MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5409122ed4854435632036bd0ff599fe1b3c623ab7dbf53926bd9a70f1b67888. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MimiKatz


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5409122ed4854435632036bd0ff599fe1b3c623ab7dbf53926bd9a70f1b67888
SHA3-384 hash: bedb976e074ddd42ff43bd5d2353a276930cabed17d2a998ded9b6c474dd20330e1707ba79428fc378b505e8afe61cc7
SHA1 hash: e98b648a8a39b176efca598c867c10e5d5dfebbf
MD5 hash: 84e85403fa92c181d5f184ac5e9dbda8
humanhash: failed-golf-three-single
File name:5409122ed4854435632036bd0ff599fe1b3c623ab7dbf53926bd9a70f1b67888
Download: download sample
Signature MimiKatz
Create hunting rule
File size:591'037 bytes
First seen:2022-06-06 12:55:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2f93c9dd2c0a3aa46cd302497351cbda (1 x Gh0stRAT, 1 x MimiKatz)
ssdeep 12288:vCu0EuGfFovspdnRZhy3fYgrGb0rl8GbV5sxIJW24fBDncNBw6ZOSEcQMgbi:60ovspdRDEfYgUkiGWrBANWbeQMg2
Threatray 87 similar samples on MalwareBazaar
TLSH T19BC42390F7641877E8078B387703A0C37DB9E1426B1DDC2B9245519B2E7AB823E9FD19
TrID 28.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
25.5% (.EXE) Win32 Executable (generic) (4505/5/1)
11.5% (.EXE) OS/2 Executable (generic) (2029/13)
11.4% (.EXE) Clipper DOS Executable (2018/12)
11.3% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon e8d4929c2cac98a8 (3 x MimiKatz, 1 x Gh0stRAT)
Reporter JAMESWT_WT
Tags:exe kk123456.top related mimikatz

Intelligence

File Origin
# of uploads :
1
# of downloads :
353
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5409122ed4854435632036bd0ff599fe1b3c623ab7dbf53926bd9a70f1b67888
Verdict:
Suspicious activity
Analysis date:
2022-06-06 16:14:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b28fd7d7-abfe-4fad-85bb-d559de9dc5ef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
PCRat / Gh0st
Create hunting rule
Link:
https://www.capesandbox.com/analysis/277039/
Detection(s):
PUA.Win.Packer.Upx-4
Create hunting rule

Win.Keylogger.Gh0stRAT-9937448-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/629df94c8e867832d9de2a7a/reports/db0a88a2-9224-4a34-8487-842ebb940051/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Lotok
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dbbc5678-d9d1-4892-8fba-e653f2841e1d
Result
Threat name:
GhostRat, Mimikatz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1007369
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected GhostRat
Yara detected Mimikatz
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5409122ed4854435632036bd0ff599fe1b3c623ab7dbf53926bd9a70f1b67888/
Threat name:
Win32.Backdoor.Farfli
Create hunting rule
Status:
Malicious
First seen:
2022-05-31 19:09:00 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kqerelwuqvcdkyzag26q75mz7yntyyr2w7n7kojgxwnhb4nwpcea._file
Verdict:
malicious
Similar samples:
0367ec4f514399dfae2b74ed8b9303f1f47e527d5bc7bd7cb900710937add0a4
MimiKatz
38f32d4407d8fd264c2f5585340fb472325e066d335bcb7de398c4e033c04c84
MimiKatz
4bb4435958fa48762b34905fc5ac50c78878eccb33252f72cb037d664cb60fc9
MimiKatz
5df46a85b08eb145dd1d6341934ac9a46479b6a8685b21c89d01de18aeb0f72b
MimiKatz
a4053c9427fa00b62f65abf8ad7760e39df7f7ea0c72ed89375e2076f7cb79a3
MimiKatz
a578e71d04eae80004ab431497c95fb9779a95dc7f0c60996c24c1cb7139745d
MimiKatz
c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f
MimiKatz
c3b1e2b8a95508b33e4a5fdf7275082a2f2578ccbfd16eca42c30c34837e579d
MimiKatz
c96fb748304f35220cae69a622318ee3e425802dea7387549af4add7ba449b7e
MimiKatz
d19b02a35003c637360cc342d5fcdae87dc7336fc7925f07f5c0636eae22ba37
MimiKatz
+ 77 additional samples on MalwareBazaar
Result
Malware family:
purplefox
Create hunting rule
Score:
  10/10
Tags:
family:gh0strat family:purplefox rat rootkit trojan upx
Link:
https://tria.ge/reports/220606-p6b63scfcl/
Behaviour
Suspicious use of AdjustPrivilegeToken
UPX packed file
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat
PurpleFox
Unpacked files
SH256 hash:
e729e0d5037e20f78e1b9665ca29e6355c6f80ae1c6078135c8b5eac4549c4f7
MD5 hash:
78d82a5020250476fa22b2bf47ec2834
SHA1 hash:
4291ce7e33e5c75f10c19308dd79772da45f2b45
Link:
https://www.unpac.me/results/835125b3-54eb-46b5-9e83-39c302f969f0/
Parent samples :
5058d869c59bfb3480d1dc6f8f51d191adb890039c89ff9fd668fe7b481099b8
364b087a1916c5f13675449a4470763adebd4977fc21ea2169d8d67b11e83ba7
089f7f88c1d64dcebf1042f481f17a7fb1fe6fc095cb5c9e10bbcb3f36a629ab
acb615b72532d8020f1fa9afa65c44bd67caa1ec83f39f4b029287e70c344d0b
37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad
3730e600a60fed05d20e23e9340e37e5f5f072e6d4801150326ff4e2a4fdb4c5
d3af6e62ef3ce968da90beb9be44b04948b996c3dda893ba425a1147eb7696ad
fe8954c55b06912419f62ae4c04e19ba8d16a8d5098c28dfcc3c6ef04a154f49
6d74ed0eda4cf7f7edb2f8982cc706e84a402008fc74f442d898da7d6be05143
0fca043ce6592269f8463ec4c803eabb3d09ff412401521090513e8310463fdb
179dab5fc5a32307466541f88cfc1992cb96664218711f6d525586976c9d44ad
f17af5296ff826f4199381574dccb3dcb8a5deeb811e40929f95c722ab70aeb7
9740fb71580a1e6809c694ebd1aa132e76d0dc985dbc0721ae6590f3bf5ed19b
fda844b16b91a38417af25d13bd0992c3344de12ebcd0283732a3e0a6e91811d
bef42fdae71eff14767b54c660a42d7ab6fedf56ce74f8faa304a0e1b526fe4a
a2b98d6820777aaacdb0646a2836b3ebc809b3fe9eef65d201e2ff343580721c
b9d338ff7f7d63d28c765007e9e150b3c30a9acac1e16bfd0317d375b4fc6166
76a236349c0820e4dfba81e3382e50833ee238452c0c271d6a0cf83b4fcca235
00c1314504b05c7fc7cc7280405f31165b9722c704520afef26aa88ff566b871
580e6c64ba71bf32dc63c34204dc48d17ff8de949c916f101e89472222b41a88
c0839998e41d029efd4bb304440cd029acf32ce8f541be6f813c5c4d935e9350
1f8cdb119164550161cddba78f7d30f36cd3304dc4c127c37b15d3030b743b4b
SH256 hash:
4220a27c208aa7076848212f1029e287748a5026d07684101bb51b74c96be073
MD5 hash:
2e700d3b8a8f542f908a5a5c1396bdf2
SHA1 hash:
e58f9d0881171b65c4d1f4d69542e8aeda1c87bc
Link:
https://www.unpac.me/results/835125b3-54eb-46b5-9e83-39c302f969f0/
SH256 hash:
5409122ed4854435632036bd0ff599fe1b3c623ab7dbf53926bd9a70f1b67888
MD5 hash:
84e85403fa92c181d5f184ac5e9dbda8
SHA1 hash:
e98b648a8a39b176efca598c867c10e5d5dfebbf
Link:
https://www.unpac.me/results/835125b3-54eb-46b5-9e83-39c302f969f0/
Malware family:
Mimikatz
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5409122ed485/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.05
Link:
https://yomi.yoroi.company/submissions/5409122ed4854435632036bd0ff599fe1b3c623ab7dbf53926bd9a70f1b67888

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Hidden
Create hunting rule
Author:@bartblaze
Description:Identifies Hidden Windows driver, used by malware such as PurpleFox.
Reference:https://github.com/JKornev/hidden
Rule name:INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Create hunting rule
Author:ditekSHen
Description:Detects executables calling ClearMyTracksByProcess
Rule name:INDICATOR_TOOL_RTK_HiddenRootKit
Create hunting rule
Author:ditekSHen
Description:Detects the Hidden public rootkit
Rule name:MALWARE_Win_PCRat
Create hunting rule
Author:ditekSHen
Description:Detects PCRat / Gh0st
Rule name:Mimikatz_Strings
Create hunting rule
Author:Florian Roth
Description:Detects Mimikatz strings
Reference:not set
Rule name:Mimikatz_Strings_RID2DA0
Create hunting rule
Author:Florian Roth
Description:Detects Mimikatz strings
Reference:not set

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/277039/

Comments