PUP.Gamehack.GFDA
Table of Contents
Analysis Report
General information
| Family Name: | PUP.Gamehack.GFDA |
|---|---|
| Signature status: | No Signature |
Known Samples
Known Samples
This section lists other file samples believed to be associated with this family.|
MD5:
99291e66eb3d20020bb3db9b0420329e
SHA1:
96b4bde6984326ba23e3fffed754d5aa41991c41
SHA256:
63019F8C68B6D5B906993D7D4D044AB870934EE2A888CB94F8C61577BD0FEF18
File Size:
45.06 KB, 45056 bytes
|
|
MD5:
1b80f27a0f5c1aa65a89966b68bc72c5
SHA1:
d060f456e011fb343b6890125bb493777c641e4c
SHA256:
24135624A25E440BCC7F2099248FF58DE6AAC02E33D0123D61AF12362CAD87A4
File Size:
503.30 KB, 503296 bytes
|
|
MD5:
3a93b1900bff76ef7e85b01dd2e8a143
SHA1:
1a1efd37e28254d3256abe2ece1ac8e91ffede10
SHA256:
B7C78616582E3E1173082B5113B4276F67C41BA269172F1540E93672B8279ECF
File Size:
11.26 KB, 11264 bytes
|
|
MD5:
e5b6197e1ff92199d6728349965c27b9
SHA1:
f95bed999b777fc07f728630626317146acae8af
SHA256:
2B278870557AD642A3ABAF866641882BCA84DBC8ACD95414E8BC6A8FCC0AC89C
File Size:
503.30 KB, 503296 bytes
|
|
MD5:
00fa68dde529f6be362cc36b28ca9dc9
SHA1:
c742b7592585b5667334bcf055a23d5281d6ba93
SHA256:
37F6AC6F52F4CB9847D38FF7F7E98B124B92AA175E6165EBEE7A8512FDEB79C5
File Size:
503.30 KB, 503296 bytes
|
Show More
|
MD5:
4f05848cea0addaeb8163cd872b482bf
SHA1:
b50c711c11b8b34b6ddeaf2c71f73a1fc492ef9c
SHA256:
7BDE3A0F5A94EF69BAAACEE11B1C4B7BE15037857D16FC0803370D8E44971ECD
File Size:
503.30 KB, 503296 bytes
|
|
MD5:
1ee5549145d6dfc9847284aa7c13716c
SHA1:
74ffd97cf654b4ad508218e8fb1bd56a500b6bf4
SHA256:
0CED59512BEC382BCFA88D446F2D842FD8A25E61F0B5F15823A49EC0616AD7D6
File Size:
3.15 MB, 3146240 bytes
|
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have security information
- File has exports table
- File is .NET application
- File is 32-bit executable
- File is 64-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
- File is either console or GUI application
Show More
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
Windows PE Version Information
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.| Name | Value |
|---|---|
| Assembly Version | 1.6.6.0 |
| File Version | 1.6.6 |
| Internal Name | Client.exe |
| Original Filename | Client.exe |
| Product Version | 1.6.6 |
File Traits
- dll
- fptable
- x64
Block Information
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.| Total Blocks: | 1,097 |
|---|---|
| Potentially Malicious Blocks: | 571 |
| Whitelisted Blocks: | 264 |
| Unknown Blocks: | 262 |
Visual Map
?
0
0
0
0
?
?
?
?
0
x
x
0
0
0
0
0
x
0
x
0
x
0
0
0
x
x
x
x
x
x
0
x
0
x
x
0
0
x
x
0
x
x
x
0
x
0
0
0
0
0
0
0
0
x
x
x
x
x
x
x
0
x
x
?
?
0
0
x
0
x
x
0
0
0
0
?
0
0
0
0
0
0
0
x
0
0
0
?
0
0
0
x
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
?
0
0
0
0
0
0
0
?
?
0
0
0
0
0
0
0
0
x
0
x
0
0
0
0
?
0
0
0
0
0
0
x
x
0
0
0
0
0
0
0
x
x
0
x
x
0
0
0
0
0
0
0
0
?
?
0
0
0
0
x
x
0
0
0
0
x
0
0
0
0
0
0
0
?
0
0
0
0
0
0
0
0
0
x
0
x
0
0
0
0
0
0
0
?
0
0
0
0
?
0
0
0
x
0
0
0
0
0
0
0
x
0
x
x
0
0
0
0
0
0
0
x
0
x
x
0
x
0
0
0
x
0
0
?
?
?
0
?
?
0
?
0
x
0
x
0
0
0
0
0
?
?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
?
?
0
0
0
x
0
0
0
0
0
?
?
0
x
x
x
x
0
0
0
0
0
x
0
x
x
x
x
x
x
x
?
?
?
?
?
?
x
x
?
x
x
?
x
x
x
x
x
x
x
x
0
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
0
x
0
0
0
0
0
x
x
0
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
?
?
?
?
x
?
x
x
x
?
?
x
?
?
x
x
?
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
?
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
0
0
0
0
0
0
0
?
?
?
?
?
?
?
?
?
0
?
x
?
?
x
x
?
?
?
?
?
x
?
?
?
?
?
?
x
x
x
x
x
?
?
?
x
x
0
?
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
?
?
?
x
?
x
x
x
x
?
?
?
?
x
x
x
x
x
?
?
x
?
?
?
x
x
x
x
x
?
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
?
?
?
?
?
?
x
?
x
x
x
x
x
?
?
?
x
x
x
x
x
x
?
?
?
?
?
x
x
x
x
x
x
?
?
?
?
?
x
?
x
?
?
?
0
?
x
?
x
x
x
x
x
x
x
x
x
?
?
x
x
x
x
x
?
x
x
x
x
x
x
x
?
?
x
x
x
x
?
0
?
x
?
?
?
?
x
0
0
?
?
x
?
?
x
?
?
?
x
x
x
x
x
x
?
?
?
?
?
?
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
x
x
x
x
x
x
x
x
x
x
x
x
x
?
x
x
x
x
?
?
?
?
?
?
?
?
?
x
x
?
x
x
x
x
x
x
x
x
x
?
?
?
?
?
?
x
?
?
?
?
x
?
x
?
?
?
0
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
?
?
x
x
x
x
x
x
?
x
x
x
x
x
x
x
x
x
x
x
x
x
0
x
?
?
x
?
?
x
x
x
x
x
x
x
x
x
?
x
?
?
x
?
?
?
?
?
?
?
?
?
?
?
0
?
?
?
?
?
?
?
x
?
?
?
?
?
?
?
?
x
x
x
x
?
?
?
?
?
?
?
?
?
x
x
?
?
?
?
?
0
0
?
x
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
x
x
x
x
x
x
x
x
0
x
?
0
x
x
x
x
x
x
x
x
x
x
x
0
x
x
0
x
x
x
x
x
x
x
x
x
x
x
0
x
?
0
x
x
x
x
0
?
x
x
x
x
x
x
x
0
x
x
x
x
x
x
x
x
x
x
x
0
x
0
x
x
x
?
?
?
?
?
?
?
?
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
0
x
x
x
x
x
x
x
x
x
x
x
x
x
0
x
x
x
x
x
x
x
x
0
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
0
0
x
x
?
x
x
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.- DefendNot.A
- MSIL.Quasar.CA
Windows API Usage
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.| Category | API |
|---|---|
| Syscall Use |
Show More
|
| User Data Access |
|
| Encryption Used |
|
| Other Suspicious |
|
| Anti Debug |
|
