GH3[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

GH3.exe
Size

6.7MB
MD5

8b38b231bf569a739b82b17420e90184
SHA1

37383076d72831cd9bdbfada193424c9ed957015
SHA256

801f8a522651a479d63a9ff5fbde5be949ba0b7ad2ec0e5fb1d92ab1a8ef2154
SHA512

bd85c75a2600622cdb80be1d8a298064cf4ee399befaaae2e8da742c69a37cadcc7cc476fe358d13e4eff848fa14dd9c8cc47249e9aadb7aa0ef23143fe36941
SSDEEP

98304:qQjLoRlhzPR6QUnszOdOpuVL5/955LXur4amNqIBi0AYL4l:qQQfhrR6kUlZXnBi0Ae4l

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
GH3.exe

Files

GH3.exe
.exe windows x86

e846d39b22f3def32ef49f28200fcdb4

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

d3dx9_35

D3DXMatrixMultiply
D3DXCreateTextureFromFileInMemoryEx
D3DXVec3TransformCoord
D3DXSaveTextureToFileInMemory
D3DXCreateVolumeTextureFromFileInMemoryEx
D3DXCreateCubeTextureFromFileInMemoryEx
D3DXMatrixLookAtRH
D3DXMatrixOrthoRH

kernel32

GetTickCount
Sleep
QueryPerformanceFrequency
QueryPerformanceCounter
CloseHandle
ReleaseMutex
WaitForSingleObject
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
SetStdHandle
FlushFileBuffers
VirtualQuery
GetModuleFileNameW
SetFilePointer
GetLocaleInfoW
IsValidLocale
EnumSystemLocalesA
GetUserDefaultLCID
GetStringTypeW
GetStringTypeA
GetLocaleInfoA
GetConsoleMode
GetConsoleCP
FreeLibrary
VirtualAlloc
LoadLibraryA
CreateMutexA
GetCurrentProcessId
VirtualFree
HeapCreate
HeapDestroy
GetFileType
SetHandleCount
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
IsValidCodePage
GetOEMCP
GetACP
GetModuleFileNameA
GetStdHandle
SetLastError
TlsFree
HeapReAlloc
HeapSize
GetCPInfo
LCMapStringW
LCMapStringA
ExitProcess
GetProcAddress
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
RaiseException
GetStartupInfoA
GetProcessHeap
HeapAlloc
GetVersionExA
HeapFree
RtlUnwind
MultiByteToWideChar
InterlockedDecrement
WideCharToMultiByte
InterlockedIncrement
SignalObjectAndWait
InterlockedExchange
InterlockedExchangeAdd
GetExitCodeThread
ExitThread
CreateThread
SetThreadPriority
ResumeThread
ReadFile
GetFileAttributesExA
SetFilePointerEx
CreateFileA
GetFileSize
RemoveDirectoryA
CreateDirectoryA
SetEndOfFile
WriteFile
GetOverlappedResult
DeleteFileA
CancelIo
GetDiskFreeSpaceExA
GetVolumeInformationA
GetLocalTime
CreateSemaphoreA
DebugBreak
GetCommandLineA
GetSystemTimeAsFileTime
TlsAlloc
GetModuleHandleA
GetCurrentThreadId
TlsGetValue
OutputDebugStringA
LeaveCriticalSection
EnterCriticalSection
TryEnterCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
FindClose
FileTimeToSystemTime
FileTimeToLocalFileTime
FindNextFileA
GetLastError
FindFirstFileA
InitializeCriticalSection
TlsSetValue
ReleaseSemaphore
GlobalMemoryStatus

awl

?GetConfigString@Win@Aspyr@@YAPADPBDPAD0@Z
?GetLanguage@Win@Aspyr@@YAPADPAD@Z
?SetConfigString@Win@Aspyr@@YAXPBD0@Z
?GetPathTemp@Win@Aspyr@@YAPADPAD@Z
?GetFullVersion@Win@Aspyr@@YAPADPAD@Z
?GetPathInstall@Win@Aspyr@@YAPADPAD@Z
?ShowErrorMessage@Win@Aspyr@@YAXW4Error@12@@Z
?IsActive@Win@Aspyr@@YA_NXZ
?ExitProcess@Win@Aspyr@@YAXI@Z
?GetConfigNumber@Win@Aspyr@@YANPB_WN@Z
?TerminateProcess@Win@Aspyr@@YAXI@Z
?GetDirectInputObjectName@Win@Aspyr@@YAPA_WPAUIUnknown@@KPA_W@Z
?Init@Win@Aspyr@@YA?AW4Error@12@W4Mode@12@@Z
?GetConfigNumber@Win@Aspyr@@YANPBDN@Z
?SetConfigNumber@Win@Aspyr@@YAXPBDN@Z
?SetConfigNumber@Win@Aspyr@@YAXPB_WN@Z
?GetPathUserVisible@Win@Aspyr@@YAPADPAD@Z
?GetPathUserNonVisible@Win@Aspyr@@YAPADPAD@Z
?GetTitle@Win@Aspyr@@YAPA_WPA_W@Z
?DefWindowProcA@Win@Aspyr@@YAJPAUHWND__@@IIJ@Z

ws2_32

WSAStartup
WSACleanup
gethostbyname
socket
recv
inet_addr
inet_ntoa
setsockopt
ioctlsocket
recvfrom
ntohs
sendto
htons
bind
WSAGetLastError
closesocket
htonl
select
__WSAFDIsSet
accept
listen
send
connect
WSAAsyncSelect
gethostname
getsockname

d3d9

Direct3DCreate9

xinput1_3

ord2
ord5
ord4

mac3r

?Initialize@CMassiveClientCore@MassiveAdClient3@@SAPAV12@PAU__MAD_MASSIVE_INIT_STRUCT@2@@Z
?SetImpression@CMassiveAdObjectSubscriber@MassiveAdClient3@@QAEXPAU_MAD_Impression@2@@Z
?EnterZone@CMassiveClientCore@MassiveAdClient3@@SAHPBD@Z
?FlushImpressions@CMassiveClientCore@MassiveAdClient3@@SAHXZ
??1CMassiveAdObjectSubscriber@MassiveAdClient3@@QAE@XZ
??0CMassiveAdObjectSubscriber@MassiveAdClient3@@QAE@PBD@Z
?ExitZone@CMassiveClientCore@MassiveAdClient3@@SAHPBD@Z
?Shutdown@CMassiveClientCore@MassiveAdClient3@@SAHHI@Z
?Tick@CMassiveClientCore@MassiveAdClient3@@SAHH@Z

binkw32

_BinkWait@4
_BinkShouldSkip@4
_BinkNextFrame@4
_BinkControlBackgroundIO@8
_BinkGoto@12
_BinkSetFrameRate@8
_BinkSetIOSize@4
_BinkSetSoundTrack@8
_BinkOpen@8
_BinkGetError@0
_BinkSetVolume@12
_BinkGetFrameBuffersInfo@8
_BinkDoFrame@4
_BinkRegisterFrameBuffers@8
_BinkClose@4
_BinkSetMemory@8
_BinkPause@8
_BinkGetRealtime@12
_BinkOpenDirectSound@4
_BinkOpenWaveOut@4
_BinkSetSoundSystem@8

fmodex

?setPaused@Channel@FMOD@@QAG?AW4FMOD_RESULT@@_N@Z
?stop@Channel@FMOD@@QAG?AW4FMOD_RESULT@@XZ
?setPosition@Channel@FMOD@@QAG?AW4FMOD_RESULT@@II@Z
FMOD_Memory_GetStats
?release@ChannelGroup@FMOD@@QAG?AW4FMOD_RESULT@@XZ
?createChannelGroup@System@FMOD@@QAG?AW4FMOD_RESULT@@PBDPAPAVChannelGroup@2@@Z
?getMasterChannelGroup@System@FMOD@@QAG?AW4FMOD_RESULT@@PAPAVChannelGroup@2@@Z
?addGroup@ChannelGroup@FMOD@@QAG?AW4FMOD_RESULT@@PAV12@@Z
?setChannelGroup@Channel@FMOD@@QAG?AW4FMOD_RESULT@@PAVChannelGroup@2@@Z
?addDSP@ChannelGroup@FMOD@@QAG?AW4FMOD_RESULT@@PAVDSP@2@@Z
?close@System@FMOD@@QAG?AW4FMOD_RESULT@@XZ
?getLength@Sound@FMOD@@QAG?AW4FMOD_RESULT@@PAII@Z
?getOpenState@Sound@FMOD@@QAG?AW4FMOD_RESULT@@PAW4FMOD_OPENSTATE@@PAIPA_N@Z
?addDSP@Channel@FMOD@@QAG?AW4FMOD_RESULT@@PAVDSP@2@@Z
?getNumSubSounds@Sound@FMOD@@QAG?AW4FMOD_RESULT@@PAH@Z
?lockDSP@System@FMOD@@QAG?AW4FMOD_RESULT@@XZ
?unlockDSP@System@FMOD@@QAG?AW4FMOD_RESULT@@XZ
?release@Sound@FMOD@@QAG?AW4FMOD_RESULT@@XZ
?createStream@System@FMOD@@QAG?AW4FMOD_RESULT@@PBDIPAUFMOD_CREATESOUNDEXINFO@@PAPAVSound@2@@Z
?getSubSound@Sound@FMOD@@QAG?AW4FMOD_RESULT@@HPAPAV12@@Z
?getFormat@Sound@FMOD@@QAG?AW4FMOD_RESULT@@PAW4FMOD_SOUND_TYPE@@PAW4FMOD_SOUND_FORMAT@@PAH2@Z
?setFrequency@Channel@FMOD@@QAG?AW4FMOD_RESULT@@M@Z
?setSpeakerLevels@Channel@FMOD@@QAG?AW4FMOD_RESULT@@W4FMOD_SPEAKER@@PAMH@Z
?getSpeakerMode@System@FMOD@@QAG?AW4FMOD_RESULT@@PAW4FMOD_SPEAKERMODE@@@Z
?update@System@FMOD@@QAG?AW4FMOD_RESULT@@XZ
?setCallback@Channel@FMOD@@QAG?AW4FMOD_RESULT@@W4FMOD_CHANNEL_CALLBACKTYPE@@P6G?AW43@PAUFMOD_CHANNEL@@0HII@ZH@Z
?getFrequency@Channel@FMOD@@QAG?AW4FMOD_RESULT@@PAM@Z
?release@System@FMOD@@QAG?AW4FMOD_RESULT@@XZ
?setLoopCount@Channel@FMOD@@QAG?AW4FMOD_RESULT@@H@Z
?playSound@System@FMOD@@QAG?AW4FMOD_RESULT@@W4FMOD_CHANNELINDEX@@PAVSound@2@_NPAPAVChannel@2@@Z
?setLoopCount@Sound@FMOD@@QAG?AW4FMOD_RESULT@@H@Z
?createSound@System@FMOD@@QAG?AW4FMOD_RESULT@@PBDIPAUFMOD_CREATESOUNDEXINFO@@PAPAVSound@2@@Z
?setParameter@DSP@FMOD@@QAG?AW4FMOD_RESULT@@HM@Z
?createDSPByType@System@FMOD@@QAG?AW4FMOD_RESULT@@W4FMOD_DSP_TYPE@@PAPAVDSP@2@@Z
?getParameter@DSP@FMOD@@QAG?AW4FMOD_RESULT@@HPAMPADH@Z
?release@DSP@FMOD@@QAG?AW4FMOD_RESULT@@XZ
?remove@DSP@FMOD@@QAG?AW4FMOD_RESULT@@XZ
?getWaveData@Channel@FMOD@@QAG?AW4FMOD_RESULT@@PAMHH@Z
FMOD_System_Create
?getOutputHandle@System@FMOD@@QAG?AW4FMOD_RESULT@@PAPAX@Z
?getOutput@System@FMOD@@QAG?AW4FMOD_RESULT@@PAW4FMOD_OUTPUTTYPE@@@Z
?setStreamBufferSize@System@FMOD@@QAG?AW4FMOD_RESULT@@II@Z
?getStreamBufferSize@System@FMOD@@QAG?AW4FMOD_RESULT@@PAI0@Z
?setFileSystem@System@FMOD@@QAG?AW4FMOD_RESULT@@P6G?AW43@PBDHPAIPAPAX2@ZP6G?AW43@PAX4@ZP6G?AW43@44I14@ZP6G?AW43@4I4@ZH@Z
?init@System@FMOD@@QAG?AW4FMOD_RESULT@@HIPAX@Z
?setAdvancedSettings@System@FMOD@@QAG?AW4FMOD_RESULT@@PAUFMOD_ADVANCEDSETTINGS@@@Z
?setDSPBufferSize@System@FMOD@@QAG?AW4FMOD_RESULT@@IH@Z
?getDSPBufferSize@System@FMOD@@QAG?AW4FMOD_RESULT@@PAIPAH@Z
?setSpeakerMode@System@FMOD@@QAG?AW4FMOD_RESULT@@W4FMOD_SPEAKERMODE@@@Z
?getDriverCaps@System@FMOD@@QAG?AW4FMOD_RESULT@@HPAIPAH1PAW4FMOD_SPEAKERMODE@@@Z
?setOutput@System@FMOD@@QAG?AW4FMOD_RESULT@@W4FMOD_OUTPUTTYPE@@@Z
?getNumDrivers@System@FMOD@@QAG?AW4FMOD_RESULT@@PAH@Z
?getPosition@Channel@FMOD@@QAG?AW4FMOD_RESULT@@PAII@Z

dinput8

DirectInput8Create

iphlpapi

GetAdaptersInfo

user32

SetFocus
ShowWindow
SetWindowTextW
SetCursor
GetKeyboardState
ToAscii
CreateWindowExA
GetSystemMetrics
RegisterClassA
CharLowerBuffA
GetKeyState
PeekMessageA
DispatchMessageA

gdi32

GetStockObject

advapi32

CryptAcquireContextA
CryptGenRandom
CryptReleaseContext

shell32

SHCreateDirectoryExA
SHFileOperationA

ole32

CoSetProxyBlanket
CoCreateInstance
CoInitialize
CoUninitialize

oleaut32

SysAllocString
SysFreeString

Sections

.text
Size: 5.0MB - Virtual size: 5.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 851KB - Virtual size: 850KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 599KB - Virtual size: 4.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 25KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

HATRED
Size: 259KB - Virtual size: 258KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

e846d39b22f3def32ef49f28200fcdb4

Headers

File Characteristics

Imports

d3dx9_35

kernel32

awl

ws2_32

d3d9

xinput1_3

mac3r

binkw32

fmodex

dinput8

iphlpapi

user32

gdi32

advapi32

shell32

ole32

oleaut32

Sections

.text Size: 5.0MB - Virtual size: 5.0MB

.rdata Size: 851KB - Virtual size: 850KB

.data Size: 599KB - Virtual size: 4.1MB

.rsrc Size: 25KB - Virtual size: 24KB

HATRED Size: 259KB - Virtual size: 258KB

.text
Size: 5.0MB - Virtual size: 5.0MB

.rdata
Size: 851KB - Virtual size: 850KB

.data
Size: 599KB - Virtual size: 4.1MB

.rsrc
Size: 25KB - Virtual size: 24KB

HATRED
Size: 259KB - Virtual size: 258KB