Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

GCleaner

54
Global rank
18 infographic chevron month
Month rank
26 infographic chevron week
Week rank
0
IOCs

GCleaner is a type of malware loader that has the capability to deliver numerous malicious software programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools

Loader
Type
Unknown
Origin
19 September, 2019
First seen
11 February, 2025
Last seen

How to analyze GCleaner with ANY.RUN

Type
Unknown
Origin
19 September, 2019
First seen
11 February, 2025
Last seen

IOCs

IP addresses
45.12.253.56
5.42.65.85
5.42.65.115
185.172.128.90
45.12.253.75
5.12.253.98
107.182.129.235
171.22.30.106
85.31.46.167
45.139.105.171
203.159.80.49
5.12.253.724
45.12.253.564
212.192.246.217
Domains
185.156.73.23
85.208.136.148
80.66.75.114
80.82.65.70
URLs
http://185.156.73.23/add
http://185.156.73.23/soft/download
http://185.156.73.23/files/download
http://185.156.73.23/dll/key
http://185.156.73.23/dll/download
http://45.12.253.56/advertisting/plus.php
http://185.156.73.23/name
http://85.208.136.148/onemore.php
http://80.66.75.114/name
http://80.82.65.70/add
http://80.82.65.70/soft/download
http://80.82.65.70/files/download
http://80.82.65.70/dll/download
http://80.82.65.70/dll/key
http://80.82.65.70/name
http://92.63.197.221/add
http://92.63.197.221/name
http://92.63.197.221/soft/download
http://92.63.197.221/files/download
http://92.63.197.221/dll/download
Last Seen at
Last Seen at

Recent blog posts

post image
I Used a Sandbox to Strengthen Bank’s Securit...
watchers 53
comments 0
post image
Instant URL Analysis: Use Safebrowsing via AN...
watchers 559
comments 0
post image
Cyber Attacks on DeepSeek AI: What Really Hap...
watchers 1430
comments 0

What is the GCleaner loader malware?

The system optimizer market has for a long time been a breeding ground for all kinds of malicious software masking as legitimate to dupe users into downloading and installing it. G-Cleaner, also known as GCleaner, is a notable example of a fake PC optimization program, appearing to be genuine at first glance. In reality, it is a loader designed with one purpose: to get hold of victims’ sensitive data.

GCleaner is a loader, which was first spotted in early 2019. It is capable of a wide variety of malicious activities depending on the payload it is equipped with. Analysts have observed it to drop malware such as AZORult, the Raccoon info stealer, Smoke Loader, RedLine Stealer, and other popular families, depending on the victim’s geographic location.

The GCleaner malware is primarily known as one of the most widespread fake Windows utilities that is intended for targeting both organizations and individuals. It attempts to capitalize on the popularity of system cleaning tools by taking advantage of people’s negligence.

The identity of the individuals responsible for developing the G-Cleaner malware remains a mystery. Nonetheless, experts in the field of cybersecurity suspect that the creation of this malicious software was the work of a highly skilled and organized criminal organization.

Technical details of the GCleaner malicious software

Once G-Cleaner is installed on a computer, it extracts a malicious file in the system's temporary files folder and downloads a payload. For instance, GCleaner often drops AZORult and RedLine, stealers that scan the system for any type of personal information, which from now on becomes known to the attackers, including:

  • Passwords;
  • Credit card details;
  • Crypto addresses.

Although each malware family may exploit different types of vulnerabilities, in most cases, the process involves hijacking the victim’s web browser and then recording their keystrokes.

GCleaner makes use of different persistence mechanisms. For instance, after installation, it creates a number of new processes running in the background. The malware also writes data to a remote process, which is typically a legitimate Windows process. This makes it difficult for antivirus software to detect and remove the malware.

GCleaner attempts to stay hidden by using rootkit capabilities, which allow it to hide its presence from the operating system. As an extra layer of protection, it implements encryption to obfuscate its code, rendering it unreadable and harder for researchers to analyze.

Anti-debugging is also on the menu, which hinders reverse engineering efforts, making it challenging for analysts to debug the code and understand how it works.

Execution process of the GCleaner malware

By utilizing ANY.RUN, we can track the entire execution path of G-Cleaner and retrieve its config automatically. Here is a sample of the malware analyzed in our sandbox.

Gcleaner's configuration extracted by ANY.RUN Gcleaner's configuration extracted by ANY.RUN

Since GCleaner is a loader, its main purpose is to download other malware families. As a result, the execution flow varies from one version to another and can include the use of different tools. Overall, after it starts, the loader simply reruns itself under a different name from one of the "Program Files" directories. After that, it mostly attempts to download malware onto the infected system. In our case, GCleaner downloaded Redline.

Gcleaner’s network traffic Gcleaner's network traffic

Some samples of GCleaner may be detected by the malware’s network traffic. To do so, just look at the network stream. If you find "itsnotmalware/count.php" there, you can be pretty sure that it is GCleaner.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Distribution methods of the G-Cleaner malware

G-Cleaner has several channels for finding its way to users’ systems:

The most common one is through a website promoting a free optimizer. In fact, such was the first instance of this malware being discovered in 2019. The design of the page is reminiscent of those of CCleaner and other trusted providers, which is how criminals trick users into downloading malware.

Another widespread distribution method for G-Cleaner is through spam emails disguised as legitimate messages from international brands. In such cases, attackers utilize social engineering techniques to get users to install email attachments.

Alternatively, GCleaner can be masked as files not related to PC optimization. These may include game modes, patches, and other types of software.

Conclusion

G-Cleaner is a loader capable of introducing a range of malicious software onto the victim's computer. Generally, it is disseminated through fake websites advertising free PC performance optimization tools or via spam emails.

To prevent GCleaner and other malware from posing a risk to your organization’s infrastructure, you can conveniently scrutinize any questionable files using the ANY.RUN interactive malware analysis sandbox to quickly identify harmful code, study its behavior, and collect IOCs.

HAVE A LOOK AT

DarkTortilla screenshot
DarkTortilla
darktortilla
DarkTortilla is a crypter used by attackers to spread harmful software. It can modify system files to stay hidden and active. DarkTortilla is a multi-stage crypter that relies on several components to operate. It is often distributed through phishing sites that look like real services.
Read More
LokiBot screenshot
LokiBot
lokibot loader trojan
LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.
Read More
Mallox screenshot
Mallox
mallox
Mallox is a ransomware strain that emerged in 2021, known for its ability to encrypt files and target database servers using vulnerabilities like RDP. Often distributed through phishing campaigns and exploiting exposed SQL servers, it locks victims' data and demands a ransom. Mallox operates as a Ransomware-as-a-Service (RaaS), making it accessible to affiliates who use it to conduct attacks.
Read More
Sliver screenshot
Sliver
sliver
Sliver is an open-source command-and-control (C2) framework that has been increasingly adopted by threat actors as an alternative to tools like Cobalt Strike. Developed by security firm Bishop Fox, Sliver was initially intended for legitimate security testing and red teaming exercises. However, its robust features and open-source nature have made it attractive to malicious actors seeking to control compromised systems.
Read More
Emmenhtal screenshot
Emmenhtal
emmenhtal
First identified in 2024, Emmenhtal operates by embedding itself within modified legitimate Windows binaries, often using HTA (HTML Application) files to execute malicious scripts. It has been linked to the distribution of malware such as CryptBot and Lumma Stealer. Emmenhtal is typically disseminated through phishing campaigns, including fake video downloads and deceptive email attachments.
Read More
DarkGate screenshot
DarkGate
darkgate
DarkGate is a loader, which possesses extensive functionality, ranging from keylogging to crypto mining. Written in Delphi, this malware is known for the use of AutoIT scripts in its infection process. Thanks to this malicious software’s versatile architecture, it is widely used by established threat actors.
Read More