gcleaner | ecf9ba893ee75379749c3a029acfa8006d38ab8ab05e4b0dc74fc011a2898680

Analysis

max time kernel
123s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/01/2024, 06:19

Target

3c1bd74c1feeaafb8c8af97920eb1dd9.exe
Size

250KB
MD5

3c1bd74c1feeaafb8c8af97920eb1dd9
SHA1

6c92427dadcb86fa0d5a56986be677a7f154f133
SHA256

ecf9ba893ee75379749c3a029acfa8006d38ab8ab05e4b0dc74fc011a2898680
SHA512

5b05fec34e269c61d6497fd9a0c9d580380bf95190abef62f630ebf1703493a3cea6a9e79e1bbf63b413ccaba112b6d40274bc97e3402c507a7aa6e49ab71fc7
SSDEEP

6144:GttWA9GXp30qKUmSyEB8Sfm0HwhZU9sI5/:GbWA9Kx/m8fec

Score

10^/10

Family

gcleaner

194.145.227.161

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

OnlyLogger payload 4 IoCs

resource	yara_rule
behavioral2/memory/4696-2-0x0000000002F50000-0x0000000002F80000-memory.dmp	family_onlylogger
behavioral2/memory/4696-3-0x0000000000400000-0x0000000002CCE000-memory.dmp	family_onlylogger
behavioral2/memory/4696-7-0x0000000002F50000-0x0000000002F80000-memory.dmp	family_onlylogger
behavioral2/memory/4696-18-0x0000000000400000-0x0000000002CCE000-memory.dmp	family_onlylogger

Program crash 7 IoCs

pid	pid_target	Process	procid_target
232	4696	WerFault.exe	67
4292	4696	WerFault.exe	67
2092	4696	WerFault.exe	67
2872	4696	WerFault.exe	67
3020	4696	WerFault.exe	67
3752	4696	WerFault.exe	67
4608	4696	WerFault.exe	67

C:\Users\Admin\AppData\Local\Temp\3c1bd74c1feeaafb8c8af97920eb1dd9.exe
"C:\Users\Admin\AppData\Local\Temp\3c1bd74c1feeaafb8c8af97920eb1dd9.exe"
1⤵
PID:4696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 636
  2⤵
  - Program crash
  PID:232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 656
  2⤵
  - Program crash
  PID:4292
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 764
  2⤵
  - Program crash
  PID:2092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 784
  2⤵
  - Program crash
  PID:2872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 848
  2⤵
  - Program crash
  PID:3020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 1012
  2⤵
  - Program crash
  PID:3752
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 1072
  2⤵
  - Program crash
  PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4696 -ip 4696
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4696 -ip 4696
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4696 -ip 4696
1⤵
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4696 -ip 4696
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4696 -ip 4696
1⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4696 -ip 4696
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4696 -ip 4696
1⤵
PID:1540

memory/4696-1-0x0000000003030000-0x0000000003130000-memory.dmp

Filesize
1024KB

Download
memory/4696-2-0x0000000002F50000-0x0000000002F80000-memory.dmp

Filesize
192KB

Download
memory/4696-3-0x0000000000400000-0x0000000002CCE000-memory.dmp

Filesize
40.8MB

Download
memory/4696-5-0x0000000003030000-0x0000000003130000-memory.dmp

Filesize
1024KB

Download
memory/4696-7-0x0000000002F50000-0x0000000002F80000-memory.dmp

Filesize
192KB

Download
memory/4696-18-0x0000000000400000-0x0000000002CCE000-memory.dmp

Filesize
40.8MB

Download