MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fad4ad2b20d69fe58683c50e3f69e0278c37eae9f12cf81e44243a146361c082. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GCleaner

Vendor detections: 10

Intelligence 10 IOCs YARA 7 File information Comments

SHA256 hash:	fad4ad2b20d69fe58683c50e3f69e0278c37eae9f12cf81e44243a146361c082
SHA3-384 hash:	695bec355d86caea87a725d7ec5ce4fa16f54de32efe346d2cd1b2424f5326daedd0e5b42b03aeafbaa441e3142e2867
SHA1 hash:	cab3cc48d7050165c60845de3cba1857ea8dfd22
MD5 hash:	410700904dcc4cc2c936724bfc00977f
humanhash:	ceiling-hotel-march-autumn
File name:	file
Download:	download sample
Signature	GCleaner Create hunting rule
File size:	260'608 bytes
First seen:	2024-01-06 09:31:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	eb99f38f11bafb1e60757d45e64c1308 (1 x GCleaner)
ssdeep	3072:4RUwLSpOkAmPU4kSf4B52qurkLaZ52KQ+ZLfXSNfNgcVH9AdIYXZd5BJRKXv9:4iwLqAm89Sf4z2qMkQUieNl9A/JRTs
Threatray	33 similar samples on MalwareBazaar
TLSH	T19B444A0782E67F81E9668B729E7EC6F8761EF5504F59736922389B2F04B01B3C263711
TrID	34.5% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 25.8% (.EXE) InstallShield setup (43053/19/16) 18.7% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 6.3% (.EXE) Win64 Executable (generic) (10523/12/4) 3.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon	00000c084c104804 (1 x GCleaner)
Reporter	andretavare5
Tags:	exe gcleaner

andretavare5

Sample downloaded from https://vk.com/doc418490229_670431374?hash=Ol6z8YE0hsaJU9G29262dwW5IHGzqxqrF8fR5vavz4z&dl=j6HLNtCuTpw5v6JM6P7qbvwPzLs1LWFhZ6uRZDpp83L&api=1&no_preview=1#twointe

Intelligence

File Origin

# of uploads :

# of downloads :

446

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/469715/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

lolbin packed shell32

Link:

https://www.filescan.io/uploads/65991dd75d1422b2080d2874/reports/a2f16a4d-cde1-440f-a15e-666e68573364/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/fad4ad2b20d69fe58683c50e3f69e0278c37eae9f12cf81e44243a146361c082

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/50f557bf-bcf4-4f18-8348-2c22f6d24499

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1370743

Signature

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/fad4ad2b20d69fe58683c50e3f69e0278c37eae9f12cf81e44243a146361c082

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fad4ad2b20d69fe58683c50e3f69e0278c37eae9f12cf81e44243a146361c082/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2024-01-06 09:32:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7lkk2kza22p6lbudyuhd62pae6gdp2xj6ewpqhseeq5biy3bycba._file

Verdict:

malicious

GCleaner

404afd3c18b203aa9ce9f8f5f9b7a813fda0d2a322252cd28e002e142080a4f7

GCleaner

629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb

GCleaner

85e7587a2013104dae85c32865728f1176a555502c4c594faf7ebf68ae2773f1

GCleaner

a894df972f961b115a6567cc0769f235e211fd15ca89dbe2a03cee66507bfdbf

GCleaner

fad4ad2b20d69fe58683c50e3f69e0278c37eae9f12cf81e44243a146361c082

GCleaner

+ 23 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/240106-lg2hwsdfh6/

Unpacked files

SH256 hash:

866e50488fc0109747f2e38d1b1172b7b1953cc6a927fa4ffba5eec95834d32c

MD5 hash:

843ccd86d55c67473a9be6319ed8832f

SHA1 hash:

ca52f04a02d63586c92138f028c9c664d8134359

Link:

https://www.unpac.me/results/597e3a38-32e7-4f7a-8c84-fb9679123454/

SH256 hash:

fad4ad2b20d69fe58683c50e3f69e0278c37eae9f12cf81e44243a146361c082

MD5 hash:

410700904dcc4cc2c936724bfc00977f

SHA1 hash:

cab3cc48d7050165c60845de3cba1857ea8dfd22

Link:

https://www.unpac.me/results/597e3a38-32e7-4f7a-8c84-fb9679123454/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fad4ad2b20d69fe58683c50e3f69e0278c37eae9f12cf81e44243a146361c082

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

Rule name:	win_gcleaner_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.gcleaner.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2746359/

Cape

https://www.capesandbox.com/analysis/469715/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample