gcleaner

General

Target

9086416aaa1529917f98ecfc89d73a3d792a11e6407bcf8ef16480a54f917350
Size

4.7MB
Sample

241105-1bgc4ayjhw
MD5

2b9f2c5abe9c33eac04244007ff4f14b
SHA1

6207bcb5d925b0ceb24c71e32abb621a22db95d2
SHA256

9086416aaa1529917f98ecfc89d73a3d792a11e6407bcf8ef16480a54f917350
SHA512

baf91c080ceb6233d4f5e6f9d4a46fa95d154c171ef200896ea405a309b764835944945ff1e855a3c3eea0be891a50ed6eca7f065c55285ee0b2083d39693fa5
SSDEEP

98304:ni512lfY+JuHjMdgBmljuL5svcSm1oWQWNamqUvo6kNH9z1p//rEx:9lfY+WY2kY5KcS9WNNoNH3J/rEx

Score

10^/10

Malware Config

Extracted

Family

socelars

C2

http://www.hhgenice.top/

Extracted

Family

privateloader

C2

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

Extracted

Family

redline

Botnet

media0421

C2

91.121.67.60:23325

Attributes

auth_value
e37d5065561884bb54c8ed1baa6de446

Extracted

Family

vidar

Version

47.9

Botnet

916

C2

https://mas.to/@kirpich

Attributes

profile_id
916

Extracted

Family

gcleaner

C2

gcl-gb.biz

Targets

- Target
  
  fd8d6820ebf0327175f81c0fe37385f6a6b7aa85721a3175f5f8790f8d78b74a
- Size
  
  4.8MB
- MD5
  
  6f934618840ba5e783ab399f01dd0682
- SHA1
  
  68887c655d3681ba9147a9f3b56f47acb96a742e
- SHA256
  
  fd8d6820ebf0327175f81c0fe37385f6a6b7aa85721a3175f5f8790f8d78b74a
- SHA512
  
  0e94b756a61e05787e5c0d081432bb90fdc7666e1775823e48c201ab3063bd00bfd6406dac88deecf24fbb7498106dbfbd0f713098c7e6c22a4941d4e332731c
- SSDEEP
  
  98304:xWCvLUBsgLEW8KLfyWpsZ9Z9boUB4vV07Xuj3WHARCV4gdFoL6qlNlIZLA+:xfLUCgLEWtwOUivVqXRaCagdi6qzlIZ9
Score

10^/10

gcleaner nullmixer onlylogger privateloader redline socelars vidar 916 media0421 aspackv2 discovery dropper execution infostealer loader spyware stealer
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Nullmixer family
  nullmixer
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Onlylogger family
  onlylogger
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Privateloader family
  privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Socelars payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- OnlyLogger payload
- Vidar Stealer
  stealer
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral1 behavioral2