| Field | Value | Details |
|---|---|---|
| Architecture | IMAGE_FILE_MACHINE_I386 | |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI | |
| Compilation Date | 1970-Jan-01 00:00:00 | |
| Detected languages | Korean - Korea | |
| FileDescription | RylClient | |
| FileVersion | 1, 5, 6, 0 | |
| InternalName | RylClient | |
| LegalCopyright | Copyright (c) - 2007 Lorenzo | |
| OriginalFilename | Client.exe | |
| ProductName | Risk Your Life Client | |
| ProductVersion | 1, 5, 6, 0 | |
| Info | Matching compiler(s): | Microsoft Visual C++ 7.1; Borland Delphi 3 -> Portions Copyright (c) 1983,97 Borland (h); Microsoft Visual C++ 6.0 - 8.0; MASM/TASM - sig1(h); Microsoft Visual C++; Microsoft Visual C++ v6.0 |
| Suspicious | Strings found in the binary may indicate undesirable behavior: | Tries to detect virtualized environments: |
| Info | Cryptographic algorithms detected in the binary: | Uses constants related to CRC32; Uses constants related to MD5; Uses constants related to SHA1; Microsoft's Cryptography API |
| Suspicious | The PE is possibly packed. | Section .text is both writable and executable. Unusual section name found: Unusual section name found: Section .idata is both writable and executable. Unusual section name found: .zero; Unusual section name found: .as_0002; Section .as_0002 is both writable and executable. Unusual section name found: .zero; Unusual section name found: .as_0003; Section .as_0003 is both writable and executable. |
| Suspicious | The PE contains functions most legitimate programs don't use. | [!] The program may be hiding some of its imports: |
| Suspicious | The file contains overlay data. | 4 bytes of data starting at offset 0x360a00. |
| Suspicious | No VirusTotal score. | This file has never been scanned on VirusTotal. |
| DOS header field | Value |
|---|---|
| e_magic | MZ |
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0x100 |
| PE header field | Value |
|---|---|
| Signature | PE |
| Machine | IMAGE_FILE_MACHINE_I386 |
| NumberofSections | 10 |
| TimeDateStamp | 1970-Jan-01 00:00:00 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xe0 |
| Characteristics | IMAGE_FILE_32BIT_MACHINE; IMAGE_FILE_EXECUTABLE_IMAGE; IMAGE_FILE_LINE_NUMS_STRIPPED; IMAGE_FILE_LOCAL_SYMS_STRIPPED; IMAGE_FILE_RELOCS_STRIPPED |
| Optional header field | Value |
|---|---|
| Magic | PE32 |
| LinkerVersion | 7.0 |
| SizeOfCode | 0x2cf000 |
| SizeOfInitializedData | 0xe17000 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x01834CED (Section: .as_0003) |
| BaseOfCode | 0x1000 |
| BaseOfData | 0x2d0000 |
| ImageBase | 0x400000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 4.0 |
| ImageVersion | 0.0 |
| SubsystemVersion | 4.0 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x183c000 |
| SizeOfHeaders | 0x400 |
| Checksum | 0 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| SizeofStackReserve | 0x100000 |
| SizeofStackCommit | 0x1000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |
| Imported DLL | Imported functions |
|---|---|
| advapi32.dll | CryptGetHashParam, CryptDeriveKey, CryptDecrypt, CryptImportKey, CryptCreateHash, CryptHashData, CryptVerifySignatureA, CryptDestroyHash, CryptDestroyKey, CryptAcquireContextA, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, RegQueryValueExA, RegCreateKeyExA, RegOpenKeyA, RegDeleteValueA, RegSetValueExA, RegOpenKeyExA, RegQueryInfoKeyA, RegEnumKeyA, RegCloseKey |
| dsound.dll | DirectSoundEnumerateA, DirectSoundCreate8 |
| gdi32.dll | SetMapMode, ExtTextOutA, GetTextExtentPoint32A, SetDIBitsToDevice, GetObjectA, CreateFontA, GetStockObject, GetDeviceCaps, CreateICA, DeleteObject, CreateFontIndirectA, DeleteDC, SelectObject, SetTextColor, SetBkColor, SetBkMode, CreateCompatibleDC, CreateDIBSection, SetTextAlign |
| imm32.dll | ImmSetCompositionWindow, ImmGetStatusWindowPos, ImmSetStatusWindowPos, ImmSetConversionStatus, ImmSetOpenStatus, ImmGetDefaultIMEWnd, ImmGetContext, ImmNotifyIME, ImmReleaseContext, ImmSetCompositionStringA, ImmGetCandidateListA, ImmGetCandidateWindow, ImmSetCandidateWindow, ImmGetCompositionStringA, ImmGetCompositionWindow |
| kernel32.dll | LocalFree, GetCurrentThread, GetCurrentProcess, SetFilePointer, InterlockedExchange, GetACP, GetLocaleInfoA, GetThreadLocale, GetVersionExA, RaiseException, GetLastError, InitializeCriticalSection, DeleteCriticalSection, GetCommandLineA, lstrlenW, CreateDirectoryA, GetUserDefaultLangID, FindNextFileA, FreeConsole, SetConsoleTitleA, AllocConsole, LeaveCriticalSection, GetCurrentThreadId, GetCurrentProcessId, EnterCriticalSection, QueryPerformanceFrequency, QueryPerformanceCounter, LoadLibraryExA, MapViewOfFile, CreateFileMappingA, CreateFileW, UnmapViewOfFile, HeapFree, GetProcessHeap, LockResource, LoadResource, SizeofResource, FindResourceA, IsProcessorFeaturePresent, WriteFile, IsBadStringPtrA, GetLocaleInfoW, SetEnvironmentVariableA, IsBadCodePtr, CompareStringW, VirtualQuery, DebugBreak, IsValidCodePage, IsValidLocale, EnumSystemLocalesA, GetUserDefaultLCID, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, UnhandledExceptionFilter, GetStringTypeW, GetStringTypeA, GetModuleFileNameA, IsBadWritePtr, HeapCreate, HeapDestroy, GetOEMCP, HeapSize, GetFileType, SetHandleCount, GetTimeZoneInformation, TlsGetValue, TlsSetValue, TlsFree, SetLastError, TlsAlloc, GetCPInfo, LCMapStringW, LCMapStringA, GetDateFormatA, GetTimeFormatA, FileTimeToSystemTime, MoveFileA, ExitThread, GetFileAttributesA, TerminateProcess, GetStartupInfoA, GetModuleHandleA, FormatMessageA, SetUnhandledExceptionFilter, CreateFileA, GetFileSize, ReadFile, CloseHandle, OutputDebugStringA, GlobalFree, GetCurrentDirectoryA, GetFullPathNameA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, lstrlenA, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, GlobalLock, GlobalUnlock, FreeLibrary, LoadLibraryA, GetProcAddress, GetTickCount, GetLocalTime, GetSystemTimeAsFileTime, HeapReAlloc, GetVolumeInformationA, SetEvent, SetEndOfFile, ResumeThread, RtlUnwind, InterlockedIncrement, InterlockedDecrement, GetPrivateProfileIntA, GetPrivateProfileStringA, MulDiv, ReleaseSemaphore, CreateSemaphoreA, lstrcpyA, FlushFileBuffers, PeekNamedPipe, GetStdHandle, CreatePipe, SetStdHandle, DuplicateHandle, HeapAlloc, DeleteFileA, GetDriveTypeA, GetDiskFreeSpaceExA, GlobalMemoryStatus, lstrcmpiA, VirtualProtect, VirtualFree, VirtualAlloc, GetSystemDirectoryA, IsBadReadPtr, ExitProcess, ReleaseMutex, CreateMutexA, TerminateThread, Sleep, GetSystemInfo, CompareStringA, CreateThread, OpenMutexA, lstrcatA, OpenEventA, WaitForSingleObject, CreateEventA, CreateProcessA, WaitForMultipleObjects, GetExitCodeProcess, ResetEvent, InterlockedCompareExchange |
| oleaut32.dll | SysAllocStringLen, SysFreeString, VariantInit |
| shell32.dll | ShellExecuteA |
| shlwapi.dll | PathFindExtensionA, PathFileExistsA |
| user32.dll | GetMessageA, PeekMessageA, FindWindowA, TranslateMessage, SetCursorPos, DrawTextA, DrawTextW, DispatchMessageA, LoadCursorA, RegisterClassA, SetTimer, wsprintfA, PostMessageA, GetKeyState, GetCursorPos, GetWindowRect, GetClientRect, SetRect, CharNextA, CharPrevA, SendMessageA, ReleaseDC, GetDC, GetKeyboardLayout, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, GetClipboardData, IsClipboardFormatAvailable, GetAsyncKeyState, GetFocus, GetSysColor, IntersectRect, MessageBoxA, SetWindowTextA, SetFocus, CallWindowProcA, SetWindowLongA, CreateWindowExA, DestroyWindow, ShowCursor, ChangeDisplaySettingsA, EnumDisplaySettingsA, PostQuitMessage, DefWindowProcA, SetCursor |
| winmm.dll | timeGetTime, waveOutGetDevCapsA, waveOutGetNumDevs, mmioAscend, mmioRead, mmioDescend, mmioOpenA, mmioGetInfo, mmioCreateChunk, mmioSeek, mmioSetInfo, mmioAdvance, mmioWrite, mmioClose |
| ws2_32.dll | WSACreateEvent, ntohs, WSASendTo, WSARecvFrom, setsockopt, bind, WSARecv, WSASocketA, WSAEventSelect, connect, WSACloseEvent, closesocket, shutdown, gethostbyname, gethostname, getsockname, send, WSASend, WSAGetLastError, WSAEnumNetworkEvents, WSACleanup, WSAStartup, htons, inet_addr, htonl, inet_ntoa |
| d3d8.dll | Direct3DCreate8 |
| dbghelp.dll | SymGetModuleInfo, SymSetOptions, SymInitialize, SymGetSymFromAddr, SymFromAddr, SymGetLineFromAddr, StackWalk, SymFunctionTableAccess, SymCleanup, SymSetContext, SymEnumSymbols, SymGetModuleBase, SymGetTypeInfo |
| ijl15.dll | ijlInit, ijlWrite, ijlFree |
| ole32.dll | CoUninitialize, CoSetProxyBlanket, CoCreateInstance, CoInitializeEx |
| Version resource field | Value |
|---|---|
| Signature | 0xfeef04bd |
| StructVersion | 0x10000 |
| FileVersion | 1.5.6.0 |
| ProductVersion | 1.5.6.0 |
| FileFlags | (EMPTY) |
| FileOs | VOS_DOS_WINDOWS32; VOS_NT_WINDOWS32; VOS__WINDOWS32 |
| FileType | VFT_APP |
| Language | UNKNOWN |
| FileDescription | RylClient |
| FileVersion (#2) | 1, 5, 6, 0 |
| InternalName | RylClient |
| LegalCopyright | Copyright (c) - 2007 Lorenzo |
| OriginalFilename | Client.exe |
| ProductName | Risk Your Life Client |
| ProductVersion (#2) | 1, 5, 6, 0 |
| Resource LangID | UNKNOWN |