MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03cf1ab083083cb0b7bc90d18f9f8e3f78504f288daece26bfc0ec96aadd2947. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MimiKatz

Vendor detections: 12

Intelligence 12 IOCs YARA 12 File information Comments

SHA256 hash:	03cf1ab083083cb0b7bc90d18f9f8e3f78504f288daece26bfc0ec96aadd2947
SHA3-384 hash:	18caf7e86db203dde2d970495586115af9257d064c7a8cfd1b18b501ae1d9ab36e4d087d8d9c316e7c565467ad72b287
SHA1 hash:	628b7199fbc62d4afe9e9f8f079323dc0a768c8d
MD5 hash:	514257b3833554e107952f7a33c31092
humanhash:	idaho-venus-mars-burger
File name:	03cf1ab083083cb0b7bc90d18f9f8e3f78504f288daece26bfc0ec96aadd2947
Download:	download sample
Signature	MimiKatz Create hunting rule
File size:	1'716'224 bytes
First seen:	2022-01-07 08:37:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4a99d91e1b68c500bb1244eb377c47a1 (4 x MimiKatz, 1 x Gh0stRAT)
ssdeep	49152:HZC1trXgl3ug+31zJIBmJFyeRz13ZbD0+3tUh:HZUXUeg6zJIBmJFyi1pEIu
Threatray	84 similar samples on MalwareBazaar
TLSH	T14785230C57E04E44F4AA0E3E39724ADBDDB37C1A9AB5E61D442D480C8C70599B8A5F3F
File icon (PE):
dhash icon	106c2cac68104c2c (2 x Gh0stRAT, 1 x MimiKatz)
Reporter	JAMESWT_WT
Tags:	exe mimikatz

Intelligence

File Origin

# of uploads :

# of downloads :

264

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

03cf1ab083083cb0b7bc90d18f9f8e3f78504f288daece26bfc0ec96aadd2947

Verdict:

Suspicious activity

Analysis date:

2022-01-07 08:39:34 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b39c6e9b-a91a-4332-8cf8-a7b5d13d82f4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

PCRat

Link:

https://www.capesandbox.com/analysis/217680/

Detection(s):

PUA.Win.Packer.EnigmaProtector-19

PUA.Win.Packer.EnigmaProtector-1

PUA.Win.Packer.EnigmaProtector-9852682-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for analyzing tools

Creating a file in the Windows subdirectories

Creating a service

Launching a service

Creating a process from a recently created file

Searching for synchronization primitives

Running batch commands

Creating a process with a hidden window

DNS request

Searching for the window

Sending a custom TCP request

Launching a process

Creating a file

Enabling autorun for a service

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

bladabindi packed

Link:

https://www.filescan.io/uploads/61d7fbf302e388f9fdb26976/reports/dce442d4-3caa-4a3d-be1c-9dfb66aa904f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/786bc2bf-17ce-43d4-8417-755d2d2e1137

Result

Threat name:

Mimikatz

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/916726

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Changes security center settings (notifications, updates, antivirus, firewall)

Detected unpacking (changes PE section rights)

Drops executables to the windows directory (C:\Windows) and starts them

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file has nameless sections

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade analysis by execution special instruction which cause usermode exception

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Yara detected Mimikatz

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/03cf1ab083083cb0b7bc90d18f9f8e3f78504f288daece26bfc0ec96aadd2947/

Threat name:

Win32.Packed.EnigmaProtector

Status:

Malicious

First seen:

2021-10-23 11:55:26 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 28 (89.29%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=aphrvmedba6lbn54sdiy7h4oh54fatzirwxm4jv7ydwjnkw5ffdq._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/220107-kjrwsscae7/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates connected drives

Deletes itself

Loads dropped DLL

Executes dropped EXE

Unpacked files

SH256 hash:

03cf1ab083083cb0b7bc90d18f9f8e3f78504f288daece26bfc0ec96aadd2947

MD5 hash:

514257b3833554e107952f7a33c31092

SHA1 hash:

628b7199fbc62d4afe9e9f8f079323dc0a768c8d

Link:

https://www.unpac.me/results/7485ec5a-b7a2-40dd-9f8c-1a6e88581273/

Malware family:

Mimikatz

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/03cf1ab08308/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/03cf1ab083083cb0b7bc90d18f9f8e3f78504f288daece26bfc0ec96aadd2947

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	EnigmaStub Create hunting rule
Author:	@bartblaze
Description:	Identifies Enigma packer stub.

Rule name:	Hidden Create hunting rule
Author:	@bartblaze
Description:	Identifies Hidden Windows driver, used by malware such as PurpleFox.
Reference:	https://github.com/JKornev/hidden

Rule name:	INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess Create hunting rule
Author:	ditekSHen
Description:	Detects executables calling ClearMyTracksByProcess

Rule name:	INDICATOR_TOOL_RTK_HiddenRootKit Create hunting rule
Author:	ditekSHen
Description:	Detects the Hidden public rootkit

Rule name:	MALWARE_Win_FatalRAT Create hunting rule
Author:	ditekSHen
Description:	Detects FatalRAT

Rule name:	MALWARE_Win_PCRat Create hunting rule
Author:	ditekSHen
Description:	Detects PCRat / Gh0st

Rule name:	MALWARE_Win_Zegost Create hunting rule
Author:	ditekSHen
Description:	Detects Zegost

Rule name:	Mimikatz_Strings Create hunting rule
Author:	Florian Roth
Description:	Detects Mimikatz strings
Reference:	not set

Rule name:	Mimikatz_Strings_RID2DA0 Create hunting rule
Author:	Florian Roth
Description:	Detects Mimikatz strings
Reference:	not set

Rule name:	win_iceid_core_ldr_202104 Create hunting rule
Author:	Thomas Barabosch, Telekom Security
Description:	2021 loader for Bokbot / Icedid core (license.dat)

Rule name:	win_smominru_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.smominru.

Rule name:	XOREngine_Misc_XOR_Func Create hunting rule
Author:	smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:	Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/217680/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample