gcleaner | c5308205d4d84ddc2a96194fcc509522ada976c3f5ee60e4208008ede1935359

General

Target

32f7fa32fafc74bb0b26089e37a7fde1.exe
Size

8.0MB
MD5

32f7fa32fafc74bb0b26089e37a7fde1
SHA1

f608bb9d9ba24bc86db2436e612bb84f31be2e97
SHA256

c5308205d4d84ddc2a96194fcc509522ada976c3f5ee60e4208008ede1935359
SHA512

1f31bdced9547fe0a29357b182a9a74e951ecefa17122d978e78cde6b1ea5b1cdf58f902508869f5590955cd23501e92aa0aac216226afed08c33655e02302d7
SSDEEP

98304:IT5sez3ygCjCjSmJNb/KyVdBAJ1Jbho2a6FmI3oqmG:IyeDycSmJNb//rMJbI6P3e

Score

10^/10

gcleaner lumma socks5systemz botnet discovery loader spyware stealer

Malware Config

Extracted

Family

gcleaner

C2

185.156.73.98

45.91.200.135

Extracted

Family

lumma

C2

https://proenhann.digital/thnb

https://jawdedmirror.run/ewqd

https://changeaie.top/geps

https://lonfgshadow.live/xawi

https://liftally.top/xasj

https://nighetwhisper.top/lekd

https://salaccgfa.top/gsooz

https://zestmodp.top/zeda

https://owlflright.digital/qopy

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4836-117-0x0000000002390000-0x0000000002430000-memory.dmp	family_socks5systemz

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Socks5systemz family
socks5systemz

Downloads MZ/PE file 2 IoCs

flow	pid	Process
3	3524	svchost015.exe
3	3524	svchost015.exe

Executes dropped EXE 5 IoCs

pid	Process
3524	svchost015.exe
4660	dA4AUOK9RS.exe
6060	dA4AUOK9RS.tmp
4836	ntfs2fat32converter102.exe
3328	s6L7bQg7Z.exe

Loads dropped DLL 2 IoCs

pid	Process
6060	dA4AUOK9RS.tmp
4836	ntfs2fat32converter102.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4336 set thread context of 3524	4336	32f7fa32fafc74bb0b26089e37a7fde1.exe	79

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32f7fa32fafc74bb0b26089e37a7fde1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dA4AUOK9RS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dA4AUOK9RS.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ntfs2fat32converter102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s6L7bQg7Z.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
6060	dA4AUOK9RS.tmp
6060	dA4AUOK9RS.tmp
3328	s6L7bQg7Z.exe
3328	s6L7bQg7Z.exe
3328	s6L7bQg7Z.exe
3328	s6L7bQg7Z.exe
3328	s6L7bQg7Z.exe
3328	s6L7bQg7Z.exe
3328	s6L7bQg7Z.exe
3328	s6L7bQg7Z.exe
3328	s6L7bQg7Z.exe
3328	s6L7bQg7Z.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	3328	s6L7bQg7Z.exe
Token: SeImpersonatePrivilege	3328	s6L7bQg7Z.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
6060	dA4AUOK9RS.tmp

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 3524	4336	32f7fa32fafc74bb0b26089e37a7fde1.exe	79
PID 4336 wrote to memory of 3524	4336	32f7fa32fafc74bb0b26089e37a7fde1.exe	79
PID 4336 wrote to memory of 3524	4336	32f7fa32fafc74bb0b26089e37a7fde1.exe	79
PID 4336 wrote to memory of 3524	4336	32f7fa32fafc74bb0b26089e37a7fde1.exe	79
PID 4336 wrote to memory of 3524	4336	32f7fa32fafc74bb0b26089e37a7fde1.exe	79
PID 4336 wrote to memory of 3524	4336	32f7fa32fafc74bb0b26089e37a7fde1.exe	79
PID 4336 wrote to memory of 3524	4336	32f7fa32fafc74bb0b26089e37a7fde1.exe	79
PID 4336 wrote to memory of 3524	4336	32f7fa32fafc74bb0b26089e37a7fde1.exe	79
PID 4336 wrote to memory of 3524	4336	32f7fa32fafc74bb0b26089e37a7fde1.exe	79
PID 3524 wrote to memory of 4660	3524	svchost015.exe	80
PID 3524 wrote to memory of 4660	3524	svchost015.exe	80
PID 3524 wrote to memory of 4660	3524	svchost015.exe	80
PID 4660 wrote to memory of 6060	4660	dA4AUOK9RS.exe	81
PID 4660 wrote to memory of 6060	4660	dA4AUOK9RS.exe	81
PID 4660 wrote to memory of 6060	4660	dA4AUOK9RS.exe	81
PID 6060 wrote to memory of 4836	6060	dA4AUOK9RS.tmp	82
PID 6060 wrote to memory of 4836	6060	dA4AUOK9RS.tmp	82
PID 6060 wrote to memory of 4836	6060	dA4AUOK9RS.tmp	82
PID 3524 wrote to memory of 3328	3524	svchost015.exe	83
PID 3524 wrote to memory of 3328	3524	svchost015.exe	83
PID 3524 wrote to memory of 3328	3524	svchost015.exe	83

C:\Users\Admin\AppData\Local\Temp\32f7fa32fafc74bb0b26089e37a7fde1.exe
"C:\Users\Admin\AppData\Local\Temp\32f7fa32fafc74bb0b26089e37a7fde1.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Users\Admin\AppData\Local\Temp\svchost015.exe
  "C:\Users\Admin\AppData\Local\Temp\32f7fa32fafc74bb0b26089e37a7fde1.exe"
  2⤵
  - Downloads MZ/PE file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Users\Admin\AppData\Roaming\L6vKzVYQTu\dA4AUOK9RS.exe
    "C:\Users\Admin\AppData\Roaming\L6vKzVYQTu\dA4AUOK9RS.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Users\Admin\AppData\Local\Temp\is-SK3IJ.tmp\dA4AUOK9RS.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-SK3IJ.tmp\dA4AUOK9RS.tmp" /SL5="$60272,3470653,54272,C:\Users\Admin\AppData\Roaming\L6vKzVYQTu\dA4AUOK9RS.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:6060
    - - C:\Users\Admin\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe
        
        "C:\Users\Admin\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe" -i
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4836
- - C:\Users\Admin\AppData\Roaming\egFYyvfOv\s6L7bQg7Z.exe
    "C:\Users\Admin\AppData\Roaming\egFYyvfOv\s6L7bQg7Z.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3328

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Browser Information Discovery

Query Registry

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe

Filesize
3.1MB

MD5
6ac5078fc3c5177d6e45251a0e889475

SHA1
98c4ccf0649dfe9f728baefab8a30db04eeed923

SHA256
a582b80bf55b1444f5bf62c25922670f9c4b19b8d6544e804effbda5faf17757

SHA512
a7dbf5436b3a48c2f0e7569a7dbd82af7b3ed2786ad5ff79c270eb186ffb7328d3c235d6182cddff6b4de98b8c63c5f3fe3c77c1145571a1b072682e179302ea

Download Submit
C:\Users\Admin\AppData\Local\NTFS to FAT32 Converter 1.0.2\sqlite3.dll

Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P8RPQ.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SK3IJ.tmp\dA4AUOK9RS.tmp

Filesize
692KB

MD5
4979d6d3415ef991208e0e4b04c0474d

SHA1
e09f89c0f12445498d9be797e1739efab179bef4

SHA256
2ee54bea24e54db46dc1f439dc7afb9bd4aa4b9209ed8ad679d1d73c9408f597

SHA512
81d7478b362b3e57625cb96e10cf50598694ba77f923f4aa4d324c4c5dd4593a75b14bbfafda152451c7de90890d4d69651ccc835528037375b22b6857345939

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost015.exe

Filesize
2.9MB

MD5
b826dd92d78ea2526e465a34324ebeea

SHA1
bf8a0093acfd2eb93c102e1a5745fb080575372e

SHA256
7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

SHA512
1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

Download Submit
C:\Users\Admin\AppData\Roaming\L6vKzVYQTu\dA4AUOK9RS.exe

Filesize
3.5MB

MD5
76435e8885559a7c3ef955de05646970

SHA1
9a897889383e55a66c215bbc2b341996a46081b0

SHA256
635fac03fcdd04822beb4740cdd544d887cd3039b67009cc90bdacc6c4bcdacb

SHA512
713b27c8c593e9f3a02e9b7e183ae0dd6e8b0e44a23b7214e86f2dc91eae60c8c9134e544f076ca12c1fe33ca6057bccd97d019ae840e070839711117a18cc72

Download Submit
C:\Users\Admin\AppData\Roaming\egFYyvfOv\s6L7bQg7Z.exe

Filesize
8.6MB

MD5
9208c64cf054174e106794f95a8e0d76

SHA1
2b0b858c8bc80ff9f73e1d2319f35b9e96012442

SHA256
77ad7a901bc60e62ab7c59c4697d43ee212cd18b602960c16a18972022db4780

SHA512
035416fbb1ffb445c3c3663d3d2ecd5aeeb79db4664990dab28de1086e144fc6b53ac3d07e1c7756ea9bc2dbb9e04828b8799a9d81ef31e65f3f331eb99e24e3

Download Submit
memory/3328-90-0x0000000000F80000-0x0000000000F83000-memory.dmp

Filesize
12KB

Download
memory/3328-91-0x0000000002780000-0x00000000027E2000-memory.dmp

Filesize
392KB

Download
memory/3524-82-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3524-15-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/3524-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3524-80-0x0000000000570000-0x000000000063E000-memory.dmp

Filesize
824KB

Download
memory/3524-4-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3524-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3524-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3524-72-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3524-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4336-9-0x0000000000400000-0x0000000000C0E000-memory.dmp

Filesize
8.1MB

Download
memory/4336-2-0x0000000004D80000-0x000000000551D000-memory.dmp

Filesize
7.6MB

Download
memory/4336-0-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/4660-79-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4660-25-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4660-23-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4836-86-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/4836-113-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/4836-140-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/4836-85-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/4836-67-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/4836-87-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/4836-101-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/4836-105-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/4836-109-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/4836-71-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/4836-117-0x0000000002390000-0x0000000002430000-memory.dmp

Filesize
640KB

Download
memory/4836-118-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/4836-124-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/4836-128-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/4836-132-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/4836-136-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/6060-84-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads