General

  • Target

    SecuriteInfo.com.Win32.Evo-gen.13160.23898.exe

  • Size

    4.2MB

  • Sample

    250211-s9dqvs1lat

  • MD5

    80278280110781487921eba083f79e2e

  • SHA1

    8ed2d3e0c9e78b1575ff2886558398a4074e6838

  • SHA256

    4d3aa14948f97ff46c917176defbfe0d2d4ba8d277be6244733dde8b65ce78cd

  • SHA512

    041f940f8cadd4f489db1479d1e7d434a69ef78bbc7573fd91da27ed3200d283a7b6ed0c8f0ccc9aaf38a936d5b037c531e2cd9cc4d6fab91dadb571662f1a92

  • SSDEEP

    98304:/gmfbyBs6/1HRcz2zZwpw2fx9Yv5USDHmhmX:/5+BIKz+pZxSDR

Malware Config

Extracted

Family

gcleaner

C2

185.156.73.73

Targets

    • Target

      SecuriteInfo.com.Win32.Evo-gen.13160.23898.exe

    • Size

      4.2MB

    • MD5

      80278280110781487921eba083f79e2e

    • SHA1

      8ed2d3e0c9e78b1575ff2886558398a4074e6838

    • SHA256

      4d3aa14948f97ff46c917176defbfe0d2d4ba8d277be6244733dde8b65ce78cd

    • SHA512

      041f940f8cadd4f489db1479d1e7d434a69ef78bbc7573fd91da27ed3200d283a7b6ed0c8f0ccc9aaf38a936d5b037c531e2cd9cc4d6fab91dadb571662f1a92

    • SSDEEP

      98304:/gmfbyBs6/1HRcz2zZwpw2fx9Yv5USDHmhmX:/5+BIKz+pZxSDR

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks