Windows
Analysis Report
gta_sa.exe
Overview
General Information
Detection
Score: | 23 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 60% |
Signatures
Classification
- System is w10x64
- gta_sa.exe (PID: 2504 cmdline: "C:\Users\user\Desktop\gta_sa.exe" MD5: E7697A085336F974A4A6102A51223960)
- cleanup
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Input Capture | 1 Security Software Discovery | Remote Services | 1 Input Capture | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | ReversingLabs |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1559582 |
Start date and time: | 2024-11-20 17:30:10 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 32s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | gta_sa.exe |
Detection: | SUS |
Classification: | sus23.winEXE@1/0@0/0 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- VT rate limit hit for: gta_sa.exe
File type: | |
Entropy (8bit): | 7.428002861421193 |
TrID: | |
File name: | gta_sa.exe |
File size: | 14'405'632 bytes |
MD5: | e7697a085336f974a4a6102a51223960 |
SHA1: | 0df50d56ef9e304c8d59366afa9aa5c71159261d |
SHA256: | 8c609f108ad737deffbd0d17c702f5974d290c4379de742277b809f80350da1c |
SHA512: | 2abc0796fa3f4e194c7714ea15e6fea0ce34adee467adfb6ad96d56470718f7ae7c11dbe38f91699bd933a29edf7b0cf62bcdcc742df58a2aeb2b518e5c90d41 |
SSDEEP: | 393216:CDNnPxT4+Xkn6x9ayhgvdQ65jvA2mqQ+:Uni+io9uvdQgA9q |
TLSH: | A9E612577600C097EA4330724806FC967791CE745F7796A37B8CBE2E29B2694D8372E2 |
File Content Preview: | MZ......................@...................................@...).x.e.@..D<.......h.}.................(.b.'......'H.&)...t..F..I.-a?"\....`..pD%M..VV-...gY1(.>k.3...{@8d=>..tY z......GX.x.......(.....j.h.................f..G0. .....:.........X.4.*.@...%.. |
Icon Hash: | 8e87878e9c8caeb7 |
Entrypoint: | 0x12ffe40 |
Entrypoint Section: | .init |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | |
Time Stamp: | 0x4270F18A [Thu Apr 28 14:22:02 2005 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | c07fc76a0773659fb8c5e6b5013914ea |
Instruction |
---|
push eax |
push ss |
pop ss |
pushfd |
mov eax, dword ptr [esp] |
test ah, 00000001h |
je 00007FB384F0FCE7h |
mov ecx, 000007BEh |
xor eax, eax |
je 00007FB384F0FCE3h |
call 00007FB39B415582h |
pop ss |
pushfd |
mov eax, dword ptr [esp] |
test ah, 00000001h |
je 00007FB384F0FCE7h |
mov ecx, 000007BEh |
xor eax, eax |
je 00007FB384F0FCE3h |
call 00007FB3088D5582h |
in al, dx |
and al, C7h |
inc esp |
and al, 20h |
ficomp word ptr [eax+44C7132Ch] |
and al, 1Ch |
pushfd |
add al, byte ptr [eax] |
add byte ptr [ecx-46E7DBB4h], cl |
adc dh, bh |
das |
add ecx, eax |
dec esp |
and al, 20h |
add byte ptr [ecx-74EBDBBCh], cl |
add dword ptr [eax+20244401h], edx |
nop |
add ecx, 04h |
lea esi, dword ptr [esi] |
dec word ptr [esp+1Ch] |
nop |
jne 00007FB384F0FCCDh |
or byte ptr [esp+20h], 00000001h |
mov ecx, dword ptr [esp+24h] |
mov eax, dword ptr [esp+20h] |
mov dword ptr [esp+20h], ecx |
xchg edi, edi |
mov ecx, dword ptr [esp+18h] |
mov dword ptr [esp+24h], eax |
mov eax, dword ptr [esp+14h] |
add esp, 20h |
nop |
popfd |
jnbe 00007FB384F0FCF3h |
add dword ptr [esp], 012ADEEAh |
add dword ptr [esp], 000510C3h |
jmp 00007FB384F0FCDCh |
push eax |
push ss |
pop ss |
pushfd |
mov eax, dword ptr [esp] |
test ah, 00000001h |
je 00007FB384F0FCE7h |
mov ecx, 000007BEh |
xor eax, eax |
je 00007FB384F0FCE3h |
call 00007FB39B415582h |
pop ss |
pushfd |
mov eax, dword ptr [esp] |
test ah, 00000001h |
je 00007FB384F0FCE7h |
mov ecx, 000000BEh |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1157e12 | 0xdc | .securom |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8b0000 | 0x520 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1156368 | 0x1c | .securom |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x115757a | 0x44c | .securom |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x4a1ee0 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x455cda | 0x456000 | 759a86ec888aca835be83bebb36c1cc1 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
_rwcseg | 0x457000 | 0x451 | 0x1000 | 0c2f94cf9c1c85e37a8d1a6d9c1cd35b | False | 0.28955078125 | data | 2.941959439091133 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x458000 | 0x4b29c | 0x4c000 | db7d4d54315fd5a8a7976f276eddfc9f | False | 0.3458444695723684 | OpenPGP Public Key | 5.541613871037211 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x4a4000 | 0x3f9434 | 0x40000 | 8995715a053ef41f4333bdf7d75bea65 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
_TEXT_HA | 0x89e000 | 0x10a82 | 0x11000 | febc8925ffd3776de6530510bfa64292 | False | 0.5987333409926471 | data | 6.540908103945562 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
_rwdseg | 0x8af000 | 0x8 | 0x1000 | 620f0b67a91f7f74151bc5be745b7110 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x8b0000 | 0x520 | 0x1000 | 646afd3f5531f001cd9b81d0f834f78f | False | 0.166259765625 | data | 1.5415565362664405 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.text | 0x8b1000 | 0x649b20 | 0x64a000 | f062b900278a4650741b3bb5d8d42279 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.init | 0xefb000 | 0x58b0 | 0x6000 | cb55fba15addd8f19db1a0801a1a6435 | False | 0.3461100260416667 | data | 6.101240107284273 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.data | 0xf01000 | 0x2543c4 | 0x255000 | 878547f1485a698402473d89664a5c14 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.securom | 0x1156000 | 0x21000 | 0x21000 | 7f9a63689422c0be83e02b065491d857 | False | 0.5552201704545454 | data | 6.467953452624957 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x8b0220 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors | English | Great Britain | 0.5443548387096774 |
RT_DIALOG | 0x8b00f0 | 0x12e | data | English | Great Britain | 0.6158940397350994 |
RT_GROUP_ICON | 0x8b0508 | 0x14 | data | English | Great Britain | 1.2 |
DLL | Import |
---|---|
WINMM.dll | timeEndPeriod, timeGetTime, timeBeginPeriod, timeGetDevCaps |
vorbisfile.dll | ov_open_callbacks, ov_clear, ov_time_total, ov_time_tell, ov_read, ov_info, ov_time_seek |
WS2_32.dll | recv, send, closesocket, htons, inet_addr, connect, WSAGetLastError, WSAStartup, WSACleanup, socket |
EAX.DLL | |
KERNEL32.dll | VirtualProtect, GetOEMCP, GetACP, IsBadCodePtr, IsBadReadPtr, GetStringTypeW, GetStringTypeA, IsValidCodePage, IsValidLocale, EnumSystemLocalesA, GetLocaleInfoA, GetCPInfo, GetDateFormatA, VirtualQuery, GetTickCount, GetModuleHandleA, GetProcAddress, LoadLibraryA, GetFileSize, CloseHandle, LocalFree, WaitForSingleObjectEx, GetOverlappedResult, WaitForSingleObject, ReleaseSemaphore, SetFilePointer, GetLastError, ReadFile, SetLastError, CreateFileA, ResumeThread, SetThreadPriority, GetThreadPriority, GetCurrentThread, CreateThread, LocalAlloc, CreateSemaphoreA, GetDiskFreeSpaceA, Sleep, QueryPerformanceCounter, InterlockedIncrement, InterlockedDecrement, lstrcpyA, lstrcatA, lstrlenA, DeleteCriticalSection, SuspendThread, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, MultiByteToWideChar, DeleteFileA, TerminateThread, FindClose, FindNextFileA, GetFileAttributesA, FindFirstFileA, FreeLibrary, QueryPerformanceFrequency, OutputDebugStringA, GetLocalTime, CreateDirectoryA, GetUserDefaultLCID, SetStdHandle, CreateEventA, GetVolumeInformationA, GetDriveTypeA, GetLogicalDriveStringsA, SetErrorMode, GlobalMemoryStatus, GetVersionExA, GetCommandLineA, GetFullPathNameA, WideCharToMultiByte, lstrcmpiA, GetSystemInfo, IsProcessorFeaturePresent, LockResource, LoadResource, SizeofResource, FindResourceA, FindResourceW, MapViewOfFile, CreateFileMappingA, CreateFileW, UnmapViewOfFile, ReleaseMutex, CreateMutexA, GetCurrentProcessId, GetSystemDirectoryA, GetModuleFileNameA, FreeEnvironmentStringsA, UnhandledExceptionFilter, IsBadWritePtr, VirtualAlloc, VirtualFree, HeapCreate, HeapDestroy, GetFileType, GetStdHandle, SetHandleCount, FlushFileBuffers, LCMapStringW, LCMapStringA, WriteFile, FatalAppExitA, SetUnhandledExceptionFilter, HeapSize, TlsAlloc, TlsGetValue, TlsSetValue, GetCurrentThreadId, TlsFree, GetStartupInfoA, HeapReAlloc, HeapAlloc, HeapFree, GetSystemTimeAsFileTime, GetCurrentProcess, TerminateProcess, ExitProcess, RtlUnwind, RaiseException, InterlockedExchange, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetConsoleCtrlHandler, GetTimeFormatA, CompareStringA, CompareStringW, SetEnvironmentVariableA, GetTimeZoneInformation, SetEndOfFile, GetLocaleInfoW, GetCurrentDirectoryA, GetSystemDefaultLCID, SetCurrentDirectoryA, GetEnvironmentStrings, CompareFileTime, SetFileAttributesA, CopyFileA, WaitNamedPipeA, SetNamedPipeHandleState, GetShortPathNameA, FileTimeToSystemTime, GetWindowsDirectoryA, GetUserDefaultLangID, CreateProcessA, GetTempPathA, DeviceIoControl, FormatMessageA, GetLogicalDrives, SetPriorityClass, GetPriorityClass, QueryDosDeviceA, lstrcmpA |
USER32.dll | wsprintfA, IsIconic, GetWindowLongA, GetMenu, AdjustWindowRectEx, SystemParametersInfoA, DestroyWindow, SetWindowLongA, ShowWindow, LoadIconA, LoadCursorA, RegisterClassA, ReleaseCapture, GetWindowPlacement, SetTimer, ClipCursor, PostQuitMessage, SetCursor, SetCapture, DefWindowProcA, MapVirtualKeyA, UpdateWindow, GetKeyState, FindWindowA, SetForegroundWindow, PeekMessageA, DispatchMessageA, TranslateMessage, GetKeyboardLayout, DialogBoxParamA, EndDialog, GetDlgItem, SetFocus, SendMessageA, SetWindowPos, AdjustWindowRect, CreateWindowExA, ShowCursor, GetWindowRect, MessageBoxA, SetWindowTextA, ClientToScreen, SetCursorPos, GetClientRect, SendDlgItemMessageA, GetWindowTextA, GetParent, GetClassNameA, FindWindowExA, EnumWindows, LoadCursorFromFileA, SetSystemCursor, LoadImageA, CopyImage, GetForegroundWindow, DialogBoxIndirectParamA |
GDI32.dll | DeleteObject |
ADVAPI32.dll | RegCloseKey, RegCreateKeyExA, RegOpenKeyExA, RegQueryValueExA, RegOpenKeyA, RegSetValueExA, OpenThreadToken, OpenProcessToken, GetTokenInformation, AllocateAndInitializeSid, EqualSid, RegEnumKeyExA, ControlService, QueryServiceStatus, OpenSCManagerA, CreateServiceA, OpenServiceA, StartServiceA, DeleteService, CloseServiceHandle, RegQueryValueA, RegFlushKey, RegDeleteValueA, RevertToSelf |
ole32.dll | CoCreateInstance, CoInitialize, CoUninitialize |
VERSION.dll | GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | Great Britain |
Target ID: | 0 |
Start time: | 11:31:05 |
Start date: | 20/11/2024 |
Path: | C:\Users\user\Desktop\gta_sa.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 14'405'632 bytes |
MD5 hash: | E7697A085336F974A4A6102A51223960 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |