gcleaner | 36817a1de37ed7fafdf164917f921ee160eea6d9c0a247e1d902cb5e575ae951 | Triage

Sharing

General

Target

82d1397fb388fe6e4b7c66b0ae4bdbe4.bin
Size

1.8MB
Sample

241206-byrd5ssrfx
MD5

85e5ba436f4901d5ebe596e503c32f5e
SHA1

04d18d5672c32daff7e23cd45d4da5ac1236c266
SHA256

36817a1de37ed7fafdf164917f921ee160eea6d9c0a247e1d902cb5e575ae951
SHA512

a28bcec9aada9e70dc346a03bc66a720971e88fa3de43f1ab359adec49f028099844ccf37eed429eec596f538e1085c2cda1cff80e9c4f8f70cab06505904059
SSDEEP

49152:T8uz1VTVmA/VbNYeC6b9XasCcnR5S6RYIHUZ4MRGUUB1Ic:jzrtVbNYeC65KsC76ODRwIc

Score

10^/10

gcleaner discovery evasion loader

Malware Config

Extracted

Family

gcleaner

C2

92.63.197.221

45.91.200.135

Targets

- Target
  
  b3bab1d09ce9738f8bcf2c838086eaf628715df4fe99ef26c7c85b6e9b9a6443.exe
- Size
  
  1.9MB
- MD5
  
  82d1397fb388fe6e4b7c66b0ae4bdbe4
- SHA1
  
  d979b5399d577b53b63b428c4a35abd30d6cc9de
- SHA256
  
  b3bab1d09ce9738f8bcf2c838086eaf628715df4fe99ef26c7c85b6e9b9a6443
- SHA512
  
  47de07a2595067569a1ded7dd330f81817334d9442997cf25af977ecac04df5827d4475145cca0f8cf457002d147bed789cc2fc24d275fcff129d14a41b0531a
- SSDEEP
  
  24576:mIPfh5ny0qcJlPZ9zeoaIa8OtKCzgqf7K2GWvFj4O3VOSk7+FXSeWHG4c10VADA7:mafh5YiEoaVOqf7GsBxreHGU+n8I4+X
Score

10^/10

gcleaner discovery evasion loader
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gcleanerdiscoveryevasionloader

behavioral2

gcleanerdiscoveryevasionloader