a2929a61e4d63dd3c15749b2b7ed74ae

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 1970-Mar-07 10:30:28
Detected languages English - United Kingdom

Plugin Output

Suspicious: Strings found in the binary may indicate undesirable behavior:
Contains references to security software:
  • msinfo32.exe
Tries to detect virtualized environments:
  • b3 eb 36 e4 4f 52 ce 11 9f 53 00 20 af 0b a7 70
  • d1 29 06 e3 e5 27 ce 11 87 5d 00 60 8c b7 80 66
May have dropper capabilities:
  • CurrentControlSet\Services
Contains another PE executable:
  • This program cannot be run in DOS mode.
Contains domain names:
  • http://www.rockstargames.com
  • http://www.rockstargames.com/sanandreas
  • http://www.rockstarnorth.com
  • http://www.securom.com
  • http://www.securom.com/link_to_faq
  • rockstargames.com
  • rockstarnorth.com
  • securom.com
  • www.rockstargames.com
  • www.rockstarnorth.com
  • www.securom.com
Info: Cryptographic algorithms detected in the binary:
Uses constants related to CRC32
Uses constants related to MD5
Uses constants related to DES
Suspicious: The PE is possibly packed.
Unusual section name found: _rwcseg
Unusual section name found: _TEXT_HA
Unusual section name found: _rwdseg
Section .text is both writable and executable.
Section .data is both writable and executable.
Unusual section name found: .dev1
Section .dev1 is both writable and executable.
Unusual section name found: .dev2
Malicious: The PE contains functions mostly used by malware.
[!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
Functions which can be used for anti-debugging purposes:
  • FindWindowA
Code injection capabilities (PowerLoader):
  • GetWindowLongA
  • FindWindowA
Can access the registry:
  • RegCloseKey
  • RegCreateKeyExA
  • RegOpenKeyExA
  • RegQueryValueExA
  • RegOpenKeyA
  • RegSetValueExA
Memory manipulation functions often used by packers:
  • VirtualProtect
  • VirtualAlloc
Leverages the raw socket API to access the Internet:
  • #16
  • #19
  • #3
  • #9
  • #11
  • #4
  • #111
  • #115
  • #116
  • #23
Enumerates local disk drives:
  • GetVolumeInformationA
  • GetDriveTypeA
  • GetLogicalDriveStringsA
Malicious: VirusTotal score: 3/66 (Scanned on 2020-08-20 14:35:54)
Bkav: W32.AIDetectVM.malware2
FireEye: Generic.mg.a2929a61e4d63dd3
APEX: Malicious

Hashes

MD5 a2929a61e4d63dd3c15749b2b7ed74ae
SHA1 3a184bf69104e52e8396261432d9324211ef74bc
SHA256 af63c3b85c5a30a1fb4318ede6add911933ccc63ddac2f57eb63b7fbe212b8e2
SHA3 8a06f1d63b696972b81b66ac29b1f1178d94cdaa8970104fb53c0c041b8a7bb8
SSDeep 196608:B/DilPG7k1Cv4CJmV/UT5c2dFmSfyL3cC5kjzC5TnZHCtpAdjOAZ/ss:B/ulPG7wCACJmV/UTa0pLPMZ/X
Imports Hash 40e136b25c083bd1c043fd89de8b4fd5

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x138

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 11
TimeDateStamp 1970-Mar-07 10:30:28
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 7.0
SizeOfCode 0x458000
SizeOfInitializedData 0x45a000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00425330 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x459000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x20e0000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 28142b397a344e71f992449b67a8d7fd
SHA1 ed0f66b8da275c3e596273ecab7ccbd29c21b699
SHA256 53ae4dc5154c9fa26add945821373a402257cfd64495f5cab0398f2ae1985d93
SHA3 176345a1237f2b38dd4cee94c44f055d9162c441556e6bf55cf69650d0e180c2
VirtualSize 0x457000
VirtualAddress 0x1000
SizeOfRawData 0x45656a
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.69957

_rwcseg

MD5 f83d20b9c53f03555f49f20473281380
SHA1 da3c31bc554f634a13fbf80a5c16cb14ede53450
SHA256 680c50f5b14681ecd6c6cc49fc9422231228a6c27f6db848c6b6d3e64458acae
SHA3 803dcd419ed3e1044bf010f6c97a9a025769974322949acaf7cf6d2fdd0f561c
VirtualSize 0x1000
VirtualAddress 0x458000
SizeOfRawData 0x451
PointerToRawData 0x458000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 4.93956

.rdata

MD5 6ce3cbdbc0f898ea9ebfe43f50b4a490
SHA1 3ca8fe6a1baa1856f8501895032b73a9f1b9ff11
SHA256 3ae04ebd979e1281a0f916e4390035ba15fb3ce91aa90cbe1c2f6de47a404b09
SHA3 04d8a91effdaeebc886e86bb839f149f53befc598c8078e685f392413b3c37fa
VirtualSize 0x4c000
VirtualAddress 0x459000
SizeOfRawData 0x4b2b4
PointerToRawData 0x459000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.59106

.data

MD5 82f9db78e8480c0b3f40835cada2aca3
SHA1 fe916f9eea7f9b6fe16af8006138670adb28dd35
SHA256 a9ee3281d8c3a3db29fbfba78604388f10b1e43f572f0f2b0c298cb25eee2600
SHA3 8673553be1bd9dc63040497535085a84bec46f696f5033afffe2f412ecb0d65b
VirtualSize 0x3fb000
VirtualAddress 0x4a5000
SizeOfRawData 0x41558
PointerToRawData 0x4a5000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.83253

_TEXT_HA

MD5 66493140ee2c08e11feec07efbc2be24
SHA1 9feef46f2211b61fe8f4046029022f9bf7b5c69d
SHA256 55dce9b25c3f5599d4c8850c577ab3bd72d1554549840bd8ffb4d30050579248
SHA3 d10ebb821c672a21505283137670f4bf21d3612387909d349bdbc9a96c27ba5d
VirtualSize 0x11000
VirtualAddress 0x8a0000
SizeOfRawData 0x10a82
PointerToRawData 0x4e7000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 6.6357

_rwdseg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x1000
VirtualAddress 0x8b1000
SizeOfRawData 0
PointerToRawData 0x8b1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc

MD5 38b317a39f3c40f22118a557328881c5
SHA1 ee57ca7fd7d39d3c0e0a7db6ac03c1afff0a6781
SHA256 da1000fec47ba2535fcaea3835c918b6382716dfb32485fc83f9a61d6f8faa19
SHA3 07baa2e852030117a935fba5f0b5f686525f3be4e74f8daee7c26a09ae080ccf
VirtualSize 0x1000
VirtualAddress 0x8b2000
SizeOfRawData 0x1000
PointerToRawData 0x4f8000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 1.67488

.text (#2)

MD5 4c82413fd45ef2a7e08263eec66fb6dc
SHA1 349b6bf730dd5fa4e14a1ac08299a5ce08958c84
SHA256 b7b520df349f91cc8185dde5c07e8e27d1ed4bdb6b9cf68fae0435dd4caff450
SHA3 c44af2b5864c142978fa0fcb2c782ab6b0f583498513654004c246a0f5e77d3f
VirtualSize 0x528000
VirtualAddress 0x8b3000
SizeOfRawData 0x51ad70
PointerToRawData 0x4f9000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 6.4431

.data (#2)

MD5 9bf65b736dd25c397492bfd76a33d618
SHA1 a3e228ad2c5a00a72dc020b19713f84d2adf33bc
SHA256 6c1ebf106b5988e357744bee6d4925bbe35ea66ec50d124b98ba56911cfb1f73
SHA3 80692caaac60fc6893e41bb45d2bc508209645189e01a03ce2a6641130b7ee07
VirtualSize 0x2b8000
VirtualAddress 0xddb000
SizeOfRawData 0x2b6b66
PointerToRawData 0xa14000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.43323

.dev1

MD5 18a49707f2a486b59326f43cea56b030
SHA1 a11b717f1a626621a8040e41a1e830e56e455d27
SHA256 f2095024370d20010f067a3394f3ed25b6f45ddb4d8f76407476253e1787621c
SHA3 ea246551bdd4b65ce4bb642dd21b0dfd5c9d63f04d4b2060dbddcd57515a7ede
VirtualSize 0xc4d000
VirtualAddress 0x1093000
SizeOfRawData 0x9270c
PointerToRawData 0xccb000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.00527

.dev2

MD5 fcc4e59844ee66de2b55d6e5f6005199
SHA1 8576e4be11d2db6bd645a63b49e7ee82682dc0bd
SHA256 a21fa98b4f6416c118aec5869adc7789b6403b4697aa5e28f3fe2185065e9082
SHA3 92e9e196ba7e381a8ce18a40a121b00e5af64cebbfb7617f9a6ba36980d0a07c
VirtualSize 0x400000
VirtualAddress 0x1ce0000
SizeOfRawData 0x1b5000
PointerToRawData 0xd5e000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 5.5627

Imports

WINMM.dll
timeEndPeriod
timeGetTime
timeBeginPeriod
timeGetDevCaps
vorbisfile.dll
ov_open_callbacks
ov_clear
ov_time_total
ov_time_tell
ov_read
ov_info
ov_time_seek
WS2_32.dll
#16
#19
#3
#9
#11
#4
#111
#115
#116
#23
EAX.DLL
#6
KERNEL32.dll
VirtualProtect
GetOEMCP
GetACP
IsBadCodePtr
IsBadReadPtr
GetStringTypeW
GetStringTypeA
IsValidCodePage
IsValidLocale
EnumSystemLocalesA
GetLocaleInfoA
GetCPInfo
GetDateFormatA
VirtualQuery
GetTickCount
GetModuleHandleA
GetProcAddress
LoadLibraryA
GetFileSize
CloseHandle
LocalFree
WaitForSingleObjectEx
GetOverlappedResult
WaitForSingleObject
ReleaseSemaphore
SetFilePointer
GetLastError
ReadFile
SetLastError
CreateFileA
ResumeThread
SetThreadPriority
GetThreadPriority
GetCurrentThread
CreateThread
LocalAlloc
CreateSemaphoreA
GetDiskFreeSpaceA
Sleep
QueryPerformanceCounter
InterlockedIncrement
InterlockedDecrement
lstrcatA
lstrcpyA
lstrlenA
DeleteCriticalSection
SuspendThread
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
MultiByteToWideChar
DeleteFileA
TerminateThread
FindClose
FindNextFileA
GetFileAttributesA
FindFirstFileA
FreeLibrary
QueryPerformanceFrequency
OutputDebugStringA
GetLocalTime
CreateDirectoryA
GetUserDefaultLCID
SetStdHandle
CreateEventA
GetVolumeInformationA
GetDriveTypeA
GetLogicalDriveStringsA
SetErrorMode
GlobalMemoryStatus
GetVersionExA
GetCommandLineA
GetFullPathNameA
WideCharToMultiByte
lstrcmpiA
GetSystemInfo
IsProcessorFeaturePresent
LockResource
LoadResource
SizeofResource
FindResourceA
FindResourceW
MapViewOfFile
CreateFileMappingA
CreateFileW
UnmapViewOfFile
ReleaseMutex
CreateMutexA
GetCurrentProcessId
GetSystemDirectoryA
GetModuleFileNameA
FreeEnvironmentStringsA
UnhandledExceptionFilter
IsBadWritePtr
VirtualAlloc
VirtualFree
HeapCreate
HeapDestroy
GetFileType
GetStdHandle
SetHandleCount
FlushFileBuffers
LCMapStringW
LCMapStringA
WriteFile
FatalAppExitA
SetUnhandledExceptionFilter
HeapSize
TlsAlloc
TlsGetValue
TlsSetValue
GetCurrentThreadId
TlsFree
GetStartupInfoA
HeapReAlloc
HeapAlloc
HeapFree
GetSystemTimeAsFileTime
GetCurrentProcess
TerminateProcess
ExitProcess
RtlUnwind
RaiseException
InterlockedExchange
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetConsoleCtrlHandler
GetTimeFormatA
CompareStringA
CompareStringW
SetEnvironmentVariableA
GetTimeZoneInformation
SetEndOfFile
GetLocaleInfoW
GetCurrentDirectoryA
GetSystemDefaultLCID
SetCurrentDirectoryA
GetEnvironmentStrings
USER32.dll
wsprintfA
IsIconic
GetWindowLongA
GetMenu
AdjustWindowRectEx
SystemParametersInfoA
DestroyWindow
SetWindowLongA
ShowWindow
LoadIconA
LoadCursorA
RegisterClassA
ReleaseCapture
GetWindowPlacement
SetTimer
ClipCursor
PostQuitMessage
SetCursor
SetCapture
DefWindowProcA
MapVirtualKeyA
UpdateWindow
GetKeyState
FindWindowA
SetForegroundWindow
PeekMessageA
DispatchMessageA
TranslateMessage
GetKeyboardLayout
DialogBoxParamA
EndDialog
GetDlgItem
SetFocus
SendMessageA
SetWindowPos
AdjustWindowRect
CreateWindowExA
ShowCursor
GetWindowRect
MessageBoxA
SetWindowTextA
ClientToScreen
SetCursorPos
GetClientRect
GDI32.dll
DeleteObject
ADVAPI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
RegQueryValueExA
RegOpenKeyA
RegSetValueExA
ole32.dll
CoCreateInstance
CoInitialize
CoUninitialize
d3d9.dll (delay-loaded)
Direct3DCreate9

Delayed Imports

Attributes 0x1
Name d3d9.dll
ModuleHandle 0x89ce7c
DelayImportAddressTable 0x4e6554
DelayImportNameTable 0x4a2fb0
BoundDelayImportTable 0x4a2ff8
UnloadDelayImportTable 0
TimeStamp 1970-Jan-01 00:00:00

1

Type RT_ICON
Language English - United Kingdom
Codepage UNKNOWN
Size 0x2e8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.26682
MD5 fc68ba237e908cf829e29de0836713bc
SHA1 ded3095a8dce64c5a8bbe44d505d4c0c44cb836f
SHA256 55f26b64c0b072c8b33b6e250b1a13e6e351f46fef2975f93542ff7c2b94d1e6
SHA3 89c60cddf73385b46656eca556a9e9e1e796334b131487dcdc13d34529dc74b4

104

Type RT_DIALOG
Language English - United Kingdom
Codepage UNKNOWN
Size 0x138
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.01767
MD5 d9c6ead0dce188b414c310eed365a020
SHA1 c4ed7497b2e64cdc961c7722ae307ae7beed4f1f
SHA256 a72f36872f57d8a298ff6c28230e54cb4c71b6d35ce265d3803f378139d9773b
SHA3 42b2c93bfc3d9409bbdf6564e62eeccde961ecf1955f0f22b6de240798d748eb

100

Type RT_GROUP_ICON
Language English - United Kingdom
Codepage UNKNOWN
Size 0x14
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.16096
Detected Filetype Icon file
MD5 42cf62b780813706e75fb9f2b2e8c258
SHA1 a022d5c1cfdd8aace0089f3e72f2eedd41bda464
SHA256 a0c9d012e2bf6b2fe05c2d97cb5594d97cf2f539e97935c12abd7a3562f4d9bf
SHA3 0aafc8e3d8b6bde595537da4ffe0efc5fe53f01dafe336a2a5828b6a71283d3c

Version Info

IMAGE_DEBUG_TYPE_UNKNOWN

Characteristics 0
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
SizeofData 0
AddressOfRawData 0
PointerToRawData 0

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x5ca67d0
Unmarked objects 0
39 (9162) 8
ASM objects (VS2002 (.NET) build 9466) 49
C objects (VS2002 (.NET) build 9466) 165
Linker (VC++ 6.0 SP5 imp/exp build 8447) 2
C objects (VS98 build 8168) 5
Linker (VS98 build 8168) 2
C objects (9178) 5
Imports (9210) 15
Total imports 218
42 (8803) 3
18 (8444) 6
C++ objects (9178) 48
48 (9044) 121
Unmarked objects (#2) 2
C++ objects (VS2002 (.NET) build 9466) 469
Resource objects (VS2002 (.NET) build 9466) 1
Linker (VS2002 (.NET) build 9466) 1

Errors

[*] Warning: Section _rwdseg has a size of 0!
[!] Error: Yara error: ERROR_TOO_MANY_MATCHES