Extracted

• • Target

    random.exe

  • Size

    4.3MB

  • MD5

    25f01463c15e5402fff5524d2075d64b

  • SHA1

    19a363879f86fd62e3bbfc3c817b80b11aab59f6

  • SHA256

    f18578f6f08ed309a5e3c430e0a35348ee2c7dd7330a6551a3faec6497f080bb

  • SHA512

    3a32fa38b351eb140cf24a8764cc8edc0ff30e074acb8fbf61c27ecee9b947f7cfd32ac067e14639d5551296438dfebd4ec7df70238db0e742351d59e743ace9

  • SSDEEP

    98304:YFrtRTeY3rDfaMKE0RAcSF6vdRS/VKontDCtQVEXuY1oNOspa:gtRX3rzaMKEg1cbDEQYuCqt

  Score

  10^/10

  gcleanerdefense_evasiondiscoveryloader

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner

  • Gcleaner family

    gcleaner

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1