General
- Target: 685c88c2a8dc769e84c19d2ec43ddc6fdfb509ad3bf73af21e3dc50b67d43b1c.exe
- Size: 3.8MB
- Sample: 250225-flh98awrs4
- MD5: 8245b0de0c4386a3e4c61f74ece03f25
- SHA1: b92330b2b9e7cb9aead89d1d89d7871f5e27ff85
- SHA256: 685c88c2a8dc769e84c19d2ec43ddc6fdfb509ad3bf73af21e3dc50b67d43b1c
- SHA512: 9890738255e7d1f3ef2c5e424a775886ce183fa10f699f177f153a0d67aa342c38d1f9ab7aea4f0e74af86b92f9e15c80af5ff28773d042987e057e5bdaaad63
- SSDEEP: 98304:VTHEgTcY0SbWN8G9Dqz7dIJcDvP/nkn4HnxjpeDOVXJakL:aSWN8Aqz7SakWnPeiVXzL
Static task: static1
Behavioral task: behavioral1
- Sample: 685c88c2a8dc769e84c19d2ec43ddc6fdfb509ad3bf73af21e3dc50b67d43b1c.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 685c88c2a8dc769e84c19d2ec43ddc6fdfb509ad3bf73af21e3dc50b67d43b1c.exe
- Resource: win10v2004-20250217-en
Malware Config
- Extracted: gcleaner
- 185.156.73.73
Targets
Score: 10/10
- Gcleaner family
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext