Overview

overview

10

Static

static

10

PL/6523.exe

windows7-x64

10

PL/6523.exe

windows10-2004-x64

10

PL/Galaxy.exe

windows10-2004-x64

7

PL/Service.exe

windows7-x64

6

PL/Service.exe

windows10-2004-x64

6

PL/Une1.exe

windows10-2004-x64

7

PL/pb1115.exe

windows7-x64

7

PL/pb1115.exe

windows10-2004-x64

7

PL/setup.exe

windows7-x64

10

PL/setup.exe

windows10-2004-x64

10

PL/setup.exe

windows7-x64

10

PL/setup.exe

windows10-2004-x64

8

PL/setup331.exe

windows7-x64

7

PL/setup331.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c8a7719e5f574a0c18566216551ae6e7bdae33f3

  • Size

    13.7MB

  • Sample

    241106-wcdw5sxjhr

  • MD5

    548bdfcb86652c14659e019e9f838f42

  • SHA1

    c8a7719e5f574a0c18566216551ae6e7bdae33f3

  • SHA256

    4c1fc6a16f378978da7c35f36525a4397a983255020fb709d0ad8cbe3f1e38e5

  • SHA512

    cc9a2611d43be920d673764d89360adc530fef88b6ed773e9236241eb2f14cec751726680a07a88abeca852873252987114e14381c1645849141b55ba6bd28af

  • SSDEEP

    196608:/C7YJFaPZRe9KwX9MqDO+SSwsvAlNSzo47accS3/xm0m2nXvmdO/yguT5fR6Dma7:lg/wWqDOo0SklSm0xmdOduT5fkia8JY

Score
10/10
gcleanerprivateloadersmokeloaderbackdoordefense_evasiondiscoveryevasionexecutionloaderpersistencespywarestealertrojanvmprotect

Malware Config

Extracted

Family

privateloader

C2

http://163.123.143.4/proxies.txt

http://107.182.129.251/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

163.123.143.12
Attributes
  • payload_url

    https://vipsofts.xyz/files/mega.bmp

Extracted

Family

gcleaner

C2

208.67.104.97

85.31.46.167

107.182.129.235

171.22.30.106
Attributes
  • url_path

    ....!..../software.php

    ....!..../software.php

Targets

    • Target

      PL/6523.exe

    • Size

      264KB

    • MD5

      b2949b2eb9db982c3782953de8a2573f

    • SHA1

      34ff1afa580b8ca0c23d818f62aafe11e9e16fc2

    • SHA256

      ef5b55fdd770f3c9cbd4a86cc0afe70e79d4d634bd7c88d6d48e07d5a6742dca

    • SHA512

      368d9851bce5bd3aa35d41a2b64ad84f4ebe8ff7611fe4b09ca61db298ac8a5590dd11c8ca56786088c311ab7c5c83ac4da819b50cf449b50704c88b482e33d2

    • SSDEEP

      6144:9+dLV/BxVCLYAXfIeyJuzbgwu70kmiHwVfU:9a5/BxsLYAXWunnsSiv

    Score
    10/10
    smokeloaderbackdoordiscoverytrojan
    behavioral1behavioral2

    • Target

      PL/Galaxy.exe

    • Size

      261KB

    • MD5

      637b4e8a4fbef797b42d6979b652a3db

    • SHA1

      3f7c391b86c27b6414c89135d7e04d913ae151c5

    • SHA256

      27b752bc4139c9c12d1caff4bef199e7a25ee6caf06eb9897cf615f9cc9c233d

    • SHA512

      3099e1dde974a395529651f163f6e4e32478657b4530fa1f3d4e39adbb045c5ca3e8e51b35ab524ec0c03cdbaca37eb8a41c3d5b0f3ab96a8461b42c4a60e38f

    • SSDEEP

      1536:II47GyTGCwiSnmQUt0LB1Efs5gJpoBWBtjKM4le7Qc58wsa0rc3roPhQDbTp:IvGyYiSDnt1E05m9p

    Score
    7/10
    discoverypersistence

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral3

    • Target

      PL/Service.exe

    • Size

      400KB

    • MD5

      9519c85c644869f182927d93e8e25a33

    • SHA1

      eadc9026e041f7013056f80e068ecf95940ea060

    • SHA256

      f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b

    • SHA512

      dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23

    • SSDEEP

      6144:NrkuBHTtY9Jgfq80nzm5tBD2AsG8x0Ca0Hv06A0md0OUGHLzmijOceK2HSw3pXqC:NrkIT/y8T5PVsSnXOc+HSQJKLw

    Score
    6/10
    discovery

    • Legitimate hosting services abused for malware hosting/C2

    behavioral4behavioral5

    • Target

      PL/Une1.exe

    • Size

      900KB

    • MD5

      c340449d532642420d4bedc2e9f7ce7c

    • SHA1

      6153df468674d2eb1680eb6bb0e1bdbc0d6856b7

    • SHA256

      a233b76767157c012c4d1ec34726d87ea1efac01e49efd9fef394c7e84966103

    • SHA512

      c9a085e30ed056c819b992bbe34d606d9fca0704362917ad226b64d233b4800be5fb9de35150f2cdd6bc0f3f1132ac77f558f00dd27ca8d474df4a056a7ff4d3

    • SSDEEP

      12288:5S7lrM9H8y8ea2SONB3/FI3o+fQqZ/pXVrMkM0ke4jNHUJopuBXidpX1ScBl/2GE:eM9H9MMIh4qZRVgtjOoAYX1SgB74j/

    Score
    7/10
    discoverypersistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Enumerates processes with tasklist

      discovery

    • Suspicious use of SetThreadContext

    behavioral6

    • Target

      PL/pb1115.exe

    • Size

      3.5MB

    • MD5

      04aeaa8f06b71a72b8905da20f679b10

    • SHA1

      ebfa60215fcce5a369f1b340f1232125e37f7a68

    • SHA256

      55c1cbe7368ef1eafbd435a2b570f362868bd2afda1ddbe59bcbb51b7fc63383

    • SHA512

      5c393a8e6b3327ece1555aa73111f67e4858898efbbe38ac757a96d91da26a83f0b130e18b6955796e76bd4300475e8eeec63171c8ef407a09069874f48d5774

    • SSDEEP

      98304:l1kvho0RcPjNWqCdGujwByZm94cGZ+qOUKsE:fkZtcPjNW/GowUE9W+DUK

    Score
    7/10
    spywarestealervmprotect

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect
    behavioral7behavioral8

    • Target

      PL/setup.exe

    • Size

      352KB

    • MD5

      ad3374b444437df5f5102ab63a45d327

    • SHA1

      65302eb15520d64565e64e9cc74fdd09fbad79ef

    • SHA256

      b3936ea34f4e0235a1715706b7736a6bf0999441c8c37f1f75b4250e7b9b9992

    • SHA512

      0e569bd15a25649b7293b539118f77ca9920e7a835acd24b75bf6f33c3de3f7e5ddcf9675a6f174af6292f39e88cb6f380f0d1165ed0f1419de41e4348ae2463

    • SSDEEP

      6144:tK/VQLDETxJSm8oMKGreTfbmBdbNB6yqpx4T50G3YilTuzbgwuds7wVfE:wNQExJjFGreDbmBNfCWdjunnp

    Score
    10/10
    gcleanerdiscoveryloader

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

      loadergcleaner

    • Gcleaner family

      gcleaner
    behavioral10behavioral9

    • Target

      PL/setup.exe_

    • Size

      7.3MB

    • MD5

      8b036a5a7406f7227ac65f44e1827fca

    • SHA1

      3a8499ecca8be3f69cc7163b03f3f499bbe8276f

    • SHA256

      85250ca9f679cdfebe009b7d66e409b330b35d6021e84e2ef7ceb0d64acdeff1

    • SHA512

      91cecf5c22bd32fe5cead41884773933b49791e57e00a369818d716dea34433bb558e9feb5b2dfc37f2b4b3488c05dcc50ef1b0f267936c2945308f2e9f32b5a

    • SSDEEP

      196608:91OeU0YzI5dCR00/4+cmJ/Dwami5rf0RejcO2h4I:3OxOCClgwa70Rej2h4I

    Score
    10/10
    defense_evasiondiscoveryevasionexecutionspywarestealertrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Indirect Command Execution

      Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

      defense_evasion

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops Chrome extension

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    behavioral11behavioral12

    • Target

      PL/setup331.exe

    • Size

      2.0MB

    • MD5

      2486b7f5f41d592ec4781b54cd828f70

    • SHA1

      604009984d2f335a969ab447a61beec8661a99fe

    • SHA256

      aa0a01e35fe2110068e1934eb568f5d3a41abe4b73a64a045f9a9ab8e085114c

    • SHA512

      116cee6490ae2b631b0457c0ae328f88df74bff3b8f2b47652366cf125d22fc910733859825ed181ae547a664c15e5358c95cdd6b874c43cc426303bfd841370

    • SSDEEP

      49152:3rBfJXAEYCT6v3vX/1AkJxopk7lDiQCv3e6rNx:3rBfKEYd3v+Ioi7Rg5x

    Score
    7/10
    discovery

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    behavioral13behavioral14

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Indirect Command Execution

1
T1202

Modify Registry

3
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Process Discovery

1
T1057

Query Registry

5
T1012

Remote System Discovery

1
T1018

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks