gcleaner

General

Target

generator-klyuchey-k_KwNinVHB.zip
Size

12.6MB
Sample

230213-m9189scg75
MD5

f0b4229701333b73b4cb782d71d23eec
SHA1

a878e5a59b81f1597d79851a0abf767a58557ba0
SHA256

4afe381653783906385556cec9f16ca31309bfcb7873b2e2ed36bd01d8903d25
SHA512

dcd5596370e7a7795791b7e62d64fa0c19a2fb6ccb42ce7f0eb8b2bd1dfef00313ae7d989c29608b6963fba4fb4235444a8761ff624075f79a2329e58aa9401c
SSDEEP

196608:pKM5aUpAI6rSLKSu9gqUd09yHwP9CoB8GPyf2WSCJi/lefYJ13IuLutNp6h3VlU:gWP8eBuCHI98GPJWm9egHIuLufQVlU

Score

10^/10

Malware Config

Extracted

Family

gcleaner

C2

45.12.253.51

45.12.253.92

45.12.253.89

45.12.253.55

Targets

- Target
  
  .............exe
- Size
  
  5.8MB
- MD5
  
  288d7d66024b6562feeb4d6baed41849
- SHA1
  
  cb9efb823a462d1afc8057839fecd224d661102a
- SHA256
  
  7dfffd124e41f73e266f806951457060dfff9950caca0fcd1c542ff5e9a21e34
- SHA512
  
  1793b4c153f4277d65cf99b2758c586f4a59234760916280deab35ae69bd48b3584ba76474243ac67efb98c052b4e9a184c16b93b10ea92292eac46224cf334a
- SSDEEP
  
  98304:LX44Xe8aIUM7LhfXMObVARKlsZjLusEBHYCzg1OnW/T+1zS2owMVMowF:7VXeNIUuWObuRKIu5Y0CozSnw7bF
Score

7^/10
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  generator-klyuchey-k_KwNinVHB.exe
- Size
  
  7.2MB
- MD5
  
  ac97f37709a9827ddfa5d685ac5f911f
- SHA1
  
  ace9ad324f73b37ed6554a299162406a46312440
- SHA256
  
  4212a0bf712ad3e5eb4bd84bc5680db559b5a1a96ed54c891d96633f7937b2e7
- SHA512
  
  852ea8f6ae6054ae6ced98d0a377db15375475fe77adaa067495f9c704c1cd92d1dc2bc98f4cfd1ea49d2542be8f9a98a436f60c23d44134a988fb8da3eaa03e
- SSDEEP
  
  196608:2QNKxKnyPYScalEF9o9SD9DI0pEHNDcDZHDe:yxKnHSYnoIZI0pEt4HDe
Score

10^/10

gcleaner discovery evasion loader spyware stealer trojan
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
behavioral3 behavioral4