gcleaner | ff1dfb3b095711ef14d6c851b481c9dcdbe729f3d8e4d98e96dcd023994dd252 | Triage

Submit
Reports

Overview

overview

Static

static

3

ff1dfb3b09...52.exe

windows7-x64

ff1dfb3b09...52.exe

windows10-2004-x64

Sharing

General

Target

ff1dfb3b095711ef14d6c851b481c9dcdbe729f3d8e4d98e96dcd023994dd252.exe
Size

4.3MB
Sample

250326-xlfyja1tcy
MD5

822bdae421dda6ee16d7e01dff664cd1
SHA1

fb152c51f97dc57d7ee2c17bb445ac9eae350708
SHA256

ff1dfb3b095711ef14d6c851b481c9dcdbe729f3d8e4d98e96dcd023994dd252
SHA512

586e14ed872eaecf3c8beea1fff86104c62e1e0e697020f2351a8ff1cc800b2615c00e36f1f3e679e575fb23a90bfb9b8fa92d9fc264a9715d39cf23610b9852
SSDEEP

98304:RQhQ0D5pqM3vUVMuWNp8ZjPCiNgQFczoFzRPVl3OXYt:RqQ2AgvUyuWNAWM1OoFoX

Score

10^/10

gcleaner defense_evasion discovery loader

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

ff1dfb3b095711ef14d6c851b481c9dcdbe729f3d8e4d98e96dcd023994dd252.exe

Resource

win7-20241010-en

gcleaner defense_evasion discovery loader

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

ff1dfb3b095711ef14d6c851b481c9dcdbe729f3d8e4d98e96dcd023994dd252.exe

Resource

win10v2004-20250314-en

gcleaner defense_evasion discovery loader

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  ff1dfb3b095711ef14d6c851b481c9dcdbe729f3d8e4d98e96dcd023994dd252.exe
- Size
  
  4.3MB
- MD5
  
  822bdae421dda6ee16d7e01dff664cd1
- SHA1
  
  fb152c51f97dc57d7ee2c17bb445ac9eae350708
- SHA256
  
  ff1dfb3b095711ef14d6c851b481c9dcdbe729f3d8e4d98e96dcd023994dd252
- SHA512
  
  586e14ed872eaecf3c8beea1fff86104c62e1e0e697020f2351a8ff1cc800b2615c00e36f1f3e679e575fb23a90bfb9b8fa92d9fc264a9715d39cf23610b9852
- SSDEEP
  
  98304:RQhQ0D5pqM3vUVMuWNp8ZjPCiNgQFczoFzRPVl3OXYt:RqQ2AgvUyuWNAWM1OoFoX
Score

10^/10

gcleaner defense_evasion discovery loader
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  defense_evasion
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gcleanerdefense_evasiondiscoveryloader

behavioral2

gcleanerdefense_evasiondiscoveryloader

© 2018-2025

Terms | Privacy