MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6b84ffaaeb4807ccac7c778f87d0b3545841e076063c8f594141430f791f0bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 11



SHA256 hash: e6b84ffaaeb4807ccac7c778f87d0b3545841e076063c8f594141430f791f0bc
SHA3-384 hash: 6214e3122b3d021eff1c4e92c89116e040d2153ee092354a5d338ae89b3fce833161d6af0478866ff89d0fd899c93e4e
SHA1 hash: 01f6a31a417a6dcaf34546549b44a6ad49995560
MD5 hash: b0fd10ea697a84d539bea9739ac866f0
humanhash: august-arkansas-undress-missouri
File name: b0fd10ea697a84d539bea9739ac866f0.exe
Signature: GCleaner
File size: 4'250'788 bytes
First seen: 2021-10-25 05:05:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 98304:xyCvLUBsgdBBgeyJp5NGsI13mGcvKcj7nDiSz6J5BegQ3U2ij:xDLUCgdBiey1wsINCvKcjaSmJrp2+
Threatray: 646 similar samples on MalwareBazaar
TLSH: T12F1633023E9644FAC241993196888BB6E0BFC3A52F32189FF36487BDDF3D661D11E255
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe gcleaner


abuse_ch
GCleaner C2:
93.115.20.139:28978

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      ThreatFox Reference
93.115.20.139:28978      https://threatfox.abuse.ch/ioc/227127/
91.206.14.151:16764      https://threatfox.abuse.ch/ioc/237116/

Intelligence

File Origin
# of uploads: 1
# of downloads: 152
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine SmokeLoader Socelars
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Behaviour
Behavior Graph ID: 508375, Sample: 0OeX2BsbUo.exe, Startdate: 25/10/2021, Architecture: WINDOWS, Score: 100

Start
    DNS/IP: 20.42.65.92 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 88.99.66.31 HETZNER-ASDE Germany; 4 other IPs or domains
    Signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Antivirus detection for dropped file; 20 other signatures
    Started: 0OeX2BsbUo.exe

0OeX2BsbUo.exe
    Dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\...\Thu11de6a3816c47b.exe (PE32+); C:\Users\user\...\Thu11d481f27eeeb1a6.exe (PE32); 17 other files (10 malicious)
    Started: setup_install.exe

setup_install.exe
    DNS/IP: 172.67.189.150 CLOUDFLARENETUS United States; 127.0.0.1 unknown unknown
    Signatures: Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
    Started: cmd.exe; cmd.exe; cmd.exe; 7 other processes

cmd.exe -> Thu118fa82eb3c.exe
cmd.exe -> Thu119088351cdaf596.exe
cmd.exe -> Thu1121cd37f6d98d.exe
7 other processes
    Signatures: Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
    Started: Thu11d481f27eeeb1a6.exe; Thu11de6a3816c47b.exe; powershell.exe; 2 other processes

Thu118fa82eb3c.exe
    DNS/IP: 45.142.182.152 XSSERVERNL Germany; 103.155.92.29 TWIDC-AS-APTWIDCLimitedHK unknown; 8 other IPs or domains
    Dropped: C:\Users\...\ejR28DWLt2hfBqNC2f7WOet3.exe (PE32); C:\Users\user\...52iceProcessX64[1].bmp (PE32+); C:\Users\user\AppData\...\toolspab2[1].exe (PE32); 22 other files (6 malicious)
    Signatures: Detected unpacking (creates a PE file in dynamic memory); Creates HTML files with .exe extension (expired dropper behavior); Tries to harvest and steal browser information (history, passwords, etc); Disable Windows Defender real time protection (registry)

Thu119088351cdaf596.exe
    DNS/IP: 192.236.176.198 HOSTWINDSUS United States
    Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file; Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Thu1121cd37f6d98d.exe
    Signatures: Multi AV Scanner detection for dropped file; Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Checks if the current machine is a virtual machine (disk enumeration)

Thu11d481f27eeeb1a6.exe
    DNS/IP: 2 other IPs or domains
    Dropped: C:\Users\user\AppData\Local\Temp\sqlite.dll (PE32)
    Signatures: Creates processes via WMI

Thu11de6a3816c47b.exe
    DNS/IP: 208.95.112.1 TUT-ASUS United States; 2 other IPs or domains
Threat name: Win32.Trojan.ArkeiStealer
Status: Malicious
First seen: 2021-10-22 01:44:32 UTC
AV detection: 21 of 28 (75.00%)
Threat level: 5/5
Result
Malware family: socelars
Score: 10/10
Tags: family:raccoon family:redline family:smokeloader family:socelars botnet:chris botnet:sehrish aspackv2 backdoor infostealer stealer suricata trojan
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Malware Config
C2 Extraction:
http://directorycart.com/upload/
http://tierzahnarzt.at/upload/
http://streetofcards.com/upload/
http://ycdfzd.com/upload/
http://successcoachceo.com/upload/
http://uhvu.cn/upload/
http://japanarticle.com/upload/
135.181.129.119:4805
194.104.136.5:46013
Unpacked files
SHA256 hash:
0cddd277bd0f1f5510538c0bd9b1cff4c5cd01c5caee8eb9d06b9baa88519052
MD5 hash:
6449aa2e023c5931ac91815ca54225ed
SHA1 hash:
65b5f4df2c28472469ddf924e6b0d0a61394c612
SHA256 hash:
7a9174b7ea73367dc8a37a4a6a90842662dd69c44ade96356b1d345584296da3
MD5 hash:
cf5cc1bf6fa5469a6196a1df185af6f5
SHA1 hash:
1bfbfed102ccced50c6843b3fc6abee2a76570b2
SHA256 hash:
474941a5e7bc93a93a1d68b68147c35b863ab6613ef197d10e8ed6954695dc5c
MD5 hash:
0f358ec55cdbc00528870bc8406f726c
SHA1 hash:
3ef738cb46a6c2911154ae72756a2df1d142aa75
SHA256 hash:
27a9228747973ae9649e8717a2ff77916346560644e734ef2ed946f2767fb128
MD5 hash:
de1b3c28ea026c0ede620dd78199ddc5
SHA1 hash:
ee402371a36bff44c765323ccd8c7e4a56bc8d12
SHA256 hash:
96683a3ef7fbfebcf7ff2b4ad7bc6e441b1da70446288c4b09bfcee5233b6fb3
MD5 hash:
fdd634aa80b7e5fe51fb677133845d8c
SHA1 hash:
e6873c41ba1689f88cf26963d290992664bd32a0
SHA256 hash:
56a28c4d827dd29f2bc695a3b887ef801bda0d201b03afec7d2054f23af8ac5f
MD5 hash:
5b97d372e4d548b2197662551c208d32
SHA1 hash:
a66cc37becf755cf38731ff2b06c51726d68b93b
SHA256 hash:
da7af5ed7e6ef9be519c5b3418286e97c7a79784e3f111d136e3ef1630af21d1
MD5 hash:
3e7496e5a607510badd8ded51c439e78
SHA1 hash:
a3e821169b55808d7bff9531384433865e061c60
SHA256 hash:
4de1859f5e8ef9ca2a4031731245e8073d85f673e5ef1963ca3eac100c8c114e
MD5 hash:
78625c886f23e753de60f8cb04262df3
SHA1 hash:
786f78720cbe810613be9adc8cb3b02c56ef1c08
SHA256 hash:
29affef4a9eb8446af1c5e00435450cf59d86f0b6fa6e2ef8c449d006134a043
MD5 hash:
acfa717c2559dd15e5d8ca78ac3de196
SHA1 hash:
7756a6813cda3f8bbb9f6278ddc7d0476e7d500a
SHA256 hash:
a3311ebe25ac18fc492b82c3831060ce4321bd41dd9b1a6ded1448f2fd62d091
MD5 hash:
d6449f12167da9a3601671dae63c6349
SHA1 hash:
5e240a6005739729e2e6fcad4da57c5b00d19d1b
SHA256 hash:
8cdf968966c076d1b4ad92b8f3c86b825e33e2f776337f55d212fff954625701
MD5 hash:
65cc9660c1f91a02291abd5e1a0d2384
SHA1 hash:
35911edd7965895f4b21899ea32d034b21f91be4
SHA256 hash:
58a9f013f8d3186029a0207f43bb48df1b04351187788a82538aedae7293a856
MD5 hash:
2f3629dd0a9ec4df3c81f29f259f114e
SHA1 hash:
2880883083f22b3c1c9fa1ceed3eaae4672e6f7b
SHA256 hash:
174f4f8146a8998395b38774f52063130304ab214257d10badc37464578c8c1d
MD5 hash:
7dc5f09dde69421bd8581b40d994ccd7
SHA1 hash:
23788ae65ec05a9e542636c6c4e1d9d6be26d05c
SHA256 hash:
3ffdaa1515622897c84111ab4180de09aadd03674935555270a2789625f7e513
MD5 hash:
9074b165bc9d453e37516a2558af6c9b
SHA1 hash:
11db0a256a502aa87d5491438775922a34fb9aa8
SHA256 hash:
18c5c91d5f256c8c1e24936dbee5fd7fa6b7b91a5464cbefdc1a36b6dfed27be
MD5 hash:
e49f343a65b938acd1b6d91601240b81
SHA1 hash:
dffa8a42250c65ea9b6b05e627805438e01191af
SHA256 hash:
3714a59ab1d7c0fdd36fca10fb540eac086a07ac21e0263f9f09df36dfcb7550
MD5 hash:
604a6cd285c38b1fdd5d7b707126075c
SHA1 hash:
667351c5bf3c5dcd87bed99d93b7b38d52a568dd
SHA256 hash:
76e14134a7a8d89f224790e14f5a4e42e1700d62be25ca90e0f3028950e88412
MD5 hash:
b23c671ccff85e3354986b3e05fad8f8
SHA1 hash:
bb9f223669f75e9ba66226556c79761a7c8df165
SHA256 hash:
3f9871a231bcc6d29f3e7a3029d0be111de0fea66401939809209d0e028fa854
MD5 hash:
52394f76f555611734a45b66497a969e
SHA1 hash:
4ec9b85fc63e009c18d119f36367981ad24de864
SHA256 hash:
dea50b156206589605f2b53b9011d7b70c279a175ae5bc6fff48196e47f22bf8
MD5 hash:
cf4031078367d3567a6b9b8b39c51f05
SHA1 hash:
f94a898806d4a4f5df228a6c5cee492d674596af
SHA256 hash:
08494f2949e9a3651ba2db27cd2a13868c7d01f0ae0779eda9ecf6cc248193b0
MD5 hash:
4def84a6ca90000b6b85bbff7c20caa4
SHA1 hash:
8f4eb5803b3ddf69d424aacbdc8836423e64b8c6
SHA256 hash:
e6b84ffaaeb4807ccac7c778f87d0b3545841e076063c8f594141430f791f0bc
MD5 hash:
b0fd10ea697a84d539bea9739ac866f0
SHA1 hash:
01f6a31a417a6dcaf34546549b44a6ad49995560
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Raccoon stealer payload
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: pe_imphash
Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments