General
-
Target
random.exe
-
Size
4.4MB
-
Sample
250403-hnsmsatrw4
-
MD5
0015c340d2e8a3bac775f8ff73e74188
-
SHA1
0ba20317561847b5325ddb168ec0503b5240c2ec
-
SHA256
27b042992e4ca1c4d3b2b2f33f3b869602c0d07906a34114d6a002f941e47078
-
SHA512
37aeb5f8120ee137504846e8a947b91d8e1baf636609761a470134ec35f6816939193eb03ca53f372ea824b5372cd60d1100b089393876faa2ef91295dda8d6a
-
SSDEEP
98304:ytq4CkcV1kEdVnO5eOP+//IDOLgVAzW/1FbIRWFi7z0H:sskcV1kEnO5k//IyLQmW/E0FN
Malware Config
Extracted
gcleaner
185.156.73.98
45.91.200.135
Targets
-
-
Target
random.exe
-
Size
4.4MB
-
MD5
0015c340d2e8a3bac775f8ff73e74188
-
SHA1
0ba20317561847b5325ddb168ec0503b5240c2ec
-
SHA256
27b042992e4ca1c4d3b2b2f33f3b869602c0d07906a34114d6a002f941e47078
-
SHA512
37aeb5f8120ee137504846e8a947b91d8e1baf636609761a470134ec35f6816939193eb03ca53f372ea824b5372cd60d1100b089393876faa2ef91295dda8d6a
-
SSDEEP
98304:ytq4CkcV1kEdVnO5eOP+//IDOLgVAzW/1FbIRWFi7z0H:sskcV1kEnO5k//IyLQmW/E0FN
Score10/10-
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
-
Gcleaner family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-