Extracted

• • Target

    6829cd3363711317c4908ab9d8cef51acb8644eee67399863b12d330af1d595c.exe

  • Size

    4.0MB

  • MD5

    0f13a22fe1b712b948c24793f084bf03

  • SHA1

    abbb2b79b88b521c304e1519844625f5b461282a

  • SHA256

    6829cd3363711317c4908ab9d8cef51acb8644eee67399863b12d330af1d595c

  • SHA512

    e401159544c133b29bb4db47b08267bc16b223895a71be20cf0ff52243c02d854372f27981e7fa9ddb2570d9c1d4d5324a874a3f9695f93179bd7ccfb73ee23a

  • SSDEEP

    98304:nutKQ6ViSOh4OA0eN2qXtOOEbVCyCGSHApKhyFbk:nu3kONYNVtOOEgyC1HEGyFA

  Score

  10^/10

  gcleanerdefense_evasiondiscoveryloader

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner

  • Gcleaner family

    gcleaner

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2