KMSTools Lite[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

KMSTools Lite.exe
Size

19.2MB
MD5

c3c5adf650d5cf05bd1b08590d62cf53
SHA1

7781e1ecd78490ebaeb73314855efadff2bfeeed
SHA256

ed63b2a33066ef63bdb5b99c40d660f29653386b334f45d5296ead6fbcbc2861
SHA512

79550a7f9afccc4ee58e8f74df80653d566ceb067e9ef57baa8aeff14ace2f8730d8cc22d0fad523bb36dc6736cb112cbc21ecfe6cb657c7cd2d483026b84249
SSDEEP

393216:p0leyIB6YMU/OZ28Zrms74w4WKy7sI2MqJ6i9HDBt3EtuXKoR:p4K6YMU/OZThb7l46FqEQHDBt3EtuXK

Score

9^/10

Malware Config

Signatures

Detected Nirsoft tools 1 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
sample	Nirsoft

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
KMSTools Lite.exe

Files

KMSTools Lite.exe
.exe windows:4 windows x86 arch:x86

04ee027b004efb3ea882ad3295c21d97

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetModuleHandleW
HeapCreate
GetEnvironmentVariableW
GetUserDefaultLangID
CreateSemaphoreW
GetLastError
CloseHandle
HeapDestroy
ExitProcess
GetCurrentThreadId
SystemTimeToFileTime
LocalFileTimeToFileTime
FindResourceW
LoadResource
LockResource
SizeofResource
CreateToolhelp32Snapshot
GetLogicalDriveStringsW
QueryDosDeviceW
FileTimeToLocalFileTime
FileTimeToSystemTime
ExpandEnvironmentStringsW
GetCurrentProcess
GetSystemDefaultLangID
MultiByteToWideChar
GetProcAddress
CreateRemoteThread
WaitForSingleObject
GetExitCodeThread
GetCurrentProcessId
OpenProcess
FormatMessageW
GetVolumeInformationW
FindFirstFileW
FindNextFileW
FindClose
WideCharToMultiByte
BeginUpdateResourceW
UpdateResourceW
EndUpdateResourceW
CreateProcessW
Beep
CreateFileW
DeviceIoControl
GetCommandLineW
GetComputerNameW
GetDateFormatW
GetDiskFreeSpaceExW
GetExitCodeProcess
GetFileTime
GetPrivateProfileStringW
GetShortPathNameW
GetSystemDirectoryW
GetSystemPowerStatus
GetTimeZoneInformation
GetUserDefaultLCID
GetWindowsDirectoryW
GlobalMemoryStatus
LocalFree
Process32FirstW
Process32NextW
QueryPerformanceCounter
QueryPerformanceFrequency
SetComputerNameW
SetFileTime
SetSystemTime
SetVolumeLabelW
Sleep
TerminateProcess
WritePrivateProfileStringW
InitializeSListHead
IsProcessorFeaturePresent
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetStartupInfoW
GetSystemTimeAsFileTime
GetStdHandle
WriteFile
GetModuleFileNameW
FreeLibrary
GetModuleHandleExW
EnterCriticalSection
DeleteCriticalSection
LeaveCriticalSection
HeapFree
SetLastError
GetCurrentThread
HeapAlloc
EnumSystemLocalesW
LoadLibraryExW
CompareStringW
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
GetLocaleInfoW
GetTempPathW
GetTimeFormatW
InitializeCriticalSectionAndSpinCount
IsValidLocale
LCMapStringW
OutputDebugStringW
GetFileType
SetStdHandle
GetOEMCP
GetACP
GetCPInfo
IsValidCodePage
GetCommandLineA
FindFirstFileExW
GetStringTypeW
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetEnvironmentVariableW
SetConsoleCtrlHandler
GetProcessHeap
FlushFileBuffers
GetConsoleOutputCP
GetConsoleMode
HeapSize
HeapReAlloc
ReadFile
ReadConsoleW
SetFilePointerEx
WriteConsoleW
InterlockedFlushSList
InterlockedPushEntrySList
RtlUnwind
EncodePointer
RaiseException
InitializeCriticalSection
CreateThread
GetTickCount
DuplicateHandle
CreatePipe
PeekNamedPipe
GetFileSize
SetFilePointer
SetEndOfFile
LoadLibraryW
DeleteFileW
GetVersionExW
GetDriveTypeW
GetFileAttributesW
SetFileAttributesW
MoveFileW
CreateDirectoryW
RemoveDirectoryW
GetCurrentDirectoryW
SetCurrentDirectoryW
CopyFileW
MulDiv
GetLocalTime
GlobalFree
GlobalAlloc
SetEvent
CreateEventA
LoadLibraryA
ReleaseSemaphore
GetFileInformationByHandle
CreateFileA
ResetEvent
SetThreadPriority
UnregisterWait
RegisterWaitForSingleObject
DecodePointer
GetFileSizeEx

user32

RegisterWindowMessageW
GetKeyState
SendMessageW
ShowWindow
SetForegroundWindow
SetTimer
GetClassNameW
CallNextHookEx
SetWindowsHookExW
UnhookWindowsHookEx
GetCursorPos
WindowFromPoint
SetClassLongW
KillTimer
ReleaseDC
OemToCharW
EnumWindows
GetWindowThreadProcessId
FindWindowExW
FindWindowW
GetForegroundWindow
SetCursorPos
AnimateWindow
AttachThreadInput
BlockInput
ChangeDisplaySettingsW
CharToOemW
CreateWindowExW
DispatchMessageW
DrawMenuBar
EnableMenuItem
EnableWindow
EnumDisplaySettingsW
ExitWindowsEx
FlashWindow
GetDC
GetDesktopWindow
GetFocus
GetLastInputInfo
GetSysColor
GetSystemMenu
GetSystemMetrics
GetWindow
GetWindowLongW
GetWindowRect
GetWindowTextW
InvalidateRect
IsWindow
IsWindowEnabled
LoadCursorW
LockWorkStation
MessageBeep
PeekMessageW
PostMessageW
RegisterHotKey
RemoveMenu
SetFocus
SetWindowLongW
SetWindowPos
TranslateMessage
UnregisterHotKey
UpdateLayeredWindow
UpdateWindow
WaitForInputIdle
keybd_event
mouse_event
SetWindowRgn
SetWindowLongA
SetClassLongA
GetClientRect
CallWindowProcA
DefWindowProcA
MessageBoxW
IsWindowVisible
DestroyWindow
SystemParametersInfoW
GetPropW
BeginPaint
EndPaint
ClipCursor
SetCursor
RedrawWindow
MapWindowPoints
SetCapture
GetCapture
ReleaseCapture
CallWindowProcW
DefWindowProcW
FillRect
DrawStateW
DrawFocusRect
GetMessagePos
ScreenToClient
SetPropW
ChildWindowFromPointEx
RegisterClassExW
GetIconInfo
GetWindowTextLengthW
GetParent
MoveWindow
ClientToScreen
SetWindowTextW
RemovePropW
SetScrollPos
InflateRect
GetWindowDC
GetSysColorBrush
GetAsyncKeyState
SetActiveWindow
DestroyIcon
LoadIconW
GetMenu
IsZoomed
IsIconic
RegisterClassW
AdjustWindowRectEx
UnregisterClassW
CreateAcceleratorTableW
MsgWaitForMultipleObjects
GetMessageW
GetActiveWindow
TranslateAcceleratorW
DefFrameProcW
EnumChildWindows
DestroyAcceleratorTable
SetRect
TrackPopupMenu
IsChild
SetMenu
DestroyMenu
DrawIconEx
DrawTextW
GetMenuItemCount
GetSubMenu
GetMenuItemInfoW
ModifyMenuW
SetMenuItemInfoW
FrameRect
CreateMenu
AppendMenuW
CreatePopupMenu
CreateIconIndirect
CopyImage
CreateIconFromResourceEx
CreateIconFromResource
CharUpperW
CharLowerW

gdi32

GetStockObject
CreateDCW
CreateCompatibleDC
CreateCompatibleBitmap
SelectObject
BitBlt
DeleteDC
GetDIBits
GetPixel
SetDIBits
DeleteObject
GetObjectA
CreateRectRgn
CombineRgn
CreateFontIndirectW
GetObjectW
CreateSolidBrush
CreateDIBSection
GdiGetBatchLimit
GdiSetBatchLimit
GetObjectType
GetTextExtentPoint32W
ExcludeClipRect
SetBkColor
SetTextColor
SelectClipRgn
CreateRectRgnIndirect
GetClipRgn
ExtSelectClipRgn
SetPixel
SetBkMode
LineTo
MoveToEx
CreatePen
GetDeviceCaps
SetTextAlign
TextOutW
SetStretchBltMode
SetBrushOrgEx
StretchBlt
GetTextMetricsW
CreateBitmap
CreateFontW

advapi32

OpenSCManagerW
OpenServiceW
CloseServiceHandle
RegOpenKeyExW
RegOpenKeyW
RegConnectRegistryW
RegQueryValueExW
RegCloseKey
RegDeleteKeyW
RegSetValueExW
RegCreateKeyExW
LookupAccountNameW
IsValidSid
RegEnumKeyExW
RegDeleteValueW
RegCreateKeyW
AdjustTokenPrivileges
ChangeServiceConfigW
ControlService
CryptAcquireContextW
CryptCreateHash
CryptDeriveKey
CryptDestroyHash
CryptDestroyKey
CryptEncrypt
CryptHashData
CryptReleaseContext
GetUserNameW
ImpersonateLoggedOnUser
LogonUserW
LookupPrivilegeValueW
OpenProcessToken
QueryServiceStatus
RegEnumValueW
RevertToSelf
StartServiceW

oleaut32

SafeArrayGetDim
SafeArrayGetUBound
SafeArrayGetElement

ole32

CoInitialize
CoCreateInstance
CoUninitialize
CoInitializeEx
CoInitializeSecurity
CoSetProxyBlanket
CoCreateGuid
StringFromGUID2
RevokeDragDrop
OleUninitialize
OleInitialize

shell32

ExtractIconW
SHGetSpecialFolderLocation
SHGetPathFromIDListW
ExtractIconExW
ord66
ord524
SHAddToRecentDocs
SHFileOperationW
SHFormatDrive
SHGetFileInfoW
ShellAboutW
Shell_NotifyIconW
ShellExecuteExW

ws2_32

WSAStartup
gethostbyname
WSACleanup
gethostbyaddr
inet_addr
closesocket
gethostname
htons
select
__WSAFDIsSet
ioctlsocket
recvfrom
socket
connect
recv
bind

winmm

timeBeginPeriod

gdiplus

GdipDeleteFont
GdipDeleteGraphics
GdipDeletePath
GdipDeleteMatrix
GdipDeletePen
GdipDeleteStringFormat
GdipFree

icmp

IcmpCloseHandle
IcmpCreateFile
IcmpSendEcho

imagehlp

MakeSureDirectoryPathExists

iphlpapi

GetAdaptersInfo
GetNetworkParams

msi

ord45
ord70

netapi32

NetApiBufferFree
NetLocalGroupAdd
NetLocalGroupDel
NetLocalGroupEnum
NetUserDel
NetUserGetInfo
NetUserSetInfo

setupapi

SetupIterateCabinetW

urlmon

URLDownloadToFileW
UrlMkSetSessionOption

userenv

GetDefaultUserProfileDirectoryW

wininet

DeleteUrlCacheEntryW
InternetCloseHandle
InternetGetConnectedState
InternetOpenUrlW
InternetOpenW
InternetReadFile
UnlockUrlCacheEntryFileW

winspool.drv

ClosePrinter
DeletePrinter
OpenPrinterW
SetPrinterW

comctl32

InitCommonControlsEx
_TrackMouseEvent

Sections

.code
Size: 63KB - Virtual size: 62KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.text
Size: 1.0MB - Virtual size: 1.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 199KB - Virtual size: 198KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 512B - Virtual size: 448B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.00cfg
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 17.8MB - Virtual size: 17.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 108KB - Virtual size: 108KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

04ee027b004efb3ea882ad3295c21d97

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

oleaut32

ole32

shell32

ws2_32

winmm

gdiplus

icmp

imagehlp

iphlpapi

msi

netapi32

setupapi

urlmon

userenv

wininet

winspool.drv

comctl32

Sections

.code Size: 63KB - Virtual size: 62KB

.text Size: 1.0MB - Virtual size: 1.0MB

.rdata Size: 199KB - Virtual size: 198KB

.gfids Size: 512B - Virtual size: 448B

.00cfg Size: 512B - Virtual size: 8B

.data Size: 17.8MB - Virtual size: 17.8MB

.rsrc Size: 108KB - Virtual size: 108KB

.code
Size: 63KB - Virtual size: 62KB

.text
Size: 1.0MB - Virtual size: 1.0MB

.rdata
Size: 199KB - Virtual size: 198KB

.gfids
Size: 512B - Virtual size: 448B

.00cfg
Size: 512B - Virtual size: 8B

.data
Size: 17.8MB - Virtual size: 17.8MB

.rsrc
Size: 108KB - Virtual size: 108KB