 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e19d26c91d02ddf021ed5dcc087062685a8ea49778cfde4876bc2489284e796f
SHA3-384 hash: 99a7342740091681d54a1a944d184293963d358c6caebaa1d1fbcb6e585cccd3740d8bd7473763713a1f090439bb2f98
SHA1 hash: d893ea470afde96b96d67c04487d2e40cbfd300b
MD5 hash: 5de20fb299d935ec1f4f9ca4e42bf2e1
humanhash: october-dakota-single-blossom
File name:🗝️ 𝐒𝐄𝐓𝐔𝐏.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:5'014'816 bytes
First seen:2025-08-02 15:06:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 06449c1d5d5bd625ddbc642fdf7f8ff4 (3 x GCleaner)
ssdeep 49152:vOU4JKT0BqCVP9xxRrxWr5A/tRlhybLdsW3wraTS3V/Iy+G0jLcu7A1HWP:vOpDBvP0raHlhyPdNGV/IrzjLu12P
TLSH T18136F111F2E0B4ADC32D9B765E4F61C88A0E94D43D6E4582EB9C0D0BAD5DF04AD3D26E
TrID 52.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
16.8% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
7.5% (.EXE) OS/2 Executable (generic) (2029/13)
7.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter aachum
Tags:exe gcleaner


Avatar
iamaachum
https://www.file-hosters.com/ => https://mega.nz/file/6wwmlIpL#ejssWBmuIJot_7M2hErdmbp_ZKQrcjoZwxpEjwfF4IY

GCleaner C2: 176.46.158.23

Intelligence

File Origin
# of uploads :
1
# of downloads :
41
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
b937d4bb-d377-4574-a1c5-34a0537e9219
Verdict:
Malicious activity
Analysis date:
2025-08-02 15:08:45 UTC
Tags:
gcleaner loader lumma stealer autoit golang amadey telegram botnet auto redline auto-reg rdp stealc
Link:
https://app.any.run/tasks/b937d4bb-d377-4574-a1c5-34a0537e9219

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/18468/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688e29af0b4775fb213534d7
Tags:
delphi emotet cobalt
Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug borland_delphi expired-cert fingerprint invalid-signature keylogger packed signed
Link:
https://www.filescan.io/uploads/688e29aa32e61090868b2235/reports/f3d9dc63-5bca-4729-90bf-0f0604148022/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/e19d26c91d02ddf021ed5dcc087062685a8ea49778cfde4876bc2489284e796f
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/df4e958a-9b0d-411f-b116-0fdb3b111ea8
Result
Threat name:
Amadey, CryptOne, GCleaner, LummaC Steal
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1749087
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Drops PE files with a suspicious file extension
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Hides threads from debuggers
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Search for Antivirus process
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected CryptOne packer
Yara detected GCleaner
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1749087 Sample: #Ud83d#Udddd#Ufe0f #Ud835#U... Startdate: 02/08/2025 Architecture: WINDOWS Score: 100 156 185.156.73.98 RELDAS-NETRU Russian Federation 2->156 158 45.91.200.135 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Netherlands 2->158 180 Found malware configuration 2->180 182 Antivirus detection for dropped file 2->182 184 Multi AV Scanner detection for dropped file 2->184 186 15 other signatures 2->186 11 #Ud83d#Udddd#Ufe0f #Ud835#Udc12#Ud835#Udc04#Ud835#Udc13#Ud835#Udc14#Ud835#Udc0f.exe 2 2->11         started        15 svchost.exe 2->15         started        17 svchost.exe 3 14 2->17         started        19 3 other processes 2->19 signatures3 process4 dnsIp5 152 C:\Users\user\AppData\...\svchost015.exe, PE32 11->152 dropped 154 C:\Users\user\AppData\Local\...\svcB361.tmp, PE32 11->154 dropped 222 Writes to foreign memory regions 11->222 22 svchost015.exe 42 11->22         started        224 Changes security center settings (notifications, updates, antivirus, firewall) 15->224 27 MpCmdRun.exe 15->27         started        29 WerFault.exe 2 17->29         started        31 WerFault.exe 17->31         started        160 20.190.152.22 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 19->160 33 conhost.exe 19->33         started        35 Qx0fBuVB.R56iV 19->35         started        file6 signatures7 process8 dnsIp9 168 142.250.80.65 GOOGLEUS United States 22->168 170 176.46.158.23 ESTPAKEE Iran (ISLAMIC Republic Of) 22->170 140 C:\Users\user\AppData\...\WMrdStWtfklD.exe, PE32 22->140 dropped 142 C:\Users\user\AppData\...\6IBCkdXhk1.exe, PE32+ 22->142 dropped 144 C:\Users\user\AppData\...\q0KR9Q1mFE3.exe, PE32 22->144 dropped 146 10 other malicious files 22->146 dropped 208 Writes many files with high entropy 22->208 37 q0KR9Q1mFE3.exe 22->37         started        40 Cvzpn6Rf8tpks.exe 24 22->40         started        43 WMrdStWtfklD.exe 22->43         started        47 3 other processes 22->47 45 conhost.exe 27->45         started        file10 signatures11 process12 dnsIp13 114 C:\Users\user\AppData\Local\...\2j3459.exe, PE32 37->114 dropped 116 C:\Users\user\AppData\Local\...\1D02P6.exe, PE32 37->116 dropped 50 1D02P6.exe 37->50         started        53 2j3459.exe 37->53         started        118 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 40->118 dropped 120 C:\Users\user\AppData\...\Transcript.adt, data 40->120 dropped 128 3 other malicious files 40->128 dropped 210 Multi AV Scanner detection for dropped file 40->210 212 Writes many files with high entropy 40->212 56 cmd.exe 1 40->56         started        122 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 43->122 dropped 124 C:\Users\user\AppData\Local\...\Thinkpad.adts, data 43->124 dropped 130 7 other malicious files 43->130 dropped 58 cmd.exe 43->58         started        178 45.61.165.8 ASN-QUADRANET-GLOBALUS United States 47->178 126 C:\Users\user\AppData\...\b0OEzopOvOb.tmp, PE32 47->126 dropped 214 Detected unpacking (changes PE section rights) 47->214 216 Injects code into the Windows Explorer (explorer.exe) 47->216 218 Writes to foreign memory regions 47->218 220 2 other signatures 47->220 60 WerFault.exe 21 16 47->60         started        63 WerFault.exe 47->63         started        file14 signatures15 process16 dnsIp17 106 C:\Users\user\Desktop\Qx0fBuVB.R56iV, PE32 50->106 dropped 108 C:\Users\user\AppData\Local\...jPA6wwv.xml, XML 50->108 dropped 65 cmd.exe 50->65         started        67 cmd.exe 50->67         started        69 cmd.exe 50->69         started        81 2 other processes 50->81 188 Detected unpacking (changes PE section rights) 53->188 190 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 53->190 192 Query firmware table information (likely to detect VMs) 53->192 200 5 other signatures 53->200 194 Drops PE files with a suspicious file extension 56->194 196 Uses schtasks.exe or at.exe to add and modify task schedules 56->196 198 Writes many files with high entropy 56->198 71 cmd.exe 4 56->71         started        74 conhost.exe 56->74         started        110 C:\Users\user\AppData\Local\...\Market.com, PE32 58->110 dropped 112 C:\Users\user\AppData\Local\Temp\282683\z, data 58->112 dropped 76 Market.com 58->76         started        79 conhost.exe 58->79         started        83 6 other processes 58->83 172 135.233.45.223 LUCENT-CIOUS United States 60->172 174 135.234.160.244 LUCENT-CIOUS United States 63->174 file18 signatures19 process20 dnsIp21 85 Qx0fBuVB.R56iV 65->85         started        90 conhost.exe 65->90         started        98 2 other processes 67->98 100 2 other processes 69->100 148 C:\Users\user\AppData\Local\...\Mapping.pif, PE32 71->148 dropped 150 C:\Users\user\AppData\Local\Temp\98109\W, data 71->150 dropped 92 Mapping.pif 71->92         started        94 tasklist.exe 71->94         started        96 findstr.exe 71->96         started        102 3 other processes 71->102 176 23.54.187.178 AKAMAI-ASUS United States 76->176 104 4 other processes 81->104 file22 process23 dnsIp24 162 94.154.35.25 SELECTELRU Ukraine 85->162 164 160.153.173.80 GODADDY-AMSDE United States 85->164 166 45.141.233.196 ASDETUKhttpwwwheficedcomGB Bulgaria 85->166 132 C:\Users\user\AppData\Local\...\tt7w3kO.exe, PE32 85->132 dropped 134 C:\Users\user\AppData\Local\...\AICzqlN.exe, PE32 85->134 dropped 136 C:\Users\user\AppData\Local\...\zu3sNjZ.exe, PE32 85->136 dropped 138 7 other malicious files 85->138 dropped 202 Writes many files with high entropy 85->202 204 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 92->204 206 Query firmware table information (likely to detect VMs) 92->206 file25 signatures26
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e19d26c91d02ddf021ed5dcc087062685a8ea49778cfde4876bc2489284e796f
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/5de20fb299d935ec1f4f9ca4e42bf2e1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e19d26c91d02ddf021ed5dcc087062685a8ea49778cfde4876bc2489284e796f/
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-07-29 08:35:52 UTC
File Type:
PE (Exe)
Extracted files:
58
AV detection:
22 of 38 (57.89%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4gosnsi5alo7aipnlxgaq4dcnbni5jexpdh54sdwxqsiskcopfxq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/250802-shgnfatqz4/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0afa48a1-3b37-416a-af86-1c6454c1d289
Unpacked files
SH256 hash:
e19d26c91d02ddf021ed5dcc087062685a8ea49778cfde4876bc2489284e796f
MD5 hash:
5de20fb299d935ec1f4f9ca4e42bf2e1
SHA1 hash:
d893ea470afde96b96d67c04487d2e40cbfd300b
Link:
https://www.unpac.me/results/aa929fdb-06e3-4bab-8b8c-ef4c5d79f2fc/
SH256 hash:
2bb2f213535a2727180ebde168b06e3d25af3d323dcdb7cab075488a4c3989ba
MD5 hash:
a55890b9ab6837889425e87e8cd9c676
SHA1 hash:
eee14827c8236e33f839a432c6b1753484ad2c95
Detections:
GCleaner
Create hunting rule
Link:
https://www.unpac.me/results/aa929fdb-06e3-4bab-8b8c-ef4c5d79f2fc/
Parent samples :
e19d26c91d02ddf021ed5dcc087062685a8ea49778cfde4876bc2489284e796f
8c956f6ec00eccb3512e92c0bfd28d9ff7e0fcdc9c7602b096686613ab235b1c
79a2fa17db3d9e811ed4ee08615daeb52151ea966f5ae1b2bd1911e2bf86c3c4
9dfdf3dbf222a53f5fb4fb01d471ad18531a9f0758d25a08bdfe738bdbbcf253
88c44434bfc18a43db7b95517faad86f6578e41e363491898940bca95eefe7c8
6621b9465a5a1ca10921c22b8a6403027eccea0c29f5fb72e8923886b7a8ae1c
8cffde47fdc80f45778bcf6427429a04e2c3d707b72376ab574d81f1621f9af7
2fd3d4a53dba424e61cab4f1f7b2f6d02079e0d0f06ed91dcc9f5214b1ee174a
5c8ea23ead27baa5043989cc62b59fc93ace1d0d9a4a6037e0d9bb98bbd011a1
SH256 hash:
0a0b083cc0e62db594b7be21088202c7fe0970d609b2847085d0bf2be8e54a5c
MD5 hash:
4ce3ce196eda86d92b68362b6269b618
SHA1 hash:
fd42ee0aca0315acac25c297f1ce33634c549559
Link:
https://www.unpac.me/results/aa929fdb-06e3-4bab-8b8c-ef4c5d79f2fc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/e19d26c91d02ddf021ed5dcc087062685a8ea49778cfde4876bc2489284e796f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe e19d26c91d02ddf021ed5dcc087062685a8ea49778cfde4876bc2489284e796f

(this sample)

  
Link
https://tria.ge/250802-sefa7sam2z/behavioral1
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/18468/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CreateStreamOnHGlobal
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::FindFirstFileA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments