Manalyze report for 81f84a27c49ddd56c799d935787becb989a6e5b8e000e76e21c82b6cde4c42ff

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2016-Sep-03 10:28:04
TLS Callbacks	2 callback(s) detected.

Plugin Output

Info	Interesting strings found in the binary:	`Contains domain names: microsoft.com redmond.microsoft.com steveb1.redmond.microsoft.com`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to AES` `Microsoft's Cryptography API`
Info	The PE contains common functions which appear in legitimate applications.	`Uses Microsoft's cryptographic API: CryptAcquireContextW CryptCreateHash CryptDestroyHash CryptDestroyKey CryptGetHashParam CryptHashData CryptImportKey CryptSetHashParam`
Malicious	VirusTotal score: 38/70 (Scanned on 2023-04-17 21:15:39)	`Lionic: Hacktool.Win32.KMSAuto.3!c` `MicroWorld-eScan: Application.Hacktool.KMSAuto.BP` `CAT-QuickHeal: Hacktool.Hacktool` `McAfee: GenericRXPA-ZN!CC470D06E9AF` `Malwarebytes: HackTool.AutoKMS` `Zillya: Tool.KMSAuto.Win32.1562` `Sangfor: Hacktool.Win32.KMSAuto.V1dn` `K7GW: Unwanted-Program ( 0055fea61 )` `K7AntiVirus: Unwanted-Program ( 0055fea61 )` `ESET-NOD32: Win32/HackKMS.AQ potentially unsafe` `Kaspersky: HEUR:HackTool.Win32.KMSAuto.gen` `BitDefender: Application.Hacktool.KMSAuto.BP` `NANO-Antivirus: Riskware.Win32.KMSAuto.inferm` `Avast: FileRepPup [PUP]` `Emsisoft: Application.Hacktool.KMSAuto.BP (B)` `VIPRE: Application.Hacktool.KMSAuto.BP` `TrendMicro: HackTool.Win32.AutoKMS.AUSZP` `McAfee-GW-Edition: GenericRXPA-ZN!CC470D06E9AF` `FireEye: Application.Hacktool.KMSAuto.BP` `Sophos: Generic Reputation PUA (PUA)` `GData: Application.Hacktool.KMSAuto.BP` `Jiangmin: HackTool.KMSAuto.ga` `Webroot: W32.Hacktool.Kms` `Antiy-AVL: HackTool/Win32.KMSAuto` `Gridinsoft: Hack.Win32.HackKMS.vb` `Xcitium: Malware@#wl6k05o3bayb` `Arcabit: Application.Hacktool.KMSAuto.BP` `ZoneAlarm: HEUR:HackTool.Win32.KMSAuto.gen` `AhnLab-V3: Unwanted/Win.KMSAuto.C5385382` `ALYac: Application.Hacktool.KMSAuto.BP` `MAX: malware (ai score=100)` `Cylance: unsafe` `TrendMicro-HouseCall: HackTool.Win32.AutoKMS.AUSZP` `Rising: PUA.HackKMS!8.185 (CLOUD)` `Ikarus: PUA.HackKMS` `MaxSecure: Trojan.Malware.74832183.susgen` `AVG: FileRepPup [PUP]` `DeepInstinct: MALICIOUS`

Hashes

MD5	`cc470d06e9afc9a7c0b395274b02ac88`
SHA1	`8a7c21cd0e565c77fb78d33ad57fd4ab9d9439f4`
SHA256	`81f84a27c49ddd56c799d935787becb989a6e5b8e000e76e21c82b6cde4c42ff`
SHA3	`e54803c9e462e3880ac448b7ea3e40d82991faa0f2d5850f8af95baa09bc361a`
SSDeep	`1536:hHaozqmRAC/xI0FTZIUdVmejDYbfr/WRo9pCmA/PPNjr3eB6GuqVW:hJzqmh/RTZbkeHqs`
Imports Hash	`673c5e187fe261326b80553fafbb99b2`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`8`
TimeDateStamp	2016-Sep-03 10:28:04
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_DEBUG_STRIPPED` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`2.0`
SizeOfCode	`0x7400`
SizeOfInitializedData	`0xe400`
SizeOfUninitializedData	`0x600`
AddressOfEntryPoint	`0x000014E0 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x9000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`1.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x15000`
SizeOfHeaders	`0x400`
Checksum	`0x1bae0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NO_SEH` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x200000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`2d4c9a31482bcb34d68a37025c920366`
SHA1	`6297917b189f708db46e9d0c5a54b94cee8cc27a`
SHA256	`b24362d8901473cd169e4c07724fd3305ac135d4871adebe016c0d37f5a26e6e`
SHA3	`f4e117e60b0f18614c42fc953c64bbfe67afa9a7375dbb1d682e5e79c34a1a85`
VirtualSize	`0x7384`
VirtualAddress	`0x1000`
SizeOfRawData	`0x7400`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_1BYTES` `IMAGE_SCN_ALIGN_2048BYTES` `IMAGE_SCN_ALIGN_256BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_8BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.1994`

.data

MD5	`589b3ea140abafecde24b87985182fac`
SHA1	`8002a03658cd318b7aaff6c3357d2cd76bd282a9`
SHA256	`ab1becb38d201c99d4021da3ba99b0ea0d763816053ce3ee010d0a3f5593892b`
SHA3	`b4a681b58a7ed19d6d4cfcfedac2a18e12c3866546d7b979f332615cac145d3e`
VirtualSize	`0x304`
VirtualAddress	`0x9000`
SizeOfRawData	`0x400`
PointerToRawData	`0x7800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_1BYTES` `IMAGE_SCN_ALIGN_2048BYTES` `IMAGE_SCN_ALIGN_256BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_8BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.674321`

.rdata

MD5	`a5c5eb563734e549593444a68b943323`
SHA1	`e9c9128f8dda715135b325f5c1fd12915f62fa19`
SHA256	`637bbd1c949e87e6dfe19009ff6399a59017dfd2e924570bc961515922ce07bf`
SHA3	`f751a8dfc4e6b56bf61f8ea681eff9d1bf3dfc0986600546f617a627b35faf8f`
VirtualSize	`0x5224`
VirtualAddress	`0xa000`
SizeOfRawData	`0x5400`
PointerToRawData	`0x7c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_1BYTES` `IMAGE_SCN_ALIGN_2048BYTES` `IMAGE_SCN_ALIGN_256BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_8BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.2975`

.bss

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x448`
VirtualAddress	`0x10000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_1BYTES` `IMAGE_SCN_ALIGN_2048BYTES` `IMAGE_SCN_ALIGN_256BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_8BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.idata

MD5	`3230e0a7fc761f5f0cdc8fef8477d0a9`
SHA1	`2d9193087509c17340c26bc8a4bb106f489c9f2a`
SHA256	`20058ebad855eb9e2e8d199aca855406ec9fc3be2926fe1c89524ebfc3fc0d92`
SHA3	`9352bd6c9f130e88f0de8786c2e65213df120affd8ed1270f59654f697aa8dbb`
VirtualSize	`0xc60`
VirtualAddress	`0x11000`
SizeOfRawData	`0xe00`
PointerToRawData	`0xd000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_1BYTES` `IMAGE_SCN_ALIGN_256BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.86477`

.CRT

MD5	`0d1250160651746feac089d3545cb97d`
SHA1	`5119c0c4f11f041b4a041e599ad1329f6e8f2530`
SHA256	`cfc31e08852dca1903858093dfcd6a0912a4b655808a3ce686948d041fcc96e4`
SHA3	`8f2896ec39d10ba2b2af77a9e3104ba4edb2b1cb8341aa49938a4a0697e8b96c`
VirtualSize	`0x34`
VirtualAddress	`0x12000`
SizeOfRawData	`0x200`
PointerToRawData	`0xde00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_1BYTES` `IMAGE_SCN_ALIGN_256BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.254511`

.tls

MD5	`77f8fa53e1262c2a887bc6cf83954ccb`
SHA1	`8642520da07114ab44990480f95c18bc82c9b921`
SHA256	`78b5c9d375055e16bac6ac115606d884e6ce7141a7a3000b5df709c0ced6dc66`
SHA3	`09a212291ad5fcf39750fe21c8a5595f9141464008fb2f4734a992dd3fd15f7b`
VirtualSize	`0x20`
VirtualAddress	`0x13000`
SizeOfRawData	`0x200`
PointerToRawData	`0xe000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_1BYTES` `IMAGE_SCN_ALIGN_256BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.200582`

.rsrc

MD5	`453bf9539da0409d5e398a1970f399c3`
SHA1	`3ee580cf7a87f8875914342d9ceb1885cacefea7`
SHA256	`35eee64f36203337f26de25f5c8db07bfc114e582af2cfa2009ba2b46b8493ac`
SHA3	`8a4a8af0cd07a22cf9248ca982e53ff46a7cc5897f328cf4a9f3e57d3d1afcad`
VirtualSize	`0x4e8`
VirtualAddress	`0x14000`
SizeOfRawData	`0x600`
PointerToRawData	`0xe200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_ALIGN_1024BYTES` `IMAGE_SCN_ALIGN_16BYTES` `IMAGE_SCN_ALIGN_1BYTES` `IMAGE_SCN_ALIGN_256BYTES` `IMAGE_SCN_ALIGN_2BYTES` `IMAGE_SCN_ALIGN_32BYTES` `IMAGE_SCN_ALIGN_4096BYTES` `IMAGE_SCN_ALIGN_4BYTES` `IMAGE_SCN_ALIGN_512BYTES` `IMAGE_SCN_ALIGN_64BYTES` `IMAGE_SCN_ALIGN_8192BYTES` `IMAGE_SCN_ALIGN_MASK` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.78258`

Imports

ADVAPI32.dll	`CryptAcquireContextW` `CryptCreateHash` `CryptDestroyHash` `CryptDestroyKey` `CryptGetHashParam` `CryptHashData` `CryptImportKey` `CryptSetHashParam`
DNSAPI.DLL	`DnsQuery_UTF8` `DnsRecordListFree`
KERNEL32.dll	`DeleteCriticalSection` `EnterCriticalSection` `FormatMessageA` `GetComputerNameExA` `GetConsoleScreenBufferInfo` `GetCurrentProcess` `GetCurrentProcessId` `GetCurrentThreadId` `GetLastError` `GetModuleHandleA` `GetProcAddress` `GetStartupInfoA` `GetStdHandle` `GetSystemTimeAsFileTime` `GetTickCount` `GetTimeZoneInformation` `InitializeCriticalSection` `LeaveCriticalSection` `QueryPerformanceCounter` `SetUnhandledExceptionFilter` `Sleep` `TerminateProcess` `TlsGetValue` `UnhandledExceptionFilter` `VirtualProtect` `VirtualQuery`
msvcrt.dll	`__argv` `__dllonexit` `__getmainargs` `__initenv` `_cexit` `__lconv_init` `__set_app_type` `__setusermatherr` `_acmdln` `_amsg_exit` `_errno` `_fmode` `_initterm` `_iob` `_lock` `_onexit` `_setjmp3` `_stat` `_stricmp` `_strnicmp` `_unlink` `_unlock` `_vsnprintf` `time` `localtime` `gmtime` `isupper` `abort` `calloc` `exit` `fclose` `ferror` `fflush` `fgets` `fopen` `fprintf` `fputc` `fputs` `free` `fwrite` `getenv` `islower` `isspace` `longjmp` `malloc` `memcmp` `memcpy` `memmove` `printf` `putchar` `puts` `qsort` `rand` `rename` `signal` `sprintf` `srand` `strcat` `strchr` `strcmp` `strcpy` `strerror` `strftime` `strlen` `strncat` `strncmp` `strncpy` `strrchr` `strtol` `toupper` `vfprintf`
RPCRT4.dll	`NdrClientCall2` `RpcBindingFree` `RpcBindingFromStringBindingA` `RpcStringBindingComposeA` `RpcStringFreeA`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x48f`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.13793`
MD5	`5aa04ce935e78505e230765e85c34355`
SHA1	`6c93b8c5fde8be4b2231dca6b8ec513cdc82c991`
SHA256	`a73f26a8d504043f785d7360e8febf2eeb8522ec873a0d4dd5d1d4bfd1e67d3d`
SHA3	`149467cafc03ba34b33cd8076fc2771413760822357952de205dbae2b5cb8059`

Version Info

TLS Callbacks

StartAddressOfRawData	`0x413000`
EndAddressOfRawData	`0x41301c`
AddressOfIndex	`0x4103d0`
AddressOfCallbacks	`0x412020`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_TYPE_REG`
Callbacks	`0x004018B0` `0x00401860`

Load Configuration

RICH Header

Errors

[*] Warning: Section .bss has a size of 0!

Leave a comment

No comments yet.