Extracted

• • Target

    21dc740db5d2a51343530deaf4859d811ef3dbecbb7bb8394a5fb6355e7a852c.exe

  • Size

    1.9MB

  • MD5

    d1381747e84a8da71142388f0dc803c7

  • SHA1

    f60380e4addeb9500e85a52b905f940fc2294d74

  • SHA256

    21dc740db5d2a51343530deaf4859d811ef3dbecbb7bb8394a5fb6355e7a852c

  • SHA512

    3c25a6cd672e1418fb892c884d54390d590624d71fe9fa2d984f1c9bc490d8c0a87a8fe3c1dbc80ca69d6f580892a48e280c870acede4faefb8e6a0fbf30d643

  • SSDEEP

    49152:SUoof0X9n1kIkj0CDZkfnBnUU5eQ9v+2f3f2iYOP:SUog0NnpQ0c8KU5AEf27

  Score

  10^/10

  gcleanerdiscoveryevasionloader

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner

  • Gcleaner family

    gcleaner

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2