MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebef7dcb2d186e10e2ab8da7c5eb75da1461ed684bf90c3abd54afa27ef79874. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	ebef7dcb2d186e10e2ab8da7c5eb75da1461ed684bf90c3abd54afa27ef79874
SHA3-384 hash:	25b639aea320e12ca425d973fd35d7ec0a7e67115ae5d50d607682c97079d8692e97a2530d269a01780d2f30a8f55966
SHA1 hash:	ad391e33c4b2fd9000c51e376fa58cff587c1a05
MD5 hash:	15518175e0aba5ab6592aff3d4349b9a
humanhash:	wolfram-twelve-lactose-maine
File name:	15518175e0aba5ab6592aff3d4349b9a.exe
Download:	download sample
Signature	GCleaner Create hunting rule
File size:	417'792 bytes
First seen:	2022-07-14 06:35:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5fe47884083bab0c3389c69805e59188 (11 x Smoke Loader, 4 x RedLineStealer, 3 x Loki)
ssdeep	12288:71YEoElfZywUjjyFC4K1lgzdVLfG7lnGHNT:XBZIjjyg516dVL+lnY
TLSH	T1E594C000BA90D435F4B712F44AB6D228B93E7EA1972454CF62E43AEE97346E0ED31747
TrID	40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 17.0% (.SCR) Windows screen saver (13101/52/3) 13.6% (.EXE) Win64 Executable (generic) (10523/12/4) 8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	0ef0d8c8d8c8c8e8 (1 x GCleaner)
Reporter	abuse_ch
Tags:	exe gcleaner

Intelligence

File Origin

# of uploads :

# of downloads :

124

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Nymaim

Link:

https://www.capesandbox.com/analysis/288552/

Detection(s):

Win.Packed.Crypterx-9954995-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Sending an HTTP GET request

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a tool to kill processes

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/62cfb9a18dab2096b997e0f5/reports/650da5c6-630d-4c12-a7c9-9914299006f0/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Nymaim, Raccoon Stealer v2

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1031693

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ebef7dcb2d186e10e2ab8da7c5eb75da1461ed684bf90c3abd54afa27ef79874/

Threat name:

Win32.Trojan.MintZard

Status:

Malicious

First seen:

2022-07-14 06:38:01 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 41 (53.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5pxx3szndbxbbyvlrwt4l23v3ikgd3lijp4qyov5ksx2e7xxtb2a._file

Verdict:

malicious

Result

Malware family:

nymaim

Score:

10/10

Tags:

family:nymaim trojan

Link:

https://tria.ge/reports/220714-hcj69saddl/

Behaviour

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Checks computer location settings

Deletes itself

NyMaim

Malware Config

C2 Extraction:

45.141.237.3
31.210.20.149
212.192.241.16

Unpacked files

SH256 hash:

24fb26cf1a1694c045a8bd48b86b2cc026b00960d0aa022670bca7e718313d85

MD5 hash:

5a89f9889d5ce2eecebf296c97b7dcd0

SHA1 hash:

51a8fb4460799abd78a6f350a1dcc126514063bf

Detections:

win_nymaim_g0

Link:

https://www.unpac.me/results/649f27fe-b98d-489d-ad39-3e68243277ca/

Parent samples :

3a63d841127db00b33801e3adea64957fed311ed975c859b94268ae0691753f9
18611dcae62b67c4c20668fc9c2a68951771ab8f98106324a0ad00bc3a0fc88a
1d7adfdf90ca831a45425d3efd6ce639f2fece4f48f5b0a55d7fc5a645b9acc4
e1db3adcc4c401e8c97ac2e611646ab215343319b265c86346dff8b4e2bf905d
afb05f48bbae2b98bac394587d1352b9e5569e930d695230b21b73669be9c535
92af5f6f914082eaa1235c9ad0a2826db0beead07c3b25795829f7da90f83d59
371592f94e67f272e53786a8643058131f7d48edea6c709b6a7c4731ec6d2839
ba190bed2c9d862bae6ff089259090d300df3a253d1094314cc679af8ad890b2
bbc5780d11e999375d901fa9ebd8c3b4c9b3eff78513aa20774000ebd84e5b1c
a61814efa6a532d5e946f145a5452da57326e3b048a26afd9882237af674a7aa
b0b7af84e61ce5805ad317b113981aee691d96cbca0970a4db6d7777f4706b58
6f5943433e4cd2d3a1021f376334be10b3dd81757a5f30e928e12f5dc8cf154a
ebef7dcb2d186e10e2ab8da7c5eb75da1461ed684bf90c3abd54afa27ef79874
168db9afbe5c293f3ec6cabb476242e81add823382a5879ab78ecf7af6035f2a
1b0978a0a98bd88a39ecf38e36ed18b3d96a1db98eec62f7e5257e2bf7a4a153
ca0d985323d0497a5261faefad130b084d1084c28f748d964f1e5d4aaaf351d7

SH256 hash:

ebef7dcb2d186e10e2ab8da7c5eb75da1461ed684bf90c3abd54afa27ef79874

MD5 hash:

15518175e0aba5ab6592aff3d4349b9a

SHA1 hash:

ad391e33c4b2fd9000c51e376fa58cff587c1a05

Link:

https://www.unpac.me/results/649f27fe-b98d-489d-ad39-3e68243277ca/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ebef7dcb2d186e10e2ab8da7c5eb75da1461ed684bf90c3abd54afa27ef79874

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	win_gcleaner_de41 Create hunting rule
Author:	Johannes Bader
Description:	detects GCleaner

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

exe ebef7dcb2d186e10e2ab8da7c5eb75da1461ed684bf90c3abd54afa27ef79874

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2212368/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/288552/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample