gcleaner | b5abf9dbae00955215b4a5b71726fad90bfa64111603707e468d764c7c4ac470

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-03-2024 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2ee4be32e821e43740b761c9af6f2b3.exe
Size

287KB
MD5

b2ee4be32e821e43740b761c9af6f2b3
SHA1

145034842e7117eb3d3fdbaf2045317e63a905a3
SHA256

b5abf9dbae00955215b4a5b71726fad90bfa64111603707e468d764c7c4ac470
SHA512

3ffa3bf94a3ab97c847096c6446ac51cd9b8feaecb820678845d147654fcdb25414611a05fe8ec5b78b22774c8bdcb72f1cf1e470ab0321123e4e4f6493436c6
SSDEEP

6144:hHiM0Z3LxnW7qh8phWwP2p+T+WKl6UeY7THlQz7yq:j0R1W7qhlwP2wAneY7THlSZ

Score

10^/10

gcleaner onlylogger loader

Malware Config

Extracted

Family

gcleaner

194.145.227.161

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

OnlyLogger payload 4 IoCs

resource	yara_rule
behavioral2/memory/4368-2-0x0000000003EB0000-0x0000000003EDF000-memory.dmp	family_onlylogger
behavioral2/memory/4368-3-0x0000000000400000-0x0000000002165000-memory.dmp	family_onlylogger
behavioral2/memory/4368-4-0x0000000000400000-0x0000000002165000-memory.dmp	family_onlylogger
behavioral2/memory/4368-7-0x0000000003EB0000-0x0000000003EDF000-memory.dmp	family_onlylogger

Program crash 9 IoCs

pid	pid_target	Process	procid_target
4624	4368	WerFault.exe	85
5012	4368	WerFault.exe	85
2892	4368	WerFault.exe	85
776	4368	WerFault.exe	85
1428	4368	WerFault.exe	85
768	4368	WerFault.exe	85
1816	4368	WerFault.exe	85
3484	4368	WerFault.exe	85
2324	4368	WerFault.exe	85

C:\Users\Admin\AppData\Local\Temp\b2ee4be32e821e43740b761c9af6f2b3.exe
"C:\Users\Admin\AppData\Local\Temp\b2ee4be32e821e43740b761c9af6f2b3.exe"
1⤵
PID:4368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 620
  2⤵
  - Program crash
  PID:4624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 656
  2⤵
  - Program crash
  PID:5012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 744
  2⤵
  - Program crash
  PID:2892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 788
  2⤵
  - Program crash
  PID:776
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 796
  2⤵
  - Program crash
  PID:1428
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 804
  2⤵
  - Program crash
  PID:768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1004
  2⤵
  - Program crash
  PID:1816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1088
  2⤵
  - Program crash
  PID:3484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1008
  2⤵
  - Program crash
  PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4368 -ip 4368
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4368 -ip 4368
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4368 -ip 4368
1⤵
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4368 -ip 4368
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4368 -ip 4368
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4368 -ip 4368
1⤵
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4368 -ip 4368
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4368 -ip 4368
1⤵
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4368 -ip 4368
1⤵
PID:1772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4368-1-0x00000000021D0000-0x00000000022D0000-memory.dmp

Filesize
1024KB

Download
memory/4368-2-0x0000000003EB0000-0x0000000003EDF000-memory.dmp

Filesize
188KB

Download
memory/4368-3-0x0000000000400000-0x0000000002165000-memory.dmp

Filesize
29.4MB

Download
memory/4368-4-0x0000000000400000-0x0000000002165000-memory.dmp

Filesize
29.4MB

Download
memory/4368-6-0x00000000021D0000-0x00000000022D0000-memory.dmp

Filesize
1024KB

Download
memory/4368-7-0x0000000003EB0000-0x0000000003EDF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads