MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e20d8500c29a288d9ba280531651ad74c81cfc4c77a95bc4f08cce232ff1b6aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e20d8500c29a288d9ba280531651ad74c81cfc4c77a95bc4f08cce232ff1b6aa
SHA3-384 hash: bd457ecc76f1bf1ce66a582fcd0f69d61d5eb40a73000f1f2bfe6f0d88de546579336333f0706a03c4d969855b952f13
SHA1 hash: 0de8e73173ed7791250242fe1521554f38bcfd36
MD5 hash: e2c4d15d52ad163feff9485adf5d577d
humanhash: nebraska-lactose-charlie-georgia
File name:e2c4d15d52ad163feff9485adf5d577d
Download: download sample
Signature GCleaner
Create hunting rule
File size:336'384 bytes
First seen:2023-07-22 09:19:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6d688d9cc0f6602b42d54dce0edb5c52 (3 x GCleaner, 2 x RedLineStealer, 1 x Amadey)
ssdeep 6144:GZy8qgW5ixeelIUsI4lmCfm7fpdWNgwOE/Caf:AfqgWEDlIUaIg6d0bO7W
Threatray 61 similar samples on MalwareBazaar
TLSH T13664F11139A08072E59B693099B1D6512E7BFD63273506CB7BA4372E9F303D11B34B9B
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 26e0d0c0d8d8f062 (1 x GCleaner)
Reporter zbetcheckin
Tags:32 exe gcleaner

Intelligence

File Origin
# of uploads :
1
# of downloads :
306
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-07-19 22:27:52 UTC
Tags:
amadey trojan loader gcleaner smoke
Link:
https://app.any.run/tasks/e07cc4e5-fd24-47c5-9745-c49b9bfa6d76

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Nymaim
Create hunting rule
Link:
https://www.capesandbox.com/analysis/428456/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.68268883.32598.11619.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/e20d8500c29a288d9ba280531651ad74c81cfc4c77a95bc4f08cce232ff1b6aa
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/306a992b-6fb3-4a3d-ae85-93561848e61c
Result
Threat name:
Nymaim
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1277754
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Nymaim
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e20d8500c29a288d9ba280531651ad74c81cfc4c77a95bc4f08cce232ff1b6aa/
Threat name:
Win32.Ransomware.Stopcrypt
Create hunting rule
Status:
Malicious
First seen:
2023-07-19 16:39:51 UTC
AV detection:
31 of 38 (81.58%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4igykagctiui3g5cqbjrmunnotebz7cmo6uvxrhqrthcgl7rw2va._file
Verdict:
malicious
Similar samples:
0875f2085b2f40b96db96d317cfdd1d870541182d4200de33fae9cbefaf07797
GCleaner
0c66455c62f9e8d2755760f97d5e51e26267682cc9a6ec15bae1f1d0bbeaaa65
GCleaner
1adda3b870c28e6ae33226565b2f31ebfed65adf7a530a883404021104714746
GCleaner
51f7cb2bce2460bec286f14978cb796e6858be4335c10401a1fb9e54893cca92
GCleaner
5aad31095b0b9a429fed8773a233eb872868467d33f52b9d6f6e7fa078092011
GCleaner
60da6ce55330f4f38e98b39bf07cf75fdabd80296429f1538c48d5df499d48d2
GCleaner
dcba1aa4b4d92b68713b03f12985b0b0689055b3921e0273506d23f7e675ff52
GCleaner
de8385440c23789f44c418bdf2e30578559b1c6b142c820f081f81280d1c0888
GCleaner
+ 51 additional samples on MalwareBazaar
Result
Malware family:
gcleaner
Create hunting rule
Score:
  10/10
Tags:
family:gcleaner loader
Link:
https://tria.ge/reports/230722-laq4ksah6z/
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Deletes itself
GCleaner
Malware Config
C2 Extraction:
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Unpacked files
SH256 hash:
b98acf1c6f5edc3a6eb80f9d5cc07eb8e2cc0f25f6d63e5f79a1090876e2d588
MD5 hash:
31bd047f848d0efc202b7406960872fe
SHA1 hash:
13b3409430b62ce3fee441f7eca58d827df47005
Detections:
Nymaim
Create hunting rule
win_nymaim_g0
Create hunting rule
win_gcleaner_w0
Create hunting rule
win_gcleaner_auto
Create hunting rule
Link:
https://www.unpac.me/results/6f257168-4bd7-4427-8bc3-ca061a327430/
Parent samples :
0c66455c62f9e8d2755760f97d5e51e26267682cc9a6ec15bae1f1d0bbeaaa65
60da6ce55330f4f38e98b39bf07cf75fdabd80296429f1538c48d5df499d48d2
f6cf800d44ff24fc1d1c06ccb0df605c5585f56fd041d335a5fe15628a1e9428
589f9841822ba66abe4cf94fc3f104307d13014de6d3ed4bc507873fe0653e2e
a75c766167a44c78f3824d28780078cf2cc31522a55372958cefd5f3f093e4c1
c6820216f0f3c79377dc2fbd0e82971910cccda00efa6de17fe0912076efacc3
dcba1aa4b4d92b68713b03f12985b0b0689055b3921e0273506d23f7e675ff52
e20d8500c29a288d9ba280531651ad74c81cfc4c77a95bc4f08cce232ff1b6aa
ee366039716c1ca70c1c1744faaf2aeeae8d780c6bbd438cc0c1fef3f7a57cc7
SH256 hash:
e20d8500c29a288d9ba280531651ad74c81cfc4c77a95bc4f08cce232ff1b6aa
MD5 hash:
e2c4d15d52ad163feff9485adf5d577d
SHA1 hash:
0de8e73173ed7791250242fe1521554f38bcfd36
Link:
https://www.unpac.me/results/6f257168-4bd7-4427-8bc3-ca061a327430/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e20d8500c29a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e20d8500c29a288d9ba280531651ad74c81cfc4c77a95bc4f08cce232ff1b6aa

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe e20d8500c29a288d9ba280531651ad74c81cfc4c77a95bc4f08cce232ff1b6aa

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/428456/

Comments


Avatar
zbet commented on 2023-07-22 09:19:16 UTC

url : hxxp://45.9.74.80/setup.exe