MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 edb4988789cf30a7c85b813a36934724a408f7edaf18a102ab93f95a020ce511. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner
Vendor detections: 14

SHA256 hash: edb4988789cf30a7c85b813a36934724a408f7edaf18a102ab93f95a020ce511
SHA3-384 hash: 7419b87c2dba41a01a36474bc979a2285387afea01b9c183352cb41ad2c07b48549b3a23779ad5cbb860cee6df64d5a4
SHA1 hash: 9d01679a665b842fdc24c0c9f33a581f1bc03166
MD5 hash: d98d53b01b3d7c269e551819d2d2e42e
humanhash: nebraska-video-ohio-idaho
File name: file
Signature: GCleaner
File size: 2'875'284 bytes
First seen: 2023-04-13 15:44:59 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'514 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep: 49152:zGlJfsrOGJokCs+15ENFmja91p8yPMHrIv3XwnqiwY/a7wRAoQlQuewtNsL7pWHw:qxGS100a/CvHrIYnqtY0tlRewbSNWSt
Threatray: 96 similar samples on MalwareBazaar
TLSH: T14FD5330302B5B837EB60EB36E9198DF49E2DFD1722B07B16B1BD060D6DEB24554443AB
TrID: 48.2% (.EXE) Win32 Executable PowerBASIC/Win 9.x (148303/79/28)
      35.6% (.EXE) Inno Setup installer (109740/4/30)
      4.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      4.2% (.SCR) Windows screen saver (13097/50/3)
      2.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter: andretavare5
Tags: exe gcleaner


andretavare5
Sample downloaded from http://45.12.253.74/pineapple.php?pub=mixinte

Intelligence

File Origin
# of uploads: 1
# of downloads: 261
Origin country: US
Vendor Threat Intelligence

Malware family:
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2023-04-13 15:47:25 UTC
Tags: installer gcleaner loader ransomware stop stealer vidar trojan rat redline opendir cryptbot
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for the window
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Modifying a system file
Creating a file in the %AppData% subdirectories
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file in the Windows subdirectories
Launching a process
Launching a tool to kill processes

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 83%
Tags: gcleaner greyware installer overlay packed shell32.dll

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Babuk, Clipboard Hijacker, CryptbotV2, D
Detection: malicious
Classification: rans.troj.spyw.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DNS related to crypt mining pools
Found C&C like URL pattern
Found malware configuration
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Babuk Ransomware
Yara detected Clipboard Hijacker
Yara detected CryptbotV2
Yara detected Djvu Ransomware
Yara detected Generic MinerDownloader
Yara detected Laplas Clipper
Yara detected Nymaim
Yara detected RedLine Stealer
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Yara detected ZipBomb
Behaviour
Behavior Graph: Behavior Graph ID 846231, Sample file.exe, Startdate 13/04/2023, Architecture WINDOWS, Score 100 (graph rendering not reproduced in text)

Threat name: Win32.Trojan.Privateloader
Status: Suspicious
First seen: 2023-04-13 15:45:09 UTC
File Type: PE (Exe)
Extracted files: 5
AV detection: 13 of 24 (54.17%)
Threat level: 5/5

Result
Malware family: gcleaner
Score: 10/10
Tags: family:gcleaner discovery loader
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
GCleaner
Malware Config
C2 Extraction:
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Unpacked files
SHA256 hash: aadff2c0c6de723f5bb666819072bd6d2a2254acb913e4ad4c9d8687edde665c
MD5 hash: 4d16ebd10110181ab803321efc67bca5
SHA1 hash: 3c3d99c31595f9ac39791331a14ad6e707774b50
Detections: Nymaim win_nymaim_g0 win_gcleaner_auto

SHA256 hash: 25936ab6578a44ce9c2fc54ffa253b53a76c14a14943d055189c0e2b292acac8
MD5 hash: 9444e17254a82e805c735feb8b532f61
SHA1 hash: 9365bc35aa3c6377b1eec0221fcc4ba0dc4587e0

SHA256 hash: c9437023f18b3f9a93b549087ef0bc88d759e29a5a7a414eb96a5127bd6329d2
MD5 hash: 9298cf16c27ab6eebd104bbbe9f089eb
SHA1 hash: 4ee9edaa16562a763cffa64e2c0ef5d264be2064

SHA256 hash: f93a40868173cb5688198d2cddb15c7b8d61823dc3f171c84da67ea27c96522e
MD5 hash: cc9554f063091a09a246c2d0708d626b
SHA1 hash: 4b7fcfc1d2e854b353fcf494e7b3f61e45859d82

SHA256 hash: edb4988789cf30a7c85b813a36934724a408f7edaf18a102ab93f95a020ce511
MD5 hash: d98d53b01b3d7c269e551819d2d2e42e
SHA1 hash: 9d01679a665b842fdc24c0c9f33a581f1bc03166
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: win_gcleaner_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.gcleaner.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by: PrivateLoader
Delivery method: Distributed via drive-by
