MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff83807006950b99eddcf7b5924e3eb4704c116cf19984585590fd92aa62309b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff83807006950b99eddcf7b5924e3eb4704c116cf19984585590fd92aa62309b
SHA3-384 hash: ac0b56cb8b48f2acc2e93e51ad7dcde60acc922ee6bef17aea7e9c0b5198bbf5f02b24cd386c3bbaeeb95db69782a7d9
SHA1 hash: 891c7c94f9462b18e5a2b6881983585e6b41e8ba
MD5 hash: 449bd69cfcf8c2756ffa0b836acda264
humanhash: mississippi-charlie-william-sixteen
File name:449bd69cfcf8c2756ffa0b836acda264.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:1'766'679 bytes
First seen:2023-05-31 07:56:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (259 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 24576:s7FUDowAyrTVE3U5F/3GqKWpKic6QL3E2vVsjECUAQT45deRV9RH:sBuZrEUiwKIy029s4C1eH9N
Threatray 1 similar samples on MalwareBazaar
TLSH T10485CF3FF268A13EC46A1B3245B39310997BBA61B81A8C1E47FC344DCF765601E3B656
TrID 50.4% (.EXE) Inno Setup installer (109740/4/30)
19.7% (.EXE) InstallShield setup (43053/19/16)
19.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter abuse_ch
Tags:exe gcleaner

Intelligence

File Origin
# of uploads :
1
# of downloads :
242
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
449bd69cfcf8c2756ffa0b836acda264.exe
Verdict:
Suspicious activity
Analysis date:
2023-05-31 08:00:38 UTC
Tags:
installer
Link:
https://app.any.run/tasks/1352ffa4-ede1-4471-b015-2a061354d3d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/393943/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.30446.21773.7029.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Searching for the window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/88774/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
installer lolbin overlay packed setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/6476fdcf9f24e991a79dbe3a/reports/48f7ac60-6cab-48aa-aa0c-1cf83e3d3416/overview
Verdict:
Malicious
Labled as:
HEUR/AGEN.1332545
Link:
https://www.hybrid-analysis.com/sample/ff83807006950b99eddcf7b5924e3eb4704c116cf19984585590fd92aa62309b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6c05b1ab-59b0-4682-86fc-70015194177b
Result
Threat name:
Nymaim
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad.mine
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1245837
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found strings related to Crypto-Mining
Infects executable files (exe, dll, sys, html)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Yara detected Nymaim
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 878855 Sample: VSiqfvLPjE.exe Startdate: 31/05/2023 Architecture: WINDOWS Score: 64 140 Snort IDS alert for network traffic 2->140 142 Malicious sample detected (through community Yara rule) 2->142 144 Antivirus detection for URL or domain 2->144 146 4 other signatures 2->146 14 msiexec.exe 2->14         started        18 VSiqfvLPjE.exe 2 2->18         started        20 VC_redist.x64.exe 2->20         started        process3 file4 114 C:\Windows\System32\vcruntime140_1.dll, PE32+ 14->114 dropped 116 C:\Windows\System32\vcruntime140.dll, PE32+ 14->116 dropped 118 C:\Windows\System32\vcomp140.dll, PE32+ 14->118 dropped 122 45 other files (22 malicious) 14->122 dropped 158 Infects executable files (exe, dll, sys, html) 14->158 120 C:\Users\user\AppData\...\VSiqfvLPjE.tmp, PE32 18->120 dropped 160 Obfuscated command line found 18->160 22 VSiqfvLPjE.tmp 3 27 18->22         started        27 VC_redist.x64.exe 20->27         started        signatures5 process6 dnsIp7 126 45.12.253.74, 49698, 80 CMCSUS Germany 22->126 128 www.trestarshop.com 45.86.230.85, 443, 49694, 49695 RAINBOW-HKRainbownetworklimitedHK Russian Federation 22->128 130 4 other IPs or domains 22->130 80 C:\Users\user\AppData\Local\Temp\...\s3.exe, PE32 22->80 dropped 82 C:\Users\user\AppData\Local\Temp\...\s2.exe, PE32 22->82 dropped 84 C:\Users\user\AppData\Local\Temp\...\s1.exe, PE32 22->84 dropped 86 3 other files (1 malicious) 22->86 dropped 148 Performs DNS queries to domains with low reputation 22->148 29 s2.exe 22->29         started        33 s1.exe 14 22->33         started        36 s0.exe 2 22->36         started        38 VC_redist.x64.exe 27->38         started        file8 signatures9 process10 dnsIp11 104 C:\Users\user\AppData\Local\Temp\...\s2.tmp, PE32 29->104 dropped 150 Obfuscated command line found 29->150 40 s2.tmp 29->40         started        124 45.12.253.56, 49702, 80 CMCSUS Germany 33->124 152 Multi AV Scanner detection for dropped file 33->152 154 Detected unpacking (changes PE section rights) 33->154 156 Detected unpacking (overwrites its own PE header) 33->156 44 cmd.exe 33->44         started        46 WerFault.exe 9 33->46         started        48 WerFault.exe 9 33->48         started        52 7 other processes 33->52 106 C:\Users\user\AppData\Local\Temp\...\s0.tmp, PE32 36->106 dropped 50 s0.tmp 26 19 36->50         started        108 C:\Users\user\AppData\Local\...\wixstdba.dll, PE32 38->108 dropped file12 signatures13 process14 dnsIp15 132 99.84.88.30, 443, 49709 AMAZON-02US United States 40->132 134 api.joinmassive.com 99.84.88.78, 443, 49705, 49708 AMAZON-02US United States 40->134 136 aka.ms 104.83.112.120, 443, 49706 AKAMAI-ASUS United States 40->136 88 C:\Users\user\...\vc_redist.x64.exe (copy), PE32 40->88 dropped 90 C:\Users\user\AppData\Local\...\is-NDUSE.tmp, PE32 40->90 dropped 92 C:\Users\user\AppData\...\PEInjector.dll, PE32 40->92 dropped 94 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 40->94 dropped 54 vc_redist.x64.exe 40->54         started        57 conhost.exe 44->57         started        59 taskkill.exe 44->59         started        138 192.168.2.1 unknown unknown 46->138 96 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 50->96 dropped 98 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 50->98 dropped 100 C:\...\unins000.exe (copy), PE32 50->100 dropped 102 7 other files (none is malicious) 50->102 dropped file16 process17 file18 78 C:\Windows\Temp\...\vc_redist.x64.exe, PE32 54->78 dropped 61 vc_redist.x64.exe 54->61         started        process19 file20 110 C:\Windows\Temp\...\VC_redist.x64.exe, PE32 61->110 dropped 112 C:\Windows\Temp\...\wixstdba.dll, PE32 61->112 dropped 64 VC_redist.x64.exe 61->64         started        process21 file22 74 C:\ProgramData\...\VC_redist.x64.exe, PE32 64->74 dropped 67 VC_redist.x64.exe 64->67         started        process23 process24 69 VC_redist.x64.exe 67->69         started        file25 76 C:\Windows\Temp\...\wixstdba.dll, PE32 69->76 dropped 72 VC_redist.x64.exe 69->72         started        process26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff83807006950b99eddcf7b5924e3eb4704c116cf19984585590fd92aa62309b/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-05-31 07:57:06 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=76bya4agsufzt3o4662zetr6wryeyelm6gmyiwcvsd6zfktcgcnq._file
Verdict:
malicious
Similar samples:
361ed549476b6ec80f9c95564cc7e3979a8e5d31f8f95eb4c71c46800f0bf327
GCleaner
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230531-js9yasea7z/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash:
6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash:
603a36f817cab5574e58ab279379e5c112e5fb37
Link:
https://www.unpac.me/results/d8ef128c-69be-45bc-aaf4-660b6ce119b3/
SH256 hash:
00ed5a44828c7dce158f6f679415fc34dcfe9e7c826e6b4b04da34992b783da4
MD5 hash:
326cf2acf0c5fdf4ff1783d1a2a7e51d
SHA1 hash:
496b1e1feb8c30e1be1590d05b9168c2992e62f6
Link:
https://www.unpac.me/results/d8ef128c-69be-45bc-aaf4-660b6ce119b3/
SH256 hash:
ff83807006950b99eddcf7b5924e3eb4704c116cf19984585590fd92aa62309b
MD5 hash:
449bd69cfcf8c2756ffa0b836acda264
SHA1 hash:
891c7c94f9462b18e5a2b6881983585e6b41e8ba
Link:
https://www.unpac.me/results/d8ef128c-69be-45bc-aaf4-660b6ce119b3/
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ff8380700695/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NetSupportManager RAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff83807006950b99eddcf7b5924e3eb4704c116cf19984585590fd92aa62309b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_gcleaner_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.gcleaner.
Rule name:win_gcleaner_de41
Create hunting rule
Author:Johannes Bader
Description:detects GCleaner
Rule name:win_gcleaner_w0
Create hunting rule
Author:Johannes Bader @viql
Description:detects GCleaner

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/393943/

Comments