The ThreatFox: GCleaner IOCs rule detects potential adversary activity associated with the GCleaner malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats that may have evaded initial detection mechanisms.
IOC Summary

Malware Family: GCleaner
Total IOCs: 14
IOC Types: url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxp://212[.]192[.]246[.]217/access.php | botnet_cc | 2026-06-08 | 100% |
| url | hxxp://45[.]9[.]20[.]13/partner/loot.php | botnet_cc | 2026-06-08 | 100% |
| url | hxxp://37[.]0[.]8[.]39/access.php | botnet_cc | 2026-06-08 | 100% |
| url | hxxp://the-flash-man.com/Installer_HwtcxtRp5S8kqr2V9ysBB7Utrt/UltraMediaBurner.exe | botnet_cc | 2026-06-08 | 100% |
| url | hxxp://hsiens.xyz/addInstall.php | botnet_cc | 2026-06-08 | 100% |
| url | hxxp://194[.]145[.]227[.]161/partner.php | botnet_cc | 2026-06-08 | 100% |
| url | hxxp://194[.]145[.]227[.]161/dlc/sharing.php | botnet_cc | 2026-06-08 | 100% |
| url | hxxp://cleaner-partners.ltd/check.php | botnet_cc | 2026-06-08 | 100% |
| url | hxxp://cleaner-partners.ltd/stats/save.php | botnet_cc | 2026-06-08 | 100% |
| url | hxxp://mazama.xyz/addInstall.php | botnet_cc | 2026-06-08 | 100% |
| url | hxxp://appwebstat.biz/stats/1.php | botnet_cc | 2026-06-08 | 100% |
| url | hxxp://appwebstat.biz/connection | botnet_cc | 2026-06-08 | 100% |
| url | hxxp://onlinehueplet.com/77_1.exe | botnet_cc | 2026-06-08 | 100% |
| url | hxxp://gc-distribution.biz/pub.php | botnet_cc | 2026-06-08 | 100% |
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - GCleaner
let malicious_urls = dynamic(["http://212.192.246.217/access.php", "http://45.9.20.13/partner/loot.php", "http://37.0.8.39/access.php", "http://the-flash-man.com/Installer_HwtcxtRp5S8kqr2V9ysBB7Utrt/UltraMediaBurner.exe", "http://hsiens.xyz/addInstall.php", "http://194.145.227.161/partner.php", "http://194.145.227.161/dlc/sharing.php", "http://cleaner-partners.ltd/check.php", "http://cleaner-partners.ltd/stats/save.php", "http://mazama.xyz/addInstall.php", "http://appwebstat.biz/stats/1.php", "http://appwebstat.biz/connection", "http://onlinehueplet.com/77_1.exe", "http://gc-distribution.biz/pub.php"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure this data connector is enabled |
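The IOC table above is defanged (`hxxp://`, `[.]`) while the hunting query needs live URLs, and a copy-paste slip between the two is the usual way a hunt silently matches nothing. The following Python, added here as an example and not part of the original rule page, refangs the 14 GCleaner URLs from the table, emits the `let malicious_urls = dynamic([...])` line the query uses, and runs the same exact-URL match offline against a handful of constructed click records shaped like the projected UrlClickEvents columns. It also goes one step beyond the page's query with a host-level match (any URL on a listed C2 host), which is broader than `has_any` on full URLs and will catch a path variant but costs more triage. The sample records are constructed, not real telemetry.

```python
"""Refang ThreatFox-style defanged URL IOCs and match them against URL-click records.

Added example, not the rule page's own code. IOC values are the GCleaner URLs from
the table above; the click records below are constructed sample data.
"""
import re
from urllib.parse import urlsplit

# Defanged URLs copied verbatim from the IOC table (ThreatFox, GCleaner).
DEFANGED_IOCS = [
    "hxxp://212[.]192[.]246[.]217/access.php",
    "hxxp://45[.]9[.]20[.]13/partner/loot.php",
    "hxxp://37[.]0[.]8[.]39/access.php",
    "hxxp://the-flash-man.com/Installer_HwtcxtRp5S8kqr2V9ysBB7Utrt/UltraMediaBurner.exe",
    "hxxp://hsiens.xyz/addInstall.php",
    "hxxp://194[.]145[.]227[.]161/partner.php",
    "hxxp://194[.]145[.]227[.]161/dlc/sharing.php",
    "hxxp://cleaner-partners.ltd/check.php",
    "hxxp://cleaner-partners.ltd/stats/save.php",
    "hxxp://mazama.xyz/addInstall.php",
    "hxxp://appwebstat.biz/stats/1.php",
    "hxxp://appwebstat.biz/connection",
    "hxxp://onlinehueplet.com/77_1.exe",
    "hxxp://gc-distribution.biz/pub.php",
]


def refang(url: str) -> str:
    """Undo the common defanging conventions: hxxp(s):// -> http(s)://, [.] -> ."""
    url = url.strip().replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def normalize(url: str) -> str:
    """Canonical form for exact matching: lowercase scheme and host, path kept as-is
    (paths can be case-sensitive on the server, so we do not fold them)."""
    p = urlsplit(url)
    out = f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}"
    return out + (f"?{p.query}" if p.query else "")


def build_ioc_set(defanged):
    """Exact-URL match set, equivalent to the query's malicious_urls list."""
    return {normalize(refang(u)) for u in defanged}


def build_host_set(defanged):
    """Hosts (IPs or domains) of the IOC URLs, for the broader host-level hunt."""
    return {urlsplit(refang(u)).hostname for u in defanged}


def to_kql(defanged) -> str:
    """Emit the `let` line for the hunting query straight from the defanged list."""
    urls = ", ".join(f'"{refang(u)}"' for u in defanged)
    return f"let malicious_urls = dynamic([{urls}]);"


# Constructed sample records with the columns the query projects.
SAMPLE_CLICKS = [
    {"Timestamp": "2026-06-09T08:12:03Z", "AccountUpn": "alice@example.test",
     "Url": "http://appwebstat.biz/connection", "ActionType": "ClickAllowed",
     "IsClickedThrough": True},
    {"Timestamp": "2026-06-09T08:15:41Z", "AccountUpn": "bob@example.test",
     "Url": "HTTP://CLEANER-PARTNERS.LTD/check.php", "ActionType": "ClickBlocked",
     "IsClickedThrough": False},
    {"Timestamp": "2026-06-09T09:01:00Z", "AccountUpn": "carol@example.test",
     "Url": "https://www.example.test/docs/index.html", "ActionType": "ClickAllowed",
     "IsClickedThrough": True},
    {"Timestamp": "2026-06-09T09:20:17Z", "AccountUpn": "dave@example.test",
     "Url": "http://194.145.227.161/other.php", "ActionType": "ClickAllowed",
     "IsClickedThrough": True},
]


def hunt_exact(records, ioc_set):
    """Same semantics as the KQL query: the full URL must be on the IOC list."""
    return [r for r in records if normalize(r["Url"]) in ioc_set]


def hunt_by_host(records, host_set):
    """Broader variant: any URL whose host is a listed C2 host (more hits, more triage)."""
    return [r for r in records if urlsplit(r["Url"]).hostname in host_set]


if __name__ == "__main__":
    print(to_kql(DEFANGED_IOCS))
    for r in hunt_exact(SAMPLE_CLICKS, build_ioc_set(DEFANGED_IOCS)):
        print("exact  ", r["Timestamp"], r["AccountUpn"], r["Url"])
    for r in hunt_by_host(SAMPLE_CLICKS, build_host_set(DEFANGED_IOCS)):
        print("by-host", r["Timestamp"], r["AccountUpn"], r["Url"])
```

On the sample data the exact match returns two records (the mixed-case second record matches because scheme and host are case-insensitive), while the host-level match also flags the fourth record, whose path is not on the list but whose host is one of the listed C2 IPs. The KQL `has_any` operator is term-based, so keep the generated list as full URLs rather than bare hosts unless you intend the broader match.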
Scenario: Legitimate System Maintenance Task
Description: A system administrator is running a scheduled maintenance task that uses a tool known to be on the ThreatFox GCleaner IOC list, such as msiexec.exe or schtasks.exe.
Filter/Exclusion: Exclude processes associated with known system maintenance tools or scheduled jobs using process.name or process.parent_process_name matching schtasks.exe, taskhost.exe, or msiexec.exe.

Scenario: Antivirus or Endpoint Protection Scan
Description: A security tool like Malwarebytes or Bitdefender is performing a full system scan and triggering the GCleaner IOC rule due to its own internal scanning mechanisms.
Filter/Exclusion: Exclude processes with process.name matching mbam.exe, bitdefender.exe, or avgnt.exe using a process name filter.

Scenario: Legitimate Software Deployment via SCCM
Description: A software deployment via System Center Configuration Manager (SCCM) is using a package that includes a tool flagged by the GCleaner IOC list, such as setup.exe or msiexec.exe.
Filter/Exclusion: Exclude processes initiated by SCCM using process.parent_process_name matching smsts.exe or ccmexec.exe.

Scenario: User-Initiated Software Installation
Description: A user is installing a legitimate application (e.g., 7-Zip, WinRAR, or Java Runtime Environment) that includes a file or process matching a GCleaner IOC.
Filter/Exclusion: Exclude processes initiated by user interaction using process.user or process.command_line containing known legitimate installers.

Scenario: False Positive from Threat Intelligence Feed
Description: The GCleaner IOC list