gcleaner | bf6fdd3402123b0dd36bde8b02088d44c7d2efb8210ac4d74a3212fd3c152513

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
28/08/2023, 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf6fdd3402123b0dd36bde8b02088d44c7d2efb8210ac4d74a3212fd3c152513.exe
Size

1.8MB
MD5

66b3d124f444985db79ed851a54fc293
SHA1

bb5e12cd94a685e40d89f3470a2b7550b59d34c0
SHA256

bf6fdd3402123b0dd36bde8b02088d44c7d2efb8210ac4d74a3212fd3c152513
SHA512

943f0a4db7e4d23c5025695ba598b4b411284dd5720616b470d830fbff055b80d251c0540f682badfbe5af69b80274d4c08da23b03538f7e750c2888b41c3e75
SSDEEP

24576:J1mp5mO2KUfHHVlvw7WjJvEzI5g/WLK8wYyj0ejLFAAxO4w4uRshW:JEp5mO2tHHuWdMgef8BD4wN

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

85.31.45.39

85.31.45.250

85.31.45.251

85.31.45.88

Attributes

url_path
/b.php

/d.php

/d.php

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Downloads MZ/PE file

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	bf6fdd3402123b0dd36bde8b02088d44c7d2efb8210ac4d74a3212fd3c152513.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	bf6fdd3402123b0dd36bde8b02088d44c7d2efb8210ac4d74a3212fd3c152513.exe

C:\Users\Admin\AppData\Local\Temp\bf6fdd3402123b0dd36bde8b02088d44c7d2efb8210ac4d74a3212fd3c152513.exe
"C:\Users\Admin\AppData\Local\Temp\bf6fdd3402123b0dd36bde8b02088d44c7d2efb8210ac4d74a3212fd3c152513.exe"
1⤵
- Modifies system certificate store
PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1672-0-0x0000000000400000-0x00000000013CE000-memory.dmp

Filesize
15.8MB

Download
memory/1672-1-0x0000000000400000-0x00000000013CE000-memory.dmp

Filesize
15.8MB

Download
memory/1672-2-0x0000000000400000-0x00000000013CE000-memory.dmp

Filesize
15.8MB

Download
memory/1672-15-0x0000000000400000-0x00000000013CE000-memory.dmp

Filesize
15.8MB

Download