MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c36572664731f058a282fa6f943e48fe80646f6613c3a46f3eee1f4a121b2158. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mimikatz

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	c36572664731f058a282fa6f943e48fe80646f6613c3a46f3eee1f4a121b2158
SHA3-384 hash:	78a44d2a1865981a8eb53edb0f132e5df180d0f17320911964bdf71f7312dded8e00c3ee0d817241c8cceff2d3b42786
SHA1 hash:	71eca56c0d2726883b45c2ca677326550196ccde
MD5 hash:	b11f597b149ff38d9cda7edd889e6744
humanhash:	juliet-oven-winner-william
File name:	7mxQhQbM.exe
Download:	download sample
Signature	Mimikatz Create hunting rule
File size:	848'896 bytes
First seen:	2020-04-01 10:31:47 UTC
Last seen:	2020-04-01 14:27:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e073e25e16aa7b93510ca9c84a1124f9 (1 x Mimikatz)
ssdeep	12288:3B2BOxoDYFsbrqo5/IagBy2IEosk/IkxgcSHcUjqgY8MFPdY4:3sBOxegsnq0Aaqy2IEo1//NSJ2gYf5N
Threatray	3 similar samples on MalwareBazaar
TLSH	7D053A11A7E90068F1B75AB5DEF39506DBB378931930C34F02A8865E2F73B519A2D732
Reporter	johannes
Tags:	mimikatz

viql

mimikatz via https://pastebin.com/raw/7mxQhQbM

Intelligence

File Origin

# of uploads :

# of downloads :

153

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.Mimikatz-6466236-0

PUA.Win.Downloader.Aiis-6803892-0

TwinWave.MimiKatz.x64.20191220.UNOFFICIAL

Gathering data

Threat name:

Win64.Trojan.Mimikatz

Status:

Malicious

First seen:

2016-11-11 09:30:06 UTC

AV detection:

36 of 44 (81.82%)

Threat level:

5/5

Verdict:

malicious

Mimikatz

6cb23b48210469ee821a83a1be7b4724ae876f5a7e56ce1878d7ffdf2c6fceb0

Mimikatz

fde7c52c166cd76fea454bbb539e7eba9ce704f5b442534bf5c4163213215426

Mimikatz

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Link

https://pastebin.com/raw/7mxQhQbM

Link

https://pastebin.com/raw/EMPE1cmh

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::ConvertSidToStringSidW ADVAPI32.dll::ConvertStringSidToSidW ADVAPI32.dll::CopySid ADVAPI32.dll::CreateWellKnownSid ADVAPI32.dll::FreeSid
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
DP_API	Uses DP API	CRYPT32.dll::CryptProtectData CRYPT32.dll::CryptUnprotectData
KERNEL_API	Manipulates Windows Kernel & Drivers	ntdll.dll::RtlInitUnicodeString
RPC_API	Can Execute Remote Procedures	RPCRT4.dll::MesDecodeIncrementalHandleCreate RPCRT4.dll::MesEncodeIncrementalHandleCreate RPCRT4.dll::MesHandleFree RPCRT4.dll::MesIncrementalHandleReset RPCRT4.dll::RpcBindingFree RPCRT4.dll::RpcBindingFromStringBindingW
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::CheckTokenMembership ADVAPI32.dll::DuplicateTokenEx ADVAPI32.dll::GetTokenInformation
SS_API	Uses SS API	Secur32.dll::QueryContextAttributesW
WIN32_PROCESS_API	Can Create Process and Threads	ADVAPI32.dll::CreateProcessAsUserW KERNEL32.dll::CreateRemoteThread ADVAPI32.dll::CreateProcessWithLogonW KERNEL32.dll::CreateProcessW ADVAPI32.dll::OpenProcessToken KERNEL32.dll::OpenProcess
WIN_BASE_API	Uses Win Base API	ntdll.dll::NtTerminateProcess KERNEL32.dll::TerminateProcess ntdll.dll::NtQueryInformationProcess ntdll.dll::NtQuerySystemInformation KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::FillConsoleOutputCharacterW KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetConsoleCursorPosition KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleScreenBufferInfo
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileMappingA KERNEL32.dll::CreateFileA KERNEL32.dll::CreateFileMappingW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::DeleteFileA
WIN_BASE_USER_API	Retrieves Account Information	ADVAPI32.dll::LookupAccountNameW ADVAPI32.dll::LookupAccountSidW ADVAPI32.dll::LookupPrivilegeValueW
WIN_CRED_API	Can Manipute Windows Credentials	ADVAPI32.dll::CredEnumerateW
WIN_CRYPT_API	Uses Windows Crypt API	CRYPT32.dll::CertAddCertificateContextToStore CRYPT32.dll::CertAddEncodedCertificateToStore CRYPT32.dll::CertEnumCertificatesInStore CRYPT32.dll::CertFindCertificateInStore CRYPT32.dll::CertFreeCertificateContext CRYPT32.dll::CertGetCertificateContextProperty
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryInfoKeyW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW
WIN_SCARD_API	Supports Windows Smart Card	WinSCard.dll::SCardConnectW WinSCard.dll::SCardDisconnect WinSCard.dll::SCardEstablishContext WinSCard.dll::SCardGetAttrib WinSCard.dll::SCardGetCardTypeProviderNameW WinSCard.dll::SCardListCardsW
WIN_SVC_API	Can Manipulate Windows Services	ADVAPI32.dll::ControlService ADVAPI32.dll::CreateServiceW ADVAPI32.dll::OpenSCManagerW ADVAPI32.dll::OpenServiceW ADVAPI32.dll::QueryServiceStatusEx ADVAPI32.dll::SetServiceObjectSecurity

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample