MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eede323c8bd0370140dd9be6fbb92c82cef64210171325352f3e96e7026d3bfe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 15


Intelligence 15 IOCs YARA 15 File information Comments

SHA256 hash: eede323c8bd0370140dd9be6fbb92c82cef64210171325352f3e96e7026d3bfe
SHA3-384 hash: b7e1aaac7e0df5942ef1ed1aa050ecc8a4caae766913667942906a06401ea888f9e2d5a6a4e1b3230c7c156912713de0
SHA1 hash: adfd78e5d0ff90d4d9212f69a4cb5bf95256f463
MD5 hash: 043ecb65c4d4003504dc1d2324bdc7d0
humanhash: georgia-aspen-low-skylark
File name:Setup.exe
Download: download sample
Signature GCleaner
File size:672'528 bytes
First seen:2026-07-13 01:38:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b214386fa7f97d3d3252c87b8bce8333 (3 x GCleaner)
ssdeep 12288:D+ZPf6yIvNeNF682QTY8ZO5NQW41vMPALj7w:69f0YKsTR0zQWsIR
Threatray 2'372 similar samples on MalwareBazaar
TLSH T1B7E48E22A2E0C437D2621E7D9D1FE3ED9836BE102D2994462BD45D4C7EF8E837966343
TrID 52.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
16.8% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
7.5% (.EXE) OS/2 Executable (generic) (2029/13)
7.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 399998ecd4d46c0e (573 x Quakbot, 311 x GCleaner, 137 x ArkeiStealer)
Reporter aachum
Tags:exe gcleaner unluckytool-com


Avatar
iamaachum
https://gsmtoolpack.com/Setup.rar

GCleaner C2: 158.94.209.95

Intelligence


File Origin
# of uploads :
1
# of downloads :
209
Origin country :
ES ES
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
97.4%
Tags:
cobalt delphi
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Deleting a recently created file
Connection attempt to an infection source
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug base64 borland_delphi expired-cert fingerprint installer-heuristic invalid-signature keylogger packed signed
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-07-12T23:05:00Z UTC
Last seen:
2026-07-14T09:16:00Z UTC
Hits:
~10
Result
Threat name:
Amadey, CryptOne, GCleaner, Vidar
Detection:
malicious
Classification:
spre.troj.adwa.spyw.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Detected unpacking (creates a PE file in dynamic memory)
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Hides threads from debuggers
Hijacks the control flow in another process
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Powershell creates an autostart link
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell create lnk in startup
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected CryptOne packer
Yara detected GCleaner
Yara detected Vidar stealer
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1941300 Sample: Setup.exe Startdate: 13/07/2026 Architecture: WINDOWS Score: 100 134 geminyw.xyz 2->134 136 45.91.200.135 PODAONLV Netherlands 2->136 138 14 other IPs or domains 2->138 184 Suricata IDS alerts for network traffic 2->184 186 Found malware configuration 2->186 188 Antivirus detection for URL or domain 2->188 192 19 other signatures 2->192 14 Setup.exe 2->14         started        17 H2TestDrive.exe 2->17         started        19 svchost.exe 2->19         started        21 7 other processes 2->21 signatures3 190 Performs DNS queries to domains with low reputation 134->190 process4 dnsIp5 218 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 14->218 220 Hijacks the control flow in another process 14->220 222 Contains functionality to inject code into remote processes 14->222 232 4 other signatures 14->232 24 svchost.exe 49 14->24         started        224 Antivirus detection for dropped file 17->224 226 Multi AV Scanner detection for dropped file 17->226 228 Unusual module load detection (module proxying) 17->228 230 Changes security center settings (notifications, updates, antivirus, firewall) 19->230 29 MpCmdRun.exe 19->29         started        140 127.0.0.1 unknown unknown 21->140 signatures6 process7 dnsIp8 146 158.94.209.95, 49700, 49714, 80 OMEGATECH-ASSC Netherlands 24->146 148 drive.usercontent.google.com 142.251.167.132, 443, 49699 GOOGLE-GoogleLLCUS United States 24->148 120 C:\Users\user\AppData\...\17MYeQpqioIt.exe, PE32 24->120 dropped 122 C:\Users\user\AppData\...\08REsPkOv9MRb.exe, PE32+ 24->122 dropped 124 C:\Users\user\AppData\...\K3IZtd8LL.exe, PE32+ 24->124 dropped 126 15 other malicious files 24->126 dropped 204 System process connects to network (likely due to code injection or exploit) 24->204 206 Unusual module load detection (module proxying) 24->206 31 TizOOy44mA.exe 24->31         started        36 17MYeQpqioIt.exe 2 24->36         started        38 Lbk9VwNzfj.exe 24->38         started        42 13 other processes 24->42 40 conhost.exe 29->40         started        file9 signatures10 process11 dnsIp12 150 faab.sa 192.250.239.85 WHG-LONGB United Kingdom 31->150 152 dum.paptogel.net 104.21.41.228 CLOUDFLARENET-CloudflareIncUS Canada 31->152 154 telegram.me 149.154.167.99, 443, 49716 TELEGRAMVG United Kingdom 31->154 94 C:\Users\user\AppData\Local\...\f1eb122e.exe, PE32 31->94 dropped 96 C:\Users\user\AppData\Local\...\e1eda99e.exe, PE32+ 31->96 dropped 164 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 31->164 166 Tries to harvest and steal ftp login credentials 31->166 168 Tries to harvest and steal browser information (history, passwords, etc) 31->168 182 2 other signatures 31->182 44 cmd.exe 31->44         started        46 cmd.exe 31->46         started        98 C:\Users\user\AppData\...\17MYeQpqioIt.tmp, PE32 36->98 dropped 48 17MYeQpqioIt.tmp 18 20 36->48         started        170 Tries to steal Mail credentials (via file / registry access) 38->170 172 Tries to steal Crypto Currency Wallets 38->172 174 Unusual module load detection (module proxying) 38->174 176 Tries to steal from password manager 38->176 100 C:\Users\user\AppData\Local\...\pUrm9U7uP.tmp, PE32 42->100 dropped 102 C:\Users\user\AppData\...\Fw8sSbv0sO9N.tmp, PE32 42->102 dropped 104 C:\Users\user\AppData\Local\...\Bwale.exe, PE32 42->104 dropped 178 Detected unpacking (creates a PE file in dynamic memory) 42->178 180 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 42->180 51 Bwale.exe 42->51         started        54 pUrm9U7uP.tmp 42->54         started        56 Fw8sSbv0sO9N.tmp 42->56         started        58 9 other processes 42->58 file13 signatures14 process15 file16 60 e1eda99e.exe 44->60         started        63 conhost.exe 44->63         started        65 conhost.exe 46->65         started        67 f1eb122e.exe 46->67         started        106 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 48->106 dropped 108 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 48->108 dropped 110 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 48->110 dropped 116 22 other malicious files 48->116 dropped 69 h2testdrive.exe 18 48->69         started        194 Antivirus detection for dropped file 51->194 196 Multi AV Scanner detection for dropped file 51->196 198 Detected unpacking (creates a PE file in dynamic memory) 51->198 200 Unusual module load detection (module proxying) 51->200 112 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 54->112 dropped 114 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 56->114 dropped signatures17 process18 dnsIp19 208 Suspicious powershell command line found 60->208 210 Tries to detect sandboxes and other dynamic analysis tools (window names) 60->210 212 Adds a directory exclusion to Windows Defender 60->212 214 3 other signatures 60->214 73 powershell.exe 60->73         started        142 196.251.121.77 Hero-TelecomsZA Turkey 69->142 144 64.89.160.142 GHOSTYNETWORKSUS Luxembourg 69->144 118 C:\ProgramData\H2TestDrive\H2TestDrive.exe, PE32 69->118 dropped 75 powershell.exe 69->75         started        file20 signatures21 process22 file23 79 e1eda99e.exe 73->79         started        83 conhost.exe 73->83         started        128 C:\Users\user\AppData\...\oH2TestDrive32.lnk, MS 75->128 dropped 216 Powershell creates an autostart link 75->216 85 conhost.exe 75->85         started        signatures24 process25 file26 130 C:\ProgramDatabehaviorgraphoogle\Chrome\updater.exe, PE32+ 79->130 dropped 132 C:\Windows\System32\drivers\etc\hosts, ASCII 79->132 dropped 156 Modifies the context of a thread in another process (thread injection) 79->156 158 Modifies the hosts file 79->158 160 Adds a directory exclusion to Windows Defender 79->160 162 4 other signatures 79->162 87 powershell.exe 79->87         started        90 cmd.exe 79->90         started        signatures27 process28 signatures29 202 Loading BitLocker PowerShell Module 87->202 92 conhost.exe 87->92         started        process30
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name:
Win32.Trojan.Yogi
Status:
Malicious
First seen:
2026-07-13 01:39:34 UTC
File Type:
PE (Exe)
Extracted files:
38
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Result
Malware family:
socks5systemz
Score:
  10/10
Tags:
family:gcleaner family:remus_stealer family:socks5systemz botnet discovery installer loader spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Detect Socks5Systemz Payload
Family: GCleaner
Family: Remus
Family: Socks5Systemz
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
185.156.73.98
45.91.200.135
http://tzpx.courses:4437
http://geminyw.xyz:5003
http://carogra.biz:4219
Unpacked files
SH256 hash:
eede323c8bd0370140dd9be6fbb92c82cef64210171325352f3e96e7026d3bfe
MD5 hash:
043ecb65c4d4003504dc1d2324bdc7d0
SHA1 hash:
adfd78e5d0ff90d4d9212f69a4cb5bf95256f463
SH256 hash:
657072befb35bcef4565ebfa936f5cf2c3c9ffc92f59a9ab6bf3c7d581777a2f
MD5 hash:
388cfc267d55a3d30c8e6990833902a2
SHA1 hash:
d2d43abfa0dd09f0120fa083ea8905ee0b9778cd
Detections:
GCleaner
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Author:malware-lu
Rule name:Borland
Author:malware-lu
Rule name:Check_OutputDebugStringA_iat
Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns
Rule name:Suspicious_Process
Author:Security Research Team
Description:Suspicious process creation
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe eede323c8bd0370140dd9be6fbb92c82cef64210171325352f3e96e7026d3bfe

(this sample)

  
Delivery method
Distributed via web download

Comments