gcleaner | 6c58b3c0b8fcd06a58d67e5936423b0f6389b52d2b85c135d1393c521fd8b473 | Triage

Submit
Reports

Overview

overview

Static

static

3

6c58b3c0b8...73.exe

windows7-x64

6c58b3c0b8...73.exe

windows10-2004-x64

Sharing

General

Target

6c58b3c0b8fcd06a58d67e5936423b0f6389b52d2b85c135d1393c521fd8b473
Size

1.9MB
Sample

250125-y4fk6azrek
MD5

cbd13cc154965e4c804a55031154c924
SHA1

d39e12ed7bfbb407cd0ded85951cb179e3012c0c
SHA256

6c58b3c0b8fcd06a58d67e5936423b0f6389b52d2b85c135d1393c521fd8b473
SHA512

408be386c62ef25bbaaf70a35d7b41aa77b20ac831b590332a5d543dcbf65ec30bdccf49606cc7ead07cf914b2927759b706e7c0b2ca1f561a3c62bf145ad582
SSDEEP

49152:FQw0mXvswij07jcW2o60EO6OptIpw4IMR:FQekwiw7ga7pepIMR

Score

10^/10

gcleaner defense_evasion discovery loader

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

6c58b3c0b8fcd06a58d67e5936423b0f6389b52d2b85c135d1393c521fd8b473.exe

Resource

win7-20240903-en

gcleaner defense_evasion discovery loader

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

6c58b3c0b8fcd06a58d67e5936423b0f6389b52d2b85c135d1393c521fd8b473.exe

Resource

win10v2004-20241007-en

gcleaner defense_evasion discovery loader

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  6c58b3c0b8fcd06a58d67e5936423b0f6389b52d2b85c135d1393c521fd8b473
- Size
  
  1.9MB
- MD5
  
  cbd13cc154965e4c804a55031154c924
- SHA1
  
  d39e12ed7bfbb407cd0ded85951cb179e3012c0c
- SHA256
  
  6c58b3c0b8fcd06a58d67e5936423b0f6389b52d2b85c135d1393c521fd8b473
- SHA512
  
  408be386c62ef25bbaaf70a35d7b41aa77b20ac831b590332a5d543dcbf65ec30bdccf49606cc7ead07cf914b2927759b706e7c0b2ca1f561a3c62bf145ad582
- SSDEEP
  
  49152:FQw0mXvswij07jcW2o60EO6OptIpw4IMR:FQekwiw7ga7pepIMR
Score

10^/10

gcleaner defense_evasion discovery loader
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  defense_evasion
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gcleanerdefense_evasiondiscoveryloader

behavioral2

gcleanerdefense_evasiondiscoveryloader

© 2018-2025

Terms | Privacy