type: entity
confidence: low
created: 2026-05-30
updated: 2026-06-15
tags: malware-family, downloader, installer, pe

gcleaner

Umbrella label used by MalwareBazaar and OpenCTI for a cluster of Windows droppers / bundlers that drop varied payloads (stealers, miners, PUPs). In this corpus, the dropped-by-gcleaner tag appears on ~29 samples assigned to disparate families (euone, bb5file, uniqfile, us0file, usfile, salatstealer, masslogger, eu0file). This suggests gcleaner is a multi-payload distribution infrastructure rather than a single malware family.

Build Stack

Heterogeneous — observed droppers include Delphi (see euone), .NET, and scripted variants. No consistent compiler fingerprint.

Deployment / TTPs

  • Installation: Often masquerades as system "cleaner" or "optimizer" software.
  • Drop behaviour: Downloads or embeds secondary payloads at runtime.
  • Attribution: Tags overlap with offloader and dropped-by-offloader OpenCTI labels.

Notable Analyses

  • euone — Delphi VCL dropper; lone euone-labelled sample in this corpus.
  • See also /intel/analyses/d46e2b499e86af660a5778b64eea5738a5fea32b693dc078b0d2067abf176aec.html — false-positive assessment of a dropped-by-gcleaner-tagged legitimate mspaint.exe (Windows 8.1 RTM). Demonstrates how the gcleaner umbrella label can over-tag benign system binaries when they are bundled in distribution archives.

Capabilities

  • multi-payload-dropper
  • system-optimizer-social-engineering

References

  • OpenCTI label: gcleaner / dropped-by-gcleaner / dropped-by-offloader