GasMaskExecutor[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

GasMaskExecutor.zip
Size

2.3MB
MD5

befefb5fe74c72a2e8f100759389a9ca
SHA1

ffe48c0d4b0c23d8bf706a321e147760b665a30d
SHA256

128f2008f6bf344054075801d511c7c78f3394a86fc4cb839dce36418fa320d0
SHA512

74b46e850a38a8de81373fdbc3b553b19bbf199fdf111d7ef24fce62496363efc04776435a2eb245bbd7b28a1e300edc82a9667b7968d82ed201dd06ca545f89
SSDEEP

49152:3tHMnrbEKKqPkQSX0GrUFJRGOq1grvT87TCJpiDUgcEMEWeTG+g:dH+8fqPrQ0YUOO3rv47e6UgRME1Thg

Score

5^/10

upx

Malware Config

Signatures

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
static1/unpack002/out.upx	autoit_exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
static1/unpack001/GasMaskExecutor/GH Injector - x64.exe	upx

Unsigned PE 7 IoCs

Checks for missing Authenticode signature.

resource
unpack001/GasMaskExecutor/CRMR.dll.bin
unpack001/GasMaskExecutor/GH Injector - x64.dll
unpack001/GasMaskExecutor/GH Injector - x64.exe
unpack002/out.upx
unpack001/GasMaskExecutor/GH Injector - x86.dll
unpack001/GasMaskExecutor/GH Injector SWHEX - x64.exe
unpack001/GasMaskExecutor/GasMask.dll

Files

GasMaskExecutor.zip
.zip
GasMaskExecutor/CRMR.dll.bin
.dll windows:6 windows x86 arch:x86

ee2fbdd745f74e86538848a50a13f9ed

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

C:\Users\Mohammad\Desktop\2\C Menu v6\Release\Exterium.pdb

Imports

kernel32

VirtualFreeEx
DisableThreadLibraryCalls
CreateThread
GetSystemDirectoryA
RemoveVectoredExceptionHandler
GetProcAddress
MultiByteToWideChar
GlobalAlloc
GlobalFree
GlobalLock
WideCharToMultiByte
GlobalUnlock
CreateDirectoryW
FindFirstFileExW
FindNextFileW
FindClose
GetLastError
GetLocaleInfoA
QueryPerformanceFrequency
FreeLibrary
QueryPerformanceCounter
GetModuleHandleExW
GetModuleFileNameW
GetModuleHandleW
HeapSize
GetProcessHeap
FreeEnvironmentStringsW
CloseHandle
CreateRemoteThread
GetCommandLineA
GetOEMCP
GetACP
IsValidCodePage
SetStdHandle
OutputDebugStringW
ReadConsoleW
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
GetConsoleMode
GetConsoleOutputCP
WriteFile
FlushFileBuffers
SetFilePointerEx
GetFileSizeEx
ExitProcess
Process32Next
LoadLibraryA
CreateToolhelp32Snapshot
OpenProcess
WaitForSingleObject
TerminateProcess
WriteProcessMemory
Process32First
K32GetModuleInformation
WriteConsoleW
GetCommandLineW
VirtualAllocEx
GetFileType
GetStdHandle
ReadFile
LoadLibraryExW
TlsFree
TlsSetValue
Sleep
GetModuleHandleA
GetCurrentProcess
GetEnvironmentStringsW
VirtualProtect
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
SetLastError
HeapCreate
HeapFree
Thread32Next
Thread32First
GetCurrentThreadId
SuspendThread
ResumeThread
HeapReAlloc
HeapAlloc
HeapDestroy
GetThreadContext
GetCurrentProcessId
FlushInstructionCache
SetThreadContext
OpenThread
VirtualFree
VirtualAlloc
VirtualQuery
FormatMessageA
LocalFree
GetLocaleInfoEx
CreateFileW
FindFirstFileW
GetFileAttributesExW
AreFileApisANSI
GetFileInformationByHandleEx
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
SleepConditionVariableSRW
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
EncodePointer
DecodePointer
LCMapStringEx
GetSystemTimeAsFileTime
CompareStringEx
GetCPInfo
GetStringTypeW
WakeAllConditionVariable
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
InitializeSListHead
RtlUnwind
RaiseException
InterlockedFlushSList
SetEndOfFile

user32

GetAsyncKeyState
FindWindowA
SetWindowLongW
CallWindowProcA
SetClipboardData
GetClipboardData
EmptyClipboard
CloseClipboard
OpenClipboard
GetCursorPos
SetCursorPos
GetKeyState
GetMessageExtraInfo
LoadCursorA
ScreenToClient
GetCapture
ClientToScreen
TrackMouseEvent
GetKeyboardLayout
GetForegroundWindow
SetCapture
SetCursor
GetClientRect
IsWindowUnicode
ReleaseCapture

d3dx9_43

D3DXCreateTextureFromFileInMemoryEx

imm32

ImmSetCompositionWindow
ImmReleaseContext
ImmGetContext
ImmSetCandidateWindow

Sections

.text
Size: 826KB - Virtual size: 825KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 161KB - Virtual size: 161KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 577KB - Virtual size: 583KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 248B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 30KB - Virtual size: 29KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
GasMaskExecutor/GH Injector - x64.dll
.dll windows:6 windows x64 arch:x64

17f06e92accbad4bf3fd533e152297c5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

kernel32

DuplicateHandle
GetCurrentProcess
GetProcessId
CreateToolhelp32Snapshot
GetLastError
Module32FirstW
Module32NextW
ReadProcessMemory
GetTempPathW
CopyFileW
QueryPerformanceCounter
WriteProcessMemory
VirtualProtectEx
GetHandleInformation
K32GetModuleBaseNameW
VirtualAllocEx
VirtualFreeEx
VirtualAlloc
GetTickCount64
VirtualFree
OpenProcess
Wow64GetThreadContext
TerminateThread
Wow64SetThreadContext
ResumeThread
Sleep
WaitForSingleObject
GetExitCodeThread
K32GetModuleInformation
OpenThread
SuspendThread
DeleteFileW
CreateProcessW
TerminateProcess
GetExitCodeProcess
GetThreadContext
SetThreadContext
QueueUserAPC
GetFileAttributesW
RtlLookupFunctionEntry
CloseHandle
GetCurrentProcessId
GetProcAddress
IsWow64Process
GetModuleHandleA
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
RtlCaptureContext

user32

PostThreadMessageW

advapi32

CreateProcessAsUserW
GetTokenInformation
DuplicateTokenEx
OpenProcessToken

msvcp140

?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
??Bid@locale@std@@QEAA_KXZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z
?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@_JH@Z
?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ
??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
??1?$basic_ostream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
?xsputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEB_W_J@Z
?xsgetn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEA_W_J@Z
?in@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEA_W3AEAPEA_W@Z
?_Pninc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAPEA_WXZ
?out@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEB_W1AEAPEB_WPEAD3AEAPEAD@Z
??1?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?uncaught_exception@std@@YA_NXZ
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?id@?$ctype@_W@std@@2V0locale@2@A
?unshift@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?widen@?$ctype@_W@std@@QEBA_WD@Z
?id@?$codecvt@_WDU_Mbstatet@@@std@@2V0locale@2@A
?_Getcat@?$codecvt@_WDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?showmanyc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JXZ
?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z
?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z
??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAA@XZ
?getloc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEBA?AVlocale@2@XZ
?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXXZ
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IEAA@XZ
??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Xlength_error@std@@YAXPEBD@Z
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ

wtsapi32

WTSQueryUserToken

vcruntime140

memcpy
memset
__std_type_info_destroy_list
__CxxFrameHandler3
__std_terminate
strchr
__std_exception_copy
__std_exception_destroy
__C_specific_handler
_CxxThrowException
memmove

api-ms-win-crt-runtime-l1-1-0

_cexit
_invalid_parameter_noinfo_noreturn
_crt_atexit
_initterm
_initterm_e
_seh_filter_dll
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_execute_onexit_table

api-ms-win-crt-string-l1-1-0

_wcsicmp

api-ms-win-crt-convert-l1-1-0

atoi
mbstowcs_s

api-ms-win-crt-utility-l1-1-0

srand
rand

api-ms-win-crt-filesystem-l1-1-0

_unlock_file
_lock_file
_wrename

api-ms-win-crt-stdio-l1-1-0

fwrite
fread
fgetc
__stdio_common_vswprintf
_fseeki64
ungetc
fputwc
fputc
ungetwc
_get_stream_buffer_pointers
fclose
fgetwc
fsetpos
setvbuf
fflush
fgetpos

api-ms-win-crt-time-l1-1-0

wcsftime
_time64
_localtime64_s

api-ms-win-crt-heap-l1-1-0

free
malloc
_callnewh

Exports

Exports

InjectA
InjectW

Sections

.text
Size: 51KB - Virtual size: 51KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 22KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 180B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
GasMaskExecutor/GH Injector - x64.exe
.exe windows:5 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

UPX0
Size: - Virtual size: 1.1MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 380KB - Virtual size: 380KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 546KB - Virtual size: 548KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.exe windows:5 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

.text
Size: 673KB - Virtual size: 672KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 198KB - Virtual size: 198KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 23KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 26KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 554KB - Virtual size: 553KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
GasMaskExecutor/GH Injector - x86.dll
.dll windows:6 windows x86 arch:x86

4421f7c25c5ae269f274ae9c4ce1f649

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

DuplicateHandle
GetCurrentProcess
GetProcessId
CreateToolhelp32Snapshot
GetLastError
Module32FirstW
Module32NextW
ReadProcessMemory
GetHandleInformation
K32GetModuleBaseNameW
GetTempPathW
CopyFileW
QueryPerformanceCounter
VirtualAllocEx
WriteProcessMemory
VirtualFreeEx
VirtualProtectEx
VirtualAlloc
GetTickCount64
OpenProcess
IsWow64Process
GetThreadContext
TerminateThread
SetThreadContext
ResumeThread
WaitForSingleObject
GetExitCodeThread
OpenThread
SuspendThread
Sleep
DeleteFileW
CreateProcessW
TerminateProcess
GetExitCodeProcess
QueueUserAPC
GetFileAttributesW
SetUnhandledExceptionFilter
CloseHandle
GetCurrentProcessId
GetProcAddress
VirtualFree
GetModuleHandleA
IsProcessorFeaturePresent
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
UnhandledExceptionFilter

user32

PostThreadMessageW

advapi32

CreateProcessAsUserW
GetTokenInformation
DuplicateTokenEx
OpenProcessToken

msvcp140

?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ
?always_noconv@codecvt_base@std@@QBE_NXZ
?_Fiopen@std@@YAPAU_iobuf@@PB_WHH@Z
??1_Lockit@std@@QAE@XZ
??0_Lockit@std@@QAE@H@Z
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ
??Bid@locale@std@@QAEIXZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PAD1AAPAD@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z
?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@PAD_J@Z
?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@_JH@Z
?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE?AV?$fpos@U_Mbstatet@@@2@XZ
??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ
??1?$basic_ostream@_WU?$char_traits@_W@std@@@std@@UAE@XZ
?xsputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAE_JPB_W_J@Z
?xsgetn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAE_JPA_W_J@Z
?in@?$codecvt@_WDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPA_W3AAPA_W@Z
?_Pninc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAEPA_WXZ
?out@?$codecvt@_WDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PB_W1AAPB_WPAD3AAPAD@Z
??1?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UAE@XZ
?getloc@ios_base@std@@QBE?AVlocale@2@XZ
?uncaught_exception@std@@YA_NXZ
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z
?_Getcat@?$ctype@_W@std@@SAIPAPBVfacet@locale@2@PBV42@@Z
?id@?$ctype@_W@std@@2V0locale@2@A
?unshift@?$codecvt@_WDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PAD1AAPAD@Z
?widen@?$ctype@_W@std@@QBE_WD@Z
?id@?$codecvt@_WDU_Mbstatet@@@std@@2V0locale@2@A
?_Getcat@?$codecvt@_WDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z
?showmanyc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAE_JXZ
?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@_W@Z
?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QBE_WD@Z
??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAE@XZ
?getloc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QBE?AVlocale@2@XZ
?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAEXXZ
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEXXZ
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z
??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IAE@XZ
??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAE_JPB_W_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UAE@XZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ
?_Xlength_error@std@@YAXPBD@Z
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ

wtsapi32

WTSQueryUserToken

vcruntime140

_except_handler4_common
memcpy
memset
__std_type_info_destroy_list
_CxxThrowException
__std_exception_destroy
__CxxFrameHandler3
__std_terminate
strchr
__std_exception_copy
memmove

api-ms-win-crt-runtime-l1-1-0

_cexit
_execute_onexit_table
_register_onexit_function
_initialize_onexit_table
_crt_atexit
_invalid_parameter_noinfo_noreturn
_initterm
_initterm_e
_seh_filter_dll
_configure_narrow_argv
_initialize_narrow_environment

api-ms-win-crt-string-l1-1-0

_wcsicmp

api-ms-win-crt-convert-l1-1-0

mbstowcs_s
atoi

api-ms-win-crt-utility-l1-1-0

rand
srand

api-ms-win-crt-filesystem-l1-1-0

_wrename
_lock_file
_unlock_file

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vswprintf
fsetpos
_fseeki64
fgetpos
fputwc
ungetwc
fgetwc
fflush
fwrite
fclose
fread
_get_stream_buffer_pointers
setvbuf
fgetc
fputc
ungetc

api-ms-win-crt-time-l1-1-0

_localtime64_s
wcsftime
_time64

api-ms-win-crt-heap-l1-1-0

free
_callnewh
malloc

Exports

Exports

InjectA
InjectW

Sections

.text
Size: 36KB - Virtual size: 36KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
GasMaskExecutor/GH Injector Config.ini
GasMaskExecutor/GH Injector SWHEX - x64.exe
.exe windows:6 windows x64 arch:x64

75397c8591e1d3c51cbf7f7439f8dd64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetModuleFileNameW
Sleep
DeleteFileW
GetModuleHandleW
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
RtlCaptureContext

user32

GetWindowTextW
SetForegroundWindow
GetClassNameW
EnumWindows
UnhookWindowsHookEx
SetWindowsHookExA
SendMessageW
IsWindowVisible
GetWindowThreadProcessId

msvcp140

?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z
?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@_JH@Z
?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ

vcruntime140

__CxxFrameHandler3
__std_exception_destroy
__std_exception_copy
memmove
memcpy
memset
_CxxThrowException
__C_specific_handler
__std_terminate

api-ms-win-crt-stdio-l1-1-0

fread
fsetpos
ungetc
setvbuf
_fseeki64
_get_stream_buffer_pointers
fwrite
__p__commode
_set_fmode
fgetc
fgetpos
fclose
fflush
fputc

api-ms-win-crt-convert-l1-1-0

strtol
strtoll

api-ms-win-crt-filesystem-l1-1-0

_unlock_file
_lock_file

api-ms-win-crt-runtime-l1-1-0

_cexit
_c_exit
_exit
exit
_initterm_e
_initterm
__p___argv
_register_onexit_function
_crt_atexit
_get_initial_narrow_environment
_initialize_narrow_environment
terminate
_configure_narrow_argv
_initialize_onexit_table
_set_app_type
_invalid_parameter_noinfo_noreturn
_seh_filter_exe
__p___argc
_register_thread_local_exe_atexit_callback

api-ms-win-crt-heap-l1-1-0

malloc
_callnewh
_set_new_mode
free

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 128B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
GasMaskExecutor/GH_Inj_Log.txt
GasMaskExecutor/GasMask.dll
.dll windows:6 windows x86 arch:x86

e41edf75e3f1b2cd492ba70a839748a6

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetSystemDirectoryA
LoadLibraryA
LockResource
DeleteFileA
GlobalAlloc
GlobalFree
CloseHandle
K32GetModuleInformation
CreateThread
LoadResource
SetFileAttributesA
GetProcAddress
GlobalLock
CreateFileMappingA
GetCurrentProcessId
FlushInstructionCache
WideCharToMultiByte
CreateDirectoryA
MapViewOfFile
GlobalUnlock
VirtualQuery
OpenThread
CreateDirectoryW
GetVolumeInformationW
FindFirstFileExW
GetFullPathNameW
FindNextFileW
FindClose
GetLastError
GetLogicalDriveStringsA
QueryPerformanceFrequency
FreeLibrary
QueryPerformanceCounter
DisableThreadLibraryCalls
SetEndOfFile
GetProcessHeap
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetOEMCP
GetACP
IsValidCodePage
SetStdHandle
ReadConsoleW
GetTimeZoneInformation
GetCurrentDirectoryW
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
CompareStringW
GetTimeFormatW
GetDateFormatW
GetConsoleMode
GetConsoleOutputCP
WriteFile
FlushFileBuffers
GetStdHandle
SetFilePointerEx
CreateFileA
GetFileAttributesA
Sleep
MultiByteToWideChar
CreateToolhelp32Snapshot
GetModuleHandleA
UnmapViewOfFile
ResumeThread
FindResourceA
Thread32First
Thread32Next
TerminateProcess
GetFileSizeEx
HeapSize
VirtualAlloc
GetCurrentProcess
VirtualProtect
WriteConsoleW
SizeofResource
GetModuleFileNameW
GetModuleHandleExW
ExitProcess
ReadFile
ReleaseSRWLockExclusive
ReleaseSRWLockShared
AcquireSRWLockExclusive
AcquireSRWLockShared
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
EncodePointer
DecodePointer
LCMapStringEx
CompareStringEx
GetCPInfo
WakeAllConditionVariable
SleepConditionVariableSRW
GetSystemTimeAsFileTime
GetModuleHandleW
GetStringTypeW
HeapCreate
HeapFree
GetCurrentThreadId
SuspendThread
HeapReAlloc
HeapAlloc
GetThreadContext
SetThreadContext
VirtualFree
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
InitializeSListHead
RtlUnwind
RaiseException
InterlockedFlushSList
SetLastError
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
GetDriveTypeW
CreateFileW
GetFileInformationByHandle
GetFileType
PeekNamedPipe
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime

user32

GetCursorPos
SetClipboardData
MessageBoxA
GetKeyState
LoadCursorA
GetCapture
ClientToScreen
TrackMouseEvent
GetForegroundWindow
SetCapture
SetCursor
GetClientRect
IsWindowUnicode
ReleaseCapture
SetCursorPos
GetClipboardData
ScreenToClient
MessageBeep
GetAsyncKeyState
OpenClipboard
CloseClipboard
EmptyClipboard

d3dx9_43

D3DXCreateTextureFromFileA

shlwapi

PathFindFileNameA

imm32

ImmSetCompositionWindow
ImmReleaseContext
ImmGetContext
ImmSetCandidateWindow

Sections

.text
Size: 753KB - Virtual size: 753KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 246KB - Virtual size: 246KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 11KB - Virtual size: 42KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 162KB - Virtual size: 162KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 23KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
GasMaskExecutor/leaked.txt

Sharing

General

Malware Config

Signatures

Files

ee2fbdd745f74e86538848a50a13f9ed

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

d3dx9_43

imm32

Sections

.text Size: 826KB - Virtual size: 825KB

.rdata Size: 161KB - Virtual size: 161KB

.data Size: 577KB - Virtual size: 583KB

.rsrc Size: 512B - Virtual size: 248B

.reloc Size: 30KB - Virtual size: 29KB

17f06e92accbad4bf3fd533e152297c5

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

msvcp140

wtsapi32

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-heap-l1-1-0

Exports

Exports

Sections

.text Size: 51KB - Virtual size: 51KB

.rdata Size: 22KB - Virtual size: 21KB

.data Size: 2KB - Virtual size: 3KB

.pdata Size: 3KB - Virtual size: 2KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 512B - Virtual size: 180B

Headers

DLL Characteristics

File Characteristics

Sections

UPX0 Size: - Virtual size: 1.1MB

UPX1 Size: 380KB - Virtual size: 380KB

.rsrc Size: 546KB - Virtual size: 548KB

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 673KB - Virtual size: 672KB

.rdata Size: 198KB - Virtual size: 198KB

.data Size: 23KB - Virtual size: 44KB

.pdata Size: 26KB - Virtual size: 26KB

.rsrc Size: 554KB - Virtual size: 553KB

.reloc Size: 3KB - Virtual size: 2KB

4421f7c25c5ae269f274ae9c4ce1f649

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

msvcp140

wtsapi32

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-convert-l1-1-0

.text
Size: 826KB - Virtual size: 825KB

.rdata
Size: 161KB - Virtual size: 161KB

.data
Size: 577KB - Virtual size: 583KB

.rsrc
Size: 512B - Virtual size: 248B

.reloc
Size: 30KB - Virtual size: 29KB

.text
Size: 51KB - Virtual size: 51KB

.rdata
Size: 22KB - Virtual size: 21KB

.data
Size: 2KB - Virtual size: 3KB

.pdata
Size: 3KB - Virtual size: 2KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 512B - Virtual size: 180B

UPX0
Size: - Virtual size: 1.1MB

UPX1
Size: 380KB - Virtual size: 380KB

.rsrc
Size: 546KB - Virtual size: 548KB

.text
Size: 673KB - Virtual size: 672KB

.rdata
Size: 198KB - Virtual size: 198KB

.data
Size: 23KB - Virtual size: 44KB

.pdata
Size: 26KB - Virtual size: 26KB

.rsrc
Size: 554KB - Virtual size: 553KB

.reloc
Size: 3KB - Virtual size: 2KB

.text
Size: 36KB - Virtual size: 36KB

.rdata
Size: 13KB - Virtual size: 12KB

.data
Size: 1024B - Virtual size: 1KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 2KB - Virtual size: 2KB

.text
Size: 12KB - Virtual size: 11KB

.rdata
Size: 10KB - Virtual size: 10KB

.data
Size: 1024B - Virtual size: 2KB

.pdata
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: 512B - Virtual size: 128B

.text
Size: 753KB - Virtual size: 753KB

.rdata
Size: 246KB - Virtual size: 246KB

.data
Size: 11KB - Virtual size: 42KB

.rsrc
Size: 162KB - Virtual size: 162KB

.reloc
Size: 23KB - Virtual size: 23KB