gcleaner

General

Target

Driver Easy Pro Crack.zip
Size

1.5MB
Sample

230318-wk9zjsdb77
MD5

534420721b0963ae04a5a043f409d25a
SHA1

0a9db5a5b814eb86fd0b106b324c6ce693c748a3
SHA256

8b57ba1b6222d9061bc7548874aa1a7dfc846e79b0c0d2b64dfb62900337ae1b
SHA512

da2a370bb50fdee6f0783c1ceb9dd30482321ae1d8a83e4e8814cab1964af85ada694d329c2b13a38f0141a3c6d7913a05bcaea15ec3c2fd61c4b582c33b2176
SSDEEP

24576:TAzIloOCbojRJ049RX4PO856Oo/lFTp453YGRfpAuta7CEiVDN2jL6:cDKVq49RUb56r/3TpQXxAVGXDE6

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://neutropharma.com/wp/wp-content/debug2.ps1

Extracted

Family

raccoon

Botnet

cf8e11f4b26a8b6523ebca1d025854f5

C2

http://109.234.39.45/

rc4.plain

Extracted

Family

gcleaner

C2

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Targets

- Target
  
  Driver Easy Pro Crack.exe
- Size
  
  1.7MB
- MD5
  
  004c3aa112c49b35f9cafc4e2ba164e8
- SHA1
  
  cfcd2539fc5edfb8d36877d082ec65e6f918814c
- SHA256
  
  af03c1abaef7a6da4aedc600e8b92bf82fca6ae4b9c1efc628caf5d0f21acb37
- SHA512
  
  b6f0003e295583337f80f6611db21caa1c3b5345117fab42f952b87f5bac0ec45c7ef6d72f8f75d183444e0640b4a1a84b636af5ab6a8cdfdbfa0e39cc684e98
- SSDEEP
  
  24576:dJr8tE+AIWnUuzbkCEIz4Kvb/bIVYjmOIvm0ZDzMYxSGcDqhSALxG1yNtVPDc3IC:dJ4gFsMv/IIv0ZDgYQvDD+5PDcY07
Score

10^/10

gcleaner pseudomanuscrypt raccoon cf8e11f4b26a8b6523ebca1d025854f5 evasion loader persistence stealer trojan spyware
- Detects PseudoManuscrypt payload
  loader
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- PseudoManuscrypt
  PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.
  loader pseudomanuscrypt
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Windows security bypass
  evasion trojan
- Blocklisted process makes network request
- Downloads MZ/PE file
- Sets DLL path for service in the registry
  persistence
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Uses the VBS compiler for execution
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  INSTRUCTIONS.url
- Size
  
  130B
- MD5
  
  d6243a727322924914fb86362ba8d8f5
- SHA1
  
  e4b33f5ed4c3e49567bc0aa558fa44fa04b19af4
- SHA256
  
  50058400d54c609fe44cc936c76dd56261a80f1e7bccb57ba7aa149199aa542a
- SHA512
  
  583c4e87627d8030a64801056e303bb5186ae2c7945818b517facc00652672be5a268a415e333e1a2b388bc76efa0638c8412eb0e435fecd77a60edd0b5aa892
Score

6^/10

evasion trojan
- Checks whether UAC is enabled
  evasion trojan
behavioral3 behavioral4