SYMBOLCOMMON_NAMEaka. SYNONYMS
win.gcleaner (Back to overview)

GCleaner

There is no description at this point.

References
2022-09-26KasperskyHaim Zigel, Oleg Kupreev, Artem Ushkov
@online{zigel:20220926:nullmixer:c623b01, author = {Haim Zigel and Oleg Kupreev and Artem Ushkov}, title = {{NullMixer: oodles of Trojans in a single dropper}}, date = {2022-09-26}, organization = {Kaspersky}, url = {https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/}, language = {English}, urldate = {2022-10-05} } NullMixer: oodles of Trojans in a single dropper
ColdStealer DanaBot GCleaner PrivateLoader PseudoManuscrypt RedLine Stealer SmokeLoader Vidar
2022-08-08Medium CSIS TechblogBenoît Ancel
@online{ancel:20220808:inside:67ef9a0, author = {Benoît Ancel}, title = {{An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure}}, date = {2022-08-08}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145}, language = {English}, urldate = {2022-08-28} } An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2021-08-28abuse.chabuse.ch
@online{abusech:20210828:malwarebazaar:d3dbedb, author = {abuse.ch}, title = {{MalwareBazaar | GCleaner}}, date = {2021-08-28}, organization = {abuse.ch}, url = {https://bazaar.abuse.ch/browse/signature/GCleaner/}, language = {English}, urldate = {2021-08-31} } MalwareBazaar | GCleaner
GCleaner
Yara Rules
[TLP:WHITE] win_gcleaner_w0 (20220922 | detects GCleaner)
rule win_gcleaner_w0 {

    meta:
        author          = "Johannes Bader @viql"
        date            = "2022-05-29"
        version         = "v1.0"
        description     = "detects GCleaner"
        tlp             = "TLP:WHITE"
        malpedia_family = "win.gcleaner"
        hash1_md5       = "8151e61aec021fa04bce8a30ea052e9d"
        hash1_sha1      = "4b972d2e74a286e9663d25913610b409e713befd"
        hash1_sha256    = "868fceaa4c01c2e2ceee3a27ac24ec9c16c55401a7e5a7ca05f14463f88c180f"
        hash2_md5       = "7526665a9d5d3d4b0cfffb2192c0c2b3"
        hash2_sha1      = "13bf754b44526a7a8b5b96cec0e482312c14838c"
        hash2_sha256    = "bb5cd698b03b3a47a2e55a6be3d62f3ee7c55630eb831b787e458f96aefe631b"
        hash3_md5       = "a39e68ae37310b79c72025c6dfba0a2a"
        hash3_sha1      = "ae007e61c16514a182d21ee4e802b7fcb07f3871"
        hash3_sha256    = "c5395d24c0a1302d23f95c1f95de0f662dc457ef785138b0e58b0324965c8a84"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gcleaner"
        malpedia_rule_date = "20220922"
        malpedia_hash = ""
        malpedia_version = "20220922"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $accept = "Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1"
        $accept_lang = "Accept-Language: ru-RU,ru;q=0.9,en;q=0.8" 
        $accept_charset = "Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1"
        $accept_encoding = "Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0"
        
        $unkown = "<unknown>"
        $cmd1 = "\" & exit" 
        $cmd2 = "\" /f & erase "
        $cmd3 = "/c taskkill /im \""

        $anti1 = " Far "
        $anti2 = "roxifier"
        $anti3 = "HTTP Analyzer"
        $anti4 = "Wireshark"
        $anti5 = "NetworkMiner"

        $mix1 = "mixshop"
        $mix2 = "mixtwo"
        $mix3 = "mixnull"
        $mix4 = "mixazed"

    condition:
        uint16(0) == 0x5A4D and 
        15 of them
}
Download all Yara Rules