Extracted

• • Target

    3c9b4123d9f1f2287c85c45351985b73e010a0930e62b8f6921b6f637fc39d2c.exe

  • Size

    4.0MB

  • MD5

    144a3d70dc42db576f46a82fb2ffd132

  • SHA1

    3abd5b0744371c9e3a1458add64a299339578bf1

  • SHA256

    3c9b4123d9f1f2287c85c45351985b73e010a0930e62b8f6921b6f637fc39d2c

  • SHA512

    1d44fc4d65e0a153ebf098bf8f32de6fc4e5708f99b2a7fd7d12be1a8d3e8e3e61bdd3710e554f9e5547e17912bd9e76ef33465a8fca32b7454de60685e9afec

  • SSDEEP

    98304:8eacETp6K2SFl+NGEYfIXZVUQBMxFWtzzgAyjFv:8mGqYAJVU4gWtY3Fv

  Score

  10^/10

  gcleanerdefense_evasiondiscoveryloader

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner

  • Gcleaner family

    gcleaner

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2