MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4efaf8d0985471ff7b41505859fa674fbc5d289d111b209a36ff356e07a1ba2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 15

Intelligence 15 IOCs YARA 6 File information Comments

SHA256 hash:	f4efaf8d0985471ff7b41505859fa674fbc5d289d111b209a36ff356e07a1ba2
SHA3-384 hash:	e4894b374ec571b6520c320c871d62683faa134c53383abfc7b3d83ef0d22b31a54ca934dd8885ac31f4a0f543f0f809
SHA1 hash:	3cd09281acc3e3f1abeaf46774d27b13ddbb6f1a
MD5 hash:	52f47137d0abfc11b46579e8c4ac07b2
humanhash:	victor-nine-california-florida
File name:	lapismixeleven.exe
Download:	download sample
Signature	GCleaner Create hunting rule
File size:	3'364'640 bytes
First seen:	2025-08-01 08:16:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	35fb237fb0cbb96f5c18921de1853d20 (13 x GCleaner)
ssdeep	49152:pM3dDmSDXulavAioy3LkdMsFcqgI48WYjgyGBVX3YPX+NpSTfXZy49h:pM3dD9yavnEMsexI4OsiSSTfXZy4P
TLSH	T100F5012A76AD482FC90A4736CA0575DE88FEE94329319B4D7AD77E4CD37860CB1B1342
TrID	52.9% (.EXE) Win32 Executable Delphi generic (14182/79/4) 16.8% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) Win16/32 Executable Delphi generic (2072/23) 7.5% (.EXE) OS/2 Executable (generic) (2029/13) 7.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter	skocherhan
Tags:	176-46-158-23 exe gcleaner

skocherhan

http://176.46.158.23/setup?name=bot.exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

lapismixeleven.exe

Verdict:

Malicious activity

Analysis date:

2025-08-01 08:20:37 UTC

Tags:

gcleaner loader lumma stealer auto autoit

Link:

https://app.any.run/tasks/641a6be2-411b-40df-9be9-cbb2f531b769

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/18261/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=688c780f0b4775fb21348087

Tags:

delphi cobalt emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Unauthorized injection to a recently created process by context flags manipulation

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context anti-debug base64 borland_delphi expired-cert fingerprint invalid-signature keylogger packed signed

Link:

https://www.filescan.io/uploads/688c781473b8ef6f4af940c5/reports/a04b41fd-424f-4df2-aa7e-dd1857ec9ee6/overview

Verdict:

Malicious

Labled as:

Tedy.Generic

Link:

https://www.hybrid-analysis.com/sample/f4efaf8d0985471ff7b41505859fa674fbc5d289d111b209a36ff356e07a1ba2

Malware family:

RealVNC

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/e75b901a-cb9d-4de0-b40e-ea05bbc262e8

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f4efaf8d0985471ff7b41505859fa674fbc5d289d111b209a36ff356e07a1ba2

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) Win 32 Exe x86

Link:

https://app.malva.re/file/52f47137d0abfc11b46579e8c4ac07b2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f4efaf8d0985471ff7b41505859fa674fbc5d289d111b209a36ff356e07a1ba2/

Verdict:

Malicious

Threat:

Family.GCLEANER

Link:

https://tip.neiki.dev/file/f4efaf8d0985471ff7b41505859fa674fbc5d289d111b209a36ff356e07a1ba2

Threat name:

Win32.Trojan.Gcleaner

Status:

Suspicious

First seen:

2025-08-01 08:17:21 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 38 (55.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6tx27dijqvdr755ucucylh5got54luuj2ei3ecndn7zvnyd2dora._file

Result

Malware family:

gcleaner

Score:

10/10

Tags:

family:gcleaner discovery loader

Link:

https://tria.ge/reports/250801-j6t41afj6x/

Behaviour

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Executes dropped EXE

Loads dropped DLL

GCleaner

Gcleaner family

Malware Config

C2 Extraction:

185.156.73.98
45.91.200.135

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/298ec607-357d-4e5b-9990-fbd2d15982ee

Unpacked files

SH256 hash:

f4efaf8d0985471ff7b41505859fa674fbc5d289d111b209a36ff356e07a1ba2

MD5 hash:

52f47137d0abfc11b46579e8c4ac07b2

SHA1 hash:

3cd09281acc3e3f1abeaf46774d27b13ddbb6f1a

Link:

https://www.unpac.me/results/2c46ac02-7ca2-4b56-8a84-ca760b4fc97f/

SH256 hash:

98319dca4b6c9753c2c453bd5a65a8b24af871eeba2814717cafb4b9b19e86f1

MD5 hash:

bad066fd2ad613587f7db533c67a6633

SHA1 hash:

80c51ebf1d99c481369d69877b75c63bda8c2150

Detections:

GCleaner

Link:

https://www.unpac.me/results/2c46ac02-7ca2-4b56-8a84-ca760b4fc97f/

Parent samples :

6dec6fafe591442490190c51cdc26aba6a18620ee6331f2c77ee01d6a3e83fe4
f4efaf8d0985471ff7b41505859fa674fbc5d289d111b209a36ff356e07a1ba2
c8fcfe4f00cf5d042ec4015c6563847786fa4f01ad1c6c8ffeded44315600e57
2644f133ad541942e868ba65f4182adc6937ec9546ba1b63b092369cc47529a4
353bb7ff551cc81d11dd41b3ac03084ab2ce72a86099a6010a9ac5d6a67cc5d0
9b9a9ca1eadeef898fdd32ecc2e11d9f916793d5c07011fb40a379d2ddc01970
d6683bc30555194adaa5aa2027906b76958345ad106a76382b056053a28fcad9

SH256 hash:

0a0b083cc0e62db594b7be21088202c7fe0970d609b2847085d0bf2be8e54a5c

MD5 hash:

4ce3ce196eda86d92b68362b6269b618

SHA1 hash:

fd42ee0aca0315acac25c297f1ce33634c549559

Link:

https://www.unpac.me/results/2c46ac02-7ca2-4b56-8a84-ca760b4fc97f/

Malware family:

Lumma

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f4efaf8d0985/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/f4efaf8d0985471ff7b41505859fa674fbc5d289d111b209a36ff356e07a1ba2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/18261/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA kernel32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateFileA kernel32.dll::DeleteFileA kernel32.dll::FindFirstFileA kernel32.dll::GetTempPathA version.dll::GetFileVersionInfoSizeA version.dll::GetFileVersionInfoA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::FindWindowA user32.dll::PeekMessageA user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample