General
-
Target
random.exe
-
Size
4.5MB
-
Sample
250404-kmpwlswkt3
-
MD5
4dda58c062265854e9b2addb627ef7fc
-
SHA1
a26dec00306759644c87949d931133e493e84b2b
-
SHA256
bf8552047caf21ebb7ac56b721ef51c094d734caae091ac7620140f382a9098f
-
SHA512
204d41fbe849c3dfa9f58cf6bdfa33945ebafac983601ba508f96da549bf810e68ed64bad2535fcf622fb30e6c53c14c2e21e187e054fb356e3eb2e87889abad
-
SSDEEP
98304:bEWi00C8RjFFCsOiTRp42ELxE0VbNo3Ado1VG6O6rxgudWB9:bPC/bO+p4xF/VZo3A6HG6OWxguo9
Malware Config
Extracted
gcleaner
185.156.73.98
45.91.200.135
Targets
-
-
Target
random.exe
-
Size
4.5MB
-
MD5
4dda58c062265854e9b2addb627ef7fc
-
SHA1
a26dec00306759644c87949d931133e493e84b2b
-
SHA256
bf8552047caf21ebb7ac56b721ef51c094d734caae091ac7620140f382a9098f
-
SHA512
204d41fbe849c3dfa9f58cf6bdfa33945ebafac983601ba508f96da549bf810e68ed64bad2535fcf622fb30e6c53c14c2e21e187e054fb356e3eb2e87889abad
-
SSDEEP
98304:bEWi00C8RjFFCsOiTRp42ELxE0VbNo3Ado1VG6O6rxgudWB9:bPC/bO+p4xF/VZo3A6HG6OWxguo9
Score10/10-
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
-
Gcleaner family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-