The ThreatFox: GCleaner IOCs rule detects potential adversary activity associated with the GCleaner malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromises before significant data loss or system disruption occurs.
IOC Summary
Malware Family: GCleaner
Total IOCs: 3
IOC Types: md5_hash, sha256_hash, sha1_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha1_hash | 0ca01817ecdf07b17f89b5e8a070e541c5dd922b | payload | 2026-06-11 | 95% |
| md5_hash | c843d4538bb0f0c1b31e057ec7d8d8c1 | payload | 2026-06-11 | 95% |
| sha256_hash | d049d136b7c8aaf342ffd924e09d23b2ca168552b3a6b3cf68913657b68fdf37 | payload | 2026-06-11 | 95% |
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - GCleaner
// The list mixes all three hash types (sha1, md5, sha256); each column is checked against the whole list
let malicious_hashes = dynamic([
    "0ca01817ecdf07b17f89b5e8a070e541c5dd922b",
    "c843d4538bb0f0c1b31e057ec7d8d8c1",
    "d049d136b7c8aaf342ffd924e09d23b2ca168552b3a6b3cf68913657b68fdf37"
]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector (Microsoft Defender for Endpoint advanced hunting) is enabled |
Scenario: Legitimate System Maintenance Task
Description: A system administrator is running a scheduled maintenance job that uses a tool like CCleaner or Disk Cleanup which may have similar IOCs due to similar file names or behaviors.
Filter/Exclusion: Exclude processes associated with known legitimate maintenance tools (e.g., ccleaner.exe, cleanmgr.exe) or filter by process name using process.name != "ccleaner.exe" AND process.name != "cleanmgr.exe".
Scenario: Antivirus or Endpoint Protection Scan
Description: A security tool like Microsoft Defender or Malwarebytes is performing a scan and temporarily creates files or uses network connections that match GCleaner IOCs.
Filter/Exclusion: Exclude processes associated with antivirus tools (e.g., MsMpEng.exe, mbam.exe) using process.name != "MsMpEng.exe" AND process.name != "mbam.exe".
Scenario: Scheduled Backup or Sync Job
Description: A backup tool like Veeam, Acronis, or a cloud sync service (e.g., OneDrive, Dropbox) is executing a scheduled job that involves file operations or network traffic matching GCleaner IOCs.
Filter/Exclusion: Exclude processes related to backup or sync tools (e.g., veeam.exe, onedrive.exe, dropbox.exe) using process.name != "veeam.exe" AND process.name != "onedrive.exe" AND process.name != "dropbox.exe".
Scenario: Software Update or Patch Deployment
Description: A patching tool like Windows Update, WSUS, or third-party tools like Patch Manager is deploying updates and may trigger IOCs due to temporary file creation or network communication.
Filter/Exclusion:
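The scenarios above describe the exclusions in a generic `process.name != ...` notation; in the DeviceFileEvents table the equivalent field is InitiatingProcessFileName. The query below is an added example, not part of the ThreatFox rule, that applies those exclusions in KQL. The allowlist contents are assumptions taken only from the scenario text and should be adjusted to the tools actually deployed in the environment.

```kql
// Added example: GCleaner hash hunt with the false-positive exclusions applied.
// Not part of the original ThreatFox rule; the allowlist is an assumption built
// from the scenarios above.
let malicious_hashes = dynamic([
    "0ca01817ecdf07b17f89b5e8a070e541c5dd922b",
    "c843d4538bb0f0c1b31e057ec7d8d8c1",
    "d049d136b7c8aaf342ffd924e09d23b2ca168552b3a6b3cf68913657b68fdf37"
]);
// Initiating processes named in the scenarios: maintenance tools, endpoint
// protection, and backup/sync clients (assumed allowlist, tune per environment)
let benign_initiators = dynamic([
    "ccleaner.exe", "cleanmgr.exe",
    "MsMpEng.exe", "mbam.exe",
    "veeam.exe", "onedrive.exe", "dropbox.exe"
]);
DeviceFileEvents
// Hash columns are lower-case hex; tolower() guards against mixed-case IOC feeds
| where tolower(SHA256) in (malicious_hashes)
     or tolower(SHA1) in (malicious_hashes)
     or tolower(MD5) in (malicious_hashes)
// !in~ is the case-insensitive form, so "CCleaner.exe" is excluded as well
| where InitiatingProcessFileName !in~ (benign_initiators)
| project Timestamp, DeviceName, FileName, FolderPath, ActionType,
          SHA1, MD5, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

Because a file-hash match is a high-confidence indicator regardless of which process wrote the file, a less lossy variant is to keep every hit and tag the allowlisted ones for triage instead of dropping them: replace the second `where` with `| extend LikelyBenignInitiator = InitiatingProcessFileName in~ (benign_initiators)` and sort or filter on that column in the analytics rule.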