MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fcfe0e26e945ba5fbde5d01cad9bcb66b2c9623bc8cdc627e9c886e32fde6134. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fcfe0e26e945ba5fbde5d01cad9bcb66b2c9623bc8cdc627e9c886e32fde6134
SHA3-384 hash: 332822b398c8f194aca205229da58726fc133777aa66fef3c060557f97e169eaee0bec8148cfffe81a0c2b220667b57f
SHA1 hash: e9f9c12864ed0c7360bbe94760e5d1172e66d17d
MD5 hash: 5b0a7253de15bf159141d624fea88528
humanhash: india-avocado-single-timing
File name:5B0A7253DE15BF159141D624FEA88528.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:388'608 bytes
First seen:2021-08-08 16:25:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3e01aba115e2809fc1e1e81e4276a146 (1 x RedLineStealer, 1 x RaccoonStealer, 1 x GCleaner)
ssdeep 6144:EMoDVV7WRRKZ/tDTuHHV2Y/IGwNLcW6g/AE/rPz9+X:gr7W3KDDTyV2yInJPz
Threatray 195 similar samples on MalwareBazaar
TLSH T1FA84BF30AA90C035F0B722F84AB9D36C792D7EA0A73051CB52D53AEE56356E9EC30757
dhash icon 96714cbc74dcf166 (5 x GCleaner)
Reporter abuse_ch
Tags:exe gcleaner


Avatar
abuse_ch
GCleaner C2:
http://gc-prtnrs.top/decision.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://gc-prtnrs.top/decision.php https://threatfox.abuse.ch/ioc/166045/

Intelligence

File Origin
# of uploads :
1
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5B0A7253DE15BF159141D624FEA88528.exe
Verdict:
Malicious activity
Analysis date:
2021-08-08 16:36:55 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/c3f7fdc6-029d-4aac-99e1-f661cc9d4868

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Gcleaner
Create hunting rule
Link:
https://www.capesandbox.com/analysis/177273/
Detection(s):
Win.Malware.Generic-9882834-0
Create hunting rule

Win.Malware.Generic-9882961-0
Create hunting rule

Win.Malware.Generic-9883181-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
DNS request
Connection attempt
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Sending a UDP request
Launching a tool to kill processes
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3379e9ee-fae4-4c70-85b0-d8d2b3c39eb2
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/828846
Signature
Antivirus detection for URL or domain
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to evade analysis by execution special instruction which cause usermode exception
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fcfe0e26e945ba5fbde5d01cad9bcb66b2c9623bc8cdc627e9c886e32fde6134/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-04 03:35:00 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
3221c7c857b80fab3818cf1ea9435cef9626d84bd308d7a365e4e5089e5ef413
GCleaner
4272379ced0fed89dfc74a080cd17269b34bef293cbfe4bd424abd500bf367fa
GCleaner
4df50c6d6d188c3413bdba53851cbeea7b281b92b0d5341c021a65912395fa5b
GCleaner
b8338eda2c7390860da3bd4a37104b409235131406d9b4d30a78b5d4189cf317
GCleaner
c49db28c90989f14866faa6781fc5e6531c8a63d3c3f3d245b4c4d752ce5ebf0
GCleaner
cbcd57dd83369317946567dba9624dedbf2ce33acc796b2ba6f4c57b7d3cf49a
GCleaner
d72dd5663947fc7e1bd8903030b3e2fd551d8d938fdc6417d8513a1c4cc49702
GCleaner
+ 185 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata
Link:
https://tria.ge/reports/210808-r752znw2qs/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Deletes itself
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE GCleaner Downloader Activity M1
Unpacked files
SH256 hash:
3b309236695517c2e06ff8af3f5c073e1b8e8c99768f5141f4cf9e704050dfdb
MD5 hash:
048d3824dae9ba8c0b48a841c56f2e24
SHA1 hash:
8da82b6a497c97a5512009ef57b4d25f77c57dc1
Link:
https://www.unpac.me/results/a3260e17-e01d-4df6-83a0-a77d34680f5c/
SH256 hash:
fcfe0e26e945ba5fbde5d01cad9bcb66b2c9623bc8cdc627e9c886e32fde6134
MD5 hash:
5b0a7253de15bf159141d624fea88528
SHA1 hash:
e9f9c12864ed0c7360bbe94760e5d1172e66d17d
Link:
https://www.unpac.me/results/a3260e17-e01d-4df6-83a0-a77d34680f5c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fcfe0e26e945ba5fbde5d01cad9bcb66b2c9623bc8cdc627e9c886e32fde6134

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/177273/

Comments