Extracted

• • Target

    43c564b5f2587149259e538dbdceef713c9463b0f930072b93fa1f3e4c1fad20.exe

  • Size

    5.7MB

  • MD5

    147f838d39e79dace6bd1ffe69de4720

  • SHA1

    9e500d620c60e9ca88dd55934d638ca474c3745a

  • SHA256

    43c564b5f2587149259e538dbdceef713c9463b0f930072b93fa1f3e4c1fad20

  • SHA512

    2b6c5fb52b7152d1fb3ef33f10e8faaf7022eb4882a308cc15d1dc9d88d6ee19faf193989faea8fb49cfd25baf3fde1d97af279155a1dfbe39ceb0be62b0e480

  • SSDEEP

    49152:naxHF9VoG6Dq4nk7B+Tn6td243jg3Un4/Rwskpghk8jlhK:aZFYHk7YIQ43gUQwdghk8jlh

  Score

  10^/10

  gcleanerdefense_evasiondiscoveryloader

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner

  • Gcleaner family

    gcleaner

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2