MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e43527558b3c86ee60badbfc76fe825136abd935181a71f753d3fa8288e3d04d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 13



SHA256 hash: e43527558b3c86ee60badbfc76fe825136abd935181a71f753d3fa8288e3d04d
SHA3-384 hash: dcb7cd3a6088f812c726e1afa52972cf2d113a8fc362cd11e57309f96a88547551a8c54c7757c489bd30c14da237618f
SHA1 hash: 74625a04a2e031cda81ba99ea82f4b46cd6f7e72
MD5 hash: b6d7196e1f35cb27c415e70aff17ff77
humanhash: london-oranges-william-autumn
File name: b6d7196e1f35cb27c415e70aff17ff77
Signature: GCleaner
File size: 408'576 bytes
First seen: 2022-12-10 11:12:53 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4f2d8566e33b10a41f27f335ecf266e2 (3 x Smoke Loader, 1 x Amadey, 1 x GCleaner)
ssdeep: 6144:m0jPd70L0yX8QBREVuyAYYWP9o45aB+p2SrNJtAm0zxDYG0ZrrMC7C9:pjPeAyX8QBRauhBy9ovYpHS/uRQEC9
TLSH: T14694D0617681CC71C45611B88462FBE8EB7BB8215864450BFF583E9F6D733C296E238E
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 84e8e0e0e0e0d822 (1 x GCleaner)
Reporter: zbetcheckin
Tags: 32 exe gcleaner

Intelligence


File Origin
# of uploads : 1
# of downloads : 176
Origin country : n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Creating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Launching a tool to kill processes
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: azorult greyware packed

Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 72 / 100
Signature
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Nymaim
Behaviour
Threat name: Win32.Trojan.Raccoon
Status: Malicious
First seen: 2022-12-10 11:13:08 UTC
File Type: PE (Exe)
Extracted files: 61
AV detection: 18 of 26 (69.23%)
Threat level: 5/5
Verdict: malicious

Result
Malware family:
Score: 10/10
Tags: family:nymaim trojan
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Deletes itself
NyMaim

Malware Config
C2 Extraction:
45.139.105.171
85.31.46.167

Unpacked files
SHA256 hash: d4682fad13146ccfcb058f396ab660f767ee02e6a3fc30b8745c95a2b98c47e5
MD5 hash: 578f2af8fbbf35a8aa9680da3ace6084
SHA1 hash: 2b44ee8a9c4c4c9f10255692af11f4513a27ccc3
Detections: win_nymaim_g0 Nymaim win_gcleaner_w0 win_gcleaner_auto

Parent samples :
SHA256 hash: e43527558b3c86ee60badbfc76fe825136abd935181a71f753d3fa8288e3d04d
MD5 hash: b6d7196e1f35cb27c415e70aff17ff77
SHA1 hash: 74625a04a2e031cda81ba99ea82f4b46cd6f7e72
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe e43527558b3c86ee60badbfc76fe825136abd935181a71f753d3fa8288e3d04d (this sample)

Delivery method: Distributed via web download

Comments
zbet commented on 2022-12-10 11:12:59 UTC

url : hxxp://95.214.24.96/load.php?pub=mixfive/