MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f88b778d7c3819667ad835b83140d188c47d6897be4aa0ec7fc8ba16eb5490bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 16


Intelligence 16 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f88b778d7c3819667ad835b83140d188c47d6897be4aa0ec7fc8ba16eb5490bd
SHA3-384 hash: d6f847162cfd44197455410647c52e232b6e3722baa19771cd649a98c15f2eb43dd5e0b9ff84eacd44879dee765ca38c
SHA1 hash: d892a79c0ce6e13c7de423044835b6e64a948bf4
MD5 hash: f7fde7947578965cc58bea9dcf0aaa9c
humanhash: potato-april-zebra-michigan
File name:f7fde7947578965cc58bea9dcf0aaa9c
Download: download sample
Signature GCleaner
Create hunting rule
File size:312'320 bytes
First seen:2023-04-24 05:39:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 83f7b03b4e2f4d598c9968669b5cc91e (3 x Amadey, 3 x Stop, 2 x GCleaner)
ssdeep 3072:qOGy3s8ny3sfXz4GlXSwmjhJA6IuJ8AqXrkydWaqSx53tKe4KTFhZOrV:JGShcsfszVh7IuJnqX3dJbtKePYr
Threatray 6'481 similar samples on MalwareBazaar
TLSH T18D64F151BCE1DC76E97A317488378A962A7FBCD10A158946B2BC378B6D323C15E31387
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 36f0e8e8e8e8e032 (1 x GCleaner)
Reporter zbetcheckin
Tags:32 exe gcleaner

Intelligence

File Origin
# of uploads :
1
# of downloads :
509
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
stop
Create hunting rule
ID:
1
File name:
f7fde7947578965cc58bea9dcf0aaa9c
Verdict:
Malicious activity
Analysis date:
2023-04-24 05:41:52 UTC
Tags:
loader ransomware stop gcleaner stealer vidar trojan opendir cryptbot
Link:
https://app.any.run/tasks/df5b0213-dba8-4efc-b992-31983d242cc6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Nymaim
Create hunting rule
Link:
https://www.capesandbox.com/analysis/384413/
Detection(s):
Sanesecurity.Malware.29231.BadIN.UNOFFICIAL
Create hunting rule

Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/81151/overview
Behaviour
MalwareBazaar
SystemUptime
CPUID_Instruction
MeasuringTime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/64461634809528e43aab00e1/reports/89d61564-6181-4478-a5a1-ad860e14838b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f88b778d7c3819667ad835b83140d188c47d6897be4aa0ec7fc8ba16eb5490bd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d3f8fb7b-93bd-41a1-ac75-ee0a02c4909f
Result
Threat name:
Nymaim
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1219692
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Nymaim
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f88b778d7c3819667ad835b83140d188c47d6897be4aa0ec7fc8ba16eb5490bd/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2023-04-23 05:53:47 UTC
File Type:
PE (Exe)
Extracted files:
25
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7cfxpdl4hamwm6wygw4dcqgrrdch22exxzfkb3d7zc5bn22usc6q._file
Verdict:
malicious
Similar samples:
25a2a5069c502b7aafebbdf26a2d80225774f39f537f2d1b03e3099300d6b3f9
GCleaner
780ed40282d7d392080687d1e32bc017f63ffab0c0fb020d1dcf3bf7c4c186da
GCleaner
9026ede50a6aeb6fcf0280345a104c6a712b2bac5322a5cd44d6028cb7b444a6
GCleaner
99c174299dbb2e0fc5a2fa4bab7bfbc95b7ce2c510fc043a5a4a952a61d28ffe
GCleaner
b11f4d0513f8394544e1b1244b6eb46c8219034afe039fd0dc891ca4f463f9f0
GCleaner
ce53630e164fefbd80810e812308044a6c6705ae6c797aa680c0952b1b28c15f
GCleaner
f5a84bf51c4075d3dc72f3fb33a6137292b453086642a95114bdb3a5eb00195a
GCleaner
+ 6'471 additional samples on MalwareBazaar
Result
Malware family:
gcleaner
Create hunting rule
Score:
  10/10
Tags:
family:gcleaner loader
Link:
https://tria.ge/reports/230424-gcwdvshh98/
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Deletes itself
GCleaner
Malware Config
C2 Extraction:
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Unpacked files
SH256 hash:
df6cb15b95538d0e7598c8d1642a0c1087ac05d2a43cf7f185038c916ffdafac
MD5 hash:
dee3299fa1f6e024e8a80b55b88778d6
SHA1 hash:
4583c0559136037e81e9a71f572850915edaaad0
Detections:
Nymaim
Create hunting rule
win_nymaim_g0
Create hunting rule
win_gcleaner_w0
Create hunting rule
win_gcleaner_auto
Create hunting rule
Link:
https://www.unpac.me/results/69c12e4a-8d52-439e-8106-f1e058a46383/
SH256 hash:
f88b778d7c3819667ad835b83140d188c47d6897be4aa0ec7fc8ba16eb5490bd
MD5 hash:
f7fde7947578965cc58bea9dcf0aaa9c
SHA1 hash:
d892a79c0ce6e13c7de423044835b6e64a948bf4
Link:
https://www.unpac.me/results/69c12e4a-8d52-439e-8106-f1e058a46383/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f88b778d7c3819667ad835b83140d188c47d6897be4aa0ec7fc8ba16eb5490bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_gcleaner_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.gcleaner.
Rule name:win_gcleaner_de41
Create hunting rule
Author:Johannes Bader
Description:detects GCleaner
Rule name:win_gcleaner_w0
Create hunting rule
Author:Johannes Bader @viql
Description:detects GCleaner

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GCleaner

Executable exe f88b778d7c3819667ad835b83140d188c47d6897be4aa0ec7fc8ba16eb5490bd

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/384413/

Comments


Avatar
zbet commented on 2023-04-24 05:39:52 UTC

url : hxxp://45.12.253.74/pineapple.php?pub=mixkis/