gcleaner | 2440dfaeefc0f069fe46c217686bccb408440031a4bd96acc60ee2a52bd83b50 | Triage

Submit
Reports

Overview

overview

Static

static

3

bd49155860...ae.exe

windows10-2004-x64

bd49155860...ae.exe

windows11-21h2-x64

Sharing

Copy URL Twitter E-mail

General

Target

0716c23867ff59f7d36eae6bb3a47678.bin
Size

4.2MB
Sample

250507-bcvjnswvbs
MD5

3ecbfb72097363a5febb93dda5e576d8
SHA1

4df5e6682b3e25484daf8083e4efa3d0d3bb360c
SHA256

2440dfaeefc0f069fe46c217686bccb408440031a4bd96acc60ee2a52bd83b50
SHA512

d6d69aaa5727dc961fce84337374b3333df64ff016e4ce3061c9ecf95ad7870b1d6664c40b5ea88efd112c9e34387d622beaf810f7982c175a623270f4fc116b
SSDEEP

98304:PahLp0sRUg6hHWw8FwNuOFj1BiFWcBj5zMxvX2AFdD:op0sCg6Uw8FwFW8x2ALD

Score

10^/10

gcleaner defense_evasion discovery loader

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

bd49155860e9d1bc26bf8eb98df7666a1a10fd614092c6c449cc9f54057233ae.exe

Resource

win10v2004-20250502-en

gcleaner defense_evasion discovery loader

windows10-2004-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

bd49155860e9d1bc26bf8eb98df7666a1a10fd614092c6c449cc9f54057233ae.exe

Resource

win11-20250502-en

gcleaner defense_evasion discovery loader

windows11-21h2-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

gcleaner

C2

45.91.200.135

Targets

- Target
  
  bd49155860e9d1bc26bf8eb98df7666a1a10fd614092c6c449cc9f54057233ae.exe
- Size
  
  4.2MB
- MD5
  
  0716c23867ff59f7d36eae6bb3a47678
- SHA1
  
  4b15c19725ced8ccd5f627129d5430507fa4bc6f
- SHA256
  
  bd49155860e9d1bc26bf8eb98df7666a1a10fd614092c6c449cc9f54057233ae
- SHA512
  
  ca7c3dccbd497a9edcf2ac4bc3297456dcb3ec063defbdfe2700a910f933db3a0f74021c3d95964bab5186868a7eb11ec484aaf36f54008ad168416b9b821bf3
- SSDEEP
  
  98304:6JNf2heI8D1ovmCLIhOuYZ5gpaLJrWwXW5R+kL1V:6JNfb8mUI61ZW5R+kr
Score

10^/10

gcleaner defense_evasion discovery loader
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  defense_evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gcleanerdefense_evasiondiscoveryloader

behavioral2

gcleanerdefense_evasiondiscoveryloader

© 2018-2025

Terms | Privacy

	
		OSZAR »