gcleaner | f3dbe218bac2da1fabff8364428a0548f03e2c93442082d2c0ed1b2686040e32 | Triage

Submit
Reports

Overview

overview

Static

static

1

trainerv_7VxI5OpA.exe

windows7-x64

trainerv_7VxI5OpA.exe

windows10-2004-x64

7

Sharing

General

Target

trainerv_7VxI5OpA.exe
Size

4.3MB
Sample

230406-tvalbsdh37
MD5

3a0c3723ddc9efd1b7d584e10312576b
SHA1

c695283f4205420f3d9812a6c4b7eb1f4b484063
SHA256

f3dbe218bac2da1fabff8364428a0548f03e2c93442082d2c0ed1b2686040e32
SHA512

b6a645802e9b90e6a0eda5e40e7b48dea2c80c76f59640b50c27c72e78115e31fd161ab98401740a0404382dddcf4d543ff99746bd68363dac61817a3e54e0d2
SSDEEP

98304:QcPNiPea8mdie9Ohxt1rqaAA6YHxkjWvCK90w4LlY/+IbFEmFusXct:xNiPezmdie9MxtgdA6YHuWvB90wklq+V

Score

10^/10

gcleaner bootkit discovery loader persistence

Static task

static1

Behavioral task

behavioral1

Sample

trainerv_7VxI5OpA.exe

Resource

win7-20230220-en

gcleaner bootkit discovery loader persistence

windows7-x64

22 signatures

150 seconds

Behavioral task

behavioral2

Sample

trainerv_7VxI5OpA.exe

Resource

win10v2004-20230220-en

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

gcleaner

C2

85.31.45.39

85.31.45.250

85.31.45.251

85.31.45.88

Targets

- Target
  
  trainerv_7VxI5OpA.exe
- Size
  
  4.3MB
- MD5
  
  3a0c3723ddc9efd1b7d584e10312576b
- SHA1
  
  c695283f4205420f3d9812a6c4b7eb1f4b484063
- SHA256
  
  f3dbe218bac2da1fabff8364428a0548f03e2c93442082d2c0ed1b2686040e32
- SHA512
  
  b6a645802e9b90e6a0eda5e40e7b48dea2c80c76f59640b50c27c72e78115e31fd161ab98401740a0404382dddcf4d543ff99746bd68363dac61817a3e54e0d2
- SSDEEP
  
  98304:QcPNiPea8mdie9Ohxt1rqaAA6YHxkjWvCK90w4LlY/+IbFEmFusXct:xNiPezmdie9MxtgdA6YHuWvB90wklq+V
Score

10^/10

gcleaner bootkit discovery loader persistence
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Bootkit

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Security Software Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gcleanerbootkitdiscoveryloaderpersistence

behavioral2

© 2018-2024

Terms | Privacy