gcleaner | 0c1b5b6e71120f48e59d9d8f6eda99275b96a5fe34971337bfdaa3ebfd22dc82 | Triage

Submit
Reports

Overview

overview

Static

static

1

5655e7d538...70.exe

windows7-x64

5655e7d538...70.exe

windows10-2004-x64

Sharing

General

Target

0af3484ed04ac95e8a84d3b06c4180c0.bin
Size

395KB
Sample

230412-bkt8waab9x
MD5

ee7e5c7535817bce56a600eb4d4e270e
SHA1

96691f8d8f39a8e39fa014d33104264316d8a866
SHA256

0c1b5b6e71120f48e59d9d8f6eda99275b96a5fe34971337bfdaa3ebfd22dc82
SHA512

04a7c91ddcf74ce516a7ff9018f013cded8534ae794c3a3802700dde7ef00955e57dede3ae0c38bcd5410bc2ac47da0f378ace779fdd5f46abd4a8fe3681310c
SSDEEP

12288:cWy/9TbLuWtZ1B/bPrg6FUBpbXKPq/12Ys293k:dy/NiINngUUBZT/ZvU

Score

10^/10

gcleaner socelars evasion loader persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

5655e7d53829fc5c81a4def81d2876aaeaec9ecc40eecc7966e51abba9c38e70.exe

Resource

win7-20230220-en

gcleaner socelars evasion loader persistence spyware stealer

windows7-x64

22 signatures

150 seconds

Behavioral task

behavioral2

Sample

5655e7d53829fc5c81a4def81d2876aaeaec9ecc40eecc7966e51abba9c38e70.exe

Resource

win10v2004-20230220-en

gcleaner socelars evasion loader persistence spyware stealer

windows10-2004-x64

25 signatures

150 seconds

Malware Config

Extracted

Family

gcleaner

C2

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Extracted

Family

socelars

C2

https://hdbywe.s3.us-west-2.amazonaws.com/sadfe410/

Targets

- Target
  
  5655e7d53829fc5c81a4def81d2876aaeaec9ecc40eecc7966e51abba9c38e70.exe
- Size
  
  755KB
- MD5
  
  0af3484ed04ac95e8a84d3b06c4180c0
- SHA1
  
  15943666568f09c0751b027a42413851df2c6932
- SHA256
  
  5655e7d53829fc5c81a4def81d2876aaeaec9ecc40eecc7966e51abba9c38e70
- SHA512
  
  c4da82bacbeb4f1aa85421d99d0de53c847e720dbd686a55eec97a641464ee19411bb8e9c0959666d3ac80b3503d1dad65de5e08c91e18c620a9cecfb4bc7c05
- SSDEEP
  
  12288:VQi3oc6m6UR0Itlp1hf39Wkv8xwJld8kO:VQi4zHITpdUMkkO
Score

10^/10

gcleaner socelars evasion loader persistence spyware stealer
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars payload
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Downloads MZ/PE file
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Web Service

Credential Access

Credentials in Files

Discovery

Query Registry

Software Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

gcleanersocelarsevasionloaderpersistencespywarestealer

behavioral2

gcleanersocelarsevasionloaderpersistencespywarestealer

© 2018-2024

Terms | Privacy