File name: file

Full analysis: https://app.any.run/tasks/1eaee466-bc3d-473e-992c-ae31be14d797
Verdict: Malicious activity
Threats:

GCleaner is a type of malware loader that has the capability to deliver numerous malicious software programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools.

Analysis date: December 10, 2024, 08:24:36
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
themida
gcleaner
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5: 5ABD444028545A70AC140F6C244F0DA8
SHA1: 5B46C706DFE9F4F443A894D746A76020A1835077
SHA256: 03704AC5905C8ED32D791115AC52F119286075A5D25E3BE6724F3B990C3F6361
SSDEEP: 98304:gueqKNNkPz5laJLPnGMkQKuA7OgUt+n1bhPMsmPGgzMc8eOLR8v63CC85V+WdU3W:fxy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GCLEANER has been detected (SURICATA)

      • file.exe (PID: 6700)
  • SUSPICIOUS

    • Reads the BIOS version

      • file.exe (PID: 6700)
    • Reads security settings of Internet Explorer

      • file.exe (PID: 6700)
    • Potential Corporate Privacy Violation

      • file.exe (PID: 6700)
    • Executes application which crashes

      • file.exe (PID: 6700)
    • Executable content was dropped or overwritten

      • file.exe (PID: 6700)
    • Connects to the server without a host name

      • file.exe (PID: 6700)
  • INFO

    • Sends debugging messages

      • file.exe (PID: 6700)
    • Themida protector has been detected

      • file.exe (PID: 6700)
    • Checks supported languages

      • file.exe (PID: 6700)
    • Reads the computer name

      • file.exe (PID: 6700)
    • Checks proxy server information

      • file.exe (PID: 6700)
      • WerFault.exe (PID: 5076)
    • Creates files or folders in the user directory

      • file.exe (PID: 6700)
    • Reads the machine GUID from the registry

      • file.exe (PID: 6700)
    • Reads the software policy settings

      • WerFault.exe (PID: 5076)
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:08:17 08:45:00+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 185344
InitializedDataSize: 110592
UninitializedDataSize: -
EntryPoint: 0x86b000
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 63.0.0.0
ProductVersionNumber: 54.0.0.0
FileFlagsMask: 0x003f
FileFlags: Debug, Pre-release, Patched, Private build, Special build
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Czech
CharacterSet: Unknown (08E2)
FileVersions: 3.70.55.47
ProductVersions: 9.30.90.54
InternalName: Modink
CompanyName: Historiy
All screenshots are available in the full report
Total processes: 129
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #GCLEANER file.exe werfault.exe

Process information

PID: 5076
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6700 -s 628
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: file.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

PID: 6700
CMD: "C:\Users\admin\AppData\Local\Temp\file.exe"
Path: C:\Users\admin\AppData\Local\Temp\file.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477
Modules (Images):
c:\users\admin\appdata\local\temp\file.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 3 592
Read events: 3 589
Write events: 3
Delete events: 0

Modification events

(PID) Process: (6700) file.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (6700) file.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6700) file.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 4
Suspicious files: 11
Text files: 3
Unknown types: 0

Dropped files

PID: 5076
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_file.exe_fafd47531ab6d510499988ddace487f076f293_c8b7b6aa_dbdb80fe-45fd-4860-88da-38bcdb4d956b\Report.wer
Type:
MD5:
SHA256:

PID: 6700
Process: file.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\fuckingdllENCR[1].dll
Type: binary
MD5: E6743949BBF24B39B25399CD7C5D3A2E
SHA256: A3B82FC46635A467CC8375D40DDBDDD71CAE3B7659D2BB5C3C4370930AE9468C

PID: 6700
Process: file.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\key[1].htm
Type: text
MD5: 408E94319D97609B8E768415873D5A14
SHA256: E29A4FD2CB1F367A743EA7CFD356DBD19AEB271523BBAE49D4F53257C3B0A78D

PID: 6700
Process: file.exe
Filename: C:\Users\admin\Desktop\Cleaner.lnk
Type: binary
MD5: 5170FBCEC3D06B1116F79A97F873E9CB
SHA256: A6868DEB6B64B51A6187ED5A2938896F5EC3E5A87EA57470E0D8843827619949

PID: 6700
Process: file.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\soft[1]
Type: executable
MD5: A8CF5621811F7FAC55CFE8CB3FA6B9F6
SHA256: 614A0362AB87CEE48D0935B5BB957D539BE1D94C6FDEB3FE42FAC4FBE182C10C

PID: 5076
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERFFD0.tmp.WERInternalMetadata.xml
Type: xml
MD5: 40A4375EDF735E8BDFB4A6B9137A173B
SHA256: 5CB8C439E76E96A782C9A66222262BE2E318D2A87BECE42FF13724812C19B0CE

PID: 6700
Process: file.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\download[1].htm
Type: binary
MD5: CFCD208495D565EF66E7DFF9F98764DA
SHA256: 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9

PID: 6700
Process: file.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\add[1].htm
Type: binary
MD5: CFCD208495D565EF66E7DFF9F98764DA
SHA256: 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9

PID: 5076
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF04.tmp.dmp
Type: binary
MD5: CFAAEF779B56B0B02763830261EE069B
SHA256: B9BC697E46B2C4E846A2E8DA7B690F82AF26274C2B067513C73D887BE5837A01

PID: 6700
Process: file.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\download[1].htm
Type: binary
MD5: CFCD208495D565EF66E7DFF9F98764DA
SHA256: 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
HTTP(S) requests: 22
TCP/UDP connections: 25
DNS requests: 14
Threats: 21

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
6700 | file.exe | GET | 200 | 80.82.65.70:80 | http://80.82.65.70/files/download | unknown | - | - | malicious
6700 | file.exe | GET | 200 | 80.82.65.70:80 | http://80.82.65.70/soft/download | unknown | - | - | malicious
6700 | file.exe | GET | 200 | 80.82.65.70:80 | http://80.82.65.70/files/download | unknown | - | - | malicious
6700 | file.exe | GET | 200 | 80.82.65.70:80 | http://80.82.65.70/add?substr=mixtwo&s=three&sub=emp | unknown | - | - | unknown
6700 | file.exe | GET | 200 | 80.82.65.70:80 | http://80.82.65.70/dll/key | unknown | - | - | malicious
6700 | file.exe | GET | 200 | 80.82.65.70:80 | http://80.82.65.70/dll/download | unknown | - | - | malicious
6700 | file.exe | GET | 200 | 80.82.65.70:80 | http://80.82.65.70/files/download | unknown | - | - | malicious
6700 | file.exe | GET | 200 | 80.82.65.70:80 | http://80.82.65.70/files/download | unknown | - | - | malicious
6700 | file.exe | GET | 200 | 80.82.65.70:80 | http://80.82.65.70/files/download | unknown | - | - | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1176 | svchost.exe | 20.190.159.75:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1176 | svchost.exe | 192.229.221.95:80 | - | EDGECAST | US | whitelisted
1076 | svchost.exe | 23.213.166.81:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6700 | file.exe | 80.82.65.70:80 | - | IP Volume inc | NL | unknown
5340 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
244 | SIHClient.exe | 52.149.20.212:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
244 | SIHClient.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
244 | SIHClient.exe | 13.85.23.206:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
login.live.com
  • 20.190.159.75
  • 20.190.159.0
  • 20.190.159.73
  • 20.190.159.68
  • 20.190.159.64
  • 20.190.159.2
  • 20.190.159.71
  • 40.126.31.71
whitelisted
go.microsoft.com
  • 23.213.166.81
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 95.101.149.131
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
fd.api.iris.microsoft.com
  • 20.199.58.43
whitelisted
watson.events.data.microsoft.com
  • 20.42.73.29
whitelisted
crl.microsoft.com
  • 2.16.164.9
  • 2.16.164.49
whitelisted

Threats

PID | Process | Class | Message
6700 | file.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
6700 | file.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
6700 | file.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
6700 | file.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
6700 | file.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
6700 | file.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
6700 | file.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
6700 | file.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
6700 | file.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
6700 | file.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
Debug output

Process | Message
file.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------