gcleaner | d1c967dbf7fe95032f80548880f5565775a7c5ac49d949f9387c76215244503d

Analysis

max time kernel
141s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28/04/2024, 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1c967dbf7fe95032f80548880f5565775a7c5ac49d949f9387c76215244503d.exe
Size

337KB
MD5

e91868e65a17366391cc1ca99baf4e09
SHA1

3ea6f38f638e19720be708bd20c597ea97fa2ac5
SHA256

d1c967dbf7fe95032f80548880f5565775a7c5ac49d949f9387c76215244503d
SHA512

34433eeb2ced89d6fa68fde18c23ad68afdd9c3621400c46549b4ed004eb53fe85bcf7bcdc0d0c2932c751fa10b58c026b07677fef72982a3ad27cfbb8690bed
SSDEEP

6144:OF4V1Ah3R66NJPYW61Ii5dUNYWb5wRt1KmJODE:Ok1AhB66NRYn556ND5YJwE

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

185.172.128.90

5.42.65.64

Attributes

url_path
/advdlc.php

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Program crash 7 IoCs

pid	pid_target	Process	procid_target
3064	744	WerFault.exe	85
4484	744	WerFault.exe	85
1880	744	WerFault.exe	85
3372	744	WerFault.exe	85
628	744	WerFault.exe	85
4932	744	WerFault.exe	85
1928	744	WerFault.exe	85

C:\Users\Admin\AppData\Local\Temp\d1c967dbf7fe95032f80548880f5565775a7c5ac49d949f9387c76215244503d.exe
"C:\Users\Admin\AppData\Local\Temp\d1c967dbf7fe95032f80548880f5565775a7c5ac49d949f9387c76215244503d.exe"
1⤵
PID:744
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 740
  2⤵
  - Program crash
  PID:3064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 748
  2⤵
  - Program crash
  PID:4484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 796
  2⤵
  - Program crash
  PID:1880
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 840
  2⤵
  - Program crash
  PID:3372
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 904
  2⤵
  - Program crash
  PID:628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 908
  2⤵
  - Program crash
  PID:4932
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 788
  2⤵
  - Program crash
  PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 744 -ip 744
1⤵
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 744 -ip 744
1⤵
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 744 -ip 744
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 744 -ip 744
1⤵
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 744 -ip 744
1⤵
PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 744 -ip 744
1⤵
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 744 -ip 744
1⤵
PID:2064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/744-2-0x0000000001B90000-0x0000000001BBD000-memory.dmp

Filesize
180KB

Download
memory/744-1-0x0000000001BE0000-0x0000000001CE0000-memory.dmp

Filesize
1024KB

Download
memory/744-3-0x0000000000400000-0x0000000001A1F000-memory.dmp

Filesize
22.1MB

Download
memory/744-6-0x0000000001BE0000-0x0000000001CE0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads