General

  • Target

    2c64e6aee29459606dfd69622358426b191691be473468f1b7399cc5ae4d5a18

  • Size

    1.8MB

  • Sample

    250126-pefeesslgj

  • MD5

    9a7dc7723e3500fe3d8c4fed49237053

  • SHA1

    c7ad09ba1ba2cdfbdad7e33586ef1a6c75f25702

  • SHA256

    2c64e6aee29459606dfd69622358426b191691be473468f1b7399cc5ae4d5a18

  • SHA512

    0ad6e00f7ea03355e63a69d79ab4a541c69b2ef27eb7b46a314adb61da1dd725884049705ee685f0c7bf025b7fa4c4be3abb85d904ac646d525c7c50df5bbee6

  • SSDEEP

    24576:dsAIR+ABtG8Ul3XGM5cwtXjCJiAEKH/g59jHYMgw26kMbLEaEeYNEVOCXNWWF55E:dsnR96fXGUnR5p4HmM9NpCkWGNKGn

Malware Config

Targets

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks