Overview

overview

10

Static

static

1

OitFiles450.exe

windows7-x64

10

OitFiles450.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/02/2023, 07:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    OitFiles450.exe

  • Size

    1.9MB

  • MD5

    9a78d8ecea8ffc07a876d89890834c52

  • SHA1

    b2696d7a7157ad116e0e562f3bac8f7bb7878784

  • SHA256

    2e5b1d28e107e94110199d3351934fd4a81fb740322a85eeb2a0944ee7a29b16

  • SHA512

    6270bf4172a432e15a4db1cdfb16ca3bacd1ea04bf4794f8d73789b372326243327132f9ed33f336d4aba47f878ee4cd403d2c3d0a1a68b285208d3258073e8c

  • SSDEEP

    24576:mU0h+mosggSWGkj9Z/9Hy1LYclZf7ii1UqTTRfiTvoCwGLem:J1mosggSWGkTQiQf7lPnRovEAZ

Score
10/10
gcleanerloader

Malware Config

Extracted

Family

gcleaner

C2

45.139.105.171

85.31.46.167

107.182.129.235

171.22.30.106

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • Executes dropped EXE 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\OitFiles450.exe
    "C:\Users\Admin\AppData\Local\Temp\OitFiles450.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3440
    • C:\Users\Admin\AppData\Roaming\{6e1ce040-6208-11ed-b5ce-806e6f6e6963}\Ebm8Yk6ntE.exe
      2⤵
      • Executes dropped EXE
      PID:1676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\{6e1ce040-6208-11ed-b5ce-806e6f6e6963}\Ebm8Yk6ntE.exe
    Filesize

    72KB

    MD5

    3fb36cb0b7172e5298d2992d42984d06

    SHA1

    439827777df4a337cbb9fa4a4640d0d3fa1738b7

    SHA256

    27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

    SHA512

    6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\{6e1ce040-6208-11ed-b5ce-806e6f6e6963}\Ebm8Yk6ntE.exe
    Filesize

    72KB

    MD5

    3fb36cb0b7172e5298d2992d42984d06

    SHA1

    439827777df4a337cbb9fa4a4640d0d3fa1738b7

    SHA256

    27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

    SHA512

    6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

    Download Submit

  • memory/3440-132-0x0000000000400000-0x00000000013E8000-memory.dmp

    Filesize

    15.9MB

    Download

  • memory/3440-133-0x0000000000400000-0x00000000013E8000-memory.dmp

    Filesize

    15.9MB

    Download

  • memory/3440-137-0x0000000000400000-0x00000000013E8000-memory.dmp

    Filesize

    15.9MB

    Download