gcleaner

General

Target

bf04933d506d9325ceecaa263a5ae72bf90a53030cf52f71b30aee05a9462124
Size

4.6MB
Sample

241104-vr4knstgrk
MD5

db3dc4e85ef7ea6cba96b6f307463a12
SHA1

9834b917bccc5c7ce7df7f4238e9b6b155b04b60
SHA256

bf04933d506d9325ceecaa263a5ae72bf90a53030cf52f71b30aee05a9462124
SHA512

94cea77da4c6c5343d3775c50b55afb02b65cf3824b9997cd340b72919a46690a2dbc78183f8489bd0427ae27a6c8ac40cfadb94b85bf56dddb9d7a9d9b8323a
SSDEEP

98304:2YMTO1sE82c5GJXG698NHlrP8FbMeFlj8WBdOn31K2H7Tg3+:2YwEptKh2IeIWBqXHB

Score

10^/10

Malware Config

Extracted

Family

privateloader

C2

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

Extracted

Family

socelars

C2

http://www.hhgenice.top/

Extracted

Family

redline

Botnet

newjust

C2

135.181.129.119:4805

Attributes

auth_value
b69102cdbd4afe2d3159f88fb6dac731

Extracted

Family

redline

Botnet

media0421

C2

91.121.67.60:23325

Attributes

auth_value
e37d5065561884bb54c8ed1baa6de446

Extracted

Family

vidar

Version

47.8

Botnet

916

C2

https://mas.to/@romashkin

Attributes

profile_id
916

Extracted

Family

gcleaner

C2

gcl-gb.biz

Targets

- Target
  
  5e66beaafe3215332b046d69dde962e87f656f9624c8bc40d448b5b226a96684
- Size
  
  4.7MB
- MD5
  
  93f7cfd3c022ed464cdcc4a13d8f48b3
- SHA1
  
  05e9c0722bae43249cfe1b9597325a47c00da1f1
- SHA256
  
  5e66beaafe3215332b046d69dde962e87f656f9624c8bc40d448b5b226a96684
- SHA512
  
  c3b44c420ec8d28bd6df4451cdd6203cfe71cc515a8e56e4df8062ab451fbb6dfc5ed7681fad91d3f20309e0832468ac7eda0ac15d9cda9774320dc7c09b8727
- SSDEEP
  
  98304:xICvLUBsgYqbmtzs03GefVRgLECXbvgbLujlnCY:xVLUCgYqEBfrx8LALuZl
Score

10^/10

gcleaner nullmixer onlylogger privateloader redline socelars vidar 916 media0421 newjust aspackv2 discovery dropper execution infostealer loader spyware stealer
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- OnlyLogger payload
- Vidar Stealer
  stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral1 behavioral2