Extracted

• • Target

    000b8aabf249b098debf5272810ca2dda8e48f001da966ba8323dc1b3d8d0b39.exe

  • Size

    4.1MB

  • MD5

    74075a1f3749894c3feaced189e5212a

  • SHA1

    904ee457c526dcd3243353ddcc41635288653a32

  • SHA256

    000b8aabf249b098debf5272810ca2dda8e48f001da966ba8323dc1b3d8d0b39

  • SHA512

    035f99e1fd39a06e07da81b51587c11f7a758c50b2bf615d0b7b69dbeba1f0bc027e1995c05f4f39e556c648225faa1a769caf618e5846a5c103dc4d07f8e2b5

  • SSDEEP

    98304:STEXVUj7b8BS2EhLrUiYDdlVEoDX/WY/rayxR:STKi4dkUjDdfR/W8

  Score

  10^/10

  defense_evasiondiscoverygcleanerloader

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner

  • Gcleaner family

    gcleaner

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2