File name: file

Full analysis: https://app.any.run/tasks/a2b047ea-4e58-4154-b1c6-4717a2028d09
Verdict: Malicious activity
Threats:

GCleaner is a type of malware loader that has the capability to deliver numerous malicious software programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools.

Analysis date: November 28, 2024, 16:53:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
gcleaner
loader
themida
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5: 4A3BF35B9C2D6577E142DA237FF5E25B
SHA1: 5FD2B806318DAF1E5522845D562A1E978DC46F49
SHA256: 5C593A57C0028A269F29D291A478EF4A11344B77BC4267D3D90CC2E4AD8DBFF7
SSDEEP: 98304:REdX2A2BZIVo9dJ8WCyabQZvJvi0zuoxj32FzMRzu6ezJhvZFvoVWvEqYeYgZu9m:TXq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GCLEANER has been detected (SURICATA)

      • file.exe (PID: 6380)
  • SUSPICIOUS

    • Reads the BIOS version

      • file.exe (PID: 6380)
    • Executes application which crashes

      • file.exe (PID: 6380)
    • Executable content was dropped or overwritten

      • file.exe (PID: 6380)
    • Potential Corporate Privacy Violation

      • file.exe (PID: 6380)
    • Reads security settings of Internet Explorer

      • file.exe (PID: 6380)
    • Connects to the server without a host name

      • file.exe (PID: 6380)
  • INFO

    • Checks proxy server information

      • file.exe (PID: 6380)
    • Themida protector has been detected

      • file.exe (PID: 6380)
    • Checks supported languages

      • file.exe (PID: 6380)
    • Reads the computer name

      • file.exe (PID: 6380)
    • Creates files or folders in the user directory

      • file.exe (PID: 6380)
    • Sends debugging messages

      • file.exe (PID: 6380)
    • Reads the machine GUID from the registry

      • file.exe (PID: 6380)
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:07:30 12:44:08+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 359424
InitializedDataSize: 60416
UninitializedDataSize: -
EntryPoint: 0x4d2000
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 36.0.0.0
ProductVersionNumber: 6.0.0.0
FileFlagsMask: 0x765a
FileFlags: (none)
FileOS: Unknown (0x326)
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Unknown (0324)
CharacterSet: Unknown (14E6)
FileVersions: 41.158.58.73
InternalName: ChickenBurger
FileDescription: Mirror
LegalCopyright: Copyright (C) 2023, Shits
ProductName: Renough
ProductVersions: 17.29.28.30
No data.
Total processes: 131
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> file.exe (#GCLEANER) -> werfault.exe

Process information

PID | CMD | Path | Parent process
4244 | C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6380 -s 1580 | C:\Windows\SysWOW64\WerFault.exe | file.exe
6380 | "C:\Users\admin\AppData\Local\Temp\file.exe" | C:\Users\admin\AppData\Local\Temp\file.exe | explorer.exe

PID 4244 (WerFault.exe)
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

PID 6380 (file.exe)
User: admin
Integrity Level: MEDIUM
Exit code: 3221225622
Modules (images):
c:\users\admin\appdata\local\temp\file.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 3 599
Read events: 3 596
Write events: 3
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
6380 | file.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix | (empty)
6380 | file.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie:
6380 | file.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited:
Executable files: 4
Suspicious files: 11
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
4244 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_file.exe_ba8a8a594ca8fa23cd1d4e3bee6863e38899ac_1ee2fc52_cebc75ac-7ab9-419d-927d-eb8c3839a31a\Report.wer | | |
6380 | file.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\add[1].htm | binary | CFCD208495D565EF66E7DFF9F98764DA | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
6380 | file.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\key[1].htm | text | 408E94319D97609B8E768415873D5A14 | E29A4FD2CB1F367A743EA7CFD356DBD19AEB271523BBAE49D4F53257C3B0A78D
6380 | file.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\download[1].htm | binary | CFCD208495D565EF66E7DFF9F98764DA | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
6380 | file.exe | C:\Users\admin\AppData\Local\Temp\fVde8G23ed3KwvGe0A5R\Bunifu_UI_v1.5.3.dll | executable | 2ECB51AB00C5F340380ECF849291DBCF | F1B3E0F2750A9103E46A6A4A34F1CF9D17779725F98042CC2475EC66484801CF
6380 | file.exe | C:\Users\admin\AppData\Local\Temp\fVde8G23ed3KwvGe0A5R\Y-Cleaner.exe | executable | A8CF5621811F7FAC55CFE8CB3FA6B9F6 | 614A0362AB87CEE48D0935B5BB957D539BE1D94C6FDEB3FE42FAC4FBE182C10C
6380 | file.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\fuckingdllENCR[1].dll | binary | E6743949BBF24B39B25399CD7C5D3A2E | A3B82FC46635A467CC8375D40DDBDDD71CAE3B7659D2BB5C3C4370930AE9468C
4244 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERDF0B.tmp.xml | xml | 7C54A4B523F6CE83D921577252E88699 | D63F937105305E8E7984462F1B4E6EDD92B4FC800E9D63725AE07A13787342A2
6380 | file.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\soft[1] | executable | A8CF5621811F7FAC55CFE8CB3FA6B9F6 | 614A0362AB87CEE48D0935B5BB957D539BE1D94C6FDEB3FE42FAC4FBE182C10C
6380 | file.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\download[1].htm | binary | CFCD208495D565EF66E7DFF9F98764DA | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
HTTP(S) requests: 26
TCP/UDP connections: 36
DNS requests: 17
Threats: 21

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
3280 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
 | | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
3280 | svchost.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
 | | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6380 | file.exe | GET | 200 | 185.156.72.65:80 | http://185.156.72.65/dll/download | unknown | malicious
6380 | file.exe | GET | 200 | 185.156.72.65:80 | http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub | unknown | unknown
6380 | file.exe | GET | 200 | 185.156.72.65:80 | http://185.156.72.65/dll/key | unknown | malicious
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6380 | file.exe | GET | 200 | 185.156.72.65:80 | http://185.156.72.65/files/download | unknown | malicious
6380 | file.exe | GET | 200 | 185.156.72.65:80 | http://185.156.72.65/files/download | unknown | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
 | | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3280 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3280 | svchost.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 92.123.104.61:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
 | | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
 | | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1176 | svchost.exe | 40.126.32.138:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
crl.microsoft.com | 23.48.23.156, 23.48.23.143 | whitelisted
www.microsoft.com | 23.52.120.96 | whitelisted
www.bing.com | 92.123.104.61, 92.123.104.47, 92.123.104.58, 92.123.104.59, 92.123.104.62, 92.123.104.54, 92.123.104.63, 92.123.104.51, 92.123.104.56 | whitelisted
google.com | 142.250.186.46 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
login.live.com | 40.126.32.138, 20.190.160.20, 40.126.32.76, 40.126.32.136, 40.126.32.140, 40.126.32.72, 20.190.160.17, 40.126.32.74 | whitelisted
go.microsoft.com | 23.213.166.81 | whitelisted
arc.msn.com | 20.199.58.43 | whitelisted
slscr.update.microsoft.com | 4.175.87.197 | whitelisted

Threats

PID | Process | Class | Message
6380 | file.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header

This row appears 10 times in the report (one entry per matching HTTP request).

Debug output

Process | Message
file.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------