File name: file

Full analysis: https://app.any.run/tasks/1eaee466-bc3d-473e-992c-ae31be14d797
Verdict: Malicious activity
Threats:

GCleaner is a malware loader that delivers a range of secondary payloads, with the payload chosen according to the victim's geographic location. It is commonly spread through fraudulent websites advertising free PC optimization tools.

Analysis date: December 10, 2024, 08:24:36
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
themida
gcleaner
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:

5ABD444028545A70AC140F6C244F0DA8

SHA1:

5B46C706DFE9F4F443A894D746A76020A1835077

SHA256:

03704AC5905C8ED32D791115AC52F119286075A5D25E3BE6724F3B990C3F6361

SSDEEP:

98304:gueqKNNkPz5laJLPnGMkQKuA7OgUt+n1bhPMsmPGgzMc8eOLR8v63CC85V+WdU3W:fxy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GCLEANER has been detected (SURICATA)

      • file.exe (PID: 6700)
  • SUSPICIOUS

    • Reads the BIOS version

      • file.exe (PID: 6700)
    • Reads security settings of Internet Explorer

      • file.exe (PID: 6700)
    • Executable content was dropped or overwritten

      • file.exe (PID: 6700)
    • Executes application which crashes

      • file.exe (PID: 6700)
    • Potential Corporate Privacy Violation

      • file.exe (PID: 6700)
    • Connects to the server without a host name

      • file.exe (PID: 6700)
  • INFO

    • Checks supported languages

      • file.exe (PID: 6700)
    • Themida protector has been detected

      • file.exe (PID: 6700)
    • Sends debugging messages

      • file.exe (PID: 6700)
    • Checks proxy server information

      • file.exe (PID: 6700)
      • WerFault.exe (PID: 5076)
    • Reads the computer name

      • file.exe (PID: 6700)
    • Creates files or folders in the user directory

      • file.exe (PID: 6700)
    • Reads the machine GUID from the registry

      • file.exe (PID: 6700)
    • Reads the software policy settings

      • WerFault.exe (PID: 5076)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:08:17 08:45:00+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 185344
InitializedDataSize: 110592
UninitializedDataSize: -
EntryPoint: 0x86b000
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 63.0.0.0
ProductVersionNumber: 54.0.0.0
FileFlagsMask: 0x003f
FileFlags: Debug, Pre-release, Patched, Private build, Special build
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Czech
CharacterSet: Unknown (08E2)
FileVersions: 3.70.55.47
ProductVersions: 9.30.90.54
InternalName: Modink
CompanyName: Historiy
All screenshots are available in the full report
Total processes
129
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

explorer.exe > file.exe (#GCLEANER, PID 6700) > WerFault.exe (PID 5076)

Process information

PID: 5076
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6700 -s 628
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: file.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

PID: 6700
CMD: "C:\Users\admin\AppData\Local\Temp\file.exe"
Path: C:\Users\admin\AppData\Local\Temp\file.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
Modules (images):
c:\users\admin\appdata\local\temp\file.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

file.exe is a 32-bit image running under WOW64 at medium integrity from %TEMP% and ended with an access violation. The -p 6700 argument on WerFault.exe identifies it as the crashing process; the resulting crash dump (file.exe.6700.dmp) and WER report appear under Dropped files. The HTTP exchange with 80.82.65.70 and the file drops all belong to the same PID, so they happened before the crash and the crash should not be read as the sample failing to run.
Total events
3 592
Read events
3 589
Write events
3
Delete events
0

Modification events

(PID) Process: (6700) file.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write   Name: CachePrefix   Value: (empty)

(PID) Process: (6700) file.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write   Name: CachePrefix   Value: Cookie:

(PID) Process: (6700) file.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write   Name: CachePrefix   Value: Visited:

These three CachePrefix values are the standard WinINet cache-container settings that WinINet initializes the first time a process uses it in a profile. They account for all three write events, show that file.exe fetched its payloads through WinINet (consistent with the INetCache\IE paths under Dropped files and with the "Reads security settings of Internet Explorer" and "Checks proxy server information" indicators), and are not a persistence mechanism.
Executable files
4
Suspicious files
11
Text files
3
Unknown types
0

Dropped files

PID 5076, WerFault.exe
  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_file.exe_fafd47531ab6d510499988ddace487f076f293_c8b7b6aa_dbdb80fe-45fd-4860-88da-38bcdb4d956b\Report.wer
  Type: -   MD5: -   SHA256: -
PID 6700, file.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\key[1].htm
  Type: text   MD5: 408E94319D97609B8E768415873D5A14   SHA256: E29A4FD2CB1F367A743EA7CFD356DBD19AEB271523BBAE49D4F53257C3B0A78D
PID 6700, file.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\download[1].htm
  Type: binary   MD5: CFCD208495D565EF66E7DFF9F98764DA   SHA256: 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
PID 6700, file.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\download[1].htm
  Type: binary   MD5: CFCD208495D565EF66E7DFF9F98764DA   SHA256: 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
PID 6700, file.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\add[1].htm
  Type: binary   MD5: CFCD208495D565EF66E7DFF9F98764DA   SHA256: 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
PID 6700, file.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\dll[1]
  Type: executable   MD5: 2ECB51AB00C5F340380ECF849291DBCF   SHA256: F1B3E0F2750A9103E46A6A4A34F1CF9D17779725F98042CC2475EC66484801CF
PID 6700, file.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\fuckingdllENCR[1].dll
  Type: binary   MD5: E6743949BBF24B39B25399CD7C5D3A2E   SHA256: A3B82FC46635A467CC8375D40DDBDDD71CAE3B7659D2BB5C3C4370930AE9468C
PID 6700, file.exe
  C:\Users\admin\AppData\Local\Temp\fe0efuw2eJevE1e\Y-Cleaner.exe
  Type: executable   MD5: A8CF5621811F7FAC55CFE8CB3FA6B9F6   SHA256: 614A0362AB87CEE48D0935B5BB957D539BE1D94C6FDEB3FE42FAC4FBE182C10C
PID 5076, WerFault.exe
  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE
  Type: binary   MD5: F0CF5B1794ECA7CD73F9C020DAAB8EF2   SHA256: 2AF00EDCE7EF3266897E52DC81E8DE3B7A079028C0F1F96EAFF9E38AD342F617
PID 5076, WerFault.exe
  C:\Users\admin\AppData\Local\CrashDumps\file.exe.6700.dmp
  Type: binary   MD5: 365D89A0ACCC7AFF9AF5DB87FE0EDF13   SHA256: 8AFF4BC004F6D1564AF0A73D93BBD0F89ED120AF8139904296D1F94C2996A729

Note that MD5 CFCD208495D565EF66E7DFF9F98764DA / SHA256 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 are the digests of the single ASCII byte "0": the two download[1].htm entries and add[1].htm are one-byte server responses, not payloads, and should not be distributed as file IOCs. The artefacts worth hashing and hunting are key[1].htm, dll[1], fuckingdllENCR[1].dll and the dropped Y-Cleaner.exe in a randomly named %TEMP% subdirectory; the WerFault.exe entries are the operating system's crash handling, not sample output.
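As an added example (not part of the ANY.RUN report and not its code), the following Python recomputes the digests of a few trivial response bodies and checks them against the dropped-file hashes above, so the one-byte "0" responses can be separated from the real payloads before the hashes go into a blocklist. The DROPPED table is transcribed from the report; the TRIVIAL_BODIES set and the labels are this example's own assumptions about what a loader C2 returns in place of a payload.

```python
"""Verify what the cached "download" responses in the report actually were.

Added example, not ANY.RUN code. The hash values in DROPPED are transcribed
from the Dropped files table; TRIVIAL_BODIES and the labels are this
example's own assumptions.
"""
from __future__ import annotations

import hashlib

# (path under the admin profile, MD5, SHA256) as reported for PID 6700, file.exe
DROPPED = [
    ("INetCache\\IE\\KCV3KQBA\\key[1].htm",
     "408E94319D97609B8E768415873D5A14",
     "E29A4FD2CB1F367A743EA7CFD356DBD19AEB271523BBAE49D4F53257C3B0A78D"),
    ("INetCache\\IE\\AH8CR9J5\\download[1].htm",
     "CFCD208495D565EF66E7DFF9F98764DA",
     "5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9"),
    ("INetCache\\IE\\RR3E01RZ\\download[1].htm",
     "CFCD208495D565EF66E7DFF9F98764DA",
     "5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9"),
    ("INetCache\\IE\\RR3E01RZ\\add[1].htm",
     "CFCD208495D565EF66E7DFF9F98764DA",
     "5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9"),
    ("INetCache\\IE\\AH8CR9J5\\dll[1]",
     "2ECB51AB00C5F340380ECF849291DBCF",
     "F1B3E0F2750A9103E46A6A4A34F1CF9D17779725F98042CC2475EC66484801CF"),
    ("INetCache\\IE\\E4DJRUXW\\fuckingdllENCR[1].dll",
     "E6743949BBF24B39B25399CD7C5D3A2E",
     "A3B82FC46635A467CC8375D40DDBDDD71CAE3B7659D2BB5C3C4370930AE9468C"),
    ("Temp\\fe0efuw2eJevE1e\\Y-Cleaner.exe",
     "A8CF5621811F7FAC55CFE8CB3FA6B9F6",
     "614A0362AB87CEE48D0935B5BB957D539BE1D94C6FDEB3FE42FAC4FBE182C10C"),
]

# Candidate non-payload bodies (assumed); hashed at runtime, nothing hard-coded.
TRIVIAL_BODIES = {
    b"": "empty response",
    b"0": "one-byte '0' response",
    b"1": "one-byte '1' response",
    b"OK": "'OK' response",
}


def digests(data: bytes) -> tuple[str, str]:
    """Lower-case hex MD5 and SHA256 of data."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def classify(dropped) -> dict[str, str]:
    """Label each dropped file as a known trivial body, 'non-trivial', or
    'hash mismatch' when the reported MD5/SHA256 pair cannot be the same bytes."""
    by_sha = {}
    for body, label in TRIVIAL_BODIES.items():
        md5, sha = digests(body)
        by_sha[sha] = (label, md5)
    labels = {}
    for path, md5, sha in dropped:
        hit = by_sha.get(sha.lower())
        if hit is None:
            labels[path] = "non-trivial"
        elif hit[1] != md5.lower():
            labels[path] = "hash mismatch"   # transcription error in one column
        else:
            labels[path] = hit[0]
    return labels


def payload_iocs(dropped) -> list[str]:
    """SHA256 values worth hunting for: the non-trivial drops only."""
    labels = classify(dropped)
    return sorted(sha.lower() for path, _, sha in dropped if labels[path] == "non-trivial")


if __name__ == "__main__":
    for path, label in classify(DROPPED).items():
        print(f"{label:24} {path}")
    print("\n".join(payload_iocs(DROPPED)))
```

Run as-is it labels both download[1].htm entries and add[1].htm as one-byte "0" responses and leaves key[1].htm, dll[1], fuckingdllENCR[1].dll and Y-Cleaner.exe as the four hashes worth distributing; the MD5/SHA256 consistency check catches a transcription error in either column before a bad hash lands in a blocklist.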
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
22
TCP/UDP connections
25
DNS requests
14
Threats
21

HTTP requests

PID   Process        Method  Code  IP                  URL                                                                                            CN       Reputation
6700  file.exe       GET     200   80.82.65.70:80      http://80.82.65.70/add?substr=mixtwo&s=three&sub=emp                                          unknown  unknown
1176  svchost.exe    GET     200   192.229.221.95:80   http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D  unknown  whitelisted
6700  file.exe       GET     200   80.82.65.70:80      http://80.82.65.70/dll/key                                                                     unknown  malicious
6700  file.exe       GET     200   80.82.65.70:80      http://80.82.65.70/dll/download                                                                unknown  malicious
6700  file.exe       GET     200   80.82.65.70:80      http://80.82.65.70/files/download  (5 identical requests)                                      unknown  malicious
244   SIHClient.exe  GET     200   88.221.169.152:80   http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl  unknown  whitelisted

All of file.exe's traffic is plaintext HTTP to 80.82.65.70 (IP Volume inc, NL) addressed by IP with no hostname, which is what the "Connects to the server without a host name" indicator refers to; none of the DNS lookups listed below belong to the sample. The request order (/add check-in with substr/s/sub parameters, then /dll/key, /dll/download and repeated /files/download) matches the cached files add[1].htm, key[1].htm, dll[1], fuckingdllENCR[1].dll and download[1].htm. The key-before-download pairing together with the ENCR name suggests the DLL is delivered encrypted with a separately fetched key; that is an inference from the names, as the page does not show decrypted content. The svchost.exe and SIHClient.exe rows are routine OCSP and CRL fetches by Windows.

Connections

PID   Process        IP                    Domain                           ASN                          CN  Reputation
1176  svchost.exe    20.190.159.75:443     login.live.com                   MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
4     System         192.168.100.255:138   -                                -                            -   whitelisted
1176  svchost.exe    192.229.221.95:80     -                                EDGECAST                     US  whitelisted
1076  svchost.exe    23.213.166.81:443     go.microsoft.com                 AKAMAI-AS                    DE  whitelisted
4     System         192.168.100.255:137   -                                -                            -   whitelisted
6700  file.exe       80.82.65.70:80        -                                IP Volume inc                NL  unknown
5340  svchost.exe    4.231.128.59:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
244   SIHClient.exe  52.149.20.212:443     slscr.update.microsoft.com       MICROSOFT-CORP-MSN-AS-BLOCK  US  whitelisted
244   SIHClient.exe  88.221.169.152:80     www.microsoft.com                AKAMAI-AS                    DE  whitelisted
244   SIHClient.exe  13.85.23.206:443      fe3cr.delivery.mp.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  US  whitelisted
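The Suricata signature that fired here ("LOADER [ANY.RUN] GCleaner HTTP Header") matches something in the request headers that this page does not show, so it cannot be reproduced from the report. What can be reproduced is the traffic shape: plaintext requests whose Host is a bare public IP, the /add check-in carrying substr, s and sub parameters, the /dll/key, /dll/download and /files/download paths, and a key fetch followed by a DLL download from the same client to the same host. The following Python is an added example (not ANY.RUN's code or rule) that scores that pattern over proxy-style HTTP logs. The seven-field log layout and every sample line are constructed for the example; the malicious rows reuse the URLs from the HTTP table, the benign rows are modelled on the svchost.exe and SIHClient.exe requests, and the path list, parameter names, scoring weights and 600-second window are this example's own choices.

```python
"""Proxy-log triage for the GCleaner loader traffic shape seen in the report.

Added example, not ANY.RUN code. Log layout (constructed for this example):
    <unix_ts> <client_ip> <server_ip> <host_header> <method> <uri> <status>
Adjust parse_line() to your proxy or Zeek http.log fields.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Paths taken from the HTTP requests table; the set itself is this example's choice.
LOADER_PATHS = {"/dll/key", "/dll/download", "/files/download"}
# Query keys seen on the /add check-in in the report.
ADD_PARAMS = {"substr", "s", "sub"}

# Constructed sample log: rows 1,3-6 reuse the report's URLs; the others are benign.
SAMPLE_LOG = """\
1733819076 10.0.0.5 80.82.65.70 80.82.65.70 GET /add?substr=mixtwo&s=three&sub=emp 200
1733819077 10.0.0.5 192.229.221.95 ocsp.digicert.com GET /ocsp-request 200
1733819078 10.0.0.5 80.82.65.70 80.82.65.70 GET /dll/key 200
1733819079 10.0.0.5 80.82.65.70 80.82.65.70 GET /dll/download 200
1733819080 10.0.0.5 80.82.65.70 80.82.65.70 GET /files/download 200
1733819081 10.0.0.5 80.82.65.70 80.82.65.70 GET /files/download 200
1733819090 10.0.0.9 192.168.1.10 192.168.1.10 GET /index.html 200
1733819091 10.0.0.9 88.221.169.152 www.microsoft.com GET /pkiops/crl/example.crl 200
"""


def parse_line(line: str) -> tuple:
    """Split one log line into (ts, src, dst, host, method, uri, status)."""
    parts = line.split()
    if len(parts) != 7:
        raise ValueError(f"unexpected field count in {line!r}")
    ts, src, dst, host, method, uri, status = parts
    return (int(ts), src, dst, host, method, uri, int(status))


def is_bare_ip_host(host: str) -> bool:
    """True when the Host header is an IPv4 literal (optionally host:port)."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def tag_request(rec: tuple) -> set[str]:
    """Per-request tags for the loader traffic shape."""
    _, _, _, host, _, uri, _ = rec
    tags: set[str] = set()
    # Internal services are often addressed by IP; only flag public IP literals.
    if is_bare_ip_host(host) and not ipaddress.ip_address(host.split(":")[0]).is_private:
        tags.add("bare_public_ip_host")
    parts = urlsplit(uri)
    if parts.path in LOADER_PATHS:
        tags.add("loader_path")
    if parts.path == "/add" and ADD_PARAMS <= set(parse_qs(parts.query)):
        tags.add("add_checkin")
    return tags


def triage(log_text: str, window: int = 600) -> dict:
    """Group requests by (client, host) and score each group.

    Score = number of distinct tags, plus 2 when /dll/key is followed by
    /dll/download from the same client to the same host within `window` seconds.
    """
    groups: dict[tuple[str, str], list[tuple]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            groups[(rec[1], rec[3])].append(rec)
    verdicts = {}
    for key, recs in groups.items():
        recs.sort()
        tags = set().union(*(tag_request(r) for r in recs))
        key_ts = [r[0] for r in recs if urlsplit(r[5]).path == "/dll/key"]
        dl_ts = [r[0] for r in recs if urlsplit(r[5]).path == "/dll/download"]
        sequence = any(0 <= d - k <= window for k in key_ts for d in dl_ts)
        verdicts[key] = {"score": len(tags) + (2 if sequence else 0),
                         "tags": tags, "sequence": sequence}
    return verdicts


if __name__ == "__main__":
    for (src, host), v in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{v['score']:2}  {src:10} -> {host:20} {sorted(v['tags'])} seq={v['sequence']}")
```

On the sample log the 10.0.0.5 to 80.82.65.70 group scores 5 (all three tags plus the key-then-download sequence), while the OCSP, CRL and intranet-by-IP rows score 0. Any single tag on its own is weak evidence (bare-IP hosts are common inside networks, and a /files/download path is generic), which is why the score combines them; treat the sequence bonus as the strongest signal and pivot from the host to the hashes under Dropped files.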

DNS requests

Domain
IP
Reputation
login.live.com
  • 20.190.159.75
  • 20.190.159.0
  • 20.190.159.73
  • 20.190.159.68
  • 20.190.159.64
  • 20.190.159.2
  • 20.190.159.71
  • 40.126.31.71
whitelisted
go.microsoft.com
  • 23.213.166.81
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 95.101.149.131
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
fd.api.iris.microsoft.com
  • 20.199.58.43
whitelisted
watson.events.data.microsoft.com
  • 20.42.73.29
whitelisted
crl.microsoft.com
  • 2.16.164.9
  • 2.16.164.49
whitelisted

Threats

PID   Process   Class                          Message
6700  file.exe  A Network Trojan was detected  LOADER [ANY.RUN] GCleaner HTTP Header

The same alert fired 10 times for PID 6700; only these 10 of the 21 threats counted above are listed on this page.
Debug messages

Process   Message
file.exe  %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------

This debug-output string is the Themida runtime's banner and matches the themida tag and the "Themida protector has been detected" indicator; expect the loader's real code to be available only after unpacking in memory, which is also why the static PE fields above (entry point 0x86b000, inconsistent version numbers) say little about the payload.