File name: file

Full analysis: https://app.any.run/tasks/a2b047ea-4e58-4154-b1c6-4717a2028d09
Verdict: Malicious activity
Threats:

GCleaner is a type of malware loader that has the capability to deliver numerous malicious software programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools.

Analysis date: November 28, 2024, 16:53:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: gcleaner, loader, themida
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5: 4A3BF35B9C2D6577E142DA237FF5E25B
SHA1: 5FD2B806318DAF1E5522845D562A1E978DC46F49
SHA256: 5C593A57C0028A269F29D291A478EF4A11344B77BC4267D3D90CC2E4AD8DBFF7
SSDEEP: 98304:REdX2A2BZIVo9dJ8WCyabQZvJvi0zuoxj32FzMRzu6ezJhvZFvoVWvEqYeYgZu9m:TXq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • GCLEANER has been detected (SURICATA): file.exe (PID: 6380)
  • SUSPICIOUS
    • Reads the BIOS version: file.exe (PID: 6380)
    • Reads security settings of Internet Explorer: file.exe (PID: 6380)
    • Connects to the server without a host name: file.exe (PID: 6380)
    • Executable content was dropped or overwritten: file.exe (PID: 6380)
    • Potential Corporate Privacy Violation: file.exe (PID: 6380)
    • Executes application which crashes: file.exe (PID: 6380)
  • INFO
    • Sends debugging messages: file.exe (PID: 6380)
    • Reads the computer name: file.exe (PID: 6380)
    • Creates files or folders in the user directory: file.exe (PID: 6380)
    • Checks proxy server information: file.exe (PID: 6380)
    • Checks supported languages: file.exe (PID: 6380)
    • Reads the machine GUID from the registry: file.exe (PID: 6380)
    • Themida protector has been detected: file.exe (PID: 6380)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:07:30 12:44:08+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 359424
InitializedDataSize: 60416
UninitializedDataSize: -
EntryPoint: 0x4d2000
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 36.0.0.0
ProductVersionNumber: 6.0.0.0
FileFlagsMask: 0x765a
FileFlags: (none)
FileOS: Unknown (0x326)
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Unknown (0324)
CharacterSet: Unknown (14E6)
FileVersions: 41.158.58.73
InternalName: ChickenBurger
FileDescription: Mirror
LegalCopyright: Copyright (C) 2023, Shits
ProductName: Renough
ProductVersions: 17.29.28.30
No data.
All screenshots are available in the full report
Total processes: 131
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> file.exe (#GCLEANER) -> werfault.exe

Process information

PID: 4244
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6380 -s 1580
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: file.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (Images):
  c:\windows\syswow64\werfault.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\msvcrt.dll
  c:\windows\syswow64\combase.dll

PID: 6380
CMD: "C:\Users\admin\AppData\Local\Temp\file.exe"
Path: C:\Users\admin\AppData\Local\Temp\file.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225622 (0xC0000096, STATUS_PRIVILEGED_INSTRUCTION)
Modules (Images):
  c:\users\admin\appdata\local\temp\file.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\user32.dll
Total events: 3 599
Read events: 3 596
Write events: 3
Delete events: 0

Modification events

(PID) Process: (6380) file.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (6380) file.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6380) file.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 4
Suspicious files: 11
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type

4244 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_file.exe_ba8a8a594ca8fa23cd1d4e3bee6863e38899ac_1ee2fc52_cebc75ac-7ab9-419d-927d-eb8c3839a31a\Report.wer | -
MD5:
SHA256:

6380 | file.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\key[1].htm | text
MD5: 408E94319D97609B8E768415873D5A14
SHA256: E29A4FD2CB1F367A743EA7CFD356DBD19AEB271523BBAE49D4F53257C3B0A78D

6380 | file.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\download[1].htm | binary
MD5: CFCD208495D565EF66E7DFF9F98764DA
SHA256: 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9

6380 | file.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\fuckingdllENCR[1].dll | binary
MD5: E6743949BBF24B39B25399CD7C5D3A2E
SHA256: A3B82FC46635A467CC8375D40DDBDDD71CAE3B7659D2BB5C3C4370930AE9468C

6380 | file.exe | C:\Users\admin\AppData\Local\Temp\fVde8G23ed3KwvGe0A5R\Y-Cleaner.exe | executable
MD5: A8CF5621811F7FAC55CFE8CB3FA6B9F6
SHA256: 614A0362AB87CEE48D0935B5BB957D539BE1D94C6FDEB3FE42FAC4FBE182C10C

4244 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERDEDB.tmp.WERInternalMetadata.xml | xml
MD5: 28E41CEB438E5DCBD0E0B8C3BE2152AD
SHA256: ED126984212B31C0AB5E989E5E3F5403C6E3B50046C88F0FAAB8F22D88F73661

6380 | file.exe | C:\Users\admin\AppData\Local\Temp\fVde8G23ed3KwvGe0A5R\Bunifu_UI_v1.5.3.dll | executable
MD5: 2ECB51AB00C5F340380ECF849291DBCF
SHA256: F1B3E0F2750A9103E46A6A4A34F1CF9D17779725F98042CC2475EC66484801CF

4244 | WerFault.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE | binary
MD5: 7D08F157893AF0D017EED337C7709C35
SHA256: 646F753924666A0DC616D3CD6CD45202246083C0EC2AE1514F52A03932DE5AAE

6380 | file.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\soft[1] | executable
MD5: A8CF5621811F7FAC55CFE8CB3FA6B9F6
SHA256: 614A0362AB87CEE48D0935B5BB957D539BE1D94C6FDEB3FE42FAC4FBE182C10C

6380 | file.exe | C:\Users\admin\Desktop\Cleaner.lnk | binary
MD5: 2CBFA4B8F7865C51BE97B7A675B98A74
SHA256: 4A16F3FFB3BD7AAA551DE8BE537C1DBF48DFB5A863CBF2CEE064CC61F998BFEA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 26
TCP/UDP connections: 36
DNS requests: 17
Threats: 21

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
3280 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
3280 | svchost.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
- | - | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6380 | file.exe | GET | 200 | 185.156.72.65:80 | http://185.156.72.65/files/download | unknown | malicious
6380 | file.exe | GET | 200 | 185.156.72.65:80 | http://185.156.72.65/dll/download | unknown | malicious
6380 | file.exe | GET | 200 | 185.156.72.65:80 | http://185.156.72.65/dll/key | unknown | malicious
6380 | file.exe | GET | 200 | 185.156.72.65:80 | http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub | unknown | unknown
6380 | file.exe | GET | 200 | 185.156.72.65:80 | http://185.156.72.65/files/download | unknown | malicious

(Type and Size columns are not present in this extract of the report.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3280 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3280 | svchost.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 92.123.104.61:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
- | - | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
- | - | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1176 | svchost.exe | 40.126.32.138:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
www.bing.com
  • 92.123.104.61
  • 92.123.104.47
  • 92.123.104.58
  • 92.123.104.59
  • 92.123.104.62
  • 92.123.104.54
  • 92.123.104.63
  • 92.123.104.51
  • 92.123.104.56
whitelisted
google.com
  • 142.250.186.46
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.138
  • 20.190.160.20
  • 40.126.32.76
  • 40.126.32.136
  • 40.126.32.140
  • 40.126.32.72
  • 20.190.160.17
  • 40.126.32.74
whitelisted
go.microsoft.com
  • 23.213.166.81
whitelisted
arc.msn.com
  • 20.199.58.43
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted

Threats

PID | Process | Class | Message
6380 | file.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
6380 | file.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
6380 | file.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
6380 | file.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
6380 | file.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
6380 | file.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
6380 | file.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
6380 | file.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
6380 | file.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
6380 | file.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
Debug output strings

Process | Message
file.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------