gcleaner

General

Target

618969df2d98c660836fc0c94f95d93c8c561f19f106c56eca3f5aa9930cbba8.exe
Size

2.9MB
Sample

240107-w5ts3acfd3
MD5

478c7cd1d366a77444568d45f252abeb
SHA1

0e717c6fc62ece11a17919ce1f1cc5cdc1bc711e
SHA256

618969df2d98c660836fc0c94f95d93c8c561f19f106c56eca3f5aa9930cbba8
SHA512

541d2430bb2bedffd8d489bcbe77d2cdc2207b8faa88affb7312469e1fcf6de8d8b810b66906f61dd0b8ba95a04309184478bbb69cac6161e9b0b2625b2f45de
SSDEEP

49152:9gIxFNiOIkvx2ldpBGld+BvTljVvDq88tnuiRLAKDw8rE6xjHgCF8jv4IGKctXug:ycnIkElbBGld+fFqNcKRxlASSvLGKMXd

Score

10^/10

Malware Config

Extracted

Family

gcleaner

C2

194.145.227.161

Extracted

Family

redline

Botnet

Lyla

C2

95.181.172.207:56915

Extracted

Family

smokeloader

Version

2020

C2

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

nullmixer

C2

http://hsiens.xyz/

Extracted

Family

gozi

Extracted

Family

vidar

Version

40.5

Botnet

706

C2

https://gheorghip.tumblr.com/

Attributes

profile_id
706

Targets

- Target
  
  618969df2d98c660836fc0c94f95d93c8c561f19f106c56eca3f5aa9930cbba8.exe
- Size
  
  2.9MB
- MD5
  
  478c7cd1d366a77444568d45f252abeb
- SHA1
  
  0e717c6fc62ece11a17919ce1f1cc5cdc1bc711e
- SHA256
  
  618969df2d98c660836fc0c94f95d93c8c561f19f106c56eca3f5aa9930cbba8
- SHA512
  
  541d2430bb2bedffd8d489bcbe77d2cdc2207b8faa88affb7312469e1fcf6de8d8b810b66906f61dd0b8ba95a04309184478bbb69cac6161e9b0b2625b2f45de
- SSDEEP
  
  49152:9gIxFNiOIkvx2ldpBGld+BvTljVvDq88tnuiRLAKDw8rE6xjHgCF8jv4IGKctXug:ycnIkElbBGld+fFqNcKRxlASSvLGKMXd
Score

10^/10

gcleaner gozi nullmixer onlylogger redline sectoprat smokeloader lyla backdoor banker dropper infostealer isfb loader rat trojan vidar 706 stealer
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- OnlyLogger payload
- Vidar Stealer
  stealer
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Gozi

NullMixer

OnlyLogger

RedLine

RedLine payload

SectopRAT

SectopRAT payload

SmokeLoader

Vidar

OnlyLogger payload

Vidar Stealer

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Looks up geolocation information via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2