Manalyze report for 90761ea58eded549f113493f5d2b3004

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2020-Oct-20 03:45:47
Detected languages	English - United States
CompanyName	Ratiborus
FileDescription	W10 Digital Activation Program + KMS38

Plugin Output

Suspicious	PEiD Signature:	`UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX v2.0 -> Markus, Laszlo & Reiser (h)` `UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX -> www.upx.sourceforge.net` `UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to MD5` `Uses constants related to SHA256`
Suspicious	The PE is packed with UPX	`Unusual section name found: UPX0` `Section UPX0 is both writable and executable.` `Unusual section name found: UPX1` `Section UPX1 is both writable and executable.`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Has Internet access capabilities: URLDownloadToFileW InternetOpenW` `Can take screenshots: BitBlt GetDC`
Info	The PE is digitally signed.	`Signer: WZTeam` `Issuer: WZTeam`
Malicious	VirusTotal score: 53/71 (Scanned on 2022-08-03 08:30:44)	`Lionic: Riskware.Win32.Malicious.1!c` `tehtris: Generic.Malware` `Cynet: Malicious (score: 100)` `CAT-QuickHeal: Hacktool.Kms` `McAfee: Crack-KMS` `Cylance: Unsafe` `VIPRE: Trojan.GenericKD.44349224` `Sangfor: Hacktool.Win32.AutoKMS.mt` `K7AntiVirus: Unwanted-Program ( 004dc8ab1 )` `K7GW: Unwanted-Program ( 004dc8ab1 )` `Cybereason: malicious.58eded` `Cyren: W32/S-a7c29f8e!Eldorado` `Symantec: Trojan.Gen.MBT` `Elastic: malicious (moderate confidence)` `ESET-NOD32: a variant of Win32/HackTool.WinActivator.AA potentially unsafe` `APEX: Malicious` `Paloalto: generic.ml` `ClamAV: Win.Malware.Zpevdo-7051854-0` `BitDefender: Trojan.GenericKD.44349224` `NANO-Antivirus: Riskware.Win32.WinActivator.iaendf` `MicroWorld-eScan: Trojan.GenericKD.44349224` `Avast: FileRepMetagen [PUP]` `Rising: Hacktool.WinActivator!8.40F (CLOUD)` `Ad-Aware: Trojan.GenericKD.44349224` `Emsisoft: Trojan.GenericKD.44349224 (B)` `Comodo: Malware@#2fhkqzt393mqr` `DrWeb: Trojan.Siggen12.44904` `Zillya: Tool.WinActivator.Win32.1250` `TrendMicro: HackTool.Win32.AutoKMS.AUSYP` `McAfee-GW-Edition: Crack-KMS` `Trapmine: suspicious.low.ml.score` `FireEye: Generic.mg.90761ea58eded549` `Sophos: WZTeam Software Cracks (PUA)` `SentinelOne: Static AI - Malicious PE` `GData: Win32.Trojan.PSE.5IU0Y6` `Webroot: W32.Hacktool.Kms` `MAX: malware (ai score=100)` `Antiy-AVL: Trojan/Generic.ASMalwS.5298` `Gridinsoft: Crack.KMS.vl!c` `Arcabit: Trojan.Generic.D2A4B728` `Microsoft: HackTool:Win32/AutoKMS` `AhnLab-V3: Unwanted/Win32.HackKMS.C2079343` `Acronis: suspicious` `ALYac: Trojan.GenericKD.44349224` `Malwarebytes: AutoKMS.HackTool.Patcher.DDS` `TrendMicro-HouseCall: HackTool.Win32.AutoKMS.AUSYP` `Ikarus: PUA.HackTool.Kmsauto` `MaxSecure: Trojan.Malware.106567772.susgen` `Fortinet: Riskware/WinActivator` `BitDefenderTheta: Gen:NN.ZexaF.34582.HnMfaCyXGHki` `AVG: FileRepMetagen [PUP]` `Panda: Trj/GdSda.A` `CrowdStrike: win/grayware_confidence_100% (W)`

Hashes

MD5	`90761ea58eded549f113493f5d2b3004`
SHA1	`b3eb6d387cf4b3bc02329867ba0557df01a467c1`
SHA256	`cc66e4f46f397f8eb63a317d09ac3306c76966d035f4d2800f59b395b3b5e533`
SHA3	`bb2af4a61f9661edfddde8720f688a8c174228e20a4f4c5ad4e4b0c39dba0fb7`
SSDeep	`49152:bKZThz1Bi0GGvc1aRXiKn2w4uS+Im6ME9c8Z1TF6naM:mrzi0NEaRXz2w4uS+I71c8ZtEaM`
Imports Hash	`2a6e8c27cd939f7a9015601a417f473e`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	2020-Oct-20 03:45:47
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`2.0`
SizeOfCode	`0x172000`
SizeOfInitializedData	`0x12000`
SizeOfUninitializedData	`0x37e000`
AddressOfEntryPoint	`0x004F04C0 (Section: UPX1)`
BaseOfCode	`0x37f000`
BaseOfData	`0x4f1000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x503000`
SizeOfHeaders	`0x1000`
Checksum	`0x1880fa`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

UPX0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x37e000`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0x200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

UPX1

MD5	`5659f0f704b86415df868810271a10f0`
SHA1	`d5a951469697af27ba73134c5a3ea773fd9c234b`
SHA256	`95fb3fa460dc2091fdf5d945539184f990f1e1e7ae5f11faf1056add855f870a`
SHA3	`0622478428ec82fdbf4ffec8a8879af4795b595b4d4c9fab28cdcd63760e5a3b`
VirtualSize	`0x172000`
VirtualAddress	`0x37f000`
SizeOfRawData	`0x171800`
PointerToRawData	`0x200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.87284`

.rsrc

MD5	`cdc3f1ce0aede183f9823eed99a2518a`
SHA1	`0cbdd50d833764e00a919ad990843d19b20fe5a4`
SHA256	`88f7fb6cdde0695365d88b8528b7f4482ec8981f46bf51061c0c7ef8f1c905e8`
SHA3	`e1b60236d99b6c4396d41345d335758db06c9b12def3e9914dd783b24c5fe9ea`
VirtualSize	`0x12000`
VirtualAddress	`0x4f1000`
SizeOfRawData	`0x11400`
PointerToRawData	`0x171a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.50467`

Imports

ADVAPI32.DLL	`IsValidSid`
COMCTL32.DLL	`ImageList_Add`
GDI32.DLL	`BitBlt`
gdiplus.dll	`GdipFree`
ICMP.DLL	`IcmpSendEcho`
IMAGEHLP.DLL	`MakeSureDirectoryPathExists`
IPHLPAPI.DLL	`GetAdaptersInfo`
KERNEL32.DLL	`LoadLibraryA` `ExitProcess` `GetProcAddress` `VirtualProtect`
MSI.DLL	`MsiEnumProductsW`
MSVCRT.dll	`pow`
NETAPI32.DLL	`NetUserDel`
OLE32.DLL	`CoInitialize`
OLEAUT32.DLL	`SafeArrayGetDim`
SETUPAPI.DLL	`SetupIterateCabinetW`
SHELL32.DLL	`IsNetDrive`
URLMON.DLL	`URLDownloadToFileW`
USER32.DLL	`GetDC`
USERENV.DLL	`GetDefaultUserProfileDirectoryW`
WININET.DLL	`InternetOpenW`
WINMM.DLL	`timeBeginPeriod`
WINSPOOL.DRV	`SetPrinterW`
WSOCK32.DLL	`bind`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10828`
TimeDateStamp	2020-Oct-20 03:45:47
Entropy	`3.27326`
MD5	`3faba206e17a7739fde9395af30429d6`
SHA1	`f246a0ee4150bf9a374c037530357107799220a0`
SHA256	`176a25d21a29ffb94a85722207cc61168910639558e8e3151943202ebe87b4f7`
SHA3	`1c141d80cd3f48ebe43b7aef7d5f86a83e69a86dd7bb5653c6151fad184a6eda`

1 (#2)

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x14`
TimeDateStamp	2020-Oct-20 03:45:47
Entropy	`1.98048`
Detected Filetype	Icon file
MD5	`38388dda6548693f4d42f2241a4218d7`
SHA1	`78bedd12a20f97e31e58742381f3d0ca1edb4715`
SHA256	`cd0991dd595a1392452a8c7ccf089e73626bc6eed1fd3f54ee4c6aa7ffbaedba`
SHA3	`9ace1e9f008d60580379cdfdcd4119706c82d52d2e5fdb9e5745fa00864cc1a8`

1 (#3)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x188`
TimeDateStamp	2020-Oct-20 03:45:47
Entropy	`3.18521`
MD5	`4040776a1a40eb9648413947d9190fee`
SHA1	`4d9b33dfe89b760ab5c8c15fdcca7c54522a63da`
SHA256	`398ae2a6febc023ed666673fe2bfb0875e76c2641b269a8b1e3662527def4258`
SHA3	`2309f0bdb76c040c52db0efc0366c340b0c82f24e1290c37d54028f29680ebaf`

1 (#4)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x36a`
TimeDateStamp	2020-Oct-20 03:45:47
Entropy	`4.8674`
MD5	`51b64d39a55078d058a15b5e22444329`
SHA1	`b9950727e9851ea00b78c38dbfa273f10b62b5c1`
SHA256	`73be60d13be4f58a165c75b1b9706812ebf610f779501c9884dcb829229599b6`
SHA3	`4e6c684060193156f2f2b382f9362c400cefddcc2c7a2985f775e712a4a88a12`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.3.9.0
ProductVersion	1.3.9.0
FileFlags	`(EMPTY)`
FileOs	`(EMPTY)`
FileType	`VFT_UNKNOWN`
Language	UNKNOWN
CompanyName	Ratiborus
FileDescription	W10 Digital Activation Program + KMS38

Resource LangID	English - United States

TLS Callbacks

Load Configuration

RICH Header

Errors

[*] Warning: Section UPX0 has a size of 0!