MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52f137c22685d15df043daabdb9c823e07ecec4df42bcc2fa2c5bd45913d32ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mimikatz


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52f137c22685d15df043daabdb9c823e07ecec4df42bcc2fa2c5bd45913d32ea
SHA3-384 hash: 9d1fab53d909efbe8b3dfe4ea52f610eb21680dc0072f6735350af6bab3fb7e33b13e8a90825da509b279ff0352d8132
SHA1 hash: e5326634b6e7ed0ab4958317df3ab02639fdffa2
MD5 hash: 186d0de73c2740320bf91d96f7ff89e6
humanhash: lima-echo-lamp-venus
File name:PkV9U.txt
Download: download sample
Signature Mimikatz
Create hunting rule
File size:6'247'867 bytes
First seen:2020-08-04 16:27:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e72c3bfcbb77a361abf35cfdb2b95db2 (1 x Formbook, 1 x Mimikatz, 1 x BlackKingdom)
ssdeep 98304:iuscGZ/KyVyGHAeBSut+aFNnxsq8vpc4KbxabdDkaduupkZ1ROAuDwQKDfMG:9nmJlX+aFFx6hc+kFbkjxY
Threatray 33 similar samples on MalwareBazaar
TLSH 21563356F16004B6D4A6D9BDA1B2C5365279E4070B1078E363F83E933A333E31AFD669
Reporter abuse_ch
Tags:exe mimikatz


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: cp-10.hkdns.co.za
Sending IP: 156.38.171.150
From: info@wildrangeconstruction.co.za
Subject: Request for quotation
Attachment: Quotation.xlsm

Unknown payload URL:
https://u.teknik.io/PkV9U.txt

Unknown C2:
http://mypapal.com/132134F/up.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
PUA.Win.Malware.Generic-6651521-0
Create hunting rule

SecuriteInfo.com.Python.Stealer.73.15134.24548.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Deleting a recently created file
Sending an HTTP GET request
Enabling the 'hidden' option for recently created files
Setting a keyboard event handler
Setting a global event handler
Reading critical registry keys
Creating a file in the %temp% subdirectories
DNS request
Sending a custom TCP request
Sending a UDP request
Stealing user critical data
Result
Threat name:
Mimikatz
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/409790
Signature
Installs a global keyboard hook
May check the online IP address of the machine
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Mimikatz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 257144 Sample: PkV9U.txt Startdate: 04/08/2020 Architecture: WINDOWS Score: 64 40 mypapal.com 2->40 42 asf-ris-prod-neurope.northeurope.cloudapp.azure.com 2->42 54 Yara detected Mimikatz 2->54 56 May check the online IP address of the machine 2->56 10 PkV9U.exe 75 2->10         started        signatures3 process4 file5 30 C:\Users\user\AppData\Local\...\win32pipe.pyd, PE32 10->30 dropped 32 C:\Users\user\AppData\...\unicodedata.pyd, PE32 10->32 dropped 34 C:\Users\user\AppData\Local\...\select.pyd, PE32 10->34 dropped 36 58 other files (none is malicious) 10->36 dropped 13 PkV9U.exe 1 10->13         started        process6 dnsIp7 50 teknik.io 5.79.72.163, 443, 49728 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 13->50 52 u.teknik.io 13->52 38 C:\Users\user\AppData\Local\...\BBtt6.exe, PE32 13->38 dropped 17 cmd.exe 1 13->17         started        file8 process9 process10 19 BBtt6.exe 501 17->19         started        21 conhost.exe 17->21         started        process11 23 BBtt6.exe 4 19->23         started        dnsIp12 44 mypapal.com 23->44 46 ipinfo.io 216.239.38.21 GOOGLEUS United States 23->46 48 192.168.2.1 unknown unknown 23->48 28 C:\Users\user\AppData\Local\...\SynTPEnh.exe, PE32 23->28 dropped 58 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->58 60 Tries to steal Mail credentials (via file access) 23->60 62 Installs a global keyboard hook 23->62 file13 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/52f137c22685d15df043daabdb9c823e07ecec4df42bcc2fa2c5bd45913d32ea/
Threat name:
Win32.Backdoor.Zegost
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 16:29:06 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=klytpqrgqxiv34cd3kv5xhechyd6z3cn6qv4yl5cyw6ulej5glva._file
Verdict:
malicious
Similar samples:
078f883c1bcf8d0f9d5eb75f2dcc849564bb7e3fee851df036acb2e6870e95c1
Mimikatz
0eb41e962d7be24fe14670c0bda3283dd6db00bbe813d1d93da23c125af8e4dc
Mimikatz
2b6160a9720ed2cf3b818dafc81e4f092111d4df2e0db161b994b39a5ceb78f3
Mimikatz
2c9a56116d34514c98f71a77cd80ab3b32d6523b2d7aa9b89b6e4f5c1cd8a8df
Mimikatz
434ea880ad59cffded73a776f3a01a75e6afef21fc6dca45b364fd3f0ba54de3
Mimikatz
49ea2b64601f51c9464960630f27180d4a4ae27c1dfd1ab0fe91a315ac945fa8
Mimikatz
5cd1e21eef3c4ed694dc429b88b403995244060feb4fdea12473aff4d782e1f5
Mimikatz
925f678c8adafa7aeae7d0894ea871001ffabe237d6e6b5764eabb0c59c6f8d1
Mimikatz
95e35f1614df92a318a749a8f62a35b9c03f2f34f08ad5606b45c9d817ff1d93
Mimikatz
e6ff6d164a876c50bfc4a6f7b6397914f9656d0e4aef1ceba65f1e92ed1b6c69
Mimikatz
+ 23 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/200804-ne4p1kpzd2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Looks up external IP address via web service
JavaScript code in executable
Looks up external IP address via web service
JavaScript code in executable
Reads user/profile data of web browsers
Loads dropped DLL
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/52f137c22685d15df043daabdb9c823e07ecec4df42bcc2fa2c5bd45913d32ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_File_pyinstaller
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Description:Detect PE file produced by pyinstaller
Reference:https://isc.sans.edu/diary/21057
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Mimikatz

Excel file xlsm 574b59dc1edfd81da481081c8a8eeae2f3f9c62965a25ef4ab67aacbd4ce63fa

Mimikatz

Executable exe 52f137c22685d15df043daabdb9c823e07ecec4df42bcc2fa2c5bd45913d32ea

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/424444/
  
Dropped by
MD5 f743ef79b812d3133a9374bd472e0362
  
Dropped by
SHA256 574b59dc1edfd81da481081c8a8eeae2f3f9c62965a25ef4ab67aacbd4ce63fa
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/38847/

Comments