General

  • Target

    bd6938a3e6bfd792f546742d669b6157.exe

  • Size

    4.5MB

  • Sample

    250227-hba7zayvdx

  • MD5

    bd6938a3e6bfd792f546742d669b6157

  • SHA1

    9a69167c0d4d32ef6660faaa8ef6244ace7b29d9

  • SHA256

    0c5789417d3d30ec72050cd456c8d46e5239ec9744f3db60fcc25e3725dc4228

  • SHA512

    2fc768ff242ce51743c2ad9988f3e82bf8211d27926a8b134b3a938fcbe23c64c837668e9744ef450e663719972bd864e3d28e614403c97746172e4bc6f627ed

  • SSDEEP

    98304:LIj07OvfaLdcWM4tNZ6lVGlY4l9bNfpIt1xiMyf8NzkkpO+guem/:LClKhc+IreYenfpIt1xiMyfkJ/

Malware Config

Extracted

Family

gcleaner

C2

185.156.73.73
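The extracted configuration above yields two kinds of indicator: the C2 address and the sample's file hashes. The block below is an added example (not part of the Triage report or its tooling) that turns them into checks a responder can run offline: it hashes a file body with the four algorithms the report lists and scans log lines for the C2 address as a whole token, so that a neighbouring address such as 185.156.73.7 is not mistaken for a hit. The log format and the `SAMPLE_LOG` lines are constructed for illustration; the hashes and the C2 address are the ones from the report.

```python
"""Match the indicators this report extracted (C2 address, file hashes)
against constructed log lines and file bytes. Added example; not Triage's code."""
import hashlib
import ipaddress
import re

# Indicators copied from the report: C2 address and the sample's hashes.
C2_HOSTS = {"185.156.73.73"}
KNOWN_HASHES = {
    "md5": {"bd6938a3e6bfd792f546742d669b6157"},
    "sha1": {"9a69167c0d4d32ef6660faaa8ef6244ace7b29d9"},
    "sha256": {"0c5789417d3d30ec72050cd456c8d46e5239ec9744f3db60fcc25e3725dc4228"},
    "sha512": {"2fc768ff242ce51743c2ad9988f3e82bf8211d27926a8b134b3a938fcbe23c64c837668e9744ef450e663719972bd864e3d28e614403c97746172e4bc6f627ed"},
}

# Dotted quad not preceded or followed by another digit or dot, so that
# 185.156.73.7 is not reported as a hit for 185.156.73.73 (or vice versa).
_IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def ips_in_line(line: str) -> set:
    """Return every syntactically valid IPv4 address that appears as a whole token."""
    found = set()
    for candidate in _IPV4.findall(line):
        try:
            found.add(str(ipaddress.IPv4Address(candidate)))
        except ipaddress.AddressValueError:
            continue  # e.g. 999.1.1.1 looks like an address but is not one
    return found


def find_c2_connections(log_lines, c2_hosts=C2_HOSTS):
    """Return (line_number, line) for every log line that names a C2 address."""
    return [(n, line) for n, line in enumerate(log_lines, 1)
            if ips_in_line(line) & set(c2_hosts)]


def file_hashes(data: bytes) -> dict:
    """Hash a file body with the four hashlib algorithms the report lists.
    (ssdeep is a fuzzy hash and needs a third-party module, so it is left out.)"""
    return {algo: hashlib.new(algo, data).hexdigest()
            for algo in ("md5", "sha1", "sha256", "sha512")}


def match_known_sample(data: bytes, known=KNOWN_HASHES) -> set:
    """Return the set of algorithms whose digest of `data` matches a known indicator."""
    digests = file_hashes(data)
    return {algo for algo, values in known.items() if digests.get(algo) in values}


# Constructed firewall/proxy lines (not from the report); line 2 is a near-miss address.
SAMPLE_LOG = [
    "2025-02-27T07:12:01Z fw allow src=10.0.5.14 dst=185.156.73.73 dport=80 proto=tcp",
    "2025-02-27T07:12:03Z fw allow src=10.0.5.14 dst=185.156.73.7 dport=443 proto=tcp",
    "2025-02-27T07:12:05Z proxy GET http://185.156.73.73:80/ client=10.0.5.14",
    "2025-02-27T07:12:09Z fw allow src=10.0.5.22 dst=93.184.216.34 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for n, line in find_c2_connections(SAMPLE_LOG):
        print(f"C2 hit on line {n}: {line}")
    print("hash match:", match_known_sample(b"MZ\x90\x00 not the real sample"))
```

Token-level address matching matters more than it looks: a plain substring search for the C2 address also fires on any log line where the address is a prefix of a longer one, and a regex without the boundary assertions would do the same in reverse.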

Targets

    • Target

      bd6938a3e6bfd792f546742d669b6157.exe


    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
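The registry-based signatures above (BIOS information, VirtualBox ACPI values, Wine keys) and the ThreadHideFromDebugger one all come down to a process probing a small set of well-known locations. The block below is an added example (not Triage's signature engine) that applies those checks to constructed procmon-style trace lines and flags a process once it hits two or more distinct categories, so a single legitimate BIOS vendor read does not trigger on its own. The trace format, the `SAMPLE_TRACE` lines and the category names are assumptions for illustration; the registry paths are the standard ones for these checks (VirtualBox's ACPI OEM id `VBOX__`, the `HARDWARE\DESCRIPTION\System` BIOS values, and the `Software\Wine` keys a Wine prefix creates).

```python
"""Flag processes whose registry and thread activity matches the anti-VM /
anti-sandbox behaviour listed above, using constructed procmon-style trace lines.
Added example; not Triage's signature code."""
import re
from collections import defaultdict

# Native registry paths (as kernel/ETW callbacks report them) rewritten to the
# HKLM/HKCU form the report uses, so one set of patterns covers both spellings.
_PREFIXES = [
    (re.compile(r"^\\REGISTRY\\MACHINE\\", re.I), r"HKLM\\"),
    (re.compile(r"^\\REGISTRY\\USER\\S-1-5-[\d-]+\\", re.I), r"HKCU\\"),
    (re.compile(r"^HKEY_LOCAL_MACHINE\\", re.I), r"HKLM\\"),
    (re.compile(r"^HKEY_CURRENT_USER\\", re.I), r"HKCU\\"),
]

# One pattern list per registry behaviour the report names (category names are ours).
REGISTRY_SIGNATURES = {
    # "Checks BIOS information in registry"
    "bios_info": [
        re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS(\\|$)", re.I),
        re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)$", re.I),
    ],
    # "Identifies VirtualBox via ACPI registry values": VirtualBox's ACPI OEM id is VBOX__
    "virtualbox_acpi": [
        re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
    ],
    # "Identifies Wine through registry keys": keys only a Wine prefix creates
    "wine": [re.compile(r"^HK(LM|CU)\\Software\\Wine(\\|$)", re.I)],
}

# "Suspicious use of NtSetInformationThreadHideFromDebugger":
# ThreadHideFromDebugger is THREADINFOCLASS 0x11, assumed here to be logged by name.
HIDE_FROM_DEBUGGER = ("NtSetInformationThread", "ThreadHideFromDebugger")


def normalize_path(path: str) -> str:
    for pattern, replacement in _PREFIXES:
        path = pattern.sub(replacement, path, count=1)
    return path


def classify_path(path: str) -> set:
    """Return the behaviour categories a registry path matches (empty set if none)."""
    path = normalize_path(path)
    return {name for name, patterns in REGISTRY_SIGNATURES.items()
            if any(p.search(path) for p in patterns)}


def classify_event(operation: str, target: str) -> set:
    """Classify one trace event: registry operations by path, NtSetInformationThread by info class."""
    if operation.startswith("Reg"):
        return classify_path(target)
    if (operation, target) == HIDE_FROM_DEBUGGER:
        return {"hide_from_debugger"}
    return set()


def flag_anti_analysis(trace_lines, threshold=2) -> dict:
    """Group events by (pid, image) and return processes hitting >= threshold distinct categories.

    Failed lookups (NAME NOT FOUND) count: on real hardware the VBOX__ and Wine keys are
    absent, so the probe itself, not its result, is the signal."""
    seen = defaultdict(set)
    for line in trace_lines:
        pid, image, operation, target, _result = line.split("|", 4)
        seen[(int(pid), image)] |= classify_event(operation, target)
    return {proc: sorted(cats) for proc, cats in seen.items() if len(cats) >= threshold}


# Constructed trace in "pid|image|operation|path-or-argument|result" form (not report data).
SAMPLE_TRACE = [
    r"4120|bd6938a3e6bfd792f546742d669b6157.exe|RegQueryValue|HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer|SUCCESS",
    r"4120|bd6938a3e6bfd792f546742d669b6157.exe|RegOpenKey|\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__|NAME NOT FOUND",
    r"4120|bd6938a3e6bfd792f546742d669b6157.exe|RegOpenKey|HKCU\Software\Wine|NAME NOT FOUND",
    r"4120|bd6938a3e6bfd792f546742d669b6157.exe|NtSetInformationThread|ThreadHideFromDebugger|SUCCESS",
    r"812|explorer.exe|RegQueryValue|HKLM\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor|SUCCESS",
    r"812|explorer.exe|RegOpenKey|HKCU\Software\Microsoft\Windows\CurrentVersion\Run|SUCCESS",
]

if __name__ == "__main__":
    for (pid, image), cats in flag_anti_analysis(SAMPLE_TRACE).items():
        print(f"{image} (pid {pid}): {', '.join(cats)}")
```

The threshold is the practical caveat: reading `SystemManufacturer` or `BIOSVendor` is routine for installers, telemetry agents and the shell, so that category alone is noise; the combination of a BIOS read, an ACPI `VBOX__` probe and a Wine key probe from one process is what the report's signatures are describing. SetThreadContext is not scored here because on its own it is too generic (debuggers, loaders and some packers all use it) to be a useful category.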

MITRE ATT&CK Enterprise v15
