Trojan.Injector.GSF
Analysis Report
General information
| Family Name: | Trojan.Injector.GSF |
|---|---|
| Signature status: | Hash Mismatch |
Known Samples
This section lists other file samples believed to be associated with this family.

| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| 4ddf40a13bb31a224c2b239caa651cb7 | 9eae7d56ee4c748a6f2017f00f2c3e3b02fb3ef2 | 7646BDC19E7D22CAFE18C35D33345D02065E4206AC80EE013D04508986064D75 | 1.78 MB, 1779440 bytes |
| 3da6b9df096feeda0b3bdb3de9bbb053 | c056d6a38056779df6b7f85b48240cdaf54371dd | 8C46E7FEBFE97D07B8D41D54A7392F0CB378136D47FDC65EFEF9D8AB3DCF0B77 | 1.65 MB, 1654512 bytes |
| fa34f56da117fe337b7d536f162e4fe5 | 87915e2ac78fa89d89f60ed4a03931cc0edb8a2f | D28039599DC1FE1E4B1D5CEDAE5800D42086C7972322B3316C1DBFA5665AD030 | 2.47 MB, 2470536 bytes |
| e481b6e876b8dfc5e210f6d7edf5162a | ecb6a702182a3e87315f0097c622580a4c91df5a | 0C8FF3C614ADC6127863BDC229854D4C5B5F77E36BF578AF2EC662C7BBBA0511 | 2.49 MB, 2488968 bytes |
| 4fed345536a5077f7698ffae3884e742 | 58a520f6d401c368a23aa76a583770158ec6bbe5 | 391BEBFE667BE40E1A1EE6CF1DF66353C0A17FE8BA78BCBE37AE09657EFA6FC0 | 1.88 MB, 1877832 bytes |
| 0c347c00021e023a84e9641a794b5c1c | c197a6249917b02ce4669f1848969b55d87132d8 | 9109FFD0652D8B2BCC5870E62A44865A923133646341C19CD074175BC6B25825 | 1.86 MB, 1858680 bytes |
| 46ec0f2235edc0a7004e1201a3fb4bb1 | 6bdfb566137e6ca50dd1e1217245b088754b1fa4 | 5C8C8D98C55A213DFCF1F4B76497276E8DF2D7A15032ADAE1CE6D91F4AA96F74 | 2.20 MB, 2204808 bytes |
| f83bfddc93b25633a89263b8ee6df4a8 | 625a25f95d60443b5fb92ffd1400bec51a37a56c | 8124580668ADBF6D9CFBA43BB2F4E0075F3CA923EF4D19C52BCC34B093460ED8 | 1.66 MB, 1657160 bytes |
| 1ca49b2378ac7a8ad757f55b4901eefe | 58f3bcd81942048f5758a8465cde5d17058816b4 | 2848FE91A1F2332732FCEF31297C492E54190C26433C26FB276BFF2AF3219BB1 | 1.79 MB, 1790792 bytes |
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File is 64-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

| Name | Value |
|---|---|
| Company Name | |
| File Description | |
| File Version | |
| Internal Name | |
| Legal Copyright | |
| Original Filename | |
| Product Name | |
| Product Version | |
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature’s root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy “Self Signed” digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading “Signer” names.

| Signer | Root | Status |
|---|---|---|
| voidtools | DigiCert SHA2 Assured ID Code Signing CA | Hash Mismatch |
| EasyAntiCheat Oy | GlobalSign Code Signing Root R45 | Hash Mismatch |
| Pagebites, Inc. | SSL.com Code Signing Intermediate CA RSA R1 | Hash Mismatch |
| F.lux Software LLC | Sectigo Public Code Signing Root R46 | Hash Mismatch |
File Traits
- 2+ executable sections
- golang
- HighEntropy
- Installer Version
- No Version Info
- x64
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Total Blocks: | 512 |
|---|---|
| Potentially Malicious Blocks: | 154 |
| Whitelisted Blocks: | 358 |
| Unknown Blocks: | 0 |
Visual Map
The 512 block classifications below are listed in analysis order, laid out here as 16 rows of 32 blocks (read left to right, top to bottom). Of the 512 blocks, 154 are marked potentially malicious (x), matching the summary table above.

```text
00000000000000000000x0000xxxx0x0
x000000x0xxxxxxxxxxxx00000000000
000000000000xxx0x0xxx0x00000x000
x0xxx0000x0xxx00x0x000000000x000
00000000000000x0000x0000xxxx0xx0
x0x000xx0x0xxx00x0000000x00xx000
00x0x0xxx0x00x0x0xx0x00xxxx00000
0x000000x00xx0000000000000xx0x00
x000000000000xx00xx00x0xxxx0x0x0
0000xxxx00xxx0xx0xx0x0xx00000x0x
x0x00x00x00x0000xx00000x00x0x0x0
xx0000000000000000000xx000xx0000
0x0xx0000000000000x0xx00000x0x00
00000x000x0000x0000000000000xxxx
0x0xxx0000xx0xx000000x0x0x00000x
00000000000000000000000000000000
```

Legend:
- 0 - Probable Safe Block
- ? - Unknown Block
- x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

- Agent.GHW
- GoBot
- GoBot.B
- Injector.GSF
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

| Category | API |
|---|---|
| Syscall Use | |
| Network Winsock2 | |