GCleaner


GCleaner is a malware loader capable of delivering numerous malicious programs, which differ depending on the location of the targeted victim. It is commonly spread through fraudulent websites that advertise free PC optimization tools.

Type: Loader
Origin: Unknown
First seen: 19 September, 2019
Last seen: 25 September, 2023




What is the GCleaner loader malware?

The system optimizer market has long been a breeding ground for malicious software masquerading as legitimate tools to dupe users into downloading and installing it. G-Cleaner, also known as GCleaner, is a notable example of a fake PC optimization program that appears genuine at first glance. In reality, it is a loader designed with one purpose: to get hold of victims’ sensitive data.

GCleaner is a loader that was first spotted in early 2019. It is capable of a wide variety of malicious activity depending on the payload it carries. Analysts have observed it dropping AZORult, the Raccoon info stealer, Smoke Loader, RedLine Stealer, and other popular families, with the choice of payload depending on the victim’s geographic location.

The GCleaner malware is primarily known as one of the most widespread fake Windows utilities, and it targets both organizations and individuals. It capitalizes on the popularity of system cleaning tools by taking advantage of users’ carelessness.

The identity of the individuals responsible for developing the G-Cleaner malware remains unknown. Nonetheless, cybersecurity experts suspect that this malicious software was created by a highly skilled and well-organized criminal group.

Technical details of the GCleaner malicious software

Once G-Cleaner is installed on a computer, it extracts a malicious file into the system’s temporary files folder and downloads a payload. For instance, GCleaner often drops AZORult and RedLine, stealers that scan the system for any kind of personal information, which from that point on is in the attackers’ hands, including:

  • Passwords;
  • Credit card details;
  • Crypto addresses.

Although each malware family may exploit different types of vulnerabilities, in most cases the process involves hijacking the victim’s web browser and then recording their keystrokes.

GCleaner makes use of several persistence mechanisms. For instance, after installation it creates a number of new processes that run in the background. The malware also writes data into a remote process, typically a legitimate Windows process, which makes it more difficult for antivirus software to detect and remove.

GCleaner attempts to stay hidden by using rootkit capabilities, which allow it to hide its presence from the operating system. As an extra layer of protection, it implements encryption to obfuscate its code, rendering it unreadable and harder for researchers to analyze.

Anti-debugging is also on the menu, which hinders reverse engineering efforts, making it challenging for analysts to debug the code and understand how it works.

Execution process of the GCleaner malware

By utilizing ANY.RUN, we can track the entire execution path of G-Cleaner and retrieve its config automatically. Here is a sample of the malware analyzed in our sandbox.

GCleaner’s configuration extracted by ANY.RUN

Since GCleaner is a loader, its main purpose is to download other malware families. As a result, the execution flow varies from one version to another and can involve different tools. Overall, after it starts, the loader simply reruns itself under a different name from one of the "Program Files" directories. After that, it mostly attempts to download malware onto the infected system. In our case, GCleaner downloaded RedLine.
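The self-relaunch step described above can be turned into a simple detection over process-creation events. The code below is an added example, not ANY.RUN’s tooling: it flags a child process started from a "Program Files" directory whose file hash matches its parent’s but whose file name differs. The event format, paths and hashes are constructed for the example.

```python
# Added example (not ANY.RUN's code): flag a process that re-launches a copy of
# itself under a different name from a "Program Files" directory, the behaviour
# the page describes for the GCleaner loader. Events are a constructed,
# Sysmon-like subset (pid, ppid, image path, file hash); hashes are placeholders.
from dataclasses import dataclass
from typing import Dict, List, Tuple

PROGRAM_FILES_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the executable
    sha256: str   # constructed placeholder, not a real GCleaner hash

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def find_self_relaunch(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (parent_image, child_image) pairs where a child started from a
    Program Files directory has the same file hash as its parent but a
    different file name, i.e. the parent dropped a renamed copy of itself."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: List[Tuple[str, str]] = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue  # parent not in the event window: nothing to compare
        if (child.sha256 == parent.sha256
                and _basename(child.image) != _basename(parent.image)
                and child.image.lower().startswith(PROGRAM_FILES_PREFIXES)):
            hits.append((parent.image, child.image))
    return hits

# Constructed sample chain: downloaded "optimizer" re-executes itself renamed,
# then the renamed copy spawns another instance with the same name (not flagged).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "aaaa"),
    ProcEvent(200, 100, r"C:\Users\u\Downloads\G-Cleaner-setup.exe", "deadbeef"),
    ProcEvent(300, 200, r"C:\Program Files\GCleaner\svchost32.exe", "deadbeef"),
    ProcEvent(400, 300, r"C:\Program Files\GCleaner\svchost32.exe", "deadbeef"),
]

if __name__ == "__main__":
    for parent, child in find_self_relaunch(SAMPLE_EVENTS):
        print(f"self-relaunch: {parent} -> {child}")
```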

GCleaner’s network traffic

Some samples of GCleaner can be identified from the malware’s network traffic. To do so, just look at the network stream. If you find "itsnotmalware/count.php" there, you can be fairly sure that it is GCleaner.
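The network check above can be applied to HTTP request logs. The following is an added example, not ANY.RUN’s code: it scans constructed proxy-style log lines for the "itsnotmalware/count.php" URI the page gives as an indicator, normalizing case and percent-encoding so a re-cased or encoded request is still caught (that tolerant matching is this example’s assumption); the log format, hosts and addresses are constructed.

```python
# Added example (not ANY.RUN's code): scan HTTP request log lines for the
# "itsnotmalware/count.php" URI the page gives as a GCleaner network indicator.
# Log format, hosts and IP addresses below are constructed for the example.
import re
from typing import List, Tuple
from urllib.parse import unquote

GCLEANER_URI_MARKER = "itsnotmalware/count.php"   # indicator from the page

# Constructed line format: "<timestamp> <src_ip> <METHOD> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")

def normalize_uri(uri: str) -> str:
    """Lower-case and percent-decode (repeatedly, to undo double encoding such
    as %252F -> %2F -> /) so an encoded or re-cased request still matches.
    Tolerant matching is this example's assumption, not something the page states."""
    decoded = uri
    for _ in range(3):
        new = unquote(decoded)
        if new == decoded:
            break
        decoded = new
    return decoded.lower()

def find_gcleaner_beacons(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (src_ip, url) pairs for requests whose URL carries the indicator."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing on them
        _ts, src, _method, url = m.groups()
        if GCLEANER_URI_MARKER in normalize_uri(url):
            hits.append((src, url))
    return hits

# Constructed sample: one benign request, one plain hit, one encoded/re-cased hit.
SAMPLE_LOG = [
    "2023-09-25T10:00:01Z 10.0.0.5 GET http://example.test/index.html",
    "2023-09-25T10:00:03Z 10.0.0.5 POST http://c2.example.test/itsnotmalware/count.php",
    "2023-09-25T10:00:04Z 10.0.0.9 GET http://c2.example.test/ItsNotMalware%2Fcount.php?x=1",
    "garbage line without structure",
]

if __name__ == "__main__":
    for src, url in find_gcleaner_beacons(SAMPLE_LOG):
        print(f"GCleaner indicator from {src}: {url}")
```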


Distribution methods of the G-Cleaner malware

G-Cleaner has several channels for finding its way to users’ systems:

The most common one is a website promoting a free optimizer. In fact, that is how the first instance of this malware was discovered in 2019. The design of such pages is reminiscent of those of CCleaner and other trusted providers, which is how criminals trick users into downloading the malware.

Another widespread distribution method for G-Cleaner is through spam emails disguised as legitimate messages from international brands. In such cases, attackers utilize social engineering techniques to get users to install email attachments.

Alternatively, GCleaner can be disguised as files unrelated to PC optimization. These may include game mods, patches, and other types of software.

Conclusion

G-Cleaner is a loader capable of introducing a range of malicious software onto the victim's computer. Generally, it is disseminated through fake websites advertising free PC performance optimization tools or via spam emails.

To prevent GCleaner and other malware from posing a risk to your organization’s infrastructure, you can conveniently scrutinize any questionable files using the ANY.RUN interactive malware analysis sandbox to quickly identify harmful code, study its behavior, and collect IOCs.
