Overview

overview

10

Static

static

3

c6e0798bf3.exe

windows7-x64

10

c6e0798bf3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/02/2025, 17:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c6e0798bf3.exe

  • Size

    3.7MB

  • MD5

    467266ba67d21e7180338773c0529039

  • SHA1

    6d9c86ac604e3b3a2bdf86fdc106eda4226c3a1a

  • SHA256

    4c9e514da670422e773cac781d66a4207a31d78e7a21d30a0536bfff27a739c6

  • SHA512

    94e2f33f7198bb7d19ec87af7749957c563b8f7c9d8c11e10c4e66c1023f00ea526c7eb336ce21f1ad4d7c6c00f00ced32b90a3e0df8db5b3d1e45b13a7e3cea

  • SSDEEP

    98304:pXaGesQTmvWQrS1n8qkk4WbFTFLH8AbRakvyz0bLooZh20F:1ATmOQrSC/0FTFDNxK0PoovB

Score
10/10
gcleanerdefense_evasiondiscoveryloader

Malware Config

Extracted

Family

gcleaner

C2

185.156.73.73

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • Gcleaner family
    gcleaner
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    defense_evasion
  • Downloads MZ/PE file 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c6e0798bf3.exe
    "C:\Users\Admin\AppData\Local\Temp\c6e0798bf3.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5072
    • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      2⤵
      • Downloads MZ/PE file
      • System Location Discovery: System Language Discovery
      PID:888

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O5FW3LII\service[1].htm
    Filesize

    1B

    MD5

    cfcd208495d565ef66e7dff9f98764da

    SHA1

    b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

    SHA256

    5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

    SHA512

    31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

    Download Submit

  • memory/888-13-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/888-11-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/888-39-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/888-24-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/888-17-0x0000000010000000-0x000000001001C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/888-8-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/888-9-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/5072-5-0x00000000009C0000-0x00000000013D0000-memory.dmp

    Filesize

    10.1MB

    Download

  • memory/5072-2-0x00000000009C1000-0x0000000000BC0000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5072-6-0x00000000009C0000-0x00000000013D0000-memory.dmp

    Filesize

    10.1MB

    Download

  • memory/5072-12-0x00000000009C0000-0x00000000013D0000-memory.dmp

    Filesize

    10.1MB

    Download

  • memory/5072-0-0x00000000009C0000-0x00000000013D0000-memory.dmp

    Filesize

    10.1MB

    Download

  • memory/5072-7-0x00000000009C0000-0x00000000013D0000-memory.dmp

    Filesize

    10.1MB

    Download

  • memory/5072-1-0x0000000077AA4000-0x0000000077AA6000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5072-4-0x00000000009C0000-0x00000000013D0000-memory.dmp

    Filesize

    10.1MB

    Download

  • memory/5072-3-0x00000000009C0000-0x00000000013D0000-memory.dmp

    Filesize

    10.1MB

    Download