gcleaner | bbd1d4f59d12009824733b2767f1b082dc5c755521cdf8af8ec72f59bca58bfd | Triage

Submit
Reports

Overview

overview

Static

static

3

b6953a13e1...df.exe

windows10-2004-x64

b6953a13e1...df.exe

windows11-21h2-x64

Sharing

General

Target

9e404c18e6649e87003fb78f26bd2a3a.bin
Size

4.1MB
Sample

250507-bxad8swwft
MD5

90850634c7e9b5ac34f332050f27cbc9
SHA1

71985dff0b371afa0a8325af647e0888238084c7
SHA256

bbd1d4f59d12009824733b2767f1b082dc5c755521cdf8af8ec72f59bca58bfd
SHA512

f1c897208d0bc63d1684989e38444b8a9fa35f2d0943e57305569c4cc4f47a30765b763b150393840c4967a0d02065bffe10e985c747091041fe50b59c97a511
SSDEEP

98304:yKFAGzP7ihTC5YfRUu6F33luUP4EjHnyi0ESHmfSTi76D/X7:yKaAiH2F1uULDnyOPfSTi76zL

Score

10^/10

gcleaner defense_evasion discovery loader

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

b6953a13e1a34a0b9a6d859c78ab439d4fe4b8e2e8bcc8ad4aafdfaeddb83cdf.exe

Resource

win10v2004-20250502-en

gcleaner defense_evasion discovery loader

windows10-2004-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

b6953a13e1a34a0b9a6d859c78ab439d4fe4b8e2e8bcc8ad4aafdfaeddb83cdf.exe

Resource

win11-20250502-en

gcleaner defense_evasion discovery loader

windows11-21h2-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

gcleaner

C2

45.91.200.135

Targets

- Target
  
  b6953a13e1a34a0b9a6d859c78ab439d4fe4b8e2e8bcc8ad4aafdfaeddb83cdf.exe
- Size
  
  4.2MB
- MD5
  
  9e404c18e6649e87003fb78f26bd2a3a
- SHA1
  
  7e4f1ef092c927f1cc60a76be3b83e1df526782f
- SHA256
  
  b6953a13e1a34a0b9a6d859c78ab439d4fe4b8e2e8bcc8ad4aafdfaeddb83cdf
- SHA512
  
  d60dc8813d3dacd89878006a5b3fffea18434efcd07c4872089816641aac0f6ec552d320e612f1bd933a0d9c34d9f654348d09952fe8e279bd21ad36637b5b92
- SSDEEP
  
  98304:1VwWOnG41cVrTM6l13qkzrUvL5f3mS7e2xVON3e/s8NHcqAT/P1X:L76GRrZvAL5PmS7e2/OGs8NcTX
Score

10^/10

gcleaner defense_evasion discovery loader
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  defense_evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gcleanerdefense_evasiondiscoveryloader

behavioral2

gcleanerdefense_evasiondiscoveryloader

© 2018-2025

Terms | Privacy

	
		OSZAR »