GTAIV[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

GTAIV.exe
Size

12.8MB
MD5

9fa1c2a3f2932d46538bc14e715cfccc
SHA1

66d8cedfa46b5a0b9ae7b7c6a9651b2a6b3436d3
SHA256

8506977df430084f0b62176019b3dd57471e43957e50be7001d2d9d045ea18cc
SHA512

204c001ef910823626f73a2e35a16da146681aa8d990c849242aa136b96a42aee37e0d064a212d99106846f658bb648ea09f9dc84756ea7f51e154fa40d8d5d5
SSDEEP

196608:AXtzkFJx+iebk6ABmtxrXr+y+Wq/VXOvoX3:pFJH7mDrm9ea

Score

1^/10

Malware Config

Signatures

Files

GTAIV.exe
.exe windows:4 windows x86 arch:x86

1dda9f5137651a415b1ed7099f8dcf4f

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0c:56:41:0e:7a:8c:f2:6e:7f:1f:30:6f:fc:e6:70:cc
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

22/09/2008, 00:00

Not After

22/09/2009, 23:59

Subject

CN=Take-Two Interactive Software\, Inc.,OU=Rockstar Games+OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Take-Two Interactive Software\, Inc.,L=New York City,ST=New York,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

a5:25:4b:78:2e:fe:c0:97:fd:8b:81:c5:38:68:fe:54:66:72:da:43
Signer

Actual PE Digest

a5:25:4b:78:2e:fe:c0:97:fd:8b:81:c5:38:68:fe:54:66:72:da:43

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

user32

wsprintfA
PostMessageA
CharLowerBuffA
ReleaseCapture
GetParent
GetMessageA
LoadIconA
MoveWindow
RegisterClassW
CreateWindowExW
SetWindowTextA
UpdateWindow
GetWindowInfo
GetDesktopWindow
DefWindowProcW
PeekMessageA
TranslateMessage
DispatchMessageA
LoadCursorA
RegisterClassA
SetRect
MessageBoxA
EnumDisplayDevicesA
DestroyWindow
UnregisterClassA
DefWindowProcA
AdjustWindowRect
GetSystemMetrics
GetClientRect
GetWindowRect
UnhookWindowsHookEx
SetWindowsHookExA
CallNextHookEx
GetDC
ReleaseDC
GetKeyboardState
GetKeyboardLayoutNameA
LoadKeyboardLayoutA
IsWindow
GetWindowTextA
IsWindowVisible
IsWindowUnicode
GetTitleBarInfo
GetKeyboardLayout
MapVirtualKeyExA
ToAsciiEx
SetWindowLongA
SetWindowPos
GetForegroundWindow
GetWindow
SetFocus
EnableWindow
ShowCursor
IsWindowEnabled
GetActiveWindow
GetTopWindow
SetForegroundWindow
SetCapture
GetCapture
GetFocus
ShowWindow
SendMessageA
SystemParametersInfoA
FindWindowA
BringWindowToTop
SetWindowPlacement
SetActiveWindow
GetWindowPlacement
MessageBoxW

psapi

GetPerformanceInfo
EnumProcessModules
GetModuleFileNameExA
EnumProcesses

crypt32

CryptUnprotectData
CryptProtectData
CertFreeCertificateContext
CertCloseStore
CryptMsgClose
CertGetNameStringA
CryptQueryObject
CryptMsgGetParam
CertFindCertificateInStore

wininet

HttpAddRequestHeadersA
HttpSendRequestExA
HttpEndRequestA
InternetCrackUrlA
InternetCheckConnectionA
InternetGetConnectedState
InternetWriteFile
InternetReadFile
InternetQueryDataAvailable
HttpSendRequestA
HttpOpenRequestA
InternetCloseHandle
InternetConnectA
InternetOpenA

binkw32

_BinkSetMemory@8
_BinkGetError@0
_BinkClose@4
_BinkGetSummary@8
_BinkSetVolume@12
_BinkSetSoundSystem@8
_BinkRegisterFrameBuffers@8
_BinkNextFrame@4
_BinkOpenDirectSound@4
_BinkShouldSkip@4
_BinkWait@4
_BinkGoto@12
_BinkGetFrameBuffersInfo@8
_BinkGetKeyFrame@12
_BinkOpen@8
_BinkPause@8
_BinkDoFrame@4

wintrust

WinVerifyTrust

xlive

ord5329
ord5317
ord5333
ord5318
ord5327
ord5300
ord5323
ord5326
ord69
ord5336
ord5322
ord5325
ord5328
ord5316
ord20
ord24
ord7
ord5332
ord57
ord5252
ord72
ord70
ord5305
ord5260
ord5215
ord5214
ord5312
ord5278
ord5280
ord5319
ord5324
ord5276
ord5277
ord5286
ord5281
ord5284
ord75
ord66
ord63
ord5254
ord5310
ord5311
ord5024
ord5315
ord5292
ord5022
ord1082
ord5262
ord5265
ord5261
ord5263
ord5030
ord51
ord1
ord5017
ord5016
ord5002
ord5007
ord5001
ord5005
ord5003
ord651
ord5270
ord27
ord15
ord52
ord5345
ord5344
ord5264
ord5314
ord5008
ord5335
ord5251
ord38
ord39
ord1083
ord6
ord4
ord12
ord3
ord22
ord73
ord58
ord5
ord5019
ord5018
ord5000
ord84
ord5331
ord5038
ord5034
ord5036
ord5037
ord5337
ord5035
ord5267
ord14
ord18
ord13
ord11
ord5295
ord5303
ord5294
ord26
ord9
ord5330
ord2
ord5256

d3d9

Direct3DCreate9

dinput8

DirectInput8Create

dsound

ord2
ord9
ord11

version

GetFileVersionInfoA
GetFileVersionInfoSizeA
VerQueryValueA

ws2_32

closesocket
socket
send
inet_ntoa
ntohs
gethostbyname
connect
recv
htons
htonl
inet_addr
ntohl
recvfrom
__WSAFDIsSet
select
gethostname
WSACleanup
getsockname
WSAGetLastError
sendto
shutdown

shlwapi

PathAppendA
PathFileExistsA
PathStripPathW

wmvcore

WMCreateSyncReader
WMCreateWriter
WMCreateProfileManager
WMCreateReader
WMCreateWriterFileSink

winmm

timeGetTime
waveOutSetVolume
waveOutReset
waveOutWrite
waveOutPrepareHeader
waveOutOpen
waveOutClose
timeEndPeriod
timeBeginPeriod

powrprof

CallNtPowerInformation

kernel32

GetCurrentThread
LocalAlloc
SetThreadAffinityMask
CloseHandle
OpenProcess
CreateFileMappingA
GetSystemDirectoryA
GlobalAlloc
GlobalFree
GetProcessHeap
SetEnvironmentVariableA
CompareStringW
CompareStringA
FlushFileBuffers
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
VirtualQuery
VirtualProtect
SetStdHandle
GetStringTypeW
GetStringTypeA
GetLocaleInfoA
RtlUnwind
GetConsoleMode
GetConsoleCP
LCMapStringW
LCMapStringA
RaiseException
GetModuleHandleW
HeapCreate
HeapDestroy
GetStartupInfoA
GetWindowsDirectoryA
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
GetStdHandle
OutputDebugStringA
HeapSize
TlsFree
TlsSetValue
TlsAlloc
TlsGetValue
GetOEMCP
GetACP
GetCPInfo
GetFileType
SetUnhandledExceptionFilter
UnhandledExceptionFilter
HeapFree
HeapAlloc
HeapReAlloc
GetFullPathNameA
GetCurrentDirectoryA
GetDriveTypeA
GetTimeZoneInformation
GetSystemTimeAsFileTime
ExitProcess
TerminateThread
DuplicateHandle
OpenFile
WideCharToMultiByte
LoadLibraryW
RemoveDirectoryA
SetEndOfFile
SetFilePointer
GetFileSizeEx
CreateDirectoryA
SetFileTime
FormatMessageA
ReadFile
FileTimeToSystemTime
MoveFileA
FileTimeToLocalFileTime
SetFileAttributesA
WaitForMultipleObjects
InitializeCriticalSection
TryEnterCriticalSection
InterlockedCompareExchange
WriteFile
CreateSemaphoreA
SetThreadPriorityBoost
CreateThread
ResumeThread
ReleaseSemaphore
ReleaseMutex
GetCurrentThreadId
GetDateFormatA
GetTimeFormatA
CreateFileA
CreateMutexA
GetUserDefaultLangID
VirtualFree
VirtualAlloc
VirtualQueryEx
QueryPerformanceCounter
QueryPerformanceFrequency
InterlockedDecrement
ResetEvent
InterlockedIncrement
SetEvent
GetModuleFileNameA
ExpandEnvironmentStringsA
GetCommandLineA
FreeLibrary
GetVersionExA
LocalFree
WaitForSingleObject
SetHandleCount
lstrcpyA
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
Sleep
OpenThread
GetThreadPriority
SetThreadPriority
GlobalMemoryStatus
OpenEventA
lstrcatA
FindFirstFileA
GetFileAttributesA
FindNextFileA
FindClose
lstrlenA
MultiByteToWideChar
FoldStringW
GetLocalTime
LoadLibraryA
GetProcAddress
InterlockedExchange
InterlockedExchangeAdd
CopyFileA
GetDiskFreeSpaceExA
GetModuleHandleA
GetModuleFileNameW
SetLastError
OpenFileMappingW
MapViewOfFile
UnmapViewOfFile
HeapSetInformation
GetProcessAffinityMask
DeleteFileA
GetTickCount
GetUserDefaultUILanguage
GetLastError
CreateEventA
GlobalMemoryStatusEx
GetSystemTimes
GetSystemInfo
TerminateProcess
CreateToolhelp32Snapshot
GetCurrentProcessId
CreateProcessA
Process32Next
Process32First
GetCurrentProcess

gdi32

CreateDCA
ExtEscape
DeleteDC
GetDeviceCaps
GetStockObject

advapi32

RegCloseKey
CryptReleaseContext
CryptHashData
RegEnumKeyA
RegOpenKeyA
RegOpenKeyExA
CryptCreateHash
CryptGetHashParam
RegQueryValueExA
CryptDestroyHash
CryptAcquireContextA

shell32

SHGetFolderPathA
SHCreateDirectoryExA
ShellExecuteA

ole32

CoUninitialize
CoSetProxyBlanket
CoCreateInstance
CoInitializeEx
CoInitialize
CLSIDFromString
OleDraw
OleUninitialize
OleInitialize

oleaut32

VariantInit
SysFreeString
VariantClear
SysAllocString
SafeArrayGetVartype
SafeArrayCopy
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayCreateVector

atl80

ord42
ord41

Sections

.text
Size: 8.8MB - Virtual size: 8.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.5MB - Virtual size: 1.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1.1MB - Virtual size: 10.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 680KB - Virtual size: 676KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 772KB - Virtual size: 769KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

1dda9f5137651a415b1ed7099f8dcf4f

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2Certificate

Extended Key Usages

Key Usages

0c:56:41:0e:7a:8c:f2:6e:7f:1f:30:6f:fc:e6:70:ccCertificate

Extended Key Usages

Key Usages

a5:25:4b:78:2e:fe:c0:97:fd:8b:81:c5:38:68:fe:54:66:72:da:43Signer

Headers

DLL Characteristics

File Characteristics

Imports

user32

psapi

crypt32

wininet

binkw32

wintrust

xlive

d3d9

dinput8

dsound

version

ws2_32

shlwapi

wmvcore

winmm

powrprof

kernel32

gdi32

advapi32

shell32

ole32

oleaut32

atl80

Sections

.text Size: 8.8MB - Virtual size: 8.8MB

.rdata Size: 1.5MB - Virtual size: 1.5MB

.data Size: 1.1MB - Virtual size: 10.0MB

.tls Size: 4KB - Virtual size: 1KB

.rsrc Size: 680KB - Virtual size: 676KB

.reloc Size: 772KB - Virtual size: 769KB

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

0c:56:41:0e:7a:8c:f2:6e:7f:1f:30:6f:fc:e6:70:cc
Certificate

a5:25:4b:78:2e:fe:c0:97:fd:8b:81:c5:38:68:fe:54:66:72:da:43
Signer

.text
Size: 8.8MB - Virtual size: 8.8MB

.rdata
Size: 1.5MB - Virtual size: 1.5MB

.data
Size: 1.1MB - Virtual size: 10.0MB

.tls
Size: 4KB - Virtual size: 1KB

.rsrc
Size: 680KB - Virtual size: 676KB

.reloc
Size: 772KB - Virtual size: 769KB