Extracted

• • Target

    76ee1fbc71df63a30382c84fbd3ca0b2ab43dd6bd3f6af7f892fe8045141c450

  • Size

    3.8MB

  • MD5

    fb645089d2171e30a24ecfa9b7ff2214

  • SHA1

    39133adb642d160b8969a4da8f7ca1e980a14b64

  • SHA256

    76ee1fbc71df63a30382c84fbd3ca0b2ab43dd6bd3f6af7f892fe8045141c450

  • SHA512

    109d55f2a0881bbd6684728ab3894f759aa6b83cd08dfdba2a8f6be2c59ef69b15cc9454eefda71dd1b6fe3fb42284d74376919b745801543b828db310cb49fa

  • SSDEEP

    98304:09c3Mevuz04obH68GizE2FyEQvE0M01cHPGQ:dMT0hHFv4EU1oGQ

  Score

  10^/10

  gcleanerdefense_evasiondiscoveryloader

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner

  • Gcleaner family

    gcleaner

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2