BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

GCleaner

58
Global rank
35 infographic chevron month
Month rank
31 infographic chevron week
Week rank
471
IOCs

GCleaner is a type of malware loader that has the capability to deliver numerous malicious software programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools

Loader
Type
Unknown
Origin
19 September, 2019
First seen
14 July, 2024
Last seen

How to analyze GCleaner with ANY.RUN

Type
Unknown
Origin
19 September, 2019
First seen
14 July, 2024
Last seen

IOCs

IP addresses
5.42.65.85
5.42.65.115
185.172.128.90
45.12.253.75
5.12.253.98
107.182.129.235
171.22.30.106
85.31.46.167
45.139.105.171
203.159.80.49
5.12.253.724
45.12.253.564
212.192.246.217
Hashes
ec4a3b4195a3e96b2368b55ebb4c3c64e07a2d84e8f5b8a501b0547473ebf9d9
f88b778d7c3819667ad835b83140d188c47d6897be4aa0ec7fc8ba16eb5490bd
16468700b0a3e499513e7ccee0c95a3665df63f3cc657e48e073b4e07a798e1a
06b1f0c7bcebfc00a38b2fecc85de193cf598a7029196dd12bd1226e65db6b2e
319961e3cd13d871dfff907b115251383fdfe8755978b90ad1522204cf4ccc69
83c7a2ea21f2ed292da8d5e98b72e25aaa91aa28efcc9018910d7ee885311bc4
5f21d74f2ad986423d4a3f060a94a7006b43ad6227c3ce28b8b5018259c07397
31af520b509141499eff433c6cd1dd38761fb8098017c90316c7e11d7a123643
ff3c094e8f2413f96a54cf28bc668d6fa9c4235c481885086a5d7aa690dedfc8
627f8951741dd0a34884569a76db355c1100d5cba269d65731fd410ef2690fe0
8bcef7f2318c046a3e75cd30dc002ebbf60d55c669a73e861c2bf1bb76dc9010
77cac05970b8cfd47ac809c66777bf097ee0f708e68b119f21530a13ad7f0fbe
59f274f2113921e1019dd34cf272aff148ae72543555d062ee014d72d122d184
e45ae863fdd2a9389257e4b4175a8937c77e2f2ac04741aa23106082d269750f
3c2d75bb161819f1eb3a289d45e1efafff664df94e23e12cc1d5fde2135ae75c
63a9c63d504d9b57650f8a21c6211ba7995287f4bee3297833194501deebdef5
91ebf3d6754fa3615c27f003cadc820d0f22d15eb43c1991da905d50f871805d
80e0fad3bd2c2640bcb4aa073e7195a8fac77ac92b1085ca71cf975da3de6f9d
ce53630e164fefbd80810e812308044a6c6705ae6c797aa680c0952b1b28c15f
b5060a812c76a050304de3fd25542775644a816a1ea4d36f9c850106fb2e7452
URLs
http://185.172.128.90/cpa/ping.php
http://185.172.128.90/cpa/name.php
http://185.172.128.69/advdlc.php
http://185.172.128.69/batushka/inte.exe
http://185.172.128.69/download.php
http://5.42.64.56/installer/setup.php
http://5.42.64.56/dll/key.php
http://5.42.64.56/dll/download.php
http://5.42.65.64/advdlc.php
http://5.42.65.64/download.php
http://5.42.65.115/advdlc.php
http://5.42.65.115/download.php
http://5.42.65.115/batushka/inte.exe
http://5.42.64.3/installer/setup.php
http://5.42.64.3/dll/key.php
http://5.42.65.115/
http://5.42.65.115/icons/text.gif
http://5.42.65.115/icons/folder.gif
http://5.42.65.115/files/
http://5.42.65.115/getsizes.php
Last Seen at

Recent blog posts

post image
What Are the 3 Types of Threat Intelligence D...
watchers 148
comments 0
post image
Expert Q&A: Aaron Fillmore on his Cyberse...
watchers 158
comments 0
post image
Malware Trends Report: Q2, 2024 
watchers 1628
comments 0

What is the GCleaner loader malware?

The system optimizer market has for a long time been a breeding ground for all kinds of malicious software masking as legitimate to dupe users into downloading and installing it. G-Cleaner, also known as GCleaner, is a notable example of a fake PC optimization program, appearing to be genuine at first glance. In reality, it is a loader designed with one purpose: to get hold of victims’ sensitive data.

GCleaner is a loader, which was first spotted in early 2019. It is capable of a wide variety of malicious activities depending on the payload it is equipped with. Analysts have observed it to drop malware such as AZORult, the Raccoon info stealer, Smoke Loader, RedLine Stealer, and other popular families, depending on the victim’s geographic location.

The GCleaner malware is primarily known as one of the most widespread fake Windows utilities that is intended for targeting both organizations and individuals. It attempts to capitalize on the popularity of system cleaning tools by taking advantage of people’s negligence.

The identity of the individuals responsible for developing the G-Cleaner malware remains a mystery. Nonetheless, experts in the field of cybersecurity suspect that the creation of this malicious software was the work of a highly skilled and organized criminal organization.

Technical details of the GCleaner malicious software

Once G-Cleaner is installed on a computer, it extracts a malicious file in the system's temporary files folder and downloads a payload. For instance, GCleaner often drops AZORult and RedLine, stealers that scan the system for any type of personal information, which from now on becomes known to the attackers, including:

  • Passwords;
  • Credit card details;
  • Crypto addresses.

Although each malware family may exploit different types of vulnerabilities, in most cases, the process involves hijacking the victim’s web browser and then recording their keystrokes.

GCleaner makes use of different persistence mechanisms. For instance, after installation, it creates a number of new processes running in the background. The malware also writes data to a remote process, which is typically a legitimate Windows process. This makes it difficult for antivirus software to detect and remove the malware.

GCleaner attempts to stay hidden by using rootkit capabilities, which allow it to hide its presence from the operating system. As an extra layer of protection, it implements encryption to obfuscate its code, rendering it unreadable and harder for researchers to analyze.

Anti-debugging is also on the menu, which hinders reverse engineering efforts, making it challenging for analysts to debug the code and understand how it works.

Execution process of the GCleaner malware

By utilizing ANY.RUN, we can track the entire execution path of G-Cleaner and retrieve its config automatically. Here is a sample of the malware analyzed in our sandbox.

Gcleaner's configuration extracted by ANY.RUN Gcleaner's configuration extracted by ANY.RUN

Since GCleaner is a loader, its main purpose is to download other malware families. As a result, the execution flow varies from one version to another and can include the use of different tools. Overall, after it starts, the loader simply reruns itself under a different name from one of the "Program Files" directories. After that, it mostly attempts to download malware onto the infected system. In our case, GCleaner downloaded Redline.

Gcleaner’s network traffic Gcleaner's network traffic

Some samples of GCleaner may be detected by the malware’s network traffic. To do so, just look at the network stream. If you find "itsnotmalware/count.php" there, you can be pretty sure that it is GCleaner.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Distribution methods of the G-Cleaner malware

G-Cleaner has several channels for finding its way to users’ systems:

The most common one is through a website promoting a free optimizer. In fact, such was the first instance of this malware being discovered in 2019. The design of the page is reminiscent of those of CCleaner and other trusted providers, which is how criminals trick users into downloading malware.

Another widespread distribution method for G-Cleaner is through spam emails disguised as legitimate messages from international brands. In such cases, attackers utilize social engineering techniques to get users to install email attachments.

Alternatively, GCleaner can be masked as files not related to PC optimization. These may include game modes, patches, and other types of software.

Conclusion

G-Cleaner is a loader capable of introducing a range of malicious software onto the victim's computer. Generally, it is disseminated through fake websites advertising free PC performance optimization tools or via spam emails.

To prevent GCleaner and other malware from posing a risk to your organization’s infrastructure, you can conveniently scrutinize any questionable files using the ANY.RUN interactive malware analysis sandbox to quickly identify harmful code, study its behavior, and collect IOCs.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy