gcleaner | 249db40c80e79fe5789cf2a312a1e9f9d3c7bc7475a805ebbc2af450f17de8aa

Analysis

max time kernel
291s
max time network
282s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
04/04/2024, 22:23

Target

249db40c80e79fe5789cf2a312a1e9f9d3c7bc7475a805ebbc2af450f17de8aa.exe
Size

244KB
MD5

769e0302e6b36acf906004593712f7aa
SHA1

6c4f341be036649b60b836aa612d8c8afefcf881
SHA256

249db40c80e79fe5789cf2a312a1e9f9d3c7bc7475a805ebbc2af450f17de8aa
SHA512

93a834588d79662128ebd9aa26a537c0e76252f1534b49d50d8c88c512572052a6a0c5474918f9dd7dad94ee537038144fc91b165e5b8863204cb58f4871f2e8
SSDEEP

6144:u5XRONVSWItRyL0W4m3StFqBEXKbOys5gO9:mO/xd0JhHqyKbOn

Score

10^/10

gcleaner loader

Family

gcleaner

185.172.128.90

5.42.65.64

Attributes

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1740 set thread context of 2740	1740	249db40c80e79fe5789cf2a312a1e9f9d3c7bc7475a805ebbc2af450f17de8aa.exe	28

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2740	1740	249db40c80e79fe5789cf2a312a1e9f9d3c7bc7475a805ebbc2af450f17de8aa.exe	28
PID 1740 wrote to memory of 2740	1740	249db40c80e79fe5789cf2a312a1e9f9d3c7bc7475a805ebbc2af450f17de8aa.exe	28
PID 1740 wrote to memory of 2740	1740	249db40c80e79fe5789cf2a312a1e9f9d3c7bc7475a805ebbc2af450f17de8aa.exe	28
PID 1740 wrote to memory of 2740	1740	249db40c80e79fe5789cf2a312a1e9f9d3c7bc7475a805ebbc2af450f17de8aa.exe	28
PID 1740 wrote to memory of 2740	1740	249db40c80e79fe5789cf2a312a1e9f9d3c7bc7475a805ebbc2af450f17de8aa.exe	28
PID 1740 wrote to memory of 2740	1740	249db40c80e79fe5789cf2a312a1e9f9d3c7bc7475a805ebbc2af450f17de8aa.exe	28
PID 1740 wrote to memory of 2740	1740	249db40c80e79fe5789cf2a312a1e9f9d3c7bc7475a805ebbc2af450f17de8aa.exe	28
PID 1740 wrote to memory of 2740	1740	249db40c80e79fe5789cf2a312a1e9f9d3c7bc7475a805ebbc2af450f17de8aa.exe	28
PID 1740 wrote to memory of 2740	1740	249db40c80e79fe5789cf2a312a1e9f9d3c7bc7475a805ebbc2af450f17de8aa.exe	28
PID 1740 wrote to memory of 2740	1740	249db40c80e79fe5789cf2a312a1e9f9d3c7bc7475a805ebbc2af450f17de8aa.exe	28
PID 1740 wrote to memory of 2740	1740	249db40c80e79fe5789cf2a312a1e9f9d3c7bc7475a805ebbc2af450f17de8aa.exe	28

C:\Users\Admin\AppData\Local\Temp\249db40c80e79fe5789cf2a312a1e9f9d3c7bc7475a805ebbc2af450f17de8aa.exe
"C:\Users\Admin\AppData\Local\Temp\249db40c80e79fe5789cf2a312a1e9f9d3c7bc7475a805ebbc2af450f17de8aa.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\249db40c80e79fe5789cf2a312a1e9f9d3c7bc7475a805ebbc2af450f17de8aa.exe
  "C:\Users\Admin\AppData\Local\Temp\249db40c80e79fe5789cf2a312a1e9f9d3c7bc7475a805ebbc2af450f17de8aa.exe"
  2⤵
  PID:2740

memory/1740-2-0x0000000002CD0000-0x0000000002DD0000-memory.dmp

Filesize
1024KB

Download
memory/1740-3-0x0000000000220000-0x000000000024E000-memory.dmp

Filesize
184KB

Download
memory/2740-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2740-5-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2740-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2740-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download