Threat Score 100/100 MALICIOUS [#evasive] Hybrid-Analysis (CrowdStrike Sandbox)

GlassWire Installer is identified as 100/100 malicious by Hybrid-Analysis (CrowdStrike)'s sandbox.

Bit concerned about this, I'm fairly paranoid about my security, and I ran the installer SHA256 through VirusTotal,
and it said it was probably clean but I noticed a bunch of YARA and Sigma rules that it was observed triggering and a bunch of files
and IPs that it had flagged so I uploaded it to Hybrid Analysis, did it twice actually just to confirm the link and checksums.
Idk I'm used to Hybrid Analysis coming back with 20% confidence and it turning out to be right.
It's not being ambiguous at all here. Either there's something being packed and injected in the download (unlikely) or possibly your installers are contaminated. It was also surprising and concerning to note that neither had seen the file before.

Also your installer is unsigned?? Something is wrong here…

[VirusTotal - File - 558406e5e1ee53465817975455697a9186a66cae2d652e37c0717d2d1315d187]
virustotal[dot]com(/)gui(/)file(/)558406e5e1ee53465817975455697a9186a66cae2d652e37c0717d2d1315d187(/)details

My original file :
Name: GlassWireSetup.exe
Size: 74214016 bytes (70 MiB)
SHA256: 558406e5e1ee53465817975455697a9186a66cae2d652e37c0717d2d1315d187
Downloaded Jan 29 1:00AM PST from link on glasswire[dot]com webpage at:
download[dot]glasswire[dot]com(/)GlassWireSetup.exe?v=3.1.484&referrer=aHR0cHM6Ly93d3cuYmluZy5jb20v&user_agent=TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzEwOS4wLjAuMCBTYWZhcmkvNTM3LjM2IEVkZy8xMDkuMC4xNTE4Ljcw&ga_client_id=1970329893.1674965360

Hybrid Analysis Details :

hybrid-analysis[dot]com(/)sample(/)558406e5e1ee53465817975455697a9186a66cae2d652e37c0717d2d1315d187(/)63d60577c306536844242efd

Malicious!
Threat Score: 100/100
AV Detection: Marked as clean[#evasive]
Indicators:

Malicious 17
Suspicious 65
Notable 90

GlassWireSetup.exe [unsigned executable]

This report is generated from a file or URL submitted to this webservice on January 29th 2023 05:50:06 (UTC) with action script Heavy Anti-Evasion. Guest System: Windows 10 64 bit, Professional, 10.0 (build 16299). Report generated by Falcon Sandbox.

Sample (71MiB): hybrid-analysis[dot]com(/)sample(/)558406e5e1ee53465817975455697a9186a66cae2d652e37c0717d2d1315d187
Hash Not Seen Before

Risk Assessment

Spyware

Found a string that may be used as part of an injection method
Hooks API calls

Stealer/Phishing

Scans for artifacts that may help identify the target

Persistence

Drops executable files to the application program directory (%ProgramData%)
Installs hooks/patches the running process
Modifies auto-execute functionality by setting/creating a value in the registry
Spawns a lot of processes
Writes data to a remote process

Fingerprint

Contains ability to retrieve information about the current system
Queries firmware table information (may be used to fingerprint/evade)
Queries kernel debugger information
Queries process information
Queries sensitive IE security settings
Queries the display settings of system associated file extensions
Queries the installation properties of user installed products
Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
Reads the system/video BIOS version
Reads the windows installation language
Scans for artifacts that may help identify the target

Evasive

Contains ability to adjust token privileges
Contains ability to change service configuration
Contains ability to check if a debugger is running
Input file contains API references not part of its Import Address Table (IAT)
Marks file for deletion
PE file has a section name known to be used by a packer/protector
References security related windows services
Sets the ‘ThreadHideFromDebugger’ thread data structure

Spreading

Contains ability to enumerate volumes

MITRE ATT&CK™ Techniques Detection

This report has 122 indicators that were mapped to 63 attack techniques and 10 tactics.

Indicators

Not all malicious and suspicious indicators are displayed.

  • Malicious Indicators 17

  • Anti-Detection/Stealthyness

    • [Creates a process in suspended mode (likely for process injection)]
    • [Detected Rundll32 process execution]
    • [Queries firmware table information (may be used to fingerprint/evade)]
  • Environment Awareness

    • [Reads the system/video BIOS version]
  • General

    • [The analysis extracted a file that was identified as malicious]
    • [The analysis spawned a process that was identified as malicious]
    • [Writes data to a remote process]
  • Network Related

    • [Making HTTPS connections using insecure TLS/SSL version]
    • [Scans for artifacts that may help identify the target]
  • System Security

    • [References security related windows services]
  • Unusual Characteristics

    • [Contains ability to reboot/shutdown the operating system]
    • [Spawns a lot of processes]
  • Hiding 5 Malicious Indicators

    • All indicators are available only in the private webservice or standalone version
  • Suspicious Indicators 65

  • Anti-Reverse Engineering

    • [PE file has unusual entropy sections]
    • [Sets the ‘ThreadHideFromDebugger’ thread data structure]
  • General

    • [Reads configuration files]
  • Installation/Persistence

    • [Drops executable files]
    • [Modifies auto-execute functionality by setting/creating a value in the registry]
    • [The input sample dropped/contains a certificate file]
    • [Writes a PE file header to disc]
  • Network Related

    • [Calls an API typically used to download the file from the URL]
    • [Found potential IP address in binary/memory]
    • [Process binds to unusual ports]
  • Ransomware/Banking

    • [Checks warning level of secure to non-secure traffic redirection]
  • Remote Access Related

    • [Contains indicators of bot communication commands]
  • Spyware/Information Retrieval

    • [Calls an API typically used for keylogging]
    • [Calls an API typically used to retrieve information about the current system]
    • [Contains ability to retrieve the command-line string for the current process]
    • [Found an instant messenger related domain]
  • System Destruction

    • [Marks file for deletion]
    • [Opens file with deletion access rights]
  • System Security

    • [Modifies proxy settings]
  • Unusual Characteristics

    • [CRC value set in PE header does not match actual value]
    • [Entrypoint in PE header is within an uncommon section]
    • [Imports suspicious APIs]
    • [Installs hooks/patches the running process]
  • Hiding 42 Suspicious Indicators

    • All indicators are available only in the private webservice or standalone version
  • Informative 90

  • Anti-Detection/Stealthyness

    • [Calls an API typically used to load a resource in memory]
    • [Calls an API typically used to remove a directory]
  • Anti-Reverse Engineering

    • [Contains ability to register a top-level exception handler (API string)]
    • [Contains ability to register a top-level exception handler (often used as anti-debugging trick)]
    • [PE file contains zero-size sections]
  • Cryptographic Related

    • [Contains ability to perform encryption (API string)]
  • Environment Awareness

    • [Calls an API possibly used to retrieve a handle to the foreground window]
    • [Calls an API typically used to get product type]
    • [Calls an API typically used to get system version information]
    • [Calls an API typically used to open an existing named mutex object]
    • [Contains ability to enumerate files inside a directory]
    • [Contains ability to query machine time]
    • [Contains ability to query the machine version]
    • [Contains ability to read software policies]
    • [Contains ability to retrieve system language (API string)]
    • [Contains ability to retrieve the contents of the STARTUPINFO structure (API string)]
    • [Makes a code branch decision directly after an API that is environment aware]
    • [Possibly tries to detect the
    • [Queries volume information of an entire harddrive]
    • [Reads the active computer name]
    • [Reads the cryptographic machine GUID]
    • [Reads the registry for installed applications]
  • External Systems

    • [Sample was identified as clean by Antivirus engines]
  • General

    • [Accesses Software Policy Settings]
    • [Accesses System Certificates Settings]
    • [An application crash occurred]
    • [Calls an API typically used to copy file from one location to another]
    • [Calls an API typically used to create a directory]
    • [Calls an API typically used to create a process]
    • [Calls an API typically used to create an instance of a named pipe]
    • [Contains ability to dynamically determine API calls]
    • [Contains ability to dynamically load libraries]
    • [Contains ability to modify processes thread functionality (API string)]
    • [Contains export functions]
    • [Contains registry location strings]
    • [Creates mutants]
    • [Drops files marked as clean]
    • [Found API related strings]
    • [Found named pipe like strings]
    • [Loads rich edit control libraries]
    • [Overview of unique CLSIDs touched in registry]
    • [PE file contains executable sections]
    • [PE file contains writable sections]
    • [PE file entrypoint instructions]
    • [PE file has a big raw size section]
    • [PE file has a big virtual size section]
    • [PE file has a high image base]
    • [Possibly use system binaries]
    • [Process launched with changed environment]
    • [Reads Windows Trust Settings]
    • [References url in command line]
    • [Scanning for window names]
    • [Spawns new processes]
    • [Spawns new processes that are not known child processes]
    • [The input sample is signed with a certificate]
    • [The input sample is signed with a valid certificate]
  • Installation/Persistence

    • [Contains ability to lookup the windows account name]
    • [Dropped files]
    • [Touches files in program files directory]
    • [Touches files in the Windows directory]
    • [Tries to access non-existent files]
  • Network Related

    • [Found potential URL in binary/memory]
    • [Imports windows networking related APIs]
  • Ransomware/Banking

    • [Contains ability to update the user profile (API string)]
  • Spyware/Information Retrieval

    • [Calls an API possibly used to take screenshots]
    • [Calls an API typically used for taking snapshot of the specified processes]
    • [Calls an API typically used for searching a directory for files]
    • [Contains ability to detect sandbox (mouse cursor movement)]
    • [Contains ability to enumerate files on disk (API string)]
    • [Contains ability to retrieve information about operating system (API string)]
    • [Contains ability to retrieve information about the current system (API string)]
    • [Contains ability to retrieve the NetBIOS name of the local computer (API string)]
    • [Contains ability to retrieve the fully qualified path of module (API string)]
    • [Contains ability to retrieve the name of the user associated with the current thread (API string)]
    • [Contains ability to retrieve the specified system metric or system configuration setting (API string)]
    • [Found registry key string for installed applications]
    • [Imports GetCommandLine API]
    • [Read system defined device setup information from registry]
  • System Security

    • [Contains ability to enable or disable privileges in the specified access token (API string)]
    • [Contains ability to obtain specified information about the security of a file or directory (API string)]
    • [Contains ability to use security policy setting (API string)]
    • [Creates or modifies windows services]
    • [Imports system security related APIs]
  • Unusual Characteristics

    • [Drops executable files inside temp directory]
    • [Drops files inside appdata directory]
    • [Matched Compiler/Packer signature]
    • [Reads information about supported languages]

GlassWireSetup.exe

Filename GlassWireSetup.exe
Size 71MiB (74214016 bytes)

Type peexe executable
Description PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Architecture WINDOWS
SHA256 558406e5e1ee53465817975455697a9186a66cae2d652e37c0717d2d1315d187

Hi @Grateful_Noumena,

I would like to reassure you that this is 100% a false positive. Installers are normally appended with an origin tag to help us understand from which website people download our software.

You can download a “clean” version of the installer from here: GlassWire Software Version Changes List

Best,
Katie
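As an added example (not code from the thread or from GlassWire), the tracking parameters on the download URL quoted above can be decoded to see what the per-download "origin tag" carries, and a constructed installer body shows why appending such a tag gives every download a SHA256 no scanner has seen before. Only the URL parameters come from the thread; that the tag is simply appended to the file end is an assumption for illustration.

```python
import base64
import hashlib
from urllib.parse import parse_qs, urlsplit

# Download URL exactly as quoted in the thread (defanged with "[dot]" and "(/)").
DOWNLOAD_URL = (
    "download[dot]glasswire[dot]com(/)GlassWireSetup.exe?v=3.1.484"
    "&referrer=aHR0cHM6Ly93d3cuYmluZy5jb20v"
    "&user_agent=TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQv"
    "NTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzEwOS4wLjAuMCBTYWZhcmkvNTM3LjM2IEVkZy8xMDkuMC4xNTE4Ljcw"
    "&ga_client_id=1970329893.1674965360"
)


def refang(url: str) -> str:
    """Undo the forum's '[dot]' / '(/)' defanging so the URL can be parsed."""
    return url.replace("[dot]", ".").replace("(/)", "/")


def b64_text(value: str) -> str:
    """Decode a base64 query value, tolerating stripped '=' padding."""
    padded = value + "=" * (-len(value) % 4)
    return base64.b64decode(padded, validate=True).decode("utf-8")


def decode_origin_tags(url: str) -> dict:
    """Return the tracking parameters the download URL carries, decoded."""
    query = parse_qs(urlsplit(refang(url)).query)
    return {
        "version": query["v"][0],
        "referrer": b64_text(query["referrer"][0]),      # where the click came from
        "user_agent": b64_text(query["user_agent"][0]),  # the downloading browser
        "ga_client_id": query["ga_client_id"][0],
    }


def hash_with_tag(installer: bytes, tag: bytes) -> tuple:
    """SHA256 of an installer image before and after a tag is appended (assumed layout)."""
    return hashlib.sha256(installer).hexdigest(), hashlib.sha256(installer + tag).hexdigest()


def demo() -> dict:
    """Constructed stand-in for the 70 MiB installer; the real bytes are not needed."""
    installer = b"MZ" + b"\x00" * 1022                  # constructed fake PE-like body
    tag = b"origin=" + b"https://www.bing.com/"         # constructed per-download tag
    clean, tagged = hash_with_tag(installer, tag)
    return {"tags": decode_origin_tags(DOWNLOAD_URL), "clean_sha256": clean,
            "tagged_sha256": tagged, "hash_changed": clean != tagged}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A hash that neither VirusTotal nor Hybrid Analysis has seen is therefore expected when each download is tagged; the useful check is the vendor's published hash list or the Authenticode signature, not hash reputation alone.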