GTA 4 Files , False Flag ?!
GTA 4 Files , False Flag ?! #1
Hello everyone, I had GTA 4 cracked, everything cool, but I checked the crack's files and found out that they are sus! For me, I think it's a false flag for many reasons, but I wanted to make sure and ask people who had these files before or people who can test better. Are those DLLs safe? Considering they were made 4 years ago, though.
Files of GTA IV crack (from Prophet): https://gofile.io/d/asGPRH (558 KB file; I removed the .exe cracks, they are safe)

Scans: https://www.virustotal.com/gui/file/d1dc.../detection

and : https://www.virustotal.com/gui/file/7527...fc/details

Looking forward to your opinions.
(This post was last modified: 11-21-2020, 02:05 PM by TheMinister.)

RE: GTA 4 Files , False Flag ?! #2
This looks like a job for @"miso" since he's skilled at analyzing files, but here are a few of my observations. If the files really are infected I suspect they've been infected with the Cerberus RAT, and have also been crypted with an open source obfuscator. Based on detections like "Gen:Variant.Cerbu.76118", "Win32:Trojan-gen", and "VirTool:Win32/Obfuscator.f5993fec" I can conclude that. And since this is a possible remote access tool, I highly doubt whoever created the RAT server is still operating with that same DNS and port.

If you've already run the program and see nothing abnormal like files you don't remember creating, strange system processes, system slowdowns, system or program crashing on your system, it should be safe to keep using this crack. If this is or was a virus, that would be a different story since viruses spread on their own without the need for human control.


RE: GTA 4 Files , False Flag ?! #3
(11-21-2020, 07:54 PM)Drako Wrote: This looks like a job for @"miso" since he's skilled at analyzing files, but here are a few of my observations. If the files really are infected I suspect they've been infected with the Cerberus RAT, and have also been crypted with an open source obfuscator. Based on detections like "Gen:Variant.Cerbu.76118", "Win32:Trojan-gen", and "VirTool:Win32/Obfuscator.f5993fec" I can conclude that. And since this is a possible remote access tool, I highly doubt whoever created the RAT server is still operating with that same DNS and port.

If you've already run the program and see nothing abnormal like files you don't remember creating, strange system processes, system slowdowns, system or program crashing on your system, it should be safe to keep using this crack. If this is or was a virus, that would be a different story since viruses spread on their own without the need for human control.

Thanks for the reply. I didn't run the program on my PC, and those DLLs are C++; I don't know how to check C++ DLLs yet. And yes, your point is good: this is 4 years old at least by the hash submission, rarely that the file is infected and the DNS is still running, because this is Skidrow's website version since 2016. I still need a detailed opinion about those C++ DLLs.
(This post was last modified: 11-21-2020, 09:53 PM by TheMinister.)

RE: GTA 4 Files , False Flag ?! #4
(11-21-2020, 07:54 PM)Drako Wrote: This looks like a job for @"miso" since he's skilled at analyzing files, but here are a few of my observations. If the files really are infected I suspect they've been infected with the Cerberus RAT, and have also been crypted with an open source obfuscator. Based on detections like "Gen:Variant.Cerbu.76118", "Win32:Trojan-gen", and "VirTool:Win32/Obfuscator.f5993fec" I can conclude that. And since this is a possible remote access tool, I highly doubt whoever created the RAT server is still operating with that same DNS and port.

If you've already run the program and see nothing abnormal like files you don't remember creating, strange system processes, system slowdowns, system or program crashing on your system, it should be safe to keep using this crack. If this is or was a virus, that would be a different story since viruses spread on their own without the need for human control.

This is actually a good point. I'm certain a lot of cracked applications from 4+ years ago still work, but the malware on them is likely well past a functioning state. Not that you'd want to run the programs, but there might not be any consequences.
[+] 2 users Like Dismas's post

RE: GTA 4 Files , False Flag ?! #5
can't really show conclusive proof that it's malicious due to the VMProtect version used, but it very likely is.

- The .exes just load the DLLs, they aren't obfuscated
- DLLs seem to check if they've been loaded with the right app.

RE: GTA 4 Files , False Flag ?! #6
(11-22-2020, 12:34 AM)miso Wrote: can't really show conclusive proof that it's malicious due to the VMProtect version used, but it very likely is.

- The .exes just load the DLLs, they aren't obfuscated
- DLLs seem to check if they've been loaded with the right app.

Thank you for the effort, miso. Which app do you use to read the DLLs?

RE: GTA 4 Files , False Flag ?! #7
(11-22-2020, 12:49 AM)TheMinister Wrote:
(11-22-2020, 12:34 AM)miso Wrote: can't really show conclusive proof that it's malicious due to the VMProtect version used, but it very likely is.

- The .exes just load the DLLs, they aren't obfuscated
- DLLs seem to check if they've been loaded with the right app.

Thank you for the effort, miso. Which app do you use to read the DLLs?

private app, can't say the name for multiple reasons

you probably can just use some hex editor or string viewer, it'll probably have the same effect
(This post was last modified: 11-22-2020, 12:52 AM by miso.)

[+] 1 user Likes miso's post
RE: GTA 4 Files , False Flag ?! #8
(11-22-2020, 12:51 AM)miso Wrote: you probably can just use some hex editor or string viewer, it'll probably have the same effect

I searched sinister.ly with no result on string viewer; any suggestion? Also, no one has proof that those DLLs are meant to be bad, right?

RE: GTA 4 Files , False Flag ?! #9
I did some digging; the game doesn't add any files in appdata or registry etc. It has suspicious IP calls and some DNS arpa calls:
239.255.255.250 port: 1900 UDP
224.0.0.251 port: 41
www.rockstargames.com
tv.rockstargames.com
DNS: DNS host : c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa
The first IP address could be used for C&C calls at that time. Use VirusTotal for the IPs!
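Added example, not written by any poster in this thread: a small triage helper that sorts observed destinations like the ones listed above into multicast groups, public unicast hosts and hostnames, and decodes ip6.arpa names of the form quoted in the post. The function names and the KNOWN_GROUPS table are assumptions made for this illustration.

```python
import ipaddress

# Destinations listed in the post above. The ip6.arpa entry is constructed
# here as the reverse-lookup name of ff02::c, not copied from the post.
OBSERVED = [
    "239.255.255.250", "224.0.0.251",
    "www.rockstargames.com", "tv.rockstargames.com",
    ipaddress.ip_address("ff02::c").reverse_pointer,
]

# Well-known multicast groups and the discovery protocol that uses each.
KNOWN_GROUPS = {
    "239.255.255.250": "SSDP / UPnP discovery",
    "224.0.0.251": "mDNS",
    "ff02::c": "SSDP / UPnP discovery",
    "ff02::fb": "mDNS",
}

def decode_ip6_arpa(name):
    """Turn a nibble-reversed ip6.arpa name back into an IPv6 address, else None."""
    name = name.rstrip(".").lower()
    if not name.endswith(".ip6.arpa"):
        return None
    nibbles = name[: -len(".ip6.arpa")].split(".")
    if len(nibbles) != 32 or any(len(n) != 1 or n not in "0123456789abcdef" for n in nibbles):
        return None
    return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))

def classify(dest):
    """Return (address or name, verdict) for one observed destination."""
    addr = decode_ip6_arpa(dest)
    if addr is None:
        try:
            addr = ipaddress.ip_address(dest)
        except ValueError:
            return dest, "hostname: resolve it and review the answers"
    if addr.is_multicast:
        return str(addr), "multicast group: " + KNOWN_GROUPS.get(str(addr), "unrecognised")
    if addr.is_global:
        return str(addr), "public unicast host: worth a reputation lookup"
    return str(addr), "private or reserved address"

if __name__ == "__main__":
    for dest in OBSERVED:
        print("%-20s %s" % classify(dest))
```

Multicast group addresses are not individual remote hosts, so a reputation lookup on them says little; the public unicast and hostname entries are the ones to check against resolver and reputation data.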

RE: GTA 4 Files , False Flag ?! #10
(11-22-2020, 08:32 PM)TheMinister Wrote: I did some digging; the game doesn't add any files in appdata or registry etc. It has suspicious IP calls and some DNS arpa calls:
239.255.255.250 port: 1900 UDP
224.0.0.251 port: 41
www.rockstargames.com
tv.rockstargames.com
DNS: DNS host : c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa
The first IP address could be used for C&C calls at that time. Use VirusTotal for the IPs!

here's a decent one
