user@threatcheck.sh ~ threat-analysis
$ analyze-threat Trojan:Win32/GCleaner!rfn
Trojan:Win32/GCleaner!rfn - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win32/GCleaner!rfn
Classification:
 - Type: Trojan - appears legitimate but performs malicious actions
 - Platform: Win32 - 32-bit Windows
 - Family: GCleaner
 - Detection Type: Concrete - known malware family with identified signatures
 - Suffix: !rfn - an internal Microsoft category suffix; it does not name a variant or a ransomware family
 - Confidence: Very High
 - False-Positive Risk: Low

Concrete signature match: Trojan (appears legitimate but performs malicious actions), 32-bit Windows platform, family GCleaner.

Summary:

Based on the signature's string conditions, Trojan:Win32/GCleaner!rfn is a Trojan that communicates with a command and control (C2) server at 185.156.73.73, persists through scheduled tasks and BITS jobs, and manipulates the system by terminating processes (taskkill) and deleting files (erase). It abuses legitimate Windows utilities (mshta, PowerShell, rundll32 and regsvr32) to execute its payload and evade detection. The signature also references string patterns for hooking, data encoding, remote file copy, remote services and netsh helper DLLs, so expect the sample to carry more capability than the C2 and persistence behaviour alone.

Severity:
Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - GCleaner.Properties.Resources (PEHSTR_EXT)
 - /f & erase (PEHSTR_EXT)
 - /c taskkill /im (PEHSTR_EXT)
 - 185.156.73.73 (PEHSTR_EXT)
 - .rsrc (PEHSTR_EXT)
 - .idata (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware which is associated with this threat:
 - Filename: 37b9c4229fe6aa6e51f8e3bdcf0ac799
   SHA-256: 5892c047a128423e4c90e6923dc5476e4ea17790b2550e87a93b4e1e9c831e9e
   Date: 19/01/2026
 - Filename: d78fb6b547e0d05e2775a0a5aaffd5d8
   SHA-256: 14c25ba4e521aa9dff9ef3af884cec759441d7bb48729e7f8231b2c071dc34b9
   Date: 19/01/2026
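Static triage of a suspect file against the literal strings and the SHA-256 hashes listed above, as an added example (not code from the original report and not Microsoft's signature logic). Only the plain strings can be checked this way: the !#HSTR:StringCodeFor* entries refer to Defender-internal sub-signatures whose contents are not published, and the real signature's weights and thresholds are unknown, so the "three or more string hits" rule, the function names and the constructed sample file are this example's own assumptions.

```powershell
# Added example: triage a file against the literal PEHSTR_EXT strings and the
# known-sample hashes from the report above. The ">= 3 hits" threshold is an
# assumption of this example, not the signature's real condition.

$Indicators = @(
    'GCleaner.Properties.Resources',
    '/f & erase',
    '/c taskkill /im',
    '185.156.73.73',
    'rundll32'
)
# '.rsrc' and '.idata' are ordinary PE section names present in most benign
# executables, so they are reported but not counted towards the score.
$SectionNames = @('.rsrc', '.idata')

$KnownHashes = @(
    '5892C047A128423E4C90E6923DC5476E4EA17790B2550E87A93B4E1E9C831E9E',
    '14C25BA4E521AA9DFF9EF3AF884CEC759441D7BB48729E7F8231B2C071DC34B9'
)

function Get-StringViews {
    # Return the file content as an 8-bit view and as two UTF-16LE views.
    # PE binaries mix ANSI and wide strings, and a wide string may start at an
    # odd byte offset, so decoding from offset 0 and from offset 1 catches both.
    param([byte[]]$Bytes)
    $latin1  = [System.Text.Encoding]::GetEncoding(28591)
    $unicode = [System.Text.Encoding]::Unicode
    $views = @($latin1.GetString($Bytes), $unicode.GetString($Bytes))
    if ($Bytes.Length -gt 1) {
        $views += $unicode.GetString($Bytes, 1, $Bytes.Length - 1)
    }
    $views
}

function Test-GCleanerIndicators {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $views = Get-StringViews -Bytes $bytes

    # Ordinal, case-sensitive substring match in any of the decoded views.
    $hits     = @($Indicators   | Where-Object { $needle = $_; @($views | Where-Object { $_.Contains($needle) }).Count -gt 0 })
    $sections = @($SectionNames | Where-Object { $needle = $_; @($views | Where-Object { $_.Contains($needle) }).Count -gt 0 })
    $sha256   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    [pscustomobject]@{
        Path        = $Path
        SHA256      = $sha256
        KnownSample = $KnownHashes -contains $sha256
        StringHits  = $hits
        PESections  = $sections
        Suspicious  = ($KnownHashes -contains $sha256) -or ($hits.Count -ge 3)
    }
}

# Constructed sample so the script runs stand-alone: a file carrying three of
# the indicator strings, one of them stored as UTF-16LE at an odd byte offset.
$samplePath = Join-Path $env:TEMP 'gcleaner-triage-sample.bin'
$ansiPart = [System.Text.Encoding]::ASCII.GetBytes('MZ cmd /c taskkill /im chrome.exe /f & erase "%~f0" X')
$widePart = [System.Text.Encoding]::Unicode.GetBytes('http://185.156.73.73/')
[System.IO.File]::WriteAllBytes($samplePath, [byte[]]($ansiPart + $widePart))

# Expected on the constructed sample: three StringHits, no PE sections,
# KnownSample false, Suspicious true.
Test-GCleanerIndicators -Path $samplePath | Format-List
```

Point `-Path` at the real suspect file to triage it; a hash match against the two listed samples is conclusive on its own, while string hits alone are a reason to sandbox the file, not proof of the family.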
Remediation Steps:
Isolate the infected host from the network (at the switch or through EDR, not just with a host firewall rule). Confirm the detection in Defender's threat history and compare the SHA-256 of any file still on disk with the hashes listed above. Update signatures and run a full scan. Hunt for the persistence the signature points to: scheduled tasks and BITS jobs that launch mshta, rundll32, regsvr32 or PowerShell. Review proxy, firewall and DNS logs for connections to 185.156.73.73 and for the other indicators above, and block the address at the perimeter firewall. Because the signature indicates hooking and LOLBin-based execution, treat the host as untrustworthy and strongly consider re-imaging it rather than relying on cleanup alone.
=== END REPORT ===
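First-response checks for the remediation steps above, as an added example (not part of the original report and not Microsoft's code). It assumes an elevated PowerShell session on the affected host with the Defender, ScheduledTasks, BitsTransfer, NetTCPIP and NetSecurity modules available; the firewall rule name, the LOLBin pattern and the event-ID filter are this example's own choices.

```powershell
# Added example: confirm the Trojan:Win32/GCleaner!rfn detection, hunt for the
# persistence and C2 the signature points to, contain, and rescan. Run elevated.

$ThreatName  = 'Trojan:Win32/GCleaner!rfn'
$C2Address   = '185.156.73.73'
$KnownHashes = @(
    '5892C047A128423E4C90E6923DC5476E4EA17790B2550E87A93B4E1E9C831E9E',
    '14C25BA4E521AA9DFF9EF3AF884CEC759441D7BB48729E7F8231B2C071DC34B9'
)

# 1. Confirm the detection in Defender's own history and hash what is still on disk.
$threatIds  = @(Get-MpThreat | Where-Object ThreatName -eq $ThreatName | ForEach-Object ThreatID)
$detections = @(Get-MpThreatDetection | Where-Object { $threatIds -contains $_.ThreatID })
foreach ($d in $detections) {
    foreach ($res in $d.Resources) {
        # Resources are recorded as "file:_C:\path\to\sample.exe"; quarantined files are already gone.
        if ($res -match '^file:_(.+)$' -and (Test-Path -LiteralPath $Matches[1])) {
            $hash = (Get-FileHash -LiteralPath $Matches[1] -Algorithm SHA256).Hash
            [pscustomobject]@{
                Path        = $Matches[1]
                SHA256      = $hash
                KnownSample = $KnownHashes -contains $hash
                DetectedAt  = $d.InitialDetectionTime
            }
        }
    }
}

# Defender's operational log gives the timeline (1116 = malware detected, 1117 = action taken).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1116, 1117 } -ErrorAction SilentlyContinue |
    Where-Object Message -match 'GCleaner' |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } }

# 2. Persistence: scheduled tasks and BITS jobs that invoke the LOLBins named by the signature.
#    Legitimate software also schedules powershell.exe and rundll32.exe, so review this output
#    rather than deleting blindly.
$lolbinPattern = 'mshta|rundll32|regsvr32|powershell|bitsadmin'
Get-ScheduledTask | Where-Object {
    (($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ') -match $lolbinPattern
} | Select-Object TaskPath, TaskName,
    @{ n = 'Command'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }

Get-BitsTransfer -AllUsers | Select-Object DisplayName, JobState, OwnerAccount, CreationTime,
    @{ n = 'RemoteUrls'; e = { ($_.FileList | ForEach-Object RemoteName) -join ', ' } }

# 3. Network: live connections to the C2 address, then block it outbound.
#    A host firewall rule is containment, not isolation; isolate at the switch or via EDR first.
Get-NetTCPConnection -RemoteAddress $C2Address -ErrorAction SilentlyContinue |
    Select-Object LocalPort, RemotePort, State, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } }

if (-not (Get-NetFirewallRule -DisplayName 'Block GCleaner C2' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Block GCleaner C2' -Direction Outbound -Action Block `
        -RemoteAddress $C2Address -Profile Any | Out-Null
}

# 4. Full scan with current signatures.
Update-MpSignature
Start-MpScan -ScanType FullScan
```

Capture the output of steps 1 to 3 before the rescan and before any re-image, since Defender's remediation and a rebuild both destroy the on-disk evidence the persistence and hash checks depend on.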
This analysis was last updated on 19/01/2026.