win.gcleaner

GCleaner


There is no description at this point.

References
2022-09-26 — Kaspersky — Haim Zigel, Oleg Kupreev, Artem Ushkov
@online{zigel:20220926:nullmixer:c623b01, author = {Haim Zigel and Oleg Kupreev and Artem Ushkov}, title = {{NullMixer: oodles of Trojans in a single dropper}}, date = {2022-09-26}, organization = {Kaspersky}, url = {https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/}, language = {English}, urldate = {2022-10-05} } NullMixer: oodles of Trojans in a single dropper
ColdStealer DanaBot GCleaner PrivateLoader PseudoManuscrypt RedLine Stealer SmokeLoader Vidar
2022-08-08 — Medium CSIS Techblog — Benoît Ancel
@online{ancel:20220808:inside:67ef9a0, author = {Benoît Ancel}, title = {{An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure}}, date = {2022-08-08}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145}, language = {English}, urldate = {2022-08-28} } An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2021-08-28 — abuse.ch — abuse.ch
@online{abusech:20210828:malwarebazaar:d3dbedb, author = {abuse.ch}, title = {{MalwareBazaar | GCleaner}}, date = {2021-08-28}, organization = {abuse.ch}, url = {https://bazaar.abuse.ch/browse/signature/GCleaner/}, language = {English}, urldate = {2021-08-31} } MalwareBazaar | GCleaner
GCleaner
Yara Rules
[TLP:WHITE] win_gcleaner_auto (20230125 | Detects win.gcleaner.)
// Autogenerated code-sequence rule for win.gcleaner (yara-signator, see the
// disclaimer below). It matches on fragments of x86 machine code rather than
// on readable strings, so it targets the unpacked/in-memory form of the
// sample the generator saw.
rule win_gcleaner_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.gcleaner."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gcleaner"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a run of x86 (32-bit) opcode bytes taken from the
    // disassembly of the reference material. "??" wildcards mask the 4-byte
    // relative displacement of near calls (opcode e8), which changes with every
    // build/link layout; the generator therefore leaves those instructions
    // blank in the annotations. In the per-sequence annotations, "n" is the
    // number of instructions in the sequence; the meaning of "score" is the
    // generator's internal selection score and is not documented on this page.
    strings:
        $sequence_0 = { e8???????? 83c410 8d4dc0 e8???????? 8d4da8 e8???????? }
            // n = 6, score = 600
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   8d4dc0               | lea                 ecx, [ebp - 0x40]
            //   e8????????           |                     
            //   8d4da8               | lea                 ecx, [ebp - 0x58]
            //   e8????????           |                     

        $sequence_1 = { 8d8d78ffffff e8???????? 8d8d60ffffff e8???????? 6a00 }
            // n = 5, score = 600
            //   8d8d78ffffff         | lea                 ecx, [ebp - 0x88]
            //   e8????????           |                     
            //   8d8d60ffffff         | lea                 ecx, [ebp - 0xa0]
            //   e8????????           |                     
            //   6a00                 | push                0

        $sequence_2 = { ffb56cfeffff 6a02 e8???????? 837dc410 8d8d70feffff 8d45b0 }
            // n = 6, score = 600
            //   ffb56cfeffff         | push                dword ptr [ebp - 0x194]
            //   6a02                 | push                2
            //   e8????????           |                     
            //   837dc410             | cmp                 dword ptr [ebp - 0x3c], 0x10
            //   8d8d70feffff         | lea                 ecx, [ebp - 0x190]
            //   8d45b0               | lea                 eax, [ebp - 0x50]

        // NOTE(review): $sequence_3 is a strict prefix of $sequence_7 below, so
        // any match of $sequence_7 also matches $sequence_3; the two are not
        // independent evidence towards the "7 of them" threshold.
        $sequence_3 = { c745e400000000 c745e800000000 51 8d4db0 }
            // n = 4, score = 600
            //   c745e400000000       | mov                 dword ptr [ebp - 0x1c], 0
            //   c745e800000000       | mov                 dword ptr [ebp - 0x18], 0
            //   51                   | push                ecx
            //   8d4db0               | lea                 ecx, [ebp - 0x50]

        $sequence_4 = { 8d85f4feffff 50 6a04 8d85f0feffff }
            // n = 4, score = 600
            //   8d85f4feffff         | lea                 eax, [ebp - 0x10c]
            //   50                   | push                eax
            //   6a04                 | push                4
            //   8d85f0feffff         | lea                 eax, [ebp - 0x110]

        $sequence_5 = { ba07000000 3bc2 0f42d0 83fb10 }
            // n = 4, score = 600
            //   ba07000000           | mov                 edx, 7
            //   3bc2                 | cmp                 eax, edx
            //   0f42d0               | cmovb               edx, eax
            //   83fb10               | cmp                 ebx, 0x10

        $sequence_6 = { 83c408 8b4de0 c745c000000000 c745c40f000000 c645b000 85c9 }
            // n = 6, score = 600
            //   83c408               | add                 esp, 8
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   c745c000000000       | mov                 dword ptr [ebp - 0x40], 0
            //   c745c40f000000       | mov                 dword ptr [ebp - 0x3c], 0xf
            //   c645b000             | mov                 byte ptr [ebp - 0x50], 0
            //   85c9                 | test                ecx, ecx

        $sequence_7 = { c745e400000000 c745e800000000 51 8d4db0 c645fc01 e8???????? }
            // n = 6, score = 600
            //   c745e400000000       | mov                 dword ptr [ebp - 0x1c], 0
            //   c745e800000000       | mov                 dword ptr [ebp - 0x18], 0
            //   51                   | push                ecx
            //   8d4db0               | lea                 ecx, [ebp - 0x50]
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   e8????????           |                     

        $sequence_8 = { 7416 56 6a2f 53 }
            // n = 4, score = 600
            //   7416                 | je                  0x18
            //   56                   | push                esi
            //   6a2f                 | push                0x2f
            //   53                   | push                ebx

        $sequence_9 = { 0f1100 f30f7e45d8 660fd64010 8345e418 eb10 8d4dc8 51 }
            // n = 7, score = 600
            //   0f1100               | movups              xmmword ptr [eax], xmm0
            //   f30f7e45d8           | movq                xmm0, qword ptr [ebp - 0x28]
            //   660fd64010           | movq                qword ptr [eax + 0x10], xmm0
            //   8345e418             | add                 dword ptr [ebp - 0x1c], 0x18
            //   eb10                 | jmp                 0x12
            //   8d4dc8               | lea                 ecx, [ebp - 0x38]
            //   51                   | push                ecx

    condition:
        // At least 7 of the 10 sequences must be present, so up to three may
        // be absent (e.g. after recompilation) and the rule still fires.
        // 540672 bytes = 528 KiB: samples larger than that (padded, repacked,
        // or bundled) are not matched by this rule. Per the YARA docs,
        // filesize refers to the scanned file; check its behaviour for your
        // scan target (e.g. process memory) before relying on this bound.
        7 of them and filesize < 540672
}
[TLP:WHITE] win_gcleaner_w0   (20220922 | detects GCleaner)
// Hand-written string rule for GCleaner. It keys on plaintext artefacts
// (HTTP headers, a cmd.exe command line, tool names and "mix*" tags) and so
// targets the unpacked binary; a packed sample will not expose these strings.
rule win_gcleaner_w0 {

    meta:
        author          = "Johannes Bader @viql"
        date            = "2022-05-29"
        version         = "v1.0"
        description     = "detects GCleaner"
        tlp             = "TLP:WHITE"
        malpedia_family = "win.gcleaner"
        // Three reference samples the rule was written against.
        hash1_md5       = "8151e61aec021fa04bce8a30ea052e9d"
        hash1_sha1      = "4b972d2e74a286e9663d25913610b409e713befd"
        hash1_sha256    = "868fceaa4c01c2e2ceee3a27ac24ec9c16c55401a7e5a7ca05f14463f88c180f"
        hash2_md5       = "7526665a9d5d3d4b0cfffb2192c0c2b3"
        hash2_sha1      = "13bf754b44526a7a8b5b96cec0e482312c14838c"
        hash2_sha256    = "bb5cd698b03b3a47a2e55a6be3d62f3ee7c55630eb831b787e458f96aefe631b"
        hash3_md5       = "a39e68ae37310b79c72025c6dfba0a2a"
        hash3_sha1      = "ae007e61c16514a182d21ee4e802b7fcb07f3871"
        hash3_sha256    = "c5395d24c0a1302d23f95c1f95de0f662dc457ef785138b0e58b0324965c8a84"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gcleaner"
        malpedia_rule_date = "20220922"
        // Empty as published on this page.
        malpedia_hash = ""
        malpedia_version = "20220922"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Hard-coded HTTP request header lines. The exact header set
        // (including the ru-RU-first Accept-Language) is what makes them
        // distinctive; a generic "Accept:" alone would not be.
        $accept = "Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1"
        $accept_lang = "Accept-Language: ru-RU,ru;q=0.9,en;q=0.8" 
        $accept_charset = "Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1"
        $accept_encoding = "Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0"
        
        // NOTE(review): the identifier is a typo for "$unknown"; it is kept as
        // published because the condition uses "15 of them" and never refers
        // to it by name, so matching is unaffected.
        $unkown = "<unknown>"
        // Fragments of one cmd.exe command line: `/c taskkill /im "<image>" /f
        // & erase "<path>" & exit`. The image name and path sit between the
        // fragments and are not part of the rule.
        $cmd1 = "\" & exit" 
        $cmd2 = "\" /f & erase "
        $cmd3 = "/c taskkill /im \""

        // Names of analysis / traffic-inspection tools ("roxifier" is
        // presumably a substring of "Proxifier"). The "anti" prefix suggests
        // the sample looks these up as an analysis-environment check; that is
        // the rule author's naming, not something verifiable from the rule.
        $anti1 = " Far "
        $anti2 = "roxifier"
        $anti3 = "HTTP Analyzer"
        $anti4 = "Wireshark"
        $anti5 = "NetworkMiner"

        // "mix*" tokens; their meaning is not documented on this page
        // (possibly build or campaign labels — verify against a sample).
        $mix1 = "mixshop"
        $mix2 = "mixtwo"
        $mix3 = "mixnull"
        $mix4 = "mixazed"

    condition:
        // 0x5A4D is "MZ" read little-endian at offset 0, i.e. a PE/DOS header.
        // 15 of the 17 strings must be present, so at most two may be missing;
        // no filesize bound is applied.
        uint16(0) == 0x5A4D and 
        15 of them
}