Manalyze report for e76069f96580ac9d5d2ffe8037c581eceb4fc3f0d2250955273126a6718689f3

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2025-Jan-01 07:43:53
Detected languages	English - United States
CompanyName	lernstuf
ProductName	lernstuf introduction 2024
ProductVersion	`1.0.0.0`
FileVersion	`1.0.0.0`
FileDescription	lernstuf introduction 2024
InternalName	lernstuf introduction 2024
OriginalFilename	lernstuf introduction 2024
LegalCopyright	ttemper
IRC:	ircnet/ttemper

Plugin Output

Suspicious	PEiD Signature:	`UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX -> www.upx.sourceforge.net` `UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser` `UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser`
Suspicious	The PE is packed with UPX	`Unusual section name found: UPX0` `Section UPX0 is both writable and executable.` `Unusual section name found: UPX1` `Section UPX1 is both writable and executable.`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Can take screenshots: BitBlt GetDC`
Malicious	VirusTotal score: 26/71 (Scanned on 2026-06-02 12:12:20)	`ALYac: Gen:Variant.Application.HackTool.AutoKMS.Babar.42` `APEX: Malicious` `Antiy-AVL: Trojan/Win32.Caynamer` `Arcabit: Trojan.Application.HackTool.AutoKMS.Babar.42` `BitDefender: Gen:Variant.Application.HackTool.AutoKMS.Babar.42` `CTX: exe.trojan.autokms` `CrowdStrike: win/malicious_confidence_60% (D)` `Cylance: Unsafe` `Cynet: Malicious (score: 100)` `DeepInstinct: MALICIOUS` `Elastic: malicious (moderate confidence)` `Emsisoft: Gen:Variant.Application.HackTool.AutoKMS.Babar.42 (B)` `Fortinet: W32/PossibleThreat` `GData: Gen:Variant.Application.HackTool.AutoKMS.Babar.42` `Lionic: Hacktool.Win32.Generic.3!c` `McAfeeD: ti!E76069F96580` `MicroWorld-eScan: Gen:Variant.Application.HackTool.AutoKMS.Babar.42` `Paloalto: generic.ml` `Sangfor: Hacktool.Win32.KMSAuto.Vfw5` `Trapmine: malicious.high.ml.score` `TrellixENS: Artemis!150F6F2659E2` `TrendMicro-HouseCall: TROJ_GEN.R002H09E425` `VIPRE: Gen:Variant.Application.HackTool.AutoKMS.Babar.42` `Webroot: W32.Malware.gen` `alibabacloud: Trojan:Win/Fugrafa.Gen` `tehtris: Generic.Malware`

Hashes

MD5	`150f6f2659e271ece0d43bbcfff2dd3e`
SHA1	`9dda017bdac4db2d8812fcf4162ab16d00169773`
SHA256	`e76069f96580ac9d5d2ffe8037c581eceb4fc3f0d2250955273126a6718689f3`
SHA3	`9379c16d216c417e84dd18f7b570ce810ce333df34ee947cd514c802406df224`
SSDeep	`12288:czlo/x+XoXcitPBpc1IXnCd35FYHT/4sw2vCZPOaL9K0+rwDet85roSJf:ssqo7B0IXnY5FwKOaLooCt8h`
Imports Hash	`a0f6f6154f6625f3a680648500292d6a`

DOS Header

e_magic	`MZ`
e_cblp	`0x78`
e_cp	`0x1`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0`
e_ss	`0`
e_sp	`0`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x78`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	2025-Jan-01 07:43:53
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0x73000`
SizeOfInitializedData	`0x19000`
SizeOfUninitializedData	`0xa6000`
AddressOfEntryPoint	`0x00118630 (Section: UPX1)`
BaseOfCode	`0xa7000`
BaseOfData	`0x11a000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.0`
ImageVersion	`0.0`
SubsystemVersion	`5.0`
Win32VersionValue	`0`
SizeOfImage	`0x133000`
SizeOfHeaders	`0x200`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

UPX0

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0xa6000`
VirtualAddress	`0x1000`
SizeOfRawData	`0`
PointerToRawData	`0x200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

UPX1

MD5	`ecdb79b876cb6853e19f45d0c572cc22`
SHA1	`647b9697737f8e0c5e3a11faf263804ce391cbc3`
SHA256	`8c095bb0dc015df0c4a55e4ea76eeb651e926ec05bcd0caf156385c5bbd91e5b`
SHA3	`96ce88cb24cc723c4162b69b70e1932e2a580eda27c3db46bca935a305ee593a`
VirtualSize	`0x73000`
VirtualAddress	`0xa7000`
SizeOfRawData	`0x72400`
PointerToRawData	`0x200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`7.99897`

.rsrc

MD5	`38ae8e67055b0f3dbc680cbcc7091226`
SHA1	`c15c44c10a88f06496f8c53a393ba1c205476244`
SHA256	`ecc3decabddf8b800e903e43aeb498e452828d064fdd69a7d099edb05147816e`
SHA3	`67b9b1e26d67425a61f9b3cd22d262c2dbd1444a7fc3d5c3e2f3495193d71f14`
VirtualSize	`0x19000`
VirtualAddress	`0x11a000`
SizeOfRawData	`0x18e00`
PointerToRawData	`0x72600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.92999`

Imports

COMCTL32.dll	`InitCommonControlsEx`
GDI32.dll	`BitBlt`
gdiplus.dll	`GdipFree`
GLU32.dll	`gluOrtho2D`
KERNEL32.DLL	`LoadLibraryA` `ExitProcess` `GetProcAddress` `VirtualProtect`
ole32.dll	`CoInitialize`
OPENGL32.dll	`glEnd`
SHELL32.dll	`Shell_NotifyIconW`
USER32.dll	`GetDC`
WINMM.dll	`waveOutOpen`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.83594`
MD5	`0a47dedd6c92a85cd2ae95d7783aeac8`
SHA1	`4e174dd967484a06923cb21f612da412ae654b9b`
SHA256	`51d6e671e756accb44a76226858ad5e1a71004978468c01db9b7e406639f540a`
SHA3	`27c573dc1db99c187cf1bf72d86be68dfe57a135a071f10558ae821a1b417710`

2

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.15611`
MD5	`f91a56e45478e1310ee61332e8537f3f`
SHA1	`5cdbf986ee703039e153919ffd2a3e9453846fa9`
SHA256	`20572682fa76cade534a4c5c7accafc3391907ff6ed0cb7c7d6aaa25c6ad2ef3`
SHA3	`69eed2c2fe0a9495d8fc74c803a4682b9cb48f5cb6b7a3a5f417f8440b0b9774`

3

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x4228`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.26036`
MD5	`69964937aee3877d546bf7437ee1d866`
SHA1	`3741a868043d7d193057a33015f6efc7c6b6c103`
SHA256	`8b1a9c348b1ffc299bb113eb6322e0f8d3277fe72b1cfcde12a0c6bdc3e876d9`
SHA3	`56af448027da28ef45d0339bb2b958a7921bb29bed7ddd6f69a55f57bdb63c8d`

4

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10828`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.79553`
MD5	`a8bce66baf783d9f289a7de14c1d0629`
SHA1	`9886630edd95f8bf8abde17cd0d138741edcf041`
SHA256	`26180d46ad6165c50a7b764f923fc2ae1b1dbf3c2d69b6306d699d62f39add2d`
SHA3	`41cd01968d0f534d06eac01b2cec4fb23424b373f83450a7936a48bac73591a5`

5

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x258e`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.91828`
Detected Filetype	PNG graphic file
MD5	`7b4cf049072305f5a74df3823e24b9bb`
SHA1	`d0fc93ae4954b40e7b558c6692fb720d9b861b11`
SHA256	`bb7100bfe6155130ff800f76a1f29363acc145ce0c32b652ea763787b1698e90`
SHA3	`4d2690e80b3ba2ab6859eca1dfcbe52681d7b17ccdb82163a88165f4ebc47888`

1 (#2)

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x4c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.67841`
Detected Filetype	Icon file
MD5	`d887c5f7a3f47eb6ff3296c118db0a39`
SHA1	`c7985b87c5d57fefc9021e1a2b377a0ba55cb54d`
SHA256	`d7148da8b43f2d9faefab0986910436255ac6b3700840541d324770f0ee92169`
SHA3	`65eb683276043b8b6c0fb1859bc05ee69adc1aa35f6437c5fb274c585484cf78`

1 (#3)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x348`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.24668`
MD5	`e43601ec960a11f27271d11cbf17f1c0`
SHA1	`e1ac5bd6bba991e7217a80b36a9258ed574b30aa`
SHA256	`5a57c716b162ae132b78fde6b094a9870379e93596f62f2d0939580050555bfe`
SHA3	`cbc81ae61a9283bbd3d01b131dac5e94e474ee2306602e996c0f71c3538cc523`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.0.0.0
ProductVersion	1.0.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	lernstuf
ProductName	lernstuf introduction 2024
ProductVersion (#2)	1.0.0.0
FileVersion (#2)	1.0.0.0
FileDescription	lernstuf introduction 2024
InternalName	lernstuf introduction 2024
OriginalFilename	lernstuf introduction 2024
LegalCopyright	ttemper
IRC:	ircnet/ttemper

Resource LangID	English - United States

TLS Callbacks

Load Configuration

Size	`0xc0`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x4e4780`
SEHandlerTable	`0`
SEHandlerCount	`0`

RICH Header

Errors

[*] Warning: Section UPX0 has a size of 0!

Leave a comment

No comments yet.