PUP.Gamehack.DT
Analysis Report
General information
| Family Name: | PUP.Gamehack.DT |
|---|---|
| Signature status: | Self Signed |
Known Samples
This section lists other file samples believed to be associated with this family.
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have exports table
- File has TLS information
- File is 64-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.
| Name | Value |
|---|---|
| Company Name | GSE |
| File Description | GSE |
| File Version | 1, 0, 0, 2 |
| Internal Name | GSE |
| Legal Copyright | Copyright (C) 2021 GSE |
| Original Filename | steam.exe |
| Product Name | GSE |
| Product Version | 1, 0, 0, 2 |
| Source Control ID | 8563863 |
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature’s root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy “Self Signed” digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading “Signer” names.
| Signer | Root | Status |
|---|---|---|
| GSE | GSE | Self Signed |
File Traits
- fptable
- HighEntropy
- WriteProcessMemory
- x64
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.
| Total Blocks: | 1,199 |
|---|---|
| Potentially Malicious Blocks: | 27 |
| Whitelisted Blocks: | 1,172 |
| Unknown Blocks: | 0 |
Visual Map
(Visual block map not reproduced; its cells use the legend below.)
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- Agent.KPF
- Downloader.UA
- Gamehack.DT
- PSW.Agent.PF
- PSWDump.C
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.
| Category | API |
|---|---|
| Syscall Use | |