Analysis
-
max time kernel
149s -
max time network
158s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
08/11/2024, 06:43 UTC
General
-
Target
08b9d4c93970927de49d4c012b62cf663a181a83afc9f6be03eac0afe0e736ff.exe
-
Size
351KB
-
MD5
73f7ae135b1bf7d5f6b496db53b126e9
-
SHA1
6bdddb2c1ad14066378620ea1ead917f237b2053
-
SHA256
08b9d4c93970927de49d4c012b62cf663a181a83afc9f6be03eac0afe0e736ff
-
SHA512
6b1d1ff84c401c2b6d55318479f2ddabd011d7589d3b14cedf75041a2a800eeba0cc550680c71ff39258a4b0250dc6f0d5cebc556afa832bfb8648debc90dd23
-
SSDEEP
6144:oVmHUktMXuPRRcSbMSa53KT39Z8wephq7ioVTOTDCDvOkiuosFglBp1:oVlXcyNKrH8wepwtVTOPMOk9Ef
Score
10/10
Malware Config
Extracted
Family
gcleaner
C2
gcc-partners.in
Signatures
-
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
-
Gcleaner family
-
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
-
Onlylogger family
-
OnlyLogger payload 5 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes
-
C:\Users\Admin\AppData\Local\Temp\08b9d4c93970927de49d4c012b62cf663a181a83afc9f6be03eac0afe0e736ff.exe"C:\Users\Admin\AppData\Local\Temp\08b9d4c93970927de49d4c012b62cf663a181a83afc9f6be03eac0afe0e736ff.exe"1⤵
- System Location Discovery: System Language Discovery
Network
-
DNSapi.ip.sbRemote address:8.8.8.8:53Requestapi.ip.sbIN AResponseapi.ip.sbIN CNAMEapi.ip.sb.cdn.cloudflare.netapi.ip.sb.cdn.cloudflare.netIN A172.67.75.172api.ip.sb.cdn.cloudflare.netIN A104.26.13.31api.ip.sb.cdn.cloudflare.netIN A104.26.12.31 -
GEThttp://api.ip.sb/geoipRemote address:172.67.75.172:80RequestGET /geoip HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Host: api.ip.sb
ResponseHTTP/1.1 301 Moved Permanently
Date: Fri, 08 Nov 2024 06:44:10 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://api.ip.sb/geoip
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zrYVnHygSE1RJ9lX8ACqOycBbLP9jsZboVcGqrdxiLRcjH38Z%2FiDVNC7Cfnh4TM44qIfWmc6IoTn5FOLzkudIvX3HmpbZ4sSVg9gpexjjG6KBAuRv3XVAPQHBQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8df397cd2e537199-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=34170&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=113&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
-
GEThttps://api.ip.sb/geoipRemote address:172.67.75.172:443RequestGET /geoip HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Host: api.ip.sb
ResponseHTTP/1.1 200 OK
Date: Fri, 08 Nov 2024 06:44:10 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
vary: Accept-Encoding
Cache-Control: no-cache
access-control-allow-origin: *
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rAqrUvK1qu4tltQtlDZrMTlnVimFX7Pere4Ao62KBu36elghiUvmmSUBnnL0ipd2fOSrwmx2ueI9xsLkrrDlAkpvmVxOb0vCYnYfB6zQTVO8T5uK3u6X59KYvQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 8df397cfdf9e7749-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=50042&sent=7&recv=7&lost=0&retrans=0&sent_bytes=4511&recv_bytes=396&delivery_rate=161509&cwnd=254&unsent_bytes=0&cid=b1543e20c7223027&ts=274&x=0"
-
DNSfreegeoip.appRemote address:8.8.8.8:53Requestfreegeoip.appIN AResponsefreegeoip.appIN A104.21.73.97freegeoip.appIN A172.67.160.84
-
GEThttp://freegeoip.app/jsonRemote address:104.21.73.97:80RequestGET /json HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Host: freegeoip.app
ResponseHTTP/1.1 301 Moved Permanently
Date: Fri, 08 Nov 2024 06:44:11 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Fri, 08 Nov 2024 07:44:11 GMT
Location: http://ipbase.com/json
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9Z9T6p%2FyBCg4ATBoCwKuapRARluextfA0GzzuYPPkSTgQm65l8xLjX5qfGGWIPhQhJuEi9P85OriNXeh%2BF5bcIDtXdZ117MuC5xR573MkIQw5sd%2BS2QCfyZdNFeZGRw7"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8df397d10da89437-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=33466&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=116&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
-
DNSipbase.comRemote address:8.8.8.8:53Requestipbase.comIN AResponseipbase.comIN A104.21.85.189ipbase.comIN A172.67.209.71
-
GEThttp://ipbase.com/jsonRemote address:104.21.85.189:80RequestGET /json HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Host: ipbase.com
ResponseHTTP/1.1 301 Moved Permanently
Date: Fri, 08 Nov 2024 06:44:11 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Fri, 08 Nov 2024 07:44:11 GMT
Location: https://ipbase.com/json
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=m6dreDssHaF3NgJivTEaEFhppbub5PBUUiFiZaXP%2Bx0BLJ21vGs6Msww8dhEDTFJRRFrUJMlC6PuXyPi6R16%2F7HCEeoGljbYEBcLeS5CGFbZgzORdGYNDEkykwXM"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8df397d1cf7571ce-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=33378&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=113&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
-
GEThttps://ipbase.com/jsonRemote address:104.21.85.189:443RequestGET /json HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Host: ipbase.com
ResponseHTTP/1.1 404 Not Found
Date: Fri, 08 Nov 2024 06:44:11 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Age: 14361
Cache-Control: public,max-age=0,must-revalidate
Cache-Status: "Netlify Edge"; hit
Vary: Accept-Encoding
X-Nf-Request-Id: 01JC588800JBYBCE39TPSKK0Y9
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BirAd1YsOmM%2BuYnB1LVQYdnuK7OeQjFbU9%2FIl4lmIWB1R2T%2BJeamXQT75OsveLVpvXzyJhhOFXGkLMgS7e9zcZ2KKXBTM0n2vGZvQ5PHGa3CKTuKBC%2Btvtd6Hgue"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8df397d31b1ccd4c-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=41064&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=397&delivery_rate=86857&cwnd=253&unsent_bytes=0&cid=680322b561f2e12f&ts=168&x=0"
-
DNSgcc-partners.inRemote address:8.8.8.8:53Requestgcc-partners.inIN AResponse
-
172.67.75.172:80http://api.ip.sb/geoiphttp
HTTP Request
GET http://api.ip.sb/geoipHTTP Response
301 -
172.67.75.172:443https://api.ip.sb/geoiptls, http
HTTP Request
GET https://api.ip.sb/geoipHTTP Response
200 -
104.21.73.97:80http://freegeoip.app/jsonhttp
HTTP Request
GET http://freegeoip.app/jsonHTTP Response
301 -
104.21.85.189:80http://ipbase.com/jsonhttp
HTTP Request
GET http://ipbase.com/jsonHTTP Response
301 -
104.21.85.189:443https://ipbase.com/jsontls, http
HTTP Request
GET https://ipbase.com/jsonHTTP Response
404
-
8.8.8.8:53api.ip.sbdns
DNS Request
api.ip.sb
DNS Response
172.67.75.172104.26.13.31104.26.12.31
-
8.8.8.8:53freegeoip.appdns
DNS Request
freegeoip.app
DNS Response
104.21.73.97172.67.160.84
-
8.8.8.8:53ipbase.comdns
DNS Request
ipbase.com
DNS Response
104.21.85.189172.67.209.71
-
8.8.8.8:53gcc-partners.indns
DNS Request
gcc-partners.in
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
67.8MB
-
Filesize
288KB
-
Filesize
280KB
-
Filesize
67.8MB
-
Filesize
67.8MB
-
Filesize
288KB