gbak[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

gbak.exe
Size

348KB
MD5

d2065b956a9165228010c25a29d1a728
SHA1

b4707d3b2adbfda04bccf945728336bca1c1a17e
SHA256

f64bf9fb2105b10ff70f6a04ffc82f088393f44dd48e365220057d4e5af5cfe2
SHA512

f1eac8d766a5aa6dc0364bd6bce2b09514e7a1e0d16fba473931cf453e75a592152f32c43da00203ff1547cbc4706fa5256694d05a4de377dcb7d6d9a5466d14
SSDEEP

6144:7vM++ZVBKCbg1c3eXJ63zPgrpPVUiY1+dOEfBCN1:7r0Vr2lZ63Erp2j+BBu1

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
gbak.exe

Files

gbak.exe
.exe windows:4 windows x64 arch:x64

c22fb72fbe5bdd6d6840da4c63dc65b2

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ws2_32

ntohl
htonl

kernel32

CloseHandle
DeleteFileA
SetTapePosition
SetFilePointer
FlushFileBuffers
GetTapeParameters
CreateFileA
GetStdHandle
ReadFile
GetLastError
TlsGetValue
TlsSetValue
TlsFree
TlsAlloc
GetSystemInfo
VirtualAlloc
VirtualFree
WriteFile
SleepEx
GetSystemTimeAsFileTime
GetCurrentProcessId
GetTickCount
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
Sleep
FindNextFileA
FindFirstFileA
FindClose
GetVersion
LoadLibraryA
GetProcAddress
GetCurrentProcess
GetModuleFileNameA
lstrcmpA
lstrlenA
QueryPerformanceFrequency
QueryPerformanceCounter
GetConsoleMode
SetConsoleMode
LocalFree
LocalAlloc
FreeLibrary
GetEnvironmentVariableA
OpenThread
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSection
GetCurrentThreadId

fbclient

ord162
ord169
ord165
ord122
ord280
ord140
ord259
ord176
ord166
ord116
ord168
ord156
ord83
ord158
ord1
ord37
ord225
ord228
ord226
ord153
ord173
ord103
ord128
ord186
ord120
ord138
ord174
ord229
ord115
ord160
ord42
ord44
ord51
ord250
ord144
ord145
ord118
ord119
ord113
ord139
ord152
ord108
fb_interpret
ord114
ord227

msvcr80

isalpha
isdigit
memcpy
fflush
__iob_func
_CxxThrowException
__CxxFrameHandler3
fclose
fopen
_errno
strstr
fgets
fprintf
sprintf
atoi
strncmp
printf
strncpy
_snprintf
??0exception@std@@QEAA@AEBQEBDH@Z
?what@exception@std@@UEBAPEBDXZ
??1exception@std@@UEAA@XZ
memmove
??0exception@std@@QEAA@AEBV01@@Z
_vsnprintf
abort
toupper
getc
isprint
strchr
_getcwd
_write
ferror
fwrite
_access
__C_specific_handler
_unlock
_encode_pointer
__dllonexit
_lock
_onexit
_decode_pointer
_amsg_exit
__getmainargs
_XcptFilter
_exit
_cexit
exit
__initenv
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_commode
_fmode
__set_app_type
?terminate@@YAXXZ
?_type_info_dtor_internal_method@type_info@@QEAAXXZ
__crt_debugger_hook
_time64
_ctime64
memcmp
memset
_purecall
_strnicmp
_isatty
_fileno
vfprintf
_get_osfhandle

user32

CharLowerBuffA
CharUpperBuffA

advapi32

RegOpenKeyExA
RegCloseKey
RegQueryValueExA

Sections

.text
Size: 248KB - Virtual size: 247KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 80KB - Virtual size: 79KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

c22fb72fbe5bdd6d6840da4c63dc65b2

Headers

DLL Characteristics

File Characteristics

Imports

ws2_32

kernel32

fbclient

msvcr80

user32

advapi32

Sections

.text Size: 248KB - Virtual size: 247KB

.rdata Size: 80KB - Virtual size: 79KB

.data Size: 1KB - Virtual size: 3KB

.pdata Size: 15KB - Virtual size: 15KB

.rsrc Size: 2KB - Virtual size: 2KB

.text
Size: 248KB - Virtual size: 247KB

.rdata
Size: 80KB - Virtual size: 79KB

.data
Size: 1KB - Virtual size: 3KB

.pdata
Size: 15KB - Virtual size: 15KB

.rsrc
Size: 2KB - Virtual size: 2KB