File name:	064b2be32919cb0fbf3167406d1ee84a.exe
Full analysis:	https://app.any.run/tasks/1d9e1747-27ef-4541-9879-b73da0456eb6
Verdict:	Malicious activity
Threats:	GCleaner is a type of malware loader that has the capability to deliver numerous malicious software programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	March 24, 2025, 16:57:51
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	gcleaner loader telegram stealer lumma inno installer delphi
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:	064B2BE32919CB0FBF3167406D1EE84A
SHA1:	461F8FC65A2AE9813A74A0C955F24D123182D49A
SHA256:	A8F98112B9AE05DA6D4768BA8376F8A816B5D80CB1B497B873E8C26F9430F05B
SSDEEP:	98304:zyKbaIG6kMUeWe68//uQ/pPFvzRYLUBuCGJRMjBWQMAXiz5vo4D1Ax1TYoxE155y:alMPAw553

.exe	\|	Win32 Executable (generic) (42.6)
.exe	\|	Win16/32 Executable Delphi generic (19.5)
.exe	\|	Generic Win/DOS Executable (18.9)
.exe	\|	DOS Executable Generic (18.9)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	1992:06:19 22:22:17+00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	599040
InitializedDataSize:	5204480
UninitializedDataSize:	-
EntryPoint:	0xa10000
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	2.0.4.0
ProductVersionNumber:	2.0.4.0
FileFlagsMask:	0x0017
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileVersion:	2, 0, 4, 0
InternalName:	A2Master
LegalCopyright:	Copyright В© 1999-2010 Gladiators Software
OriginalFileName:	A2Master.exe
ProductName:	Aston2
ProductVersion:	2, 0, 4, 0


(PID) Process:	(8060) svchost015.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(8060) svchost015.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(8060) svchost015.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(5892) WrRAeguS28poo.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Renaming Group Files_is1
Operation:	write	Name:	Inno Setup: Setup Version
Value: 5.5.8 (a)
(PID) Process:	(5892) WrRAeguS28poo.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Renaming Group Files_is1
Operation:	write	Name:	Inno Setup: App Path
Value: C:\Users\admin\AppData\Local\Renaming Group Files 5.4
(PID) Process:	(5892) WrRAeguS28poo.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Renaming Group Files_is1
Operation:	write	Name:	InstallLocation
Value: C:\Users\admin\AppData\Local\Renaming Group Files 5.4\
(PID) Process:	(5892) WrRAeguS28poo.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Renaming Group Files_is1
Operation:	write	Name:	Inno Setup: Icon Group
Value: (Default)
(PID) Process:	(5892) WrRAeguS28poo.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Renaming Group Files_is1
Operation:	write	Name:	Inno Setup: User
Value: admin
(PID) Process:	(5892) WrRAeguS28poo.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Renaming Group Files_is1
Operation:	write	Name:	Inno Setup: Language
Value: English
(PID) Process:	(5892) WrRAeguS28poo.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Renaming Group Files_is1
Operation:	write	Name:	DisplayName
Value: Renaming Group Files 5.4

PID	Process	Filename		Type
7432	064b2be32919cb0fbf3167406d1ee84a.exe	C:\Users\admin\AppData\Local\Temp\svchost015.exe		executable
		MD5:B826DD92D78EA2526E465A34324EBEEA	SHA256:7824B50ACDD144764DAC7445A4067B35CF0FEF619E451045AB6C1F54F5653A5B
5892	WrRAeguS28poo.tmp	C:\Users\admin\AppData\Local\Renaming Group Files 5.4\uninstall\is-KIQF3.tmp		executable
		MD5:EA258FC63B1417666DB137C33EA726AB	SHA256:07643082B8BCED03E89A14F946D9BF92C3B65A20369F30AD7F335BC189B33816
5892	WrRAeguS28poo.tmp	C:\Users\admin\AppData\Local\Temp\is-J964P.tmp\_isetup\_setup64.tmp		executable
		MD5:E4211D6D009757C078A9FAC7FF4F03D4	SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
5892	WrRAeguS28poo.tmp	C:\Users\admin\AppData\Local\Renaming Group Files 5.4\is-FH8GK.tmp		executable
		MD5:EAE56B896A718C3BC87A4253832A5650	SHA256:EE1D7D8F396D627FEE7DCF2655FB5ACFE5A1EE2A5DEEDA764EF311E75B94CEA1
5892	WrRAeguS28poo.tmp	C:\Users\admin\AppData\Local\Renaming Group Files 5.4\uninstall\unins000.exe		executable
		MD5:EA258FC63B1417666DB137C33EA726AB	SHA256:07643082B8BCED03E89A14F946D9BF92C3B65A20369F30AD7F335BC189B33816
5892	WrRAeguS28poo.tmp	C:\Users\admin\AppData\Local\Renaming Group Files 5.4\is-PB3T8.tmp		executable
		MD5:A73EE126B2E6D43182D4C3482899D338	SHA256:06BBE605D7B0EF044871633B496948A8D65C78661E457D0844DC434A0609F763
5892	WrRAeguS28poo.tmp	C:\Users\admin\AppData\Local\Renaming Group Files 5.4\is-JLR7S.tmp		executable
		MD5:A7F201C0B9AC05E950ECC55D4403EC16	SHA256:173092C4E256958B100683A6AB2CE0D1C9895EC63F222198F9DE485E61C728CA
5892	WrRAeguS28poo.tmp	C:\Users\admin\AppData\Local\Renaming Group Files 5.4\libEGL.dll		executable
		MD5:EAE56B896A718C3BC87A4253832A5650	SHA256:EE1D7D8F396D627FEE7DCF2655FB5ACFE5A1EE2A5DEEDA764EF311E75B94CEA1
6048	WrRAeguS28poo.exe	C:\Users\admin\AppData\Local\Temp\is-TJDV9.tmp\WrRAeguS28poo.tmp		executable
		MD5:F44DBA72492636B15E5DEE7554E6C52D	SHA256:A54D412CFC3001CB7DCA5FE08621D0614F1920071E511B11A44392A7DB8EAC0A
8060	svchost015.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\info[1].htm		text
		MD5:FE9B08252F126DDFCB87FB82F9CC7677	SHA256:E63E7EBE4C2DB7E61FFC71AF0675E870BCDE0A9D8916E5B3BE0CB252478030BF

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	2.19.11.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6656	RUXIMICS.exe	GET	200	2.19.11.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
8060	svchost015.exe	GET	200	185.156.73.98:80	http://185.156.73.98/success?substr=mixthree&s=three&sub=none	unknown	—	—	unknown
8060	svchost015.exe	GET	200	185.156.73.98:80	http://185.156.73.98/info	unknown	—	—	malicious
8060	svchost015.exe	GET	200	185.156.73.98:80	http://185.156.73.98/update	unknown	—	—	malicious
8060	svchost015.exe	GET	200	185.156.73.98:80	http://185.156.73.98/service	unknown	—	—	malicious
—	—	GET	304	52.149.20.212:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
—	—	GET	200	20.74.47.205:443	https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=280815&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20250324T165808Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=5cb0ba2969474af5ad88f13ff8867db4&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1280&dispsize=15.3&dispvertres=720&fosver=16299&isu=0&lo=3967737&metered=false&nettype=ethernet&npid=sc-280815&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=122.0.2365.59&tl=2&tsu=1358267&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2	unknown	binary	2.95 Kb	whitelisted
8060	svchost015.exe	GET	200	185.156.73.98:80	http://185.156.73.98/service	unknown	—	—	malicious
—	—	POST	200	40.126.31.1:443	https://login.live.com/RST2.srf	unknown	xml	1.35 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
2104	svchost.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6656	RUXIMICS.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2104	svchost.exe	2.19.11.120:80	crl.microsoft.com	Elisa Oyj	NL	unknown
3216	svchost.exe	40.113.103.199:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6656	RUXIMICS.exe	2.19.11.120:80	crl.microsoft.com	Elisa Oyj	NL	unknown
6544	svchost.exe	40.126.31.131:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
2104	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
google.com	172.217.16.206	whitelisted
crl.microsoft.com	2.19.11.120 2.19.11.105 23.48.23.176 23.48.23.188 23.48.23.185 23.48.23.191 23.48.23.143 23.48.23.177 23.48.23.134 23.48.23.138 23.48.23.137	whitelisted
client.wns.windows.com	40.113.103.199	whitelisted
login.live.com	40.126.31.131 20.190.159.2 20.190.159.131 20.190.159.0 20.190.159.130 40.126.31.3 40.126.31.2 20.190.159.73	whitelisted
settings-win.data.microsoft.com	40.127.240.158	whitelisted
arc.msn.com	20.31.169.57	whitelisted
slscr.update.microsoft.com	52.149.20.212	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted
t.me	149.154.167.99	whitelisted

PID	Process	Class	Message
8060	svchost015.exe	A Network Trojan was detected	LOADER [ANY.RUN] GCleaner HTTP Header
8060	svchost015.exe	A Network Trojan was detected	LOADER [ANY.RUN] GCleaner HTTP Header
8060	svchost015.exe	A Network Trojan was detected	LOADER [ANY.RUN] GCleaner HTTP Header
8060	svchost015.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
8060	svchost015.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
8060	svchost015.exe	Misc activity	ET INFO EXE - Served Attached HTTP
8060	svchost015.exe	A Network Trojan was detected	LOADER [ANY.RUN] GCleaner HTTP Header
8060	svchost015.exe	A Network Trojan was detected	LOADER [ANY.RUN] GCleaner HTTP Header
—	—	Misc activity	ET INFO Observed Telegram Domain (t .me in TLS SNI)
2196	svchost.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile

General Info

064b2be32919cb0fbf3167406d1ee84a.exe

064B2BE32919CB0FBF3167406D1EE84A

461F8FC65A2AE9813A74A0C955F24D123182D49A

A8F98112B9AE05DA6D4768BA8376F8A816B5D80CB1B497B873E8C26F9430F05B

98304:zyKbaIG6kMUeWe68//uQ/pPFvzRYLUBuCGJRMjBWQMAXiz5vo4D1Ax1TYoxE155y:alMPAw553

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

GENERIC has been found (auto)

GCLEANER has been detected (SURICATA)

Steals credentials from Web Browsers

Actions looks like stealing of personal data

LUMMA mutex has been found

SUSPICIOUS

Reads the BIOS version

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Connects to the server without a host name

Process drops legitimate windows executable

The process drops C-runtime libraries

Starts POWERSHELL.EXE for commands execution

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Potential Corporate Privacy Violation

Searches for installed software

INFO

Reads the computer name

Checks supported languages

Create files in a temporary directory

Creates files or folders in the user directory

Checks proxy server information

The sample compiled with english language support

Reads the machine GUID from the registry

Creates a software uninstall entry

Changes the registry key values via Powershell

Creates files in the program directory

Reads the software policy settings

Detects InnoSetup installer (YARA)

Compiled with Borland Delphi (YARA)

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests