d235ba8691c9d5b6667f4f0b69af58af

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2018-Nov-30 14:46:18
Detected languages English - United States
CompanyName Ratiborus
FileDescription W10 Digital Activation Program + KMS38

Plugin Output

Suspicious PEiD Signature:
  • UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser
  • UPX v2.0 -> Markus, Laszlo & Reiser (h)
  • UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser
  • UPX -> www.upx.sourceforge.net
Info Cryptographic algorithms detected in the binary:
  • Uses constants related to MD5
  • Uses constants related to SHA1
  • Uses constants related to SHA256
Suspicious The PE is packed with UPX:
  • Unusual section name found: UPX0
  • Section UPX0 is both writable and executable.
  • Unusual section name found: UPX1
  • Section UPX1 is both writable and executable.
Suspicious The PE contains functions most legitimate programs don't use.
[!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Has Internet access capabilities:
  • URLDownloadToFileW
  • InternetOpenW
Can take screenshots:
  • BitBlt
  • GetDC
Info The PE is digitally signed. Signer: WZTeam
Issuer: WZTeam
Malicious VirusTotal score: 41/74 (Scanned on 2019-06-03 23:37:58)
CAT-QuickHeal: Trojan.AutoKMS
McAfee: Crack-KMS
Cylance: Unsafe
Zillya: Tool.WinActivator.Win32.583
Alibaba: HackTool:Win32/HackKMS.2d679eed
K7GW: Unwanted-Program ( 005144031 )
K7AntiVirus: Unwanted-Program ( 005144031 )
Invincea: heuristic
Cyren: W32/Trojan.HHKC-7833
Symantec: Trojan.Gen.MBT
APEX: Malicious
Kaspersky: HackTool.Win32.HackKMS.h
Paloalto: generic.ml
Avast: Win32:Malware-gen
Rising: PUA.AutoKMS!8.F60B (CLOUD)
Comodo: Malware@#t6d6oe8af4rl
VIPRE: Trojan.Win32.Generic!BT
TrendMicro: TROJ_GEN.R002C0OL318
McAfee-GW-Edition: BehavesLike.Win32.Crack.tc
FireEye: Generic.mg.d235ba8691c9d5b6
Sophos: Generic PUA KK (PUA)
SentinelOne: DFI - Malicious PE
MaxSecure: Trojan.Malware.73959050.susgen
Antiy-AVL: GrayWare/Win32.Unwaders
Microsoft: PUA:Win32/AutoKMS
Endgame: malicious (moderate confidence)
ViRobot: Trojan.Win32.Z.Agent.1431072
ZoneAlarm: HackTool.Win32.HackKMS.h
GData: Win32.Trojan.Agent.4NRGQ7
AhnLab-V3: Unwanted/Win32.HackKMS.C2079343
Acronis: suspicious
MAX: malware (ai score=100)
ESET-NOD32: a variant of Win32/HackTool.WinActivator.AA potentially unsafe
TrendMicro-HouseCall: TROJ_GEN.R002C0OL318
Tencent: Win32.Trojan.Falsesign.Wofl
Ikarus: PUA.HackTool.Kmsauto
Fortinet: W32/Generic_PUA_KK
Webroot: W32.Hacktool.Kms
AVG: FileRepMalware [PUP]
Cybereason: malicious.f77971
Panda: Trj/GdSda.A

Hashes

MD5 d235ba8691c9d5b6667f4f0b69af58af
SHA1 4c6c095f77971fc34878bd052929bc8b6c78372a
SHA256 07ec18c02e1298b5b47f04f267e5eecf8a161add80ed85a7d94941f9d9ef318f
SHA3 d1f5f251c867690ed8aece16de3d192c3fc24cec352e2683f9613540970922f1
SSDeep 24576:URRsO6rWrthMNU3hI1nN5stIU0tU5a2cYuZlYpXXABELXDohgUqF+7JV/NOiTtL:UR6O6rGy1nN5suBU53cYuApXXAyLXxU
Imports Hash 2a6e8c27cd939f7a9015601a417f473e

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x80

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 3
TimeDateStamp 2018-Nov-30 14:46:18
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 2.0
SizeOfCode 0x14b000
SizeOfInitializedData 0x12000
SizeOfUninitializedData 0x351000
AddressOfEntryPoint 0x0049C4F0 (Section: UPX1)
BaseOfCode 0x352000
BaseOfData 0x49d000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x4af000
SizeOfHeaders 0x1000
Checksum 0x169b14
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

UPX0

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA3 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
VirtualSize 0x351000
VirtualAddress 0x1000
SizeOfRawData 0
PointerToRawData 0x200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1

MD5 b35222a8c922fa1becee372b2aaa3b8a
SHA1 17fcf77524d03d89265e21b59fea4166b24f14b7
SHA256 3b0c534c9638831dca8fce648c28921405fd696133d905610940bfb23f6eec3b
SHA3 14a91af3408457234371f545fad2ac6e005f42bb2c370d7e6ffa1dbe78c58ed5
VirtualSize 0x14b000
VirtualAddress 0x352000
SizeOfRawData 0x14a800
PointerToRawData 0x200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.8555

.rsrc

MD5 e97c2523595511118f23c14d31f8490e
SHA1 955aca701b75dc0f28bcc950693d12fa9df206c4
SHA256 11d8ad094adb6dcd4990a6b88e9fc33edd3994e0b011e6f0636a53e9e3c2d7d8
SHA3 2a7995c6efe8e830a11fa82bf64592ea2e5ac2a1b43b39586f581514027037e6
VirtualSize 0x12000
VirtualAddress 0x49d000
SizeOfRawData 0x11400
PointerToRawData 0x14aa00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.51403

Imports

ADVAPI32.DLL IsValidSid
COMCTL32.DLL ImageList_Add
GDI32.DLL BitBlt
gdiplus.dll GdipFree
ICMP.DLL IcmpSendEcho
IMAGEHLP.DLL MakeSureDirectoryPathExists
IPHLPAPI.DLL GetAdaptersInfo
KERNEL32.DLL LoadLibraryA
ExitProcess
GetProcAddress
VirtualProtect
MSI.DLL MsiEnumProductsW
MSVCRT.dll pow
NETAPI32.DLL NetUserDel
OLE32.DLL CoInitialize
OLEAUT32.DLL SafeArrayGetDim
SETUPAPI.DLL SetupIterateCabinetW
SHELL32.DLL IsNetDrive
URLMON.DLL URLDownloadToFileW
USER32.DLL GetDC
USERENV.DLL GetDefaultUserProfileDirectoryW
WININET.DLL InternetOpenW
WINMM.DLL timeBeginPeriod
WINSPOOL.DRV SetPrinterW
WSOCK32.DLL bind

Delayed Imports

Resources

1

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x10828
TimeDateStamp 2018-Nov-30 14:46:18
Entropy 3.27326
MD5 3faba206e17a7739fde9395af30429d6
SHA1 f246a0ee4150bf9a374c037530357107799220a0
SHA256 176a25d21a29ffb94a85722207cc61168910639558e8e3151943202ebe87b4f7
SHA3 1c141d80cd3f48ebe43b7aef7d5f86a83e69a86dd7bb5653c6151fad184a6eda

1 (#2)

Type RT_GROUP_ICON
Language English - United States
Codepage UNKNOWN
Size 0x14
TimeDateStamp 2018-Nov-30 14:46:18
Entropy 1.98048
Detected Filetype Icon file
MD5 38388dda6548693f4d42f2241a4218d7
SHA1 78bedd12a20f97e31e58742381f3d0ca1edb4715
SHA256 cd0991dd595a1392452a8c7ccf089e73626bc6eed1fd3f54ee4c6aa7ffbaedba
SHA3 9ace1e9f008d60580379cdfdcd4119706c82d52d2e5fdb9e5745fa00864cc1a8

1 (#3)

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x188
TimeDateStamp 2018-Nov-30 14:46:18
Entropy 3.18521
MD5 bf8dcdbeded4885986b8fb868e43f7a3
SHA1 244744651206c5e2f6c106d24620c9c9239e2d2a
SHA256 eea0be9333f25983bf89ee75c2d97754a3c2804485ba924d1974a2d688f30c67
SHA3 452e902336439c9cf46184e582caac48de6764aa4470fcf63d0833dd50544e5f

1 (#4)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x36a
TimeDateStamp 2018-Nov-30 14:46:18
Entropy 4.8674
MD5 51b64d39a55078d058a15b5e22444329
SHA1 b9950727e9851ea00b78c38dbfa273f10b62b5c1
SHA256 73be60d13be4f58a165c75b1b9706812ebf610f779501c9884dcb829229599b6
SHA3 4e6c684060193156f2f2b382f9362c400cefddcc2c7a2985f775e712a4a88a12

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 1.3.7.0
ProductVersion 1.3.7.0
FileFlags (EMPTY)
FileOs (EMPTY)
FileType VFT_UNKNOWN
Language UNKNOWN
CompanyName Ratiborus
FileDescription W10 Digital Activation Program + KMS38
Resource LangID English - United States

TLS Callbacks

Load Configuration

RICH Header

Errors

[*] Warning: Section UPX0 has a size of 0!