gcleaner | 528d5676515f3fde6b5124fca33b10f2b787ac7dea9c74537ce6da68a6b684ad

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99427242576075c6bfc1038c07587b07f69b0d85149fbf0091b9a582e68a9cf1.exe
Size

334KB
MD5

60194970d3fca26d6d62ad4263a3ad62
SHA1

561eddc46818941773b0ec6fd1694da5031eb467
SHA256

99427242576075c6bfc1038c07587b07f69b0d85149fbf0091b9a582e68a9cf1
SHA512

b7982f2f128e381cefffc9aef07c8974e303789988f11d71d4a329e20fbfcca958ffc3c1eccaf68f7f8ba720fae3ad6d900cddb597bf42a5718ffeea8e501f09
SSDEEP

6144:xTgQjN1N+dwK8kYud6mHFAJQXZYG0FjPbb52qX7tNfVXVHQLIiu8cfo0/pW:2QjNr0wK9FyJkYpjR2wZGEX8cA0/M

Score

10^/10

gcleaner onlylogger loader

Malware Config

Extracted

Family

gcleaner

ppp-gl.biz

45.9.20.13

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

OnlyLogger payload 4 IoCs

resource	yara_rule
behavioral2/memory/4108-2-0x0000000002FA0000-0x0000000002FCF000-memory.dmp	family_onlylogger
behavioral2/memory/4108-3-0x0000000000400000-0x0000000002F1D000-memory.dmp	family_onlylogger
behavioral2/memory/4108-5-0x0000000000400000-0x0000000002F1D000-memory.dmp	family_onlylogger
behavioral2/memory/4108-7-0x0000000002FA0000-0x0000000002FCF000-memory.dmp	family_onlylogger

Program crash 11 IoCs

pid	pid_target	Process	procid_target
4568	4108	WerFault.exe	85
4416	4108	WerFault.exe	85
3996	4108	WerFault.exe	85
3628	4108	WerFault.exe	85
3680	4108	WerFault.exe	85
1628	4108	WerFault.exe	85
4672	4108	WerFault.exe	85
1836	4108	WerFault.exe	85
2088	4108	WerFault.exe	85
3404	4108	WerFault.exe	85
3880	4108	WerFault.exe	85

C:\Users\Admin\AppData\Local\Temp\99427242576075c6bfc1038c07587b07f69b0d85149fbf0091b9a582e68a9cf1.exe
"C:\Users\Admin\AppData\Local\Temp\99427242576075c6bfc1038c07587b07f69b0d85149fbf0091b9a582e68a9cf1.exe"
1⤵
PID:4108
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 468
  2⤵
  - Program crash
  PID:4568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 640
  2⤵
  - Program crash
  PID:4416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 656
  2⤵
  - Program crash
  PID:3996
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 804
  2⤵
  - Program crash
  PID:3628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 864
  2⤵
  - Program crash
  PID:3680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 844
  2⤵
  - Program crash
  PID:1628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 852
  2⤵
  - Program crash
  PID:4672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 1104
  2⤵
  - Program crash
  PID:1836
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 1244
  2⤵
  - Program crash
  PID:2088
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 1092
  2⤵
  - Program crash
  PID:3404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 1128
  2⤵
  - Program crash
  PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4108 -ip 4108
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4108 -ip 4108
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4108 -ip 4108
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4108 -ip 4108
1⤵
PID:804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4108 -ip 4108
1⤵
PID:612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4108 -ip 4108
1⤵
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4108 -ip 4108
1⤵
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4108 -ip 4108
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4108 -ip 4108
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4108 -ip 4108
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4108 -ip 4108
1⤵
PID:1664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4108-1-0x0000000003060000-0x0000000003160000-memory.dmp

Filesize
1024KB

Download
memory/4108-2-0x0000000002FA0000-0x0000000002FCF000-memory.dmp

Filesize
188KB

Download
memory/4108-3-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/4108-5-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/4108-6-0x0000000003060000-0x0000000003160000-memory.dmp

Filesize
1024KB

Download
memory/4108-7-0x0000000002FA0000-0x0000000002FCF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads