General

  • Target

    65cc8d207a93c8e87ce2a561117be7a12cb2967b04729f6eb32f9902b7c2d793

  • Size

    3.8MB

  • Sample

    250220-a9pt1svls7

  • MD5

    9f03374ea8f2a037797f43e257c1d276

  • SHA1

    9a55bfe4fad9f5db1c26ed79e0d4578a2fa498d6

  • SHA256

    65cc8d207a93c8e87ce2a561117be7a12cb2967b04729f6eb32f9902b7c2d793

  • SHA512

    250340a3c96fa7e0d5250dbde388658309e978e5a9cda45b30f70fa73382cdfd049653d0c53cd1e32f3950fcf428bd6f91e9df5bfb1fc36750fb762152a02c12

  • SSDEEP

    98304:MXue6JjjNJ2QicJuw/CZeFw0k/9avRutlMgrDaW8:que8L8cb/wm3k24tRyW8

Malware Config

Extracted

  • Family

    gcleaner

  • C2

    185.156.73.73

Targets

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks