gcleaner | beca3d277a7f44b1505566d3b15a0108fcdb38f47ec4deb571e9917ede8acf1b

General

Target

random.exe
Size

4.5MB
MD5

d92ab77a1952b6cefd30bd521216e12f
SHA1

3289f48221df3d918db2f08e2ba035b325adf4e2
SHA256

beca3d277a7f44b1505566d3b15a0108fcdb38f47ec4deb571e9917ede8acf1b
SHA512

38b3435ca141d02eb2ff50e959b16a99e4f79cc81f21454c13eaa8e111b150d326135037221948927fd2ce4f5fd440f2d7aa7d4f2da2797b9ceb5db3400c33df
SSDEEP

98304:Zsi9Ky54MOVfvWyMkotqPb+BF8ySuU9Er3yvBqhyPCbqnnE2PF+Fld8x:am9jHkxCBmbEezCGnE2PF4v8

Score

10^/10

gcleaner socks5systemz botnet defense_evasion discovery loader

Malware Config

Extracted

Family

gcleaner

C2

185.156.73.98

45.91.200.135

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral1/memory/5308-115-0x0000000000780000-0x0000000000820000-memory.dmp	family_socks5systemz

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Socks5systemz family
socks5systemz

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe

Downloads MZ/PE file 2 IoCs

flow	pid	Process
6	5732	svchost015.exe
7	5732	svchost015.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe

Executes dropped EXE 4 IoCs

pid	Process
5732	svchost015.exe
4548	ysgkvToHMu.exe
4680	ysgkvToHMu.tmp
5308	backupmaster36.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Software\Wine	random.exe

Loads dropped DLL 2 IoCs

pid	Process
4680	ysgkvToHMu.tmp
5308	backupmaster36.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2316	random.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2316 set thread context of 5732	2316	random.exe	82

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ysgkvToHMu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ysgkvToHMu.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backupmaster36.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2316	random.exe
2316	random.exe
4680	ysgkvToHMu.tmp
4680	ysgkvToHMu.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4680	ysgkvToHMu.tmp

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 5732	2316	random.exe	82
PID 2316 wrote to memory of 5732	2316	random.exe	82
PID 2316 wrote to memory of 5732	2316	random.exe	82
PID 2316 wrote to memory of 5732	2316	random.exe	82
PID 2316 wrote to memory of 5732	2316	random.exe	82
PID 2316 wrote to memory of 5732	2316	random.exe	82
PID 2316 wrote to memory of 5732	2316	random.exe	82
PID 2316 wrote to memory of 5732	2316	random.exe	82
PID 2316 wrote to memory of 5732	2316	random.exe	82
PID 5732 wrote to memory of 4548	5732	svchost015.exe	84
PID 5732 wrote to memory of 4548	5732	svchost015.exe	84
PID 5732 wrote to memory of 4548	5732	svchost015.exe	84
PID 4548 wrote to memory of 4680	4548	ysgkvToHMu.exe	85
PID 4548 wrote to memory of 4680	4548	ysgkvToHMu.exe	85
PID 4548 wrote to memory of 4680	4548	ysgkvToHMu.exe	85
PID 4680 wrote to memory of 5308	4680	ysgkvToHMu.tmp	86
PID 4680 wrote to memory of 5308	4680	ysgkvToHMu.tmp	86
PID 4680 wrote to memory of 5308	4680	ysgkvToHMu.tmp	86

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\svchost015.exe
  "C:\Users\Admin\AppData\Local\Temp\random.exe"
  2⤵
  - Downloads MZ/PE file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5732
- - C:\Users\Admin\AppData\Roaming\q2e7NM6\ysgkvToHMu.exe
    "C:\Users\Admin\AppData\Roaming\q2e7NM6\ysgkvToHMu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Users\Admin\AppData\Local\Temp\is-VBU7C.tmp\ysgkvToHMu.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-VBU7C.tmp\ysgkvToHMu.tmp" /SL5="$1401C8,3297657,54272,C:\Users\Admin\AppData\Roaming\q2e7NM6\ysgkvToHMu.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4680
    - - C:\Users\Admin\AppData\Local\BackupMaster 3.0.0.36\backupmaster36.exe
        
        "C:\Users\Admin\AppData\Local\BackupMaster 3.0.0.36\backupmaster36.exe" -i
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5308

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\BackupMaster 3.0.0.36\backupmaster36.exe

Filesize
2.5MB

MD5
c00acb570cff41fb3d1ba4d765e46bc2

SHA1
a9abd020e1120ed608e18040a04400a21e42b7c9

SHA256
817f7da5580c9f85101f0f529826f69e52a2e44f682a856181e708cf79536753

SHA512
7fc08d674f1c18767b3ab07cb189bd4ee1cc064cadb884ea65df172e1ee490ea2adb4ffb48776f8976d9ece8a3fcf520c7ea47916e23f35be7cd3193781b3218

Download Submit
C:\Users\Admin\AppData\Local\BackupMaster 3.0.0.36\sqlite3.dll

Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7RMPI.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VBU7C.tmp\ysgkvToHMu.tmp

Filesize
692KB

MD5
4bc71c420f996ef0d2e1b18da37bff38

SHA1
99ffe456a7e4093cb3d05bd96a1e44d6c0e1157d

SHA256
6cfc49947535bc874f15245354685f397d9446af7374f329c5a52d72d5abd086

SHA512
9d45ade1f6ed7709c1cc2c93c2f0fe996cbc384685969ee525db29c2cac57ddce1177d937e84567fea59d6e0bbac9ee78d7e553b9f8a24894316457a90bf77c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost015.exe

Filesize
2.9MB

MD5
b826dd92d78ea2526e465a34324ebeea

SHA1
bf8a0093acfd2eb93c102e1a5745fb080575372e

SHA256
7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

SHA512
1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

Download Submit
C:\Users\Admin\AppData\Roaming\q2e7NM6\ysgkvToHMu.exe

Filesize
3.4MB

MD5
866c7f19804a14749a1985e2218d09e5

SHA1
aebf48580505bfd6b9bd5111e35e99a7d8fae0ac

SHA256
1103c6e7042d1278e45da78a9d42a537ba6433feb157c80012701fa3758e4119

SHA512
cd29a13c3d0df6f29697e11f3bea0bd76829a2ea6039d41e561164b6bf7c024a914e53015dc96e52781e17c05cc74f09b7a1dcdead6c46a4c34f15f5f9ab9ac9

Download Submit
memory/2316-1-0x0000000077AD4000-0x0000000077AD6000-memory.dmp

Filesize
8KB

Download
memory/2316-2-0x0000000000401000-0x0000000000461000-memory.dmp

Filesize
384KB

Download
memory/2316-3-0x0000000000400000-0x0000000000E80000-memory.dmp

Filesize
10.5MB

Download
memory/2316-4-0x0000000000400000-0x0000000000E80000-memory.dmp

Filesize
10.5MB

Download
memory/2316-13-0x0000000000400000-0x0000000000E80000-memory.dmp

Filesize
10.5MB

Download
memory/2316-0-0x0000000000400000-0x0000000000E80000-memory.dmp

Filesize
10.5MB

Download
memory/4548-34-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4548-32-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4548-83-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4680-45-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4680-85-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/5308-78-0x0000000000400000-0x0000000000686000-memory.dmp

Filesize
2.5MB

Download
memory/5308-103-0x0000000000400000-0x0000000000686000-memory.dmp

Filesize
2.5MB

Download
memory/5308-121-0x0000000000400000-0x0000000000686000-memory.dmp

Filesize
2.5MB

Download
memory/5308-115-0x0000000000780000-0x0000000000820000-memory.dmp

Filesize
640KB

Download
memory/5308-75-0x0000000000400000-0x0000000000686000-memory.dmp

Filesize
2.5MB

Download
memory/5308-113-0x0000000000400000-0x0000000000686000-memory.dmp

Filesize
2.5MB

Download
memory/5308-108-0x0000000000400000-0x0000000000686000-memory.dmp

Filesize
2.5MB

Download
memory/5308-98-0x0000000000400000-0x0000000000686000-memory.dmp

Filesize
2.5MB

Download
memory/5308-93-0x0000000000400000-0x0000000000686000-memory.dmp

Filesize
2.5MB

Download
memory/5308-89-0x0000000000400000-0x0000000000686000-memory.dmp

Filesize
2.5MB

Download
memory/5308-88-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/5732-18-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5732-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5732-14-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5732-22-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/5732-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5732-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5732-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads