gcleaner | f0ffe21703f29dd78d6a5f937ddeed8437e9cb4e9a0dce7adf9149e250a98fd9 | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-2004-x64

Sharing

General

Target

f0ffe21703f29dd78d6a5f937ddeed8437e9cb4e9a0dce7adf9149e250a98fd9
Size

752KB
Sample

230116-m2wc2sdh77
MD5

31676b02114e92e2de69d7ea17c307f1
SHA1

529374ccf0c521faf0a32279961a54142f20a44a
SHA256

f0ffe21703f29dd78d6a5f937ddeed8437e9cb4e9a0dce7adf9149e250a98fd9
SHA512

6b1ddc30454437b193fd473b20fe4a63afd55ff9912a19e3bdb0a1c25fb76ee0c3d48fc616576febd8cdaac7aa600af71847ca379fff931dbf9da0d665e1049d
SSDEEP

12288:VQi3IG+zy2Oc6m6UR0Iqpp1hf39Wkv8xwJA:VQiYG+zy2OzHIqppdUMA

Score

10^/10

gcleaner lgoogloader discovery downloader evasion loader persistence vmprotect

Static task

static1

Behavioral task

behavioral1

Sample

f0ffe21703f29dd78d6a5f937ddeed8437e9cb4e9a0dce7adf9149e250a98fd9.exe

Resource

win10v2004-20220812-en

gcleaner lgoogloader discovery downloader evasion loader persistence vmprotect

windows10-2004-x64

30 signatures

150 seconds

Malware Config

Extracted

Family

gcleaner

C2

45.139.105.171

85.31.46.167

107.182.129.235

171.22.30.106

Targets

- Target
  
  f0ffe21703f29dd78d6a5f937ddeed8437e9cb4e9a0dce7adf9149e250a98fd9
- Size
  
  752KB
- MD5
  
  31676b02114e92e2de69d7ea17c307f1
- SHA1
  
  529374ccf0c521faf0a32279961a54142f20a44a
- SHA256
  
  f0ffe21703f29dd78d6a5f937ddeed8437e9cb4e9a0dce7adf9149e250a98fd9
- SHA512
  
  6b1ddc30454437b193fd473b20fe4a63afd55ff9912a19e3bdb0a1c25fb76ee0c3d48fc616576febd8cdaac7aa600af71847ca379fff931dbf9da0d665e1049d
- SSDEEP
  
  12288:VQi3IG+zy2Oc6m6UR0Iqpp1hf39Wkv8xwJA:VQiYG+zy2OzHIqppdUMA
Score

10^/10

gcleaner lgoogloader discovery downloader evasion loader persistence vmprotect
- Detects LgoogLoader payload
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- LgoogLoader
  A downloader capable of dropping and executing other malware families.
  downloader lgoogloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
  persistence
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Web Service

Credential Access

Discovery

Query Registry

Software Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

gcleanerlgoogloaderdiscoverydownloaderevasionloaderpersistencevmprotect

© 2018-2024

Terms | Privacy