gcleaner | 5531490b3951e8793cb6ee449f75d6fb0b5c1347d1197ccda7ff1b9b15cf9661 | Triage

Submit
Reports

Overview

overview

Static

static

1

FL1.exe

windows7-x64

FL1.exe

windows10-2004-x64

Sharing

General

Target

FL1.exe
Size

380KB
Sample

230411-w2zvxafh41
MD5

d4310c99d42ad36aed4679860c1c368b
SHA1

547b0af6d1f0abcea19160d361c4f2e605c3b864
SHA256

5531490b3951e8793cb6ee449f75d6fb0b5c1347d1197ccda7ff1b9b15cf9661
SHA512

41b789467abb3758c50ba8c4410684cb204ccebdc7a972a9ed94b57d63c89352f1333e44ea0f4ca27aa1a29ed6d0ef32f4e4f336ac29ec9ec43256bbc270040c
SSDEEP

6144:x/QiQXCvJm+ksmpk3U9jW1U4P9b4OGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZogE:pQi3vs6m6URA3Ph4lL//plmW9bTXeVh8

Score

10^/10

gcleaner socelars evasion loader persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

FL1.exe

Resource

win7-20230220-en

gcleaner socelars evasion loader persistence spyware stealer

windows7-x64

24 signatures

150 seconds

Behavioral task

behavioral2

Sample

FL1.exe

Resource

win10v2004-20230220-en

gcleaner socelars evasion loader persistence spyware stealer

windows10-2004-x64

24 signatures

150 seconds

Malware Config

Extracted

Family

gcleaner

C2

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Extracted

Family

socelars

C2

https://hdbywe.s3.us-west-2.amazonaws.com/sadfe410/

Targets

- Target
  
  FL1.exe
- Size
  
  380KB
- MD5
  
  d4310c99d42ad36aed4679860c1c368b
- SHA1
  
  547b0af6d1f0abcea19160d361c4f2e605c3b864
- SHA256
  
  5531490b3951e8793cb6ee449f75d6fb0b5c1347d1197ccda7ff1b9b15cf9661
- SHA512
  
  41b789467abb3758c50ba8c4410684cb204ccebdc7a972a9ed94b57d63c89352f1333e44ea0f4ca27aa1a29ed6d0ef32f4e4f336ac29ec9ec43256bbc270040c
- SSDEEP
  
  6144:x/QiQXCvJm+ksmpk3U9jW1U4P9b4OGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZogE:pQi3vs6m6URA3Ph4lL//plmW9bTXeVh8
Score

10^/10

gcleaner socelars evasion loader persistence spyware stealer
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars payload
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Downloads MZ/PE file
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Credentials in Files

Discovery

Software Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

gcleanersocelarsevasionloaderpersistencespywarestealer

behavioral2

gcleanersocelarsevasionloaderpersistencespywarestealer

© 2018-2024

Terms | Privacy