gcleaner | 7e8b5a50d2293bedc6b18645d31b14583dca445f374aa31dd6ef618623860149 | Triage

Submit
Reports

Overview

overview

Static

static

3

7e8b5a50d2...49.exe

windows7-x64

7e8b5a50d2...49.exe

windows10-2004-x64

Sharing

General

Target

7e8b5a50d2293bedc6b18645d31b14583dca445f374aa31dd6ef618623860149
Size

1.8MB
Sample

250126-s94x2swjdv
MD5

ec77f26847af428aa3d8722c41fe92b2
SHA1

f6554232b1e6e44b515b23a1024d8decc2ae35f5
SHA256

7e8b5a50d2293bedc6b18645d31b14583dca445f374aa31dd6ef618623860149
SHA512

175eb4e20942ddac2ae0c6ce4bd03dc3e2a9bc8e801b9c3aafa42c7edb011ec5f37821c29d19a200a21e748d41f83d09afbb90bcabecf07645f30aa331364431
SSDEEP

49152:qc4dfiss1xxgzti2LSiPwlgZ2D1gZeVDd7NmRvI5:qc4dfiss1AtZSyITRgUDd7Nm

Score

10^/10

gcleaner defense_evasion discovery loader

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

7e8b5a50d2293bedc6b18645d31b14583dca445f374aa31dd6ef618623860149.exe

Resource

win7-20240903-en

gcleaner defense_evasion discovery loader

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

7e8b5a50d2293bedc6b18645d31b14583dca445f374aa31dd6ef618623860149.exe

Resource

win10v2004-20241007-en

gcleaner defense_evasion discovery loader

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  7e8b5a50d2293bedc6b18645d31b14583dca445f374aa31dd6ef618623860149
- Size
  
  1.8MB
- MD5
  
  ec77f26847af428aa3d8722c41fe92b2
- SHA1
  
  f6554232b1e6e44b515b23a1024d8decc2ae35f5
- SHA256
  
  7e8b5a50d2293bedc6b18645d31b14583dca445f374aa31dd6ef618623860149
- SHA512
  
  175eb4e20942ddac2ae0c6ce4bd03dc3e2a9bc8e801b9c3aafa42c7edb011ec5f37821c29d19a200a21e748d41f83d09afbb90bcabecf07645f30aa331364431
- SSDEEP
  
  49152:qc4dfiss1xxgzti2LSiPwlgZ2D1gZeVDd7NmRvI5:qc4dfiss1AtZSyITRgUDd7Nm
Score

10^/10

gcleaner defense_evasion discovery loader
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  defense_evasion
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gcleanerdefense_evasiondiscoveryloader

behavioral2

gcleanerdefense_evasiondiscoveryloader

© 2018-2025

Terms | Privacy