File name:

file

Full analysis: https://app.any.run/tasks/2281ec03-5b0b-4880-bf78-c054ad8b0c76
Verdict: Malicious activity
Threats:

GCleaner is a type of malware loader that has the capability to deliver numerous malicious software programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools

Malware Trends Tracker     >>>
Analysis date: December 06, 2022, 06:17:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
trojan
loader
gcleaner
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, InnoSetup self-extracting archive
MD5:

BDAD45DAC7BBD0CB0263A300BFC4BB63

SHA1:

2FB870F779BD536DB151C78A52BF94921AEDC35C

SHA256:

6C4AD26709B000C5B9554E392BBEC88DECD5657CF3D9472C66CD7B9CFAD81730

SSDEEP:

98304:CUMlJD2gWDSzySQEYdWS2NLaZi1a1SrzBRsSiVzDX:pMlJDNWSwf2laZi81uzBRWVX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • is-1VSRV.tmp (PID: 1292)

    • Application was dropped or rewritten from another process

      • qllVNk8LceaMDS.exe (PID: 2032)

    • G-cleaner network activity is detected

      • PrintFolders.exe (PID: 3112)

  • SUSPICIOUS

    • Reads the Internet Settings

      • PrintFolders.exe (PID: 3112)

    • Creates a directory in Program Files

      • is-1VSRV.tmp (PID: 1292)

    • Reads Microsoft Outlook installation path

      • PrintFolders.exe (PID: 3112)

    • Reads the Windows owner or organization settings

      • is-1VSRV.tmp (PID: 1292)

    • Executable content was dropped or overwritten

      • is-1VSRV.tmp (PID: 1292)

    • Drops a file with too old compile date

      • is-1VSRV.tmp (PID: 1292)

    • Uses TASKKILL.EXE to terminate process

      • cmd.exe (PID: 2580)

    • Connects to the server without a host name

      • PrintFolders.exe (PID: 3112)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 2580)

    • Starts CMD.EXE for commands execution

      • PrintFolders.exe (PID: 3112)

  • INFO

    • Checks proxy server information

      • PrintFolders.exe (PID: 3112)

    • Reads the computer name

      • is-1VSRV.tmp (PID: 1292)
      • PrintFolders.exe (PID: 3112)

    • Checks supported languages

      • is-1VSRV.tmp (PID: 1292)
      • PrintFolders.exe (PID: 3112)
      • file.exe (PID: 3512)
      • qllVNk8LceaMDS.exe (PID: 2032)

    • Loads dropped or rewritten executable

      • is-1VSRV.tmp (PID: 1292)

    • Creates a file in a temporary directory

      • is-1VSRV.tmp (PID: 1292)
      • file.exe (PID: 3512)

    • Drops a file that was compiled in debug mode

      • is-1VSRV.tmp (PID: 1292)

    • Creates files in the program directory

      • is-1VSRV.tmp (PID: 1292)

    • Creates a software uninstall entry

      • is-1VSRV.tmp (PID: 1292)

    • Application was dropped or rewritten from another process

      • is-1VSRV.tmp (PID: 1292)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (82.8)
.exe | Win32 Executable Delphi generic (10.7)
.exe | Win32 Executable (generic) (3.4)
.exe | Generic Win/DOS Executable (1.5)
.exe | DOS Executable Generic (1.5)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 1992-Jun-19 22:22:17
Detected languages:
  • English - United States
Comments: This installation was built with Inno Setup: http://www.innosetup.com
CompanyName: -
FileDescription: PrintFolders Setup
FileVersion: -
InternalName: -
OriginalFilename: -
ProductName: -
ProductVersion: -

DOS Header

e_magic: MZ
e_cblp: 80
e_cp: 2
e_crlc: -
e_cparhdr: 4
e_minalloc: 15
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: 26
e_oemid: -
e_oeminfo: -
e_lfanew: 256

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 8
TimeDateStamp: 1992-Jun-19 22:22:17
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
CODE
4096
36352
36352
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.60044
DATA
40960
584
1024
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.72043
BSS
45056
3684
0
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata
49152
2248
2560
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.2508
.tls
53248
8
0
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata
57344
24
512
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
0.199108
.reloc
61440
2156
0
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
.rsrc
65536
54688
54784
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
5.75782

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.26485
5672
Latin 1 / Western European
English - United States
RT_ICON
2
5.20743
3752
Latin 1 / Western European
English - United States
RT_ICON
3
5.46677
2216
Latin 1 / Western European
English - United States
RT_ICON
4
5.74812
1736
Latin 1 / Western European
English - United States
RT_ICON
5
5.56273
1384
Latin 1 / Western European
English - United States
RT_ICON
6
4.79202
16936
Latin 1 / Western European
English - United States
RT_ICON
7
5.82124
9640
Latin 1 / Western European
English - United States
RT_ICON
8
5.89108
4264
Latin 1 / Western European
English - United States
RT_ICON
9
6.13941
2440
Latin 1 / Western European
English - United States
RT_ICON
10
6.51874
1128
Latin 1 / Western European
English - United States
RT_ICON

Imports

advapi32.dll
advapi32.dll (#2)
comctl32.dll
kernel32.dll
kernel32.dll (#2)
oleaut32.dll
user32.dll
user32.dll (#2)
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
7
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start file.exe no specs file.exe is-1vsrv.tmp #GCLEANER printfolders.exe qllvnk8lceamds.exe no specs cmd.exe no specs taskkill.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2808"C:\Users\admin\AppData\Local\Temp\file.exe" C:\Users\admin\AppData\Local\Temp\file.exeExplorer.EXE
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
PrintFolders Setup
Exit code:
3221226540
Version:
Modules
Images
c:\users\admin\appdata\local\temp\file.exe
c:\windows\system32\ntdll.dll
3512"C:\Users\admin\AppData\Local\Temp\file.exe" C:\Users\admin\AppData\Local\Temp\file.exe
Explorer.EXE
User:
admin
Company:
Integrity Level:
HIGH
Description:
PrintFolders Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\appdata\local\temp\file.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
1292"C:\Users\admin\AppData\Local\Temp\is-EJFCO.tmp\is-1VSRV.tmp" /SL4 $30138 "C:\Users\admin\AppData\Local\Temp\file.exe" 3450895 96256 C:\Users\admin\AppData\Local\Temp\is-EJFCO.tmp\is-1VSRV.tmp
file.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.42.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-ejfco.tmp\is-1vsrv.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
3112"C:\Program Files\PrintFolders\PrintFolders.exe" C:\Program Files\PrintFolders\PrintFolders.exe
is-1VSRV.tmp
User:
admin
Company:
Atr Software
Integrity Level:
HIGH
Description:
Data Recovery
Exit code:
0
Version:
1.2.3.101
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\program files\printfolders\printfolders.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
2032 C:\Users\admin\AppData\Roaming\{e29ac6c0-7037-11de-816d-806e6f6e6963}\qllVNk8LceaMDS.exePrintFolders.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\roaming\{e29ac6c0-7037-11de-816d-806e6f6e6963}\qllvnk8lceamds.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
2580"C:\Windows\System32\cmd.exe" /c taskkill /im "PrintFolders.exe" /f & erase "C:\Program Files\PrintFolders\PrintFolders.exe" & exitC:\Windows\System32\cmd.exePrintFolders.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\apphelp.dll
3232taskkill /im "PrintFolders.exe" /f C:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\version.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
Total events
1 360
Read events
1 326
Write events
34
Delete events
0

Modification events

(PID) Process:(1292) is-1VSRV.tmpKey:HKEY_CURRENT_USER\Software\Auapoint Software\PrintFolders
Operation:writeName:Language
Value:
eng
(PID) Process:(1292) is-1VSRV.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2483CD7A-78F2-476F-86FF-B2EA93461085}}_is1
Operation:writeName:Inno Setup: Setup Version
Value:
5.1.2-beta
(PID) Process:(1292) is-1VSRV.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2483CD7A-78F2-476F-86FF-B2EA93461085}}_is1
Operation:writeName:Inno Setup: App Path
Value:
C:\Program Files\PrintFolders
(PID) Process:(1292) is-1VSRV.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2483CD7A-78F2-476F-86FF-B2EA93461085}}_is1
Operation:writeName:InstallLocation
Value:
C:\Program Files\PrintFolders\
(PID) Process:(1292) is-1VSRV.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2483CD7A-78F2-476F-86FF-B2EA93461085}}_is1
Operation:writeName:Inno Setup: Icon Group
Value:
PrintFolders
(PID) Process:(1292) is-1VSRV.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2483CD7A-78F2-476F-86FF-B2EA93461085}}_is1
Operation:writeName:Inno Setup: User
Value:
admin
(PID) Process:(1292) is-1VSRV.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2483CD7A-78F2-476F-86FF-B2EA93461085}}_is1
Operation:writeName:DisplayName
Value:
PrintFolders 3.101
(PID) Process:(1292) is-1VSRV.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2483CD7A-78F2-476F-86FF-B2EA93461085}}_is1
Operation:writeName:DisplayIcon
Value:
C:\Program Files\PrintFolders\PrintFolders.exe
(PID) Process:(1292) is-1VSRV.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2483CD7A-78F2-476F-86FF-B2EA93461085}}_is1
Operation:writeName:UninstallString
Value:
"C:\Program Files\PrintFolders\unins000.exe"
(PID) Process:(1292) is-1VSRV.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2483CD7A-78F2-476F-86FF-B2EA93461085}}_is1
Operation:writeName:QuietUninstallString
Value:
"C:\Program Files\PrintFolders\unins000.exe" /SILENT
Executable files
8
Suspicious files
4
Text files
5
Unknown types
3

Dropped files

PID
Process
Filename
Type
1292is-1VSRV.tmpC:\Program Files\PrintFolders\is-2JBRE.tmp
MD5:
SHA256:
1292is-1VSRV.tmpC:\Program Files\PrintFolders\PrintFolders.exe
MD5:
SHA256:
3112PrintFolders.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\ping[1].htmtext
MD5:064DB2A4C3D31A4DC6AA2538F3FE7377
SHA256:0A3EC2C4FC062D561F0DC989C6699E06FFF850BBDA7923F14F26135EF42107C0
3112PrintFolders.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\fuckingdllENCR[1].dllbinary
MD5:418619EA97671304AF80EC60F5A50B62
SHA256:EB7ECE66C14849064F462DF4987D6D59073D812C44D81568429614581106E0F4
1292is-1VSRV.tmpC:\Program Files\PrintFolders\unins000.datdat
MD5:7E10D3CCA512268CB9762AF6905C3552
SHA256:78A0F696BE0013CA544CC5EA30406E051F59E47E0015E8F9A289E4EB6DFB0CB1
3512file.exeC:\Users\admin\AppData\Local\Temp\is-EJFCO.tmp\is-1VSRV.tmpexecutable
MD5:075F33DA1EE1E9C480243CAC029B3C3E
SHA256:CEC47D181CF1DAD856463FC237EAD179FFA5AB1F2AEEEC442A99EE83C7DB5CB2
1292is-1VSRV.tmpC:\Program Files\PrintFolders\unins000.exeexecutable
MD5:4C797D442BE1F6264A8EF767DF41B85A
SHA256:415E5D17EB635B23DAC030BA6AD0363507C2C4CBA9F87A206E7B9C2A5C7716D4
1292is-1VSRV.tmpC:\Program Files\PrintFolders\is-FS5T4.tmpexecutable
MD5:4C797D442BE1F6264A8EF767DF41B85A
SHA256:415E5D17EB635B23DAC030BA6AD0363507C2C4CBA9F87A206E7B9C2A5C7716D4
1292is-1VSRV.tmpC:\Program Files\PrintFolders\License.txttext
MD5:A5E8094B0CBADE929AEE07F5DA5E9429
SHA256:F3AC2009C96EB3A42AFAEC7FA67D3A14E5E9E30819B543D572C9BEA790CFCAD1
1292is-1VSRV.tmpC:\Program Files\PrintFolders\is-V4ROA.tmpchm
MD5:204A5BF160646F9A55ED70AB6E1A07A6
SHA256:CACDD2C8BFA4BAE33A16A10ED609F4841AC5C4C2FE481ED0FD8CB04BC8016BBD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
3
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3112
PrintFolders.exe
GET
200
107.182.129.235:80
http://107.182.129.235/storage/ping.php
US
text
17 b
malicious
3112
PrintFolders.exe
GET
200
107.182.129.235:80
http://107.182.129.235/storage/extension.php
US
binary
92.0 Kb
malicious
3112
PrintFolders.exe
GET
200
45.139.105.171:80
http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
BG
binary
1 b
malicious
3112
PrintFolders.exe
GET
200
171.22.30.106:80
http://171.22.30.106/library.php
GB
binary
1 b
malicious
3112
PrintFolders.exe
GET
200
171.22.30.106:80
http://171.22.30.106/library.php
GB
binary
1 b
malicious
3112
PrintFolders.exe
GET
200
171.22.30.106:80
http://171.22.30.106/library.php
GB
binary
1 b
malicious
3112
PrintFolders.exe
GET
200
171.22.30.106:80
http://171.22.30.106/library.php
GB
binary
1 b
malicious
3112
PrintFolders.exe
GET
200
171.22.30.106:80
http://171.22.30.106/library.php
GB
binary
1 b
malicious
3112
PrintFolders.exe
GET
200
171.22.30.106:80
http://171.22.30.106/library.php
GB
binary
1 b
malicious
3112
PrintFolders.exe
GET
200
171.22.30.106:80
http://171.22.30.106/library.php
GB
binary
1 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3112
PrintFolders.exe
107.182.129.235:80
Delis LLC
US
malicious
3112
PrintFolders.exe
45.139.105.171:80
Xdeer Limited
BG
malicious
3112
PrintFolders.exe
171.22.30.106:80
Delis LLC
US
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
3112
PrintFolders.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 9
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2023 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
file