General
Target: PJQQT_file.exe
Size: 1.9MB
Sample: 241205-zg39da1lgy
MD5: 99a31354f39549f085e6ffc213da9332
SHA1: 35bc861303e0085349919376dc3ecd87f2c00264
SHA256: e8004da7a3c79934e0234cf767e38363368899050858a81dfd31b2010395d40c
SHA512: fb38c1e4126c9ced52b40977ba67eab30b698c481c3bb1107b45b656e02a20839d977d4f0ec0de384c6cc465c19870849cef219a7d0a109fa2b21aaa3a6de4b1
SSDEEP: 49152:f/F1FCaosiD+BvKbfDXbPDM6nfx4YeuQryF:nFmn+lebDDM6fxDQE
Static task: static1
Behavioral task: behavioral1
Sample: PJQQT_file.exe
Resource: win7-20240903-en
Malware Config
Extracted: gcleaner
92.63.197.221
45.91.200.135
Targets
Target: PJQQT_file.exe
Size: 1.9MB
- Gcleaner family
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys: Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger