Static task: static1
Behavioral task: behavioral1
Sample: gs_agnt.exe
Resource: win10v2004-20231215-en
General
Target: gs_agnt.exe
Size: 813KB
MD5: c705043c43edd59b9159a664e61ed4ef
SHA1: 23744104082927e5b3e2158dc30de9176c180b7a
SHA256: cf6ea7459544dd0ad9c988f2d6d5513582a93800449b4e0a321d67429e2bb27f
SHA512: 1186cba2b82034422788c0379218c4712f6339280054cd0d989b82efc8444a552d17cd28fc7b815614a195110a784a3301a77083618374d062e16a2e0c0f528c
SSDEEP: 24576:r7g3TyUd41DCG5fufFeW31a5+X9KeGk0I+uM3:rU9AuN73goNKeGk0r13
Malware Config
Signatures
Unsigned PE (1 IoC): Checks for missing Authenticode signature.
Resource: gs_agnt.exe
Files
gs_agnt.exe.exe windows:4 windows x64 arch:x64
fd32aa3c59e50dba55bab807770541dd
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
ws2_32
getservbyname
WSACreateEvent
WSASetLastError
WSASocketA
WSADuplicateSocketA
setsockopt
getsockopt
getpeername
send
ntohs
getservbyport
gethostbyaddr
htons
gethostname
htonl
inet_ntoa
gethostbyname
inet_addr
shutdown
closesocket
WSACleanup
select
__WSAFDIsSet
recv
WSAStartup
WSAWaitForMultipleEvents
WSAGetOverlappedResult
WSAResetEvent
WSARecv
WSAGetLastError
WSASetEvent
netapi32
NetLocalGroupGetMembers
NetApiBufferFree
userenv
LoadUserProfileA
UnloadUserProfile
kernel32
ExpandEnvironmentStringsA
GetEnvironmentStrings
CloseHandle
GetSystemTimeAsFileTime
WriteConsoleInputA
CreateEventA
ResumeThread
GetACP
GetOEMCP
GetConsoleCP
GetConsoleOutputCP
UnmapViewOfFile
SetConsoleCtrlHandler
SetErrorMode
WriteConsoleInputW
FreeLibrary
GetProcAddress
LoadLibraryA
GetSystemDirectoryA
OutputDebugStringA
GlobalFree
GlobalAlloc
SetEndOfFile
ReadFile
SetFilePointer
GetFileSize
CreateFileA
WaitForMultipleObjects
CreateThread
SetConsoleCursorInfo
SetConsoleMode
WriteConsoleOutputW
GetMailslotInfo
SetConsoleTitleA
GetConsoleTitleA
CreateNamedPipeA
TerminateProcess
ConnectNamedPipe
DisconnectNamedPipe
PeekConsoleInputA
WriteConsoleA
GetExitCodeProcess
GetOverlappedResult
CancelIo
OpenEventA
CreateMailslotA
SetNamedPipeHandleState
GetComputerNameA
DeleteFileA
DuplicateHandle
OpenProcess
MapViewOfFile
WideCharToMultiByte
HeapFree
HeapAlloc
RtlUnwindEx
HeapReAlloc
MoveFileA
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlCaptureContext
RaiseException
RtlPcToFileHeader
RtlLookupFunctionEntry
GetCommandLineA
GetProcessHeap
GetCPInfo
IsValidCodePage
GetModuleHandleA
FlsGetValue
TlsAlloc
FlsSetValue
TlsFree
lstrlenA
GetCurrentThreadId
TlsSetValue
FlsAlloc
LCMapStringA
LCMapStringW
RtlVirtualUnwind
WriteFile
ExitProcess
GetTimeZoneInformation
SetHandleCount
GetFileType
GetStartupInfoA
HeapSetInformation
HeapCreate
GetModuleFileNameA
GetFileAttributesA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetTickCount
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
FlushFileBuffers
WriteConsoleW
CreateProcessA
CompareStringA
CompareStringW
SetEnvironmentVariableA
GetVersion
CreateFileMappingA
OpenFileMappingA
Process32Next
CreateToolhelp32Snapshot
SetConsoleScreenBufferSize
SetConsoleWindowInfo
GetLargestConsoleWindowSize
FindNextFileA
GetVolumeInformationA
DeviceIoControl
TlsGetValue
SystemTimeToFileTime
GetSystemTime
FileTimeToSystemTime
GetEnvironmentVariableA
GetLocalTime
SearchPathA
CreateSemaphoreA
OpenSemaphoreA
ReleaseSemaphore
GetLastError
SetEvent
SetLastError
LocalAlloc
LocalFree
CreateMutexA
Sleep
WaitForSingleObject
ReleaseMutex
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
MultiByteToWideChar
GetConsoleMode
GenerateConsoleCtrlEvent
GetCurrentProcess
lstrcmpA
WriteConsoleOutputA
SetConsoleActiveScreenBuffer
SetStdHandle
WriteConsoleOutputCharacterA
GetConsoleCursorInfo
GetCurrentProcessId
ReadConsoleOutputW
ReadConsoleOutputA
GetConsoleScreenBufferInfo
FillConsoleOutputCharacterA
FillConsoleOutputAttribute
SetConsoleCursorPosition
CreateConsoleScreenBuffer
FindFirstFileA
FlsFree
FindClose
GetStdHandle
GetVersionExA
HeapSize
user32
MapVirtualKeyA
wsprintfA
CharToOemA
OemKeyScan
VkKeyScanA
winspool.drv
SetPrinterA
GetPrinterA
OpenPrinterA
ClosePrinter
EnumJobsA
SetJobA
advapi32
RegQueryInfoKeyA
RegEnumValueA
RegLoadKeyA
LookupAccountSidA
RegCreateKeyExA
RegSetValueExA
RegisterEventSourceA
DeregisterEventSource
ReportEventA
CryptImportKey
CryptGetHashParam
LookupAccountNameA
GetKernelObjectSecurity
GetSecurityDescriptorDacl
GetAclInformation
InitializeAcl
GetAce
AddAce
AddAccessAllowedAce
SetKernelObjectSecurity
CryptAcquireContextA
CryptReleaseContext
CryptDestroyKey
CryptDecrypt
CryptEncrypt
CryptCreateHash
CryptHashData
GetTokenInformation
GetLengthSid
CopySid
IsValidSid
GetSidIdentifierAuthority
GetSidSubAuthorityCount
CryptDeriveKey
DuplicateTokenEx
SetTokenInformation
CreateProcessAsUserA
LogonUserA
RegQueryValueExA
RegCloseKey
RegOpenKeyExA
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
RegUnLoadKeyA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
GetSidSubAuthority
CryptDestroyHash
wininet
InternetReadFile
InternetOpenUrlA
InternetOpenA
InternetCloseHandle
Sections
.text Size: 573KB - Virtual size: 573KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 112KB - Virtual size: 111KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 94KB - Virtual size: 346KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 30KB - Virtual size: 30KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ