gcleaner | 5655e7d53829fc5c81a4def81d2876aaeaec9ecc40eecc7966e51abba9c38e70 | Triage

Submit
Reports

Overview

overview

Static

static

1

file.exe

windows7-x64

file.exe

windows10-2004-x64

8

Sharing

General

Target

file.exe
Size

755KB
Sample

230410-r2e4aaac54
MD5

0af3484ed04ac95e8a84d3b06c4180c0
SHA1

15943666568f09c0751b027a42413851df2c6932
SHA256

5655e7d53829fc5c81a4def81d2876aaeaec9ecc40eecc7966e51abba9c38e70
SHA512

c4da82bacbeb4f1aa85421d99d0de53c847e720dbd686a55eec97a641464ee19411bb8e9c0959666d3ac80b3503d1dad65de5e08c91e18c620a9cecfb4bc7c05
SSDEEP

12288:VQi3oc6m6UR0Itlp1hf39Wkv8xwJld8kO:VQi4zHITpdUMkkO

Score

10^/10

gcleaner socelars evasion loader persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

file.exe

Resource

win7-20230220-en

gcleaner socelars evasion loader persistence spyware stealer

windows7-x64

22 signatures

150 seconds

Behavioral task

behavioral2

Sample

file.exe

Resource

win10v2004-20230220-en

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

gcleaner

C2

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Extracted

Family

socelars

C2

https://hdbywe.s3.us-west-2.amazonaws.com/sadfe410/

Targets

- Target
  
  file.exe
- Size
  
  755KB
- MD5
  
  0af3484ed04ac95e8a84d3b06c4180c0
- SHA1
  
  15943666568f09c0751b027a42413851df2c6932
- SHA256
  
  5655e7d53829fc5c81a4def81d2876aaeaec9ecc40eecc7966e51abba9c38e70
- SHA512
  
  c4da82bacbeb4f1aa85421d99d0de53c847e720dbd686a55eec97a641464ee19411bb8e9c0959666d3ac80b3503d1dad65de5e08c91e18c620a9cecfb4bc7c05
- SSDEEP
  
  12288:VQi3oc6m6UR0Itlp1hf39Wkv8xwJld8kO:VQi4zHITpdUMkkO
Score

10^/10

gcleaner socelars evasion loader persistence spyware stealer
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars payload
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Downloads MZ/PE file
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Credentials in Files

Discovery

Software Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

gcleanersocelarsevasionloaderpersistencespywarestealer

behavioral2

© 2018-2024

Terms | Privacy