GLS[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

GLS.exe
Size

370KB
MD5

213932ea3d2139fbb9e52ba5936df3b2
SHA1

0f18c34caffdb243075f3774e6edd293bfba9229
SHA256

207192675473a607eedc53fde93a5f6e8dd7ddfef110fc9a1252c58f57476a29
SHA512

8797b0104c57e39fdb069e52aa9fe665e32a3e68427d2b422bac72c2568df3c0fbbc8d6f5fdae5a5dab38ce1faf6dbad0bc8487a15da312b575259876b2d7b5f
SSDEEP

6144:B4Irx5Q1TJ6y9ow2qGb+osCSrm/kvDIhFckqUTnbpUYOAz6LMR:toTIy9owBGb+7CSC/kvUhFqUTn1UTM

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
GLS.exe

Files

GLS.exe
.exe windows x64

24c9aafc4e8a63fab70aaee5c1efb605

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

CloseHandle
FreeConsole
Beep
WinExec
CreateDirectoryA
FreeLibrary
InitializeSListHead
Sleep
GetCurrentProcessId
GetModuleHandleW
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
CreateFileA
GetModuleHandleA
QueryPerformanceCounter
GetCurrentThreadId
GetProcAddress
QueryPerformanceFrequency
LoadLibraryA
GlobalUnlock
WideCharToMultiByte
GlobalLock
GlobalFree
GlobalAlloc
MultiByteToWideChar
GetSystemTimeAsFileTime

user32

GetClientRect
DispatchMessageA
GetWindowRect
DestroyWindow
SetWindowPos
ShowWindow
GetAsyncKeyState
DefWindowProcA
CreateWindowExA
TranslateMessage
PeekMessageA
UnregisterClassA
PostQuitMessage
GetDesktopWindow
RegisterClassExA
UpdateWindow
GetKeyState
CloseClipboard
LoadCursorA
ScreenToClient
SetCursor
SetCapture
GetForegroundWindow
IsChild
ClientToScreen
GetCapture
EmptyClipboard
GetClipboardData
SetClipboardData
SetCursorPos
GetCursorPos
OpenClipboard
ReleaseCapture

comdlg32

GetOpenFileNameA

shell32

ShellExecuteA

d3d9

Direct3DCreate9

msvcp140

?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?uncaught_exceptions@std@@YAHXZ
_Xtime_get_ticks
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
_Query_perf_frequency
?_Throw_Cpp_error@std@@YAXH@Z
_Cnd_do_broadcast_at_thread_exit
_Thrd_sleep
_Query_perf_counter

imm32

ImmReleaseContext
ImmGetContext
ImmSetCompositionWindow

fwpuclnt

FwpmEngineOpen0
FwpmFilterDeleteById0
FwpmFilterAdd0

vcruntime140

strstr
__C_specific_handler
_CxxThrowException
__current_exception
__current_exception_context
memset
memcpy
memcmp
__std_exception_destroy
__std_exception_copy
memchr
memmove

api-ms-win-crt-stdio-l1-1-0

__p__commode
__stdio_common_vsprintf
_wfopen
fseek
__acrt_iob_func
_set_fmode
__stdio_common_vsscanf
ftell
_fseeki64
fread
fsetpos
ungetc
setvbuf
fgetpos
fwrite
fgetc
fclose
fflush
fputc
_get_stream_buffer_pointers

api-ms-win-crt-heap-l1-1-0

_set_new_mode
_callnewh
malloc
free

api-ms-win-crt-filesystem-l1-1-0

_lock_file
_unlock_file
remove

api-ms-win-crt-convert-l1-1-0

atoi
mbstowcs

api-ms-win-crt-runtime-l1-1-0

exit
terminate
_invalid_parameter_noinfo_noreturn
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_crt_atexit
_cexit
_seh_filter_exe
_set_app_type
_beginthreadex
_get_initial_narrow_environment
_initterm
_initterm_e
_exit
_wassert
__p___argc
__p___argv
_c_exit
_register_thread_local_exe_atexit_callback

api-ms-win-crt-string-l1-1-0

strcmp
strncpy

api-ms-win-crt-utility-l1-1-0

rand
qsort

api-ms-win-crt-math-l1-1-0

sinf
fmodf
sqrtf
acosf
cosf
ceilf
__setusermatherr

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

vcruntime140_1

__CxxFrameHandler4

Sections

.text
Size: 272KB - Virtual size: 272KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 80KB - Virtual size: 80KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 524B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

24c9aafc4e8a63fab70aaee5c1efb605

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

comdlg32

shell32

d3d9

msvcp140

imm32

fwpuclnt

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

vcruntime140_1

Sections

.text Size: 272KB - Virtual size: 272KB

.rdata Size: 80KB - Virtual size: 80KB

.data Size: 2KB - Virtual size: 3KB

.pdata Size: 12KB - Virtual size: 12KB

.rsrc Size: 512B - Virtual size: 488B

.reloc Size: 1024B - Virtual size: 524B

.text
Size: 272KB - Virtual size: 272KB

.rdata
Size: 80KB - Virtual size: 80KB

.data
Size: 2KB - Virtual size: 3KB

.pdata
Size: 12KB - Virtual size: 12KB

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: 1024B - Virtual size: 524B