RatiborusKMSTools01[.]12[.]2023[.]u[.]taiwebs[.]com[.]zip

Resubmissions

24/02/2024, 17:57

240224-wj2a1sab22 7

Sharing

Copy URL Twitter E-mail

General

Target

RatiborusKMSTools01.12.2023.u.taiwebs.com.zip
Size

46.3MB
MD5

9228497f77311cc46d5489ce5cffc9d0
SHA1

4c76ddb5318188dcf61b20623277c3e552be1899
SHA256

ae1772341fd96a6ef3b7a9c27e979cfb1f96fd19ee5b8ecef09e8a46055efef9
SHA512

997c242d7444c5221f0d3fb1e402a68d0f1e8e83600c0d5678baaf2ae331ae19907db8b4b8c813270f12f56072d1319b73483d342312cee2ab3d7637a628b746
SSDEEP

786432:5Hi1O6FLA6MUlmXKHkH6w6LhswL2v1D5Vv3FKgAuYbxmjUGPK1oYOOH+XTv6zdCS:5C1TdMUFEH6w6LhswLOB34gHuxmjU+bg

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Ratiborus KMS Tools 01.12.2023/KMS Tools Unpack.exe

Files

RatiborusKMSTools01.12.2023.u.taiwebs.com.zip
.zip

Password: taiwebs.com
Ratiborus KMS Tools 01.12.2023/Add_Defender_Exclusion.cmd
Ratiborus KMS Tools 01.12.2023/KMS Tools Portable.chm
.chm
Ratiborus KMS Tools 01.12.2023/KMS Tools Unpack.exe
.exe windows:4 windows x86 arch:x86

Password: taiwebs.com

f2a10720b5da968a6919d0e09b13ae8f

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

memset
wcsncpy
wcslen
wcscmp
memmove
wcscpy
wcscat
memcmp
strlen
strcpy
strcat
_stricmp
memcpy
strncpy
_wfopen
longjmp
_setjmp3
fclose
malloc
free
_wcsicmp
wcsncmp
floor
_snwprintf
tolower
_wcsnicmp
_wtoi
gmtime
localtime
mktime
_itow
fabs
ceil
fseek
ftell
fread
pow
??3@YAXPAX@Z
wcsstr
_wcsdup
abort
frexp
modf
_CIpow
fflush
fwrite
atof
fopen
_errno
strerror
exit
sprintf
__p__iob
fprintf
ferror
getenv
sscanf
_vsnwprintf
cos
fmod
sin
abs

kernel32

GetModuleHandleW
HeapCreate
GetEnvironmentVariableW
HeapDestroy
ExitProcess
SystemTimeToFileTime
LocalFileTimeToFileTime
FindResourceW
LoadResource
LockResource
SizeofResource
CreateToolhelp32Snapshot
CloseHandle
GetLogicalDriveStringsW
QueryDosDeviceW
FileTimeToLocalFileTime
FileTimeToSystemTime
ExpandEnvironmentStringsW
GetCurrentProcess
GetUserDefaultLangID
GetSystemDefaultLangID
MultiByteToWideChar
GetProcAddress
CreateRemoteThread
WaitForSingleObject
GetExitCodeThread
GetCurrentProcessId
OpenProcess
GetLastError
FormatMessageW
GetVolumeInformationW
FindFirstFileW
FindNextFileW
FindClose
WideCharToMultiByte
BeginUpdateResourceW
UpdateResourceW
EndUpdateResourceW
CreateProcessW
Beep
CreateFileW
CreateSemaphoreW
DeviceIoControl
GetCommandLineW
GetComputerNameW
GetDateFormatW
GetDiskFreeSpaceExW
GetExitCodeProcess
GetFileTime
GetPrivateProfileStringW
GetShortPathNameW
GetSystemDirectoryW
GetSystemPowerStatus
GetTimeZoneInformation
GetUserDefaultLCID
GetWindowsDirectoryW
GlobalMemoryStatus
LocalFree
Process32FirstW
Process32NextW
QueryPerformanceCounter
QueryPerformanceFrequency
SetComputerNameW
SetFileTime
SetSystemTime
SetVolumeLabelW
Sleep
TerminateProcess
WritePrivateProfileStringW
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
CreateThread
LoadLibraryW
FreeLibrary
GetCurrentThreadId
GetModuleFileNameW
DuplicateHandle
CreatePipe
GetStdHandle
HeapAlloc
HeapFree
PeekNamedPipe
SetEnvironmentVariableW
ReadFile
HeapReAlloc
GetFileSize
SetFilePointer
SetEndOfFile
WriteFile
TlsAlloc
TlsSetValue
GetTickCount
TlsGetValue
DeleteFileW
GetVersionExW
SetLastError
MulDiv
GetDriveTypeW
GetFileAttributesW
GetTempPathW
CreateDirectoryW
CopyFileW
SetFileAttributesW
RemoveDirectoryW
MoveFileW
GetLocalTime
HeapSize
TlsFree
DeleteCriticalSection
InterlockedCompareExchange
InterlockedExchange
UnregisterWait
GetCurrentThread
RegisterWaitForSingleObject

user32

SendMessageW
ReleaseDC
OemToCharW
EnumWindows
GetWindowThreadProcessId
FindWindowExW
FindWindowW
GetCursorPos
GetForegroundWindow
SetCursorPos
AnimateWindow
AttachThreadInput
BlockInput
ChangeDisplaySettingsW
CharToOemW
CreateWindowExW
DrawMenuBar
EnableMenuItem
EnableWindow
EnumDisplaySettingsW
ExitWindowsEx
FlashWindow
GetClassNameW
GetDC
GetDesktopWindow
GetFocus
GetKeyState
GetLastInputInfo
GetSysColor
GetSystemMenu
GetSystemMetrics
GetWindow
GetWindowLongW
GetWindowRect
GetWindowTextW
IsWindow
IsWindowEnabled
KillTimer
LoadCursorW
LockWorkStation
MessageBeep
PostMessageW
RegisterHotKey
RemoveMenu
SetClassLongW
SetFocus
SetForegroundWindow
SetTimer
SetWindowLongW
SetWindowPos
ShowWindow
UnregisterHotKey
UpdateWindow
WaitForInputIdle
keybd_event
mouse_event
MessageBoxW
IsWindowVisible
DestroyWindow
SystemParametersInfoW
GetParent
MapWindowPoints
MoveWindow
InvalidateRect
RedrawWindow
SetWindowTextW
GetSysColorBrush
GetWindowTextLengthW
SetRect
DrawTextW
ValidateRect
CallWindowProcW
RemovePropW
GetPropW
SetPropW
SetScrollPos
InflateRect
GetWindowDC
GetIconInfo
ReleaseCapture
BeginPaint
DrawStateW
EndPaint
SetCapture
ScreenToClient
DefWindowProcW
SetActiveWindow
DestroyIcon
LoadIconW
GetClientRect
RegisterClassW
AdjustWindowRectEx
UnregisterClassW
CreateAcceleratorTableW
PeekMessageW
MsgWaitForMultipleObjects
GetMessageW
GetActiveWindow
TranslateAcceleratorW
TranslateMessage
DispatchMessageW
DefFrameProcW
DestroyAcceleratorTable
EnumChildWindows
FillRect
IsChild
RegisterWindowMessageW
CopyImage
CharUpperW
CharLowerW
DrawIconEx

gdi32

CreateDCW
CreateCompatibleDC
CreateCompatibleBitmap
SelectObject
BitBlt
DeleteDC
GetPixel
DeleteObject
GetStockObject
CreateFontIndirectW
SetTextColor
SetBkColor
GetTextExtentPoint32W
ExcludeClipRect
GetObjectType
GetObjectW
CreateSolidBrush
GetDeviceCaps
CreateRectRgnIndirect
GetClipRgn
ExtSelectClipRgn
SelectClipRgn
GdiGetBatchLimit
GdiSetBatchLimit
CreateDIBSection
CreateBitmap
SetPixel
GetDIBits
CreateFontW
SetBkMode
SetTextAlign
TextOutW
SetStretchBltMode
SetBrushOrgEx
StretchBlt
GetTextMetricsW

advapi32

RegOpenKeyExW
RegOpenKeyW
RegConnectRegistryW
RegQueryValueExW
RegCloseKey
RegDeleteKeyW
RegSetValueExW
RegCreateKeyExW
LookupAccountNameW
IsValidSid
RegEnumKeyExW
RegDeleteValueW
RegCreateKeyW
AdjustTokenPrivileges
ChangeServiceConfigW
CloseServiceHandle
ControlService
CryptAcquireContextW
CryptCreateHash
CryptDeriveKey
CryptDestroyHash
CryptDestroyKey
CryptEncrypt
CryptHashData
CryptReleaseContext
GetUserNameW
ImpersonateLoggedOnUser
LogonUserW
LookupPrivilegeValueW
OpenProcessToken
OpenSCManagerW
OpenServiceW
QueryServiceStatus
RegEnumValueW
RevertToSelf
StartServiceW

oleaut32

SafeArrayGetDim
SafeArrayGetUBound
SafeArrayGetElement

ole32

CoInitializeEx
CoInitializeSecurity
CoCreateInstance
CoUninitialize
CoSetProxyBlanket
CoCreateGuid
CoInitialize
StringFromGUID2
CoTaskMemFree
RevokeDragDrop

shell32

SHGetSpecialFolderLocation
SHGetPathFromIDListW
ExtractIconExW
ExtractIconW
ord66
ord524
SHAddToRecentDocs
SHFileOperationW
SHFormatDrive
SHGetFileInfoW
ShellAboutW
Shell_NotifyIconW
ShellExecuteExW

ws2_32

WSAStartup
gethostbyname
WSACleanup
gethostbyaddr
inet_addr
closesocket
gethostname
htons
select
__WSAFDIsSet
ioctlsocket
recvfrom
socket
bind
connect
recv

winmm

timeBeginPeriod

gdiplus

GdipDeleteFont
GdipDeleteGraphics
GdipDeletePath
GdipDeleteMatrix
GdipDeletePen
GdipDeleteStringFormat
GdipFree
GdipGetDpiX
GdipGetDpiY

icmp

IcmpCloseHandle
IcmpCreateFile
IcmpSendEcho

imagehlp

MakeSureDirectoryPathExists

iphlpapi

GetAdaptersInfo
GetNetworkParams

msi

ord45
ord70

netapi32

NetApiBufferFree
NetLocalGroupAdd
NetLocalGroupDel
NetLocalGroupEnum
NetUserDel
NetUserGetInfo
NetUserSetInfo

setupapi

SetupIterateCabinetW

urlmon

URLDownloadToFileW
UrlMkSetSessionOption

userenv

GetDefaultUserProfileDirectoryW

wininet

DeleteUrlCacheEntryW
InternetCloseHandle
InternetGetConnectedState
InternetOpenUrlW
InternetOpenW
InternetReadFile
UnlockUrlCacheEntryFileW

winspool.drv

ClosePrinter
DeletePrinter
OpenPrinterW
SetPrinterW

comctl32

InitCommonControlsEx

Sections

.code
Size: 29KB - Virtual size: 28KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.text
Size: 339KB - Virtual size: 338KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 49KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 45.3MB - Virtual size: 45.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 196KB - Virtual size: 195KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Ratiborus KMS Tools 01.12.2023/readme.txt

Resubmissions

Sharing

General

Malware Config

Signatures

Files

Password: taiwebs.com

Password: taiwebs.com

f2a10720b5da968a6919d0e09b13ae8f

Headers

File Characteristics

Imports

msvcrt

kernel32

user32

gdi32

advapi32

oleaut32

ole32

shell32

ws2_32

winmm

gdiplus

icmp

imagehlp

iphlpapi

msi

netapi32

setupapi

urlmon

userenv

wininet

winspool.drv

comctl32

Sections

.code Size: 29KB - Virtual size: 28KB

.text Size: 339KB - Virtual size: 338KB

.rdata Size: 49KB - Virtual size: 48KB

.data Size: 45.3MB - Virtual size: 45.3MB

.rsrc Size: 196KB - Virtual size: 195KB

.code
Size: 29KB - Virtual size: 28KB

.text
Size: 339KB - Virtual size: 338KB

.rdata
Size: 49KB - Virtual size: 48KB

.data
Size: 45.3MB - Virtual size: 45.3MB

.rsrc
Size: 196KB - Virtual size: 195KB