
GCleaner


GCleaner is a malware loader capable of delivering numerous malicious programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools.

Loader
Type
Unknown
Origin
19 September, 2019
First seen
22 September, 2025
Last seen

How to analyze GCleaner with ANY.RUN




What is the GCleaner loader malware?

The system optimizer market has long been a breeding ground for malicious software masquerading as legitimate tools to dupe users into downloading and installing it. G-Cleaner, also known as GCleaner, is a notable example of a fake PC optimization program that appears genuine at first glance. In reality, it is a loader designed with one purpose: to get hold of victims’ sensitive data.

GCleaner is a loader, which was first spotted in early 2019. It is capable of a wide variety of malicious activities depending on the payload it is equipped with. Analysts have observed it to drop malware such as AZORult, the Raccoon info stealer, Smoke Loader, RedLine Stealer, and other popular families, depending on the victim’s geographic location.

The GCleaner malware is primarily known as one of the most widespread fake Windows utilities targeting both organizations and individuals. It attempts to capitalize on the popularity of system cleaning tools by taking advantage of people’s carelessness.

The identity of the individuals behind the G-Cleaner malware remains unknown. Nonetheless, cybersecurity experts suspect that this malicious software was created by a highly skilled and organized criminal group.

Technical details of the GCleaner malicious software

Once G-Cleaner is installed on a computer, it extracts a malicious file into the system's temporary files folder and downloads a payload. For instance, GCleaner often drops AZORult and RedLine, stealers that scan the system for any type of personal information and pass it to the attackers, including:

  • Passwords;
  • Credit card details;
  • Crypto addresses.

Although each malware family may exploit different types of weaknesses, in most cases the process involves hijacking the victim’s web browser and then recording their keystrokes.

GCleaner makes use of different persistence mechanisms. For instance, after installation, it creates a number of new processes running in the background. The malware also writes data into a remote process, typically a legitimate Windows process (process injection), which makes it difficult for antivirus software to detect and remove the malware.

GCleaner attempts to stay hidden by using rootkit capabilities, which allow it to hide its presence from the operating system. As an extra layer of protection, it implements encryption to obfuscate its code, rendering it unreadable and harder for researchers to analyze.

Anti-debugging is also on the menu, which hinders reverse engineering efforts, making it challenging for analysts to debug the code and understand how it works.

Execution process of the GCleaner malware

By utilizing ANY.RUN, we can track the entire execution path of G-Cleaner and retrieve its config automatically. Here is a sample of the malware analyzed in our sandbox.

Gcleaner's configuration extracted by ANY.RUN

Since GCleaner is a loader, its main purpose is to download other malware families. As a result, the execution flow varies from one version to another and can include the use of different tools. Overall, after it starts, the loader simply reruns itself under a different name from one of the "Program Files" directories. After that, it mostly attempts to download malware onto the infected system. In our case, GCleaner downloaded RedLine.

Gcleaner's network traffic

Some samples of GCleaner can be identified by the malware’s network traffic. To do so, inspect the network stream: if you find "itsnotmalware/count.php" there, you can be fairly sure that it is GCleaner.
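The two behavioural signs described in this section, the re-execution under a different name from a "Program Files" directory and the "itsnotmalware/count.php" request in the network stream, can be checked against sandbox output with a short script. This is an added example, not ANY.RUN's code; the HTTP lines, process paths and host address are constructed samples, and the Temp-to-Program-Files parent/child heuristic is an assumption based on the description above.

```python
import re

# Constructed sample events (not from a real sandbox report).
SAMPLE_HTTP = [
    "GET http://example-cdn.test/update/check.php HTTP/1.1",
    "POST http://203.0.113.10/itsnotmalware/count.php HTTP/1.1",
    "GET http://example-cdn.test/static/logo.png HTTP/1.1",
]

SAMPLE_PROCS = [
    # (parent image, child image); names are hypothetical
    (r"C:\Users\victim\AppData\Local\Temp\gcleaner_setup.exe",
     r"C:\Program Files (x86)\Win Media Tools\wmtools.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Program Files\7-Zip\7zFM.exe"),
]

# URI marker quoted on this page as a GCleaner network indicator.
COUNT_PHP = re.compile(r"itsnotmalware/count\.php", re.IGNORECASE)
# Assumed heuristic: loader dropped in Temp restarts itself from Program Files.
PROGRAM_FILES = re.compile(r"^[A-Za-z]:\\Program Files( \(x86\))?\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)


def flag_http(lines):
    """Return the URLs of requests whose path carries the count.php marker."""
    hits = []
    for line in lines:
        if COUNT_PHP.search(line):
            parts = line.split()
            hits.append(parts[1] if len(parts) > 1 else line)
    return hits


def flag_reexec(procs):
    """Return (parent, child) pairs where a Temp-resident binary starts a
    differently named binary out of a Program Files directory."""
    hits = []
    for parent, child in procs:
        pname = parent.rsplit("\\", 1)[-1].lower()
        cname = child.rsplit("\\", 1)[-1].lower()
        if TEMP_DIR.search(parent) and PROGRAM_FILES.match(child) and pname != cname:
            hits.append((parent, child))
    return hits


if __name__ == "__main__":
    for url in flag_http(SAMPLE_HTTP):
        print("network marker:", url)
    for parent, child in flag_reexec(SAMPLE_PROCS):
        print("re-execution:", parent, "->", child)
```

The process heuristic on its own will also match benign installers, so treat it as a triage hint to be confirmed by the network marker or the downloaded payload.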


Distribution methods of the G-Cleaner malware

G-Cleaner has several channels for finding its way to users’ systems:

The most common one is through a website promoting a free optimizer. In fact, such was the first instance of this malware being discovered in 2019. The design of the page is reminiscent of those of CCleaner and other trusted providers, which is how criminals trick users into downloading malware.

Another widespread distribution method for G-Cleaner is through spam emails disguised as legitimate messages from international brands. In such cases, attackers utilize social engineering techniques to get users to install email attachments.

Alternatively, GCleaner can be disguised as files unrelated to PC optimization. These may include game mods, patches, and other types of software.

Conclusion

G-Cleaner is a loader capable of introducing a range of malicious software onto the victim's computer. Generally, it is disseminated through fake websites advertising free PC performance optimization tools or via spam emails.

To prevent GCleaner and other malware from posing a risk to your organization’s infrastructure, you can conveniently scrutinize any questionable files using the ANY.RUN interactive malware analysis sandbox to quickly identify harmful code, study its behavior, and collect IOCs.
