gcleaner | da3aa4333a21af0366d368a32fab87f4a724f01841d66a25612c7e4e6f077176 | Triage

Submit
Reports

Overview

overview

Static

static

3

da3aa4333a...76.exe

windows7-x64

da3aa4333a...76.exe

windows10-2004-x64

Sharing

General

Target

da3aa4333a21af0366d368a32fab87f4a724f01841d66a25612c7e4e6f077176.exe
Size

4.3MB
Sample

250327-n6rfbstly3
MD5

a70922a4fb9b8b48678531a65da13e53
SHA1

7be1773aa480ef6bddcf5752b762ccb2beb01d4a
SHA256

da3aa4333a21af0366d368a32fab87f4a724f01841d66a25612c7e4e6f077176
SHA512

d496d4c1d2299157e16864125d55888c823ffda7ebd3825c91ad8340244de156efe115972947718da4035f08caf8378b7a496d3cb7ca1e38459f5b76690aa851
SSDEEP

98304:s/el6jimtfsyZvPVYEYkg1syyYvvrCWy7ktviOdHX7Y:s/A6LXZHV7Ykg+ynvrrFiOhX7

Score

10^/10

gcleaner defense_evasion discovery loader

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

da3aa4333a21af0366d368a32fab87f4a724f01841d66a25612c7e4e6f077176.exe

Resource

win7-20241023-en

gcleaner defense_evasion discovery loader

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

da3aa4333a21af0366d368a32fab87f4a724f01841d66a25612c7e4e6f077176.exe

Resource

win10v2004-20250314-en

gcleaner defense_evasion discovery loader

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  da3aa4333a21af0366d368a32fab87f4a724f01841d66a25612c7e4e6f077176.exe
- Size
  
  4.3MB
- MD5
  
  a70922a4fb9b8b48678531a65da13e53
- SHA1
  
  7be1773aa480ef6bddcf5752b762ccb2beb01d4a
- SHA256
  
  da3aa4333a21af0366d368a32fab87f4a724f01841d66a25612c7e4e6f077176
- SHA512
  
  d496d4c1d2299157e16864125d55888c823ffda7ebd3825c91ad8340244de156efe115972947718da4035f08caf8378b7a496d3cb7ca1e38459f5b76690aa851
- SSDEEP
  
  98304:s/el6jimtfsyZvPVYEYkg1syyYvvrCWy7ktviOdHX7Y:s/A6LXZHV7Ykg+ynvrrFiOhX7
Score

10^/10

gcleaner defense_evasion discovery loader
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  defense_evasion
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gcleanerdefense_evasiondiscoveryloader

behavioral2

gcleanerdefense_evasiondiscoveryloader

© 2018-2025

Terms | Privacy