gcleaner | ec1d9597733789523130e23208f7cfa7ee06351e6408a4caaed333470a5e2c76 | Triage

Submit
Reports

Overview

overview

Static

static

3

c9d9a3370d...a2.exe

windows10-2004-x64

c9d9a3370d...a2.exe

windows11-21h2-x64

Sharing

Copy URL Twitter E-mail

General

Target

7837fdd84a7370d9d466f2dc04f7e959.bin
Size

4.1MB
Sample

250507-bykatswwgs
MD5

e4557f92f720b8dc5eeca5ef85120fba
SHA1

7fa221c20e0b62d10bfcca660139668d1d42589a
SHA256

ec1d9597733789523130e23208f7cfa7ee06351e6408a4caaed333470a5e2c76
SHA512

d9b66bb7094a6ff000d34a70166407746903dd080c25bb9bc809a290f150c0b7c59dd5c5ed2febe8678a746135161c5d932ce4351f83b0e0b067010860f1d5eb
SSDEEP

98304:mSHfvF0CwBLsBhs7tESIIZNuSiTZs+qYPbRr/o790P:mal0CwBoBhwtESIIZNfmZfqYPb9waP

Score

10^/10

gcleaner defense_evasion discovery loader

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

c9d9a3370d1189fa0bb4dce27e72f4c27033f05e668fb020b4cb9351a00010a2.exe

Resource

win10v2004-20250502-en

gcleaner defense_evasion discovery loader

windows10-2004-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

c9d9a3370d1189fa0bb4dce27e72f4c27033f05e668fb020b4cb9351a00010a2.exe

Resource

win11-20250502-en

gcleaner defense_evasion discovery loader

windows11-21h2-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

gcleaner

C2

45.91.200.135

Targets

- Target
  
  c9d9a3370d1189fa0bb4dce27e72f4c27033f05e668fb020b4cb9351a00010a2.exe
- Size
  
  4.1MB
- MD5
  
  7837fdd84a7370d9d466f2dc04f7e959
- SHA1
  
  e29faab66a73cfdc4c73610fb0ecc6035130158d
- SHA256
  
  c9d9a3370d1189fa0bb4dce27e72f4c27033f05e668fb020b4cb9351a00010a2
- SHA512
  
  42a49063e964eab0e397cbfaadeb25ed68f2ff0472f06cb56a4984b4a9097e5866d2952e979fd4cb438a93e9744a5761a47b6cbfbf7e99b4c1b27012f25a1ea7
- SSDEEP
  
  98304:tPGoJliMI3F5YuWkjLpqlgGtKuXdgFbZbGQw1E:teKli/5ekPsAu6zK1E
Score

10^/10

gcleaner defense_evasion discovery loader
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  defense_evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gcleanerdefense_evasiondiscoveryloader

behavioral2

gcleanerdefense_evasiondiscoveryloader

© 2018-2025

Terms | Privacy

	
		OSZAR »