citizen-scripting-lua54[.]dll

Sharing

Copy URL

Twitter E-mail

General

Target

citizen-scripting-lua54.dll
Size

2.3MB
MD5

ea825479182f32a34268705e1c998aae
SHA1

5cc5e2b6447557cfdbbbe2d1b0ace63867ac08eb
SHA256

230fb7a0dfd5ab6a525debd919288854ffd057ecdd5a06558ce9f4041d2e0ea6
SHA512

2a582a1d620508467df565d3cb6ede330511b53ec14272c42ca31c75f7249ea352a4cf8ef61a9102278e5549ea24f995cc4a0f6af9a418bf6d22d91ddcee0814
SSDEEP

24576:0zKtOWrzbqebqaEc/tEpEKZaElF2KVemZvL9weeSmPvKvef0FmISPos+IleWgg3u:IWrzJbqaEc/ET229BLufVeW5v10j

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
citizen-scripting-lua54.dll

Files

citizen-scripting-lua54.dll
.dll windows:6 windows x64 arch:x64

487d8990c3792f97fd2ded8c1197dc6c

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

C:\gl\builds\cfx-fivem-3\.build-cache\bin\server\windows\release\dbg\citizen-scripting-lua54.pdb

Imports

kernel32

GetCurrentProcess
RtlCaptureContext
OutputDebugStringA
GetFullPathNameW
CloseHandle
GetCurrentThread
GetSystemInfo
GetNativeSystemInfo
GetProcessAffinityMask
ReleaseSemaphore
WaitForSingleObjectEx
CreateSemaphoreExW
TlsAlloc
LoadLibraryW
TlsFree
SetEvent
GetModuleFileNameA
LoadLibraryExA
GetLastError
FreeLibrary
FormatMessageA
VirtualFree
VirtualAlloc
GetLargePageMinimum
LocalFree
GetLocaleInfoEx
TerminateProcess
GetProcAddress
GetModuleHandleW
InitializeSListHead
DisableThreadLibraryCalls
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
IsDebuggerPresent
CreateEventW
ResetEvent
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
AcquireSRWLockExclusive
AreFileApisANSI
MultiByteToWideChar
WideCharToMultiByte
InitOnceBeginInitialize
InitOnceComplete
ReleaseSRWLockExclusive

user32

MessageBoxW

citizen-scripting-core

?EnterScope@ProfilerComponent@fx@@QEAAXAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@_J@Z
?ExitScope@ProfilerComponent@fx@@QEAAX_J@Z
?GetMetaField@ScriptNativeContext@invoker@fx@@SAPEAXW4MetaField@23@@Z
?GetPointerField@ScriptNativeContext@invoker@fx@@SAPEAXW4MetaField@23@_K@Z
?PushMetaPointer@ScriptNativeContext@invoker@fx@@QEAAXPEAE@Z
?ScriptError@ScriptNativeContext@invoker@fx@@QEBAXPEBD@Z
?ScriptingFilesystemAllowWrite@fx@@YA_NAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?Invoke@ScriptNativeContext@invoker@fx@@QEAAXXZ
?FromHash@ScriptNativeHandler@invoker@fx@@SAAEBV123@_K@Z

citizen-resources-core

?OnInitializeInstance@ResourceManager@fx@@2V?$fwEvent@PEAVResourceManager@fx@@@@A
?GetCurrent@ResourceManager@fx@@SAPEAV12@_N@Z

vfs-core

?ExtensionCtl@Device@vfs@@UEAA_NHPEAX_K@Z
?GetModifiedTime@Device@vfs@@UEAA_JAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?GetLength@ZipFile@vfs@@UEAA_K_K@Z
?GetLength@ZipFile@vfs@@UEAA_KAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?GetAttributes@Device@vfs@@UEAAIAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?RemoveDirectoryW@Device@vfs@@UEAA_NAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?CreateDirectoryW@Device@vfs@@UEAA_NAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?RenameFile@Device@vfs@@UEAA_NAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0@Z
?RemoveFile@Device@vfs@@UEAA_NAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?CloseBulk@ZipFile@vfs@@UEAA_N_K@Z
?Close@ZipFile@vfs@@UEAA_N_K@Z
?Seek@ZipFile@vfs@@UEAA_K_K_JH@Z
?WriteBulk@Device@vfs@@UEAA_K_K0PEBX0@Z
?Write@Device@vfs@@UEAA_K_KPEBX0@Z
?ReadBulk@ZipFile@vfs@@UEAA_K_K0PEAX0@Z
?Read@ZipFile@vfs@@UEAA_K_KPEAX0@Z
?Create@Device@vfs@@UEAA_KAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@_N1@Z
?OpenBulk@ZipFile@vfs@@UEAA_KAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PEA_K@Z
?Open@ZipFile@vfs@@UEAA_KAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@_N1@Z
??1ZipFile@vfs@@UEAA@XZ
?Mount@vfs@@YAXV?$fwRefContainer@VDevice@vfs@@@@AEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?FindNext@ZipFile@vfs@@UEAA_N_KPEAUFindData@2@@Z
??0ZipFile@vfs@@QEAA@XZ
?ReadToEnd@Stream@vfs@@QEAA?AV?$vector@EV?$allocator@E@std@@@std@@XZ
?OpenRead@vfs@@YA?AV?$fwRefContainer@VStream@vfs@@@@AEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?Flush@Stream@vfs@@QEAA_NXZ
?Write@Stream@vfs@@QEAA_KPEBX_K@Z
?GetLength@Stream@vfs@@QEAA_KXZ
?Seek@Stream@vfs@@QEAA_K_JH@Z
?Read@Stream@vfs@@QEAA_KPEAX_K@Z
??1Stream@vfs@@UEAA@XZ
??0Stream@vfs@@QEAA@V?$fwRefContainer@VDevice@vfs@@@@_K@Z
?FindDevice@vfs@@YA?AV?$fwRefContainer@VDevice@vfs@@@@AEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AEAV34@@Z
?GetDevice@vfs@@YA?AV?$fwRefContainer@VDevice@vfs@@@@AEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?Close@Stream@vfs@@QEAAXXZ
?Flush@ZipFile@vfs@@UEAA_N_K@Z
?OpenBulk@Device@vfs@@UEAA_KAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PEA_K@Z
?ReadBulk@Device@vfs@@UEAA_K_K0PEAX0@Z
?FindClose@ZipFile@vfs@@UEAAX_K@Z
?CloseBulk@Device@vfs@@UEAA_N_K@Z
?GetLength@Device@vfs@@UEAA_KAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?GetLength@Device@vfs@@UEAA_K_K@Z
?SetPathPrefix@Device@vfs@@UEAAXAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
??1Device@vfs@@UEAA@XZ
??0Device@vfs@@QEAA@XZ
?OpenArchive@ZipFile@vfs@@QEAA_NAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?SetPathPrefix@ZipFile@vfs@@UEAAXAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?FindFirst@ZipFile@vfs@@UEAA_KAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PEAUFindData@2@@Z
?GetAbsolutePath@ZipFile@vfs@@UEBA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ

scripting-server

?GetNativeHandler@ScriptEngine@fx@@SA?AV?$function@$$A6AXAEAVScriptContext@fx@@@Z@std@@_K@Z

msvcp140

?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_Incref@facet@locale@std@@UEAAXXZ
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
?id@?$numpunct@D@std@@2V0locale@2@A
??1facet@locale@std@@MEAA@XZ
_Mtx_init_in_situ
_Mtx_destroy_in_situ
_Mtx_lock
_Mtx_unlock
?_Throw_C_error@std@@YAXH@Z
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
??0facet@locale@std@@IEAA@_K@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Xbad_alloc@std@@YAXXZ
?_Getcvt@_Locinfo@std@@QEBA?AU_Cvtvec@@XZ
?_Syserror_map@std@@YAPEBDH@Z
?_Winerror_map@std@@YAHH@Z
?_Xout_of_range@std@@YAXPEBD@Z
_Query_perf_counter
_Query_perf_frequency
?_Xbad_function_call@std@@YAXXZ
_Thrd_yield
??0_Lockit@std@@QEAA@H@Z
??1_Lockit@std@@QEAA@XZ
??0_Locinfo@std@@QEAA@PEBD@Z
??Bid@locale@std@@QEAA_KXZ
?c_str@?$_Yarn@D@std@@QEBAPEBDXZ
?_Gettrue@_Locinfo@std@@QEBAPEBDXZ
?_Getfalse@_Locinfo@std@@QEBAPEBDXZ
??1_Locinfo@std@@QEAA@XZ

vcruntime140_1

__CxxFrameHandler4

vcruntime140

strrchr
longjmp
memset
memmove
memcpy
memcmp
__C_specific_handler
_CxxThrowException
__std_terminate
strstr
strchr
_purecall
__std_exception_destroy
__std_exception_copy
__intrinsic_setjmp
__current_exception_context
__current_exception
memchr
__std_type_info_destroy_list

api-ms-win-crt-stdio-l1-1-0

ungetc
_popen
__stdio_common_vsprintf
tmpfile
__stdio_common_vfprintf
tmpnam
__acrt_iob_func
feof
getc
_pclose
__stdio_common_vsprintf_s
fflush
clearerr
fwrite
fopen
__stdio_common_vsnprintf_s
ferror
freopen
_ftelli64
fread
_fseeki64
setvbuf
fclose

api-ms-win-crt-runtime-l1-1-0

_initterm
_initterm_e
_invalid_parameter_noinfo_noreturn
strerror
_crt_atexit
_cexit
_execute_onexit_table
_register_onexit_function
_errno
terminate
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv
_seh_filter_dll
abort
exit
system

api-ms-win-crt-math-l1-1-0

atan
atan2
erff
atan2f
nearbyintf
asinhf
expm1f
modf
atanf
_hypotf
_dpcomp
log10
_fdpcomp
ceil
ceilf
floor
copysignf
fdim
cos
cosf
modff
_fdsign
ilogbf
remainderf
fdimf
cosh
_ldclass
coshf
tgamma
log2
fmax
atanh
log1pf
expm1
atanhf
exp
cbrtf
_fdclass
log1p
expf
floorf
fma
fmodf
log
lgammaf
asinf
scalbn
log10f
trunc
_dclass
log2f
nextafter
logf
powf
acosh
ilogb
copysign
fmin
remainder
tgammaf
roundf
logb
ldexp
exp2f
sin
sinf
frexp
sinh
exp2
fmaxf
sinhf
round
erfc
hypot
pow
sqrt
fminf
erfcf
sqrtf
nextafterf
cbrt
tan
logbf
tanf
erf
scalbnf
tanh
lgamma
asinh
nearbyint
asin
tanhf
_dsign
_ldsign
acosf
fmod
acos
acoshf
truncf

api-ms-win-crt-heap-l1-1-0

free
realloc
_callnewh
calloc
malloc
_aligned_malloc
_aligned_free

api-ms-win-crt-string-l1-1-0

islower
strspn
strpbrk
strcmp
toupper
isgraph
isupper
strcoll
iscntrl
isalpha
strncmp
isalnum
strncat
ispunct
isxdigit
isdigit
isspace
tolower

api-ms-win-crt-locale-l1-1-0

___lc_codepage_func
setlocale
localeconv

api-ms-win-crt-time-l1-1-0

clock
_time64
_gmtime64
_localtime64
strftime
_mktime64
_difftime64

api-ms-win-crt-utility-l1-1-0

rand

api-ms-win-crt-filesystem-l1-1-0

remove
rename

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-convert-l1-1-0

strtod

advapi32

OpenProcessToken
LookupPrivilegeValueW
AdjustTokenPrivileges

Exports

Exports

?GetCitizenLibs@LuaScriptRuntime@fx@@SAPEBUluaL_Reg@@XZ
?GetLuaLibs@LuaScriptRuntime@fx@@SAPEBUluaL_Reg@@XZ
?lua_fx_opendebug@fx@@YAHPEAUlua_State@@@Z
?lua_fx_openio@fx@@YAHPEAUlua_State@@@Z
?lua_fx_openos@fx@@YAHPEAUlua_State@@@Z
?lua_rpmalloc_free@LuaStateHolder@fx@@CAXPEAX@Z
?lua_rpmalloc_state@LuaStateHolder@fx@@CAPEAUlua_State@@AEAPEAX@Z
?pUndumpHook@@3P6AHPEBD_K@ZEA
CreateComponent

Sections

.text
Size: 1.9MB - Virtual size: 1.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 248KB - Virtual size: 247KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 21KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 77KB - Virtual size: 76KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

487d8990c3792f97fd2ded8c1197dc6c

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

citizen-scripting-core

citizen-resources-core

vfs-core

scripting-server

msvcp140

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-convert-l1-1-0

advapi32

Exports

Exports

Sections

.text Size: 1.9MB - Virtual size: 1.9MB

.rdata Size: 248KB - Virtual size: 247KB

.data Size: 21KB - Virtual size: 28KB

.pdata Size: 77KB - Virtual size: 76KB

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 9KB - Virtual size: 8KB

.text
Size: 1.9MB - Virtual size: 1.9MB

.rdata
Size: 248KB - Virtual size: 247KB

.data
Size: 21KB - Virtual size: 28KB

.pdata
Size: 77KB - Virtual size: 76KB

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 9KB - Virtual size: 8KB