MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6cf800d44ff24fc1d1c06ccb0df605c5585f56fd041d335a5fe15628a1e9428. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f6cf800d44ff24fc1d1c06ccb0df605c5585f56fd041d335a5fe15628a1e9428
SHA3-384 hash: 0f04cf53d588e135d6d01d3c99867a2e93aed0608efd247d0c3f8e9165c65126e8d87502e2f2b9b4df2bf96a9ec6ba6c
SHA1 hash: 9dd9080df32b375f39df6470136a5bb107829eba
MD5 hash: 2d257873ee0ae75c9b89bd340e3e3da6
humanhash: sweet-neptune-eleven-alpha
File name:2d257873ee0ae75c9b89bd340e3e3da6.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:370'688 bytes
First seen:2023-07-02 06:04:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fdd8fed97401c5bf665e967df246697a (2 x GCleaner, 1 x Smoke Loader, 1 x Tofsee)
ssdeep 3072:aYCP40soI6S4OjdPhhFZzWUE6itRd8iEmP7WLig/ZT4rNXeCLshvYJREGKm3aGjR:g4V6IV7ErRlEakMJXbsqQjmKJuF25V8
Threatray 55 similar samples on MalwareBazaar
TLSH T166748E4396E13EF0E9354B72EF2FCAE8760DF2544E09776422289A2F04B90B2D573756
TrID 59.6% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
15.0% (.EXE) Win64 Executable (generic) (10523/12/4)
7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.9% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 36f0c8c8c8c8e860 (4 x GCleaner)
Reporter abuse_ch
Tags:exe gcleaner

Intelligence

File Origin
# of uploads :
1
# of downloads :
251
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
Nymaim
Create hunting rule
Link:
https://www.capesandbox.com/analysis/405143/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/94740/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed xpack
Link:
https://www.filescan.io/uploads/64a113583d1253262b2d1e25/reports/aeae738b-9ee6-4f01-97cf-a45c648cdd2d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f6cf800d44ff24fc1d1c06ccb0df605c5585f56fd041d335a5fe15628a1e9428
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b314e233-b60c-4cd1-8b20-4b52a9c14eb9
Result
Threat name:
Nymaim
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1264901
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Nymaim
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f6cf800d44ff24fc1d1c06ccb0df605c5585f56fd041d335a5fe15628a1e9428/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-06-30 13:56:28 UTC
File Type:
PE (Exe)
Extracted files:
44
AV detection:
31 of 37 (83.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=63hyadke74spyhi4a3glbx3alrkyl5lp2ba5gnnf7ykwfcq6squa._file
Verdict:
malicious
Similar samples:
0875f2085b2f40b96db96d317cfdd1d870541182d4200de33fae9cbefaf07797
GCleaner
0c66455c62f9e8d2755760f97d5e51e26267682cc9a6ec15bae1f1d0bbeaaa65
GCleaner
1adda3b870c28e6ae33226565b2f31ebfed65adf7a530a883404021104714746
GCleaner
51f7cb2bce2460bec286f14978cb796e6858be4335c10401a1fb9e54893cca92
GCleaner
5aad31095b0b9a429fed8773a233eb872868467d33f52b9d6f6e7fa078092011
GCleaner
60da6ce55330f4f38e98b39bf07cf75fdabd80296429f1538c48d5df499d48d2
GCleaner
68af9af3506c7a35ef60026b6662cbc1fda0b36007a6eb48a974e4d7574db21f
GCleaner
de8385440c23789f44c418bdf2e30578559b1c6b142c820f081f81280d1c0888
GCleaner
+ 45 additional samples on MalwareBazaar
Result
Malware family:
gcleaner
Create hunting rule
Score:
  10/10
Tags:
family:gcleaner loader
Link:
https://tria.ge/reports/230702-gsljlabh7s/
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Deletes itself
GCleaner
Malware Config
C2 Extraction:
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Unpacked files
SH256 hash:
b98acf1c6f5edc3a6eb80f9d5cc07eb8e2cc0f25f6d63e5f79a1090876e2d588
MD5 hash:
31bd047f848d0efc202b7406960872fe
SHA1 hash:
13b3409430b62ce3fee441f7eca58d827df47005
Detections:
Nymaim
Create hunting rule
win_nymaim_g0
Create hunting rule
win_gcleaner_w0
Create hunting rule
win_gcleaner_auto
Create hunting rule
Link:
https://www.unpac.me/results/16c65639-19cf-417d-b75e-272b15697f82/
Parent samples :
0c66455c62f9e8d2755760f97d5e51e26267682cc9a6ec15bae1f1d0bbeaaa65
60da6ce55330f4f38e98b39bf07cf75fdabd80296429f1538c48d5df499d48d2
f6cf800d44ff24fc1d1c06ccb0df605c5585f56fd041d335a5fe15628a1e9428
589f9841822ba66abe4cf94fc3f104307d13014de6d3ed4bc507873fe0653e2e
a75c766167a44c78f3824d28780078cf2cc31522a55372958cefd5f3f093e4c1
c6820216f0f3c79377dc2fbd0e82971910cccda00efa6de17fe0912076efacc3
dcba1aa4b4d92b68713b03f12985b0b0689055b3921e0273506d23f7e675ff52
e20d8500c29a288d9ba280531651ad74c81cfc4c77a95bc4f08cce232ff1b6aa
ee366039716c1ca70c1c1744faaf2aeeae8d780c6bbd438cc0c1fef3f7a57cc7
SH256 hash:
f6cf800d44ff24fc1d1c06ccb0df605c5585f56fd041d335a5fe15628a1e9428
MD5 hash:
2d257873ee0ae75c9b89bd340e3e3da6
SHA1 hash:
9dd9080df32b375f39df6470136a5bb107829eba
Link:
https://www.unpac.me/results/16c65639-19cf-417d-b75e-272b15697f82/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f6cf800d44ff24fc1d1c06ccb0df605c5585f56fd041d335a5fe15628a1e9428

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe f6cf800d44ff24fc1d1c06ccb0df605c5585f56fd041d335a5fe15628a1e9428

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2666413/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/405143/

Comments