Overview

overview

10

Static

static

3

0b79fbf16b...89.exe

windows7-x64

10

0b79fbf16b...89.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0b79fbf16b76bd0ff14e9d079e40e889.exe

  • Size

    380KB

  • Sample

    230525-e7nw6age2v

  • MD5

    0b79fbf16b76bd0ff14e9d079e40e889

  • SHA1

    eca7116292f3437102b06c7f2b78e32fa6ae69a5

  • SHA256

    e99574f67e511e9b940c788de58592b02542972981f69ebe2806d876e01135fb

  • SHA512

    6bebbd4cc5b7ecfa7f90ea1f65ba83c74f9be14080e12cca30026067627914e5a9e0809cbb79aec4081c1498757201022eedfcef26a47d4cbe9f03dbcf79f26d

  • SSDEEP

    6144:x/QiQXCfkm+ksmpk3U9j0IT2OGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7LT:pQi3fP6m6UR0IT2lL//plmW9bTXeVhD4

Score
10/10
ffdroidergcleanerevasionloaderpersistencestealervmprotect

Malware Config

Extracted

Family

gcleaner

C2

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://xptv1.com/wp-content/uploads/debug2.ps1

Targets

    • Target

      0b79fbf16b76bd0ff14e9d079e40e889.exe

    • Size

      380KB

    • MD5

      0b79fbf16b76bd0ff14e9d079e40e889

    • SHA1

      eca7116292f3437102b06c7f2b78e32fa6ae69a5

    • SHA256

      e99574f67e511e9b940c788de58592b02542972981f69ebe2806d876e01135fb

    • SHA512

      6bebbd4cc5b7ecfa7f90ea1f65ba83c74f9be14080e12cca30026067627914e5a9e0809cbb79aec4081c1498757201022eedfcef26a47d4cbe9f03dbcf79f26d

    • SSDEEP

      6144:x/QiQXCfkm+ksmpk3U9j0IT2OGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7LT:pQi3fP6m6UR0IT2lL//plmW9bTXeVhD4

    Score
    10/10
    gcleanerevasionloaderpersistenceffdroiderstealervmprotect

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

      stealerffdroider

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

      loadergcleaner

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

      evasion

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks