Extracted

• • Target

    random.exe

  • Size

    4.0MB

  • MD5

    ae16ff5b21a1c2d36b76c02835915c6a

  • SHA1

    093124ea4bdf7a3d6db0c5f1e1325977a7405079

  • SHA256

    464cd1111eae4547347b035a95e82747e2f32d4082414ef1de2fd03ce514c481

  • SHA512

    9204c328cfd655c67090cf79b0ebabdbd0818e31ed3001885d6f39c488c37912dc36ccbab153dea0d32e0797c43ecaf81e2bae190b7b6601ce137ac43da83320

  • SSDEEP

    98304:LNGI/om0EXNSMQJ7BHXojWYokmCMIlZWV:LwIgI9xQtB3oBN

  Score

  10^/10

  gcleanerdefense_evasiondiscoveryloaderadwarepersistenceprivilege_escalationstealer

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner

  • Gcleaner family

    gcleaner

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Event Triggered Execution: Component Object Model Hijacking

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Installs/modifies Browser Helper Object

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2