General

  • Target

    file.exe

  • Size

    1MB

  • Sample

    230327-pnbslafd9t

  • MD5

    c3ac9820210102d288551f6eae5ff38e

  • SHA1

    4dc9cdfb00290e39ef9c0b8bbd10192bd9f623c2

  • SHA256

    aa1f0bddc9a79c80d9ea7b5bed05c86d41d03e558ac3471bf627b7f5d85a6cd5

  • SHA512

    cde891cd318aaed211243e7ec5a4cda70afcfb7d82f21ac0c6ffed7c129150134453da84b23f3894ecd58e69c997ed40f442fc6e2ca4728fd4553e70a2adac6b

  • SSDEEP

    49152:EGlJfsYpw5gXXar/dOdpdyy/vyT5dlLYp:5hpbHy/dAyyWPYp

Malware Config

Extracted

Family

gcleaner

C2

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Targets

    • Target

      file.exe

    • Size

      1MB

    • MD5

      c3ac9820210102d288551f6eae5ff38e

    • SHA1

      4dc9cdfb00290e39ef9c0b8bbd10192bd9f623c2

    • SHA256

      aa1f0bddc9a79c80d9ea7b5bed05c86d41d03e558ac3471bf627b7f5d85a6cd5

    • SHA512

      cde891cd318aaed211243e7ec5a4cda70afcfb7d82f21ac0c6ffed7c129150134453da84b23f3894ecd58e69c997ed40f442fc6e2ca4728fd4553e70a2adac6b

    • SSDEEP

      49152:EGlJfsYpw5gXXar/dOdpdyy/vyT5dlLYp:5hpbHy/dAyyWPYp

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Checks computer location settings

Looks up the country code configured in the registry, most likely to geofence execution to certain regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
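The extracted C2 list and the two registry-based behaviours above are the actionable parts of this report. The script below is an added example (not part of the sandbox report or of any vendor tooling) that turns them into checks: it hashes a file against the four digests listed on the page, flags outbound connections to the listed C2 addresses, and counts distinct Uninstall subkeys touched per process to spot the software-enumeration behaviour. The hashes and C2 addresses are copied from the report; the sample bytes, connection log lines and registry events are constructed here, and treating the whole 45.12.253.0/24 as suspicious is an assumption of this example rather than something the report states.

```python
"""IOC and behaviour matcher for the GCleaner sample described on this page.
Added example; the hashes and C2 addresses are copied from the report, while
the sample bytes, log lines and registry events below are constructed."""
import hashlib
import ipaddress
import re
from collections import defaultdict

# Hashes and C2 addresses exactly as listed in the report above.
IOC_HASHES = {
    "md5": "c3ac9820210102d288551f6eae5ff38e",
    "sha1": "4dc9cdfb00290e39ef9c0b8bbd10192bd9f623c2",
    "sha256": "aa1f0bddc9a79c80d9ea7b5bed05c86d41d03e558ac3471bf627b7f5d85a6cd5",
    "sha512": "cde891cd318aaed211243e7ec5a4cda70afcfb7d82f21ac0c6ffed7c129150134453da84b23f3894ecd58e69c997ed40f442fc6e2ca4728fd4553e70a2adac6b",
}
IOC_C2 = {"45.12.253.56", "45.12.253.72", "45.12.253.98", "45.12.253.75"}
# All four C2 hosts sit in one /24. Flagging the whole block is an assumption
# of this example (a hunting heuristic), not something the report claims.
C2_NETS = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in IOC_C2}

# Key under which Windows stores per-program uninstall entries; the report says
# the sample enumerates it to fingerprint installed software.
UNINSTALL_KEY = "\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\"


def digest_all(data: bytes) -> dict:
    """Return md5/sha1/sha256/sha512 hex digests of a byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in IOC_HASHES}


def match_hashes(data: bytes) -> list:
    """Names of the report's hashes that this content matches (empty = no match)."""
    got = digest_all(data)
    return [name for name, want in IOC_HASHES.items() if got[name] == want]


CONN_RE = re.compile(r"->\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def scan_connections(lines) -> list:
    """Classify outbound connections in 'src -> dst:port' style log lines.
    Returns (line_no, dst_ip, verdict): 'c2' for an exact address match,
    'c2-net' for a neighbour in the same /24 (heuristic, see C2_NETS)."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = CONN_RE.search(line)
        if not m:
            continue
        dst = m.group(1)
        if dst in IOC_C2:
            hits.append((n, dst, "c2"))
        elif any(ipaddress.ip_address(dst) in net for net in C2_NETS):
            hits.append((n, dst, "c2-net"))
    return hits


def software_enumerators(reg_events, threshold: int = 5) -> dict:
    """Given Sysmon-style registry events {'pid', 'image', 'target'}, return the
    processes that touched at least `threshold` distinct Uninstall subkeys.
    One lookup is normal for an installer; a burst across many subkeys is the
    enumeration behaviour the report describes."""
    seen = defaultdict(set)
    key = UNINSTALL_KEY.lower()
    for ev in reg_events:
        target = ev["target"].lower()
        if key in target:
            subkey = target.split(key, 1)[1].split("\\")[0]
            seen[(ev["pid"], ev["image"])].add(subkey)
    return {k: len(v) for k, v in seen.items() if len(v) >= threshold}


# Constructed sample data for the demonstration.
SAMPLE_LOG = [
    "2023-03-27T12:00:01Z file.exe 10.0.0.5:49212 -> 45.12.253.56:80 TCP",
    "2023-03-27T12:00:02Z chrome.exe 10.0.0.5:49213 -> 93.184.216.34:443 TCP",
    "2023-03-27T12:00:03Z file.exe 10.0.0.5:49214 -> 45.12.253.200:80 TCP",
    "2023-03-27T12:00:04Z svchost.exe 10.0.0.5:49215 -> 10.0.0.1:53 UDP",
]
UNINST = "HKLM\\SOFTWARE" + UNINSTALL_KEY
SAMPLE_REG = (
    [{"pid": 4120, "image": "file.exe", "target": UNINST + f"{{App{i}}}\\DisplayName"}
     for i in range(6)]
    + [{"pid": 812, "image": "explorer.exe", "target": UNINST + "7-Zip\\DisplayIcon"},
       # Plausible location of the configured country code (assumption, not
       # from the report); it is not an Uninstall key, so it is ignored here.
       {"pid": 4120, "image": "file.exe",
        "target": "HKCU\\Control Panel\\International\\Geo\\Nation"}]
)

if __name__ == "__main__":
    print("hash match:", match_hashes(b"constructed bytes, not the sample"))
    print("C2 hits:", scan_connections(SAMPLE_LOG))
    print("enumerators:", software_enumerators(SAMPLE_REG))
```

Match on SHA256 (or SHA512) is the authoritative verdict; MD5 and SHA1 are kept only because many feeds still key on them. The `/24` heuristic will produce false positives on shared hosting, so treat `c2-net` hits as leads to enrich, not as blocking rules.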

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

    • Query Registry (T1012), 2 matching signatures

    • System Information Discovery (T1082), 2 matching signatures

Tasks