Manalyze report for f677ca4d16b22270eefee3934b8268b4

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2007-Mar-17 10:50:38
Detected languages	Korean - Korea
Comments
CompanyName	WebZen
FileDescription	main
FileVersion	`1, 2, 20, 0`
InternalName	main
LegalCopyright	Copyright ? 2002
LegalTrademarks
OriginalFilename	main.exe
PrivateBuild
ProductName	WebZen mu main
ProductVersion	`1, 0, 0, 1`
SpecialBuild

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ v6.0 DLL` `Microsoft Visual C++ 6.0 - 8.0` `MASM/TASM - sig1(h)` `Microsoft Visual C++` `Microsoft Visual C++ v6.0` `Microsoft Visual C++ v5.0/v6.0 (MFC)`
Info	Interesting strings found in the binary:	`Contains domain names: PCGameHacks.com connect.globalmuonline.com connect.muchina.com connectcs.muonline.com connection.muonline.com cs.muonline.jp globalmuonline.com muchina.com muonline.com muonline.jp`
Info	Libraries used to perform cryptographic operations:	`Microsoft's Cryptography API`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryExA GetProcAddress LoadLibraryA` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot FindWindowA` `Code injection capabilities (PowerLoader): GetWindowLongA FindWindowA` `Can access the registry: RegisterHotKey RegDeleteKeyA RegDeleteValueA RegEnumValueA RegSetValueExA RegCreateKeyExA RegOpenKeyExA RegQueryValueExA RegCloseKey` `Possibly launches other programs: WinExec CreateProcessA ShellExecuteA` `Uses Microsoft's cryptographic API: CryptGetHashParam CryptDeriveKey CryptDecrypt CryptImportKey CryptCreateHash CryptHashData CryptVerifySignatureA CryptDestroyHash CryptDestroyKey CryptReleaseContext CryptAcquireContextA` `Can create temporary files: GetTempPathA CreateFileA` `Uses functions commonly found in keyloggers: GetAsyncKeyState CallNextHookEx` `Memory manipulation functions often used by packers: VirtualAlloc VirtualProtect` `Leverages the raw socket API to access the Internet: gethostbyname WSAAsyncSelect setsockopt socket shutdown recv WSASend WSAStartup WSACleanup send WSAGetLastError inet_addr htons connect closesocket` `Manipulates other processes: Process32Next OpenProcess Process32First` `Can take screenshots: GetDC FindWindowA CreateCompatibleDC BitBlt` `Reads the contents of the clipboard: GetClipboardData`
Malicious	VirusTotal score: 3/73 (Scanned on 2024-07-04 00:28:02)	`Rising: Trojan.Fuery!8.EAFB (RDMK:cmRtazqp/Txbx7H9SBvgd8+40csg)` `VBA32: BScope.Trojan.KillFiles` `tehtris: Generic.Malware`

Hashes

MD5	`f677ca4d16b22270eefee3934b8268b4`
SHA1	`ebbfe10819d30e4591941503ac65368c732a0f3e`
SHA256	`e4714fdf18dec99d368eddac8d6cc6218e74c498c9c905e27f46c7b71ee7d128`
SHA3	`24adfdaf9a7702b3bc1234ceee0cc82c193abb60511c144e0d7264f9789ece76`
SSDeep	`98304:KvM5Dz2uXW+omXry0lliVs0iDDbLMT8tw4Cgzhqh82XeZj4:Vn2uXW+omXry0lliVs0iDDbLMTk8gzh`
Imports Hash	`110775a9009d2cab2949c8f0a3e4f476`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x118`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2007-Mar-17 10:50:38
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x302000`
SizeOfInitializedData	`0x771b000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x002EBE15 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x303000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`6.1`
ImageVersion	`0.0`
SubsystemVersion	`6.1`
Win32VersionValue	`0`
SizeOfImage	`0x7a1e000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`199c95c0f572454214fdf7058d8bda66`
SHA1	`71e7836e9b7fad8c746fbf48f3e377146505ff64`
SHA256	`cc4669f23f5865ac0e2f561b59689eb4d5e2f64ce9d0ded0072cd182a3299361`
SHA3	`976acf8c1fe073aa00549ac2b7904841a1435ebb38198919d60d55324c97e2e7`
VirtualSize	`0x301142`
VirtualAddress	`0x1000`
SizeOfRawData	`0x302000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.62244`

.rdata

MD5	`df5e006693175ea5c303f9e60339b23f`
SHA1	`28b7cb35a79c0e115905cee99495d2db2f08bae8`
SHA256	`724ac40887b790a3e624fa3216c512c6e59168008c44e3d9ae9915b25140c989`
SHA3	`c4b3fdcf30b0700148963933444e690505f46ab7e4c5c75c0fdd316fc9c92e55`
VirtualSize	`0xf0be`
VirtualAddress	`0x303000`
SizeOfRawData	`0x10000`
PointerToRawData	`0x303000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.26822`

.data

MD5	`2df0a7544c907e2893566a31b18c3bb1`
SHA1	`c7a7954c29597270db111ae013102e799a76fe95`
SHA256	`41ae0cb6a345885d0025e150c6f6228ef343b4b3e3511d049d0fd7dae5458af4`
SHA3	`99fd097ffa82366d3aca04fcd5763b1426eadff04124b58afd9fce023e1ce967`
VirtualSize	`0x7708000`
VirtualAddress	`0x313000`
SizeOfRawData	`0x20000`
PointerToRawData	`0x313000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.48372`

.rsrc

MD5	`fa2aa94f08fa8dac07e4f70439169b25`
SHA1	`0b25ea2978079c7a341b473de696df2c1f65b854`
SHA256	`47f0e97bb671d2bc4da52a8eb6f68abc39c41b1f93365708c9598baf8d90f87a`
SHA3	`6a79b0916f8c6beeeb174b064a307e8e5b4eec2a067f57a3b6c3b93eb2423404`
VirtualSize	`0x2050`
VirtualAddress	`0x7a1b000`
SizeOfRawData	`0x3000`
PointerToRawData	`0x333000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.15609`

Imports

IMM32.dll	`ImmGetCompositionStringA` `ImmGetCompositionWindow` `ImmSetCompositionWindow` `ImmGetOpenStatus` `ImmGetDefaultIMEWnd` `ImmGetConversionStatus` `ImmSetConversionStatus` `ImmGetContext` `ImmGetDescriptionA` `ImmGetIMEFileNameA` `ImmReleaseContext` `ImmSetOpenStatus`
DSOUND.dll	`#1` `#2`
OPENGL32.dll	`glColor3f` `glEnd` `glVertex3fv` `glTexCoord2f` `glBegin` `glColor3fv` `glGetIntegerv` `glGetString` `glAlphaFunc` `glFogf` `glFogfv` `glEnable` `glDisable` `glClearColor` `glTexImage2D` `glBindTexture` `glVertex3f` `glDepthMask` `glPolygonMode` `glFrontFace` `glStencilFunc` `glColorMask` `glVertex2f` `glDepthFunc` `glStencilOp` `glTexParameteri` `glTexEnvf` `glPixelStorei` `glDeleteTextures` `glIsTexture` `glColor4ub` `glLoadIdentity` `glMatrixMode` `glPopMatrix` `glClear` `glTranslatef` `glRotatef` `glPushMatrix` `wglDeleteContext` `wglMakeCurrent` `wglCreateContext` `glScalef` `glGenTextures` `glTexEnvi` `glReadPixels` `glGetFloatv` `glBlendFunc` `glViewport` `glFogi` `glFlush` `glColor4f`
GLU32.dll	`gluOrtho2D` `gluPerspective`
WINMM.dll	`mmioAscend` `mmioOpenA` `mmioClose` `timeGetTime` `mmioDescend` `mmioRead` `timeGetDevCaps` `timeBeginPeriod` `mmioWrite` `timeEndPeriod`
KERNEL32.dll	`CreateMutexA` `TerminateThread` `CreateThread` `OpenMutexA` `EnterCriticalSection` `LeaveCriticalSection` `lstrcatA` `OpenEventA` `ReleaseMutex` `GetComputerNameA` `lstrcmpA` `ExitProcess` `VirtualAlloc` `VirtualFree` `VirtualProtect` `LoadLibraryExA` `GetTempFileNameA` `GetTempPathA` `HeapFree` `GetProcessHeap` `HeapAlloc` `GetFileInformationByHandle` `GetCurrentThreadId` `GetTickCount` `Sleep` `lstrlenA` `CloseHandle` `WriteFile` `SetFilePointer` `CreateFileA` `DeleteFileA` `ReadFile` `GetLocalTime` `GetSystemDirectoryA` `lstrcmpiA` `GetVersionExA` `QueryPerformanceCounter` `SetProcessAffinityMask` `SetThreadPriority` `SetPriorityClass` `GetProcessAffinityMask` `GetThreadPriority` `GetPriorityClass` `GetCurrentThread` `GetCurrentProcess` `QueryPerformanceFrequency` `DuplicateHandle` `FreeLibrary` `GetProcAddress` `LoadLibraryA` `GlobalMemoryStatus` `GlobalUnlock` `GlobalLock` `GetCommandLineA` `GetFileSize` `GetLastError` `GetPrivateProfileStringA` `GetCurrentDirectoryA` `CopyFileA` `SetFileAttributesA` `Process32Next` `TerminateProcess` `OpenProcess` `Process32First` `CreateToolhelp32Snapshot` `WinExec` `FindClose` `FindFirstFileA` `GetModuleFileNameA` `IsBadReadPtr` `WaitForSingleObject` `CreateEventA` `CreateProcessA` `WaitForMultipleObjects` `GetExitCodeProcess` `GetModuleHandleA` `ResetEvent` `ResumeThread` `SetEndOfFile` `DeleteCriticalSection` `InitializeCriticalSection` `SetEvent` `WideCharToMultiByte` `CreateFileMappingA` `UnmapViewOfFile` `MapViewOfFile` `FindNextFileA` `RemoveDirectoryA` `GetFileAttributesA` `CreateDirectoryA` `GetThreadContext` `lstrcpynA` `GetCurrentProcessId` `Module32First` `Module32Next` `SetUnhandledExceptionFilter` `IsValidLocale` `IsValidCodePage` `GetLocaleInfoA` `EnumSystemLocalesA` `GetUserDefaultLCID` `SetHandleCount` `GetFileType` `UnhandledExceptionFilter` `FreeEnvironmentStringsA` `FreeEnvironmentStringsW` `GetEnvironmentStrings` `LCMapStringW` `GetEnvironmentStringsW` `GetEnvironmentVariableA` `HeapDestroy` `HeapCreate` `IsBadWritePtr` `IsBadCodePtr` `GetStringTypeA` `GetStringTypeW` `CompareStringA` `CompareStringW` `SetEnvironmentVariableA` `SetConsoleCtrlHandler` `GetLocaleInfoW` `SetStdHandle` `CreatePipe` `GetStdHandle` `PeekNamedPipe` `FlushFileBuffers` `lstrcpyA` `InterlockedExchange` `RtlUnwind` `InterlockedDecrement` `InterlockedIncrement` `GetTimeZoneInformation` `GetSystemTime` `GetStartupInfoA` `GetVersion` `GetSystemTimeAsFileTime` `RaiseException` `TlsSetValue` `TlsAlloc` `TlsFree` `SetLastError` `TlsGetValue` `HeapReAlloc` `HeapSize` `GetCPInfo` `GetACP` `GetOEMCP` `FatalAppExitA` `MultiByteToWideChar` `LCMapStringA` `OutputDebugStringA`
USER32.dll	`SetWindowLongA` `GetFocus` `UnregisterHotKey` `RegisterHotKey` `GetAsyncKeyState` `GetKeyboardLayout` `GetKeyboardLayoutNameA` `OpenClipboard` `SendMessageA` `wsprintfA` `GetWindowRect` `SetWindowPos` `CallNextHookEx` `UnhookWindowsHookEx` `SetWindowsHookExA` `GetDesktopWindow` `MessageBoxA` `CallWindowProcA` `GetWindowLongA` `GetCaretPos` `GetWindowTextA` `SetWindowTextA` `ShowWindow` `ReleaseDC` `GetDC` `CreateWindowExA` `CloseClipboard` `SetFocus` `IsWindowVisible` `GetScrollPos` `SetScrollPos` `SetTimer` `FindWindowA` `ShowCursor` `SystemParametersInfoA` `ReleaseCapture` `SetCapture` `DefWindowProcA` `PostQuitMessage` `EndPaint` `BeginPaint` `DestroyWindow` `RegisterClassA` `LoadCursorA` `LoadIconA` `SetForegroundWindow` `GetSystemMetrics` `AdjustWindowRect` `IsIconic` `DispatchMessageA` `TranslateMessage` `GetMessageA` `PeekMessageA` `PostMessageA` `GetClipboardData` `UpdateWindow` `EnumDisplaySettingsA` `SetCursorPos` `KillTimer` `SetRect` `OffsetRect` `PtInRect` `GetDoubleClickTime` `ScreenToClient` `GetCursorPos` `GetActiveWindow` `IntersectRect` `wvsprintfA` `ChangeDisplaySettingsA`
GDI32.dll	`SetBkColor` `SetPixelFormat` `ChoosePixelFormat` `CreateFontA` `SetBkMode` `SwapBuffers` `SelectObject` `TextOutA` `DeleteObject` `DeleteDC` `CreateDIBSection` `CreateCompatibleDC` `BitBlt` `GetTextExtentPointA` `GetTextExtentPoint32A` `SetTextColor` `GetStockObject`
ADVAPI32.dll	`InitializeSecurityDescriptor` `RegDeleteKeyA` `CryptGetHashParam` `CryptDeriveKey` `CryptDecrypt` `CryptImportKey` `CryptCreateHash` `CryptHashData` `CryptVerifySignatureA` `CryptDestroyHash` `CryptDestroyKey` `CryptReleaseContext` `SetSecurityDescriptorDacl` `RegDeleteValueA` `RegEnumValueA` `CryptAcquireContextA` `RegSetValueExA` `RegCreateKeyExA` `RegOpenKeyExA` `RegQueryValueExA` `GetUserNameA` `RegCloseKey`
SHELL32.dll	`ShellExecuteA`
ole32.dll	`CoUninitialize` `CoCreateInstance` `CoInitialize`
WS2_32.dll	`gethostbyname` `WSAAsyncSelect` `setsockopt` `socket` `shutdown` `recv` `WSASend` `WSAStartup` `WSACleanup` `send` `WSAGetLastError` `inet_addr` `htons` `connect` `closesocket`
VERSION.dll	`VerQueryValueA` `GetFileVersionInfoSizeA` `GetFileVersionInfoA`
wzAudio.dll	`wzAudioStop` `wzAudioPlay` `wzAudioGetStreamOffsetRange` `wzAudioDestroy` `wzAudioOption` `wzAudioCreate`

Delayed Imports

1

Type	`RT_ICON`
Language	Korean - Korea
Codepage	UNKNOWN
Size	`0x2e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.07176`
MD5	`46bd0e570128820855709b0ef7baedf1`
SHA1	`e3a00e970a62c66795522d5638fd07feb0ec9cee`
SHA256	`419f856569df391049fe54baa3eaba23333af684d468b3db54032b1ae99da84a`
SHA3	`273d3ff86bc30ad79810481368f1ef676f2541739920ac15a65e4afa13cde7c5`

2

Type	`RT_ICON`
Language	Korean - Korea
Codepage	UNKNOWN
Size	`0xea8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.70736`
MD5	`9326002520adbb64c0e22cfe4b56ef9f`
SHA1	`23fb80ddf56393ca578790aab88b93c089a06537`
SHA256	`e17119d66f71f8a055295d5f87c9c2cca081bbd83904fe01ab6bdc6381c6e191`
SHA3	`eb013a7517ae50bb603f8250befe6b486888245afa87edb5ce2cd7c5faf202db`

3

Type	`RT_ICON`
Language	Korean - Korea
Codepage	UNKNOWN
Size	`0x8a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.91116`
MD5	`5b3f8baf6ed52b5f2a5c88c5001736fa`
SHA1	`c9b4a610997f92be3f21c555f4b517308cac47c0`
SHA256	`ae3c6b324c9eaa11bde5b44c15c87968f088fec942f9b483b75741da8fce6813`
SHA3	`d7d179d7618467f6554a6a91a8d6c1966a8025551b1f1208fb792e72039b9bac`

4

Type	`RT_ICON`
Language	Korean - Korea
Codepage	UNKNOWN
Size	`0x128`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.67625`
MD5	`8a36e0ba48ea6216c985b760e8601777`
SHA1	`79ed19e9df7265a95acdac0945fe4e887095c78e`
SHA256	`f8e4fc643d9f8874d5180c8f75795d3cdf10c5344390a42320d3a3f5bcc3e07d`
SHA3	`1bcb14873608eb156ee667c93b68e3328363931b0c9f75d27e4696081e6c14fb`

101

Type	`RT_GROUP_ICON`
Language	Korean - Korea
Codepage	UNKNOWN
Size	`0x3e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.70237`
Detected Filetype	Icon file
MD5	`7a5323bc7bc1f8b5d24ac4563187979e`
SHA1	`0cf74ff14e9af6df11b035640c019fb5acd9f38f`
SHA256	`30318b36a5012a6a445f593ce7966ba1a0c19d9e74a8009c94903e019fd12a27`
SHA3	`21e12534926c86bf2785d56922f6e48dce8230252a7023bdf1f9549c5177b8ed`

1 (#2)

Type	`RT_VERSION`
Language	Korean - Korea
Codepage	UNKNOWN
Size	`0x334`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.28833`
MD5	`e8dc942ed4c08075d71ca94332110644`
SHA1	`8b5090265226eed7460611dc8ba997d3cba8ad57`
SHA256	`777ef0b5a62a223e17c631fdc4c4080a2fbcd806a3c50d32c0ffa6d96d0cbee0`
SHA3	`5f19fdf1c5ce4276c69c26bd477e3c56afa77fa312de9f8ed903c14a664d619f`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.2.20.0
ProductVersion	1.0.0.1
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	Korean - Korea
Comments
CompanyName	WebZen
FileDescription	main
FileVersion (#2)	1, 2, 20, 0
InternalName	main
LegalCopyright	Copyright ? 2002
LegalTrademarks
OriginalFilename	main.exe
PrivateBuild
ProductName	WebZen mu main
ProductVersion (#2)	1, 0, 0, 1
SpecialBuild

Resource LangID	Korean - Korea

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x6578ef78`
Unmarked objects	`0`
Linker (VC++ 6.0 SP5 imp/exp build 8447)	`2`
12 (7291)	`4`
14 (7299)	`42`
C objects (VS98 SP6 build 8804)	`163`
C++ objects (8047)	`3`
C++ objects (VC++ 6.0 SP5 build 8804)	`10`
C objects (VS98 build 8168)	`44`
C++ objects (9178)	`1`
Imports (9210)	`2`
Total imports	`364`
19 (8034)	`25`
C++ objects (VS98 SP6 build 8804)	`191`
Resource objects (VS98 SP6 cvtres build 1736)	`1`

f677ca4d16b22270eefee3934b8268b4

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.rsrc

Imports

Delayed Imports

1

2

3

4

101

1 (#2)

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors