MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d6231c525666c6204815f4d1447bbad850bed0450c313bdf5a47612271fa539. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MimiKatz


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5d6231c525666c6204815f4d1447bbad850bed0450c313bdf5a47612271fa539
SHA3-384 hash: fab787ac696463f99d6677d9e8cb69f986358284a38be12b67fa39b65a8ca4159998688057788ecba431ca889ab58ac1
SHA1 hash: cc00aab329c879b72fbad3720bbef211df83a234
MD5 hash: 010afce5f43aa7f0b2537ee879762684
humanhash: massachusetts-spring-harry-monkey
File name:最新通告来了:境外打算回国人员最好看一下.com
Download: download sample
Signature MimiKatz
Create hunting rule
File size:4'091'904 bytes
First seen:2021-11-11 18:54:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b007226ed4de305312c3a957bbbc2986 (1 x MimiKatz)
ssdeep 49152:vWAYJjeTIqToZFFIHYX0C0htA+iFK3A113E7:vWA8ymFIHYEC0jbfeE7
Threatray 63 similar samples on MalwareBazaar
TLSH T14D16E7107BA68125E76A3375C835A22455297E030F28C1F72D648A5D3D626CEFD32BBF
File icon (PE):PE icon
dhash icon 8833134c552b174e (1 x MimiKatz)
Reporter ActorExpose
Tags:exe mimikatz

Intelligence

File Origin
# of uploads :
1
# of downloads :
222
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/205113/
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
67%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/618d66d1dec3347825a2311c/reports/9396dacc-e550-4308-a50c-52a5feb32223/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/05e0fe61-6a43-4fe3-bb09-8e3cd1d2d7aa
Result
Threat name:
Mimikatz
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/887727
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Creates an autostart registry key pointing to binary in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Mimikatz
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5d6231c525666c6204815f4d1447bbad850bed0450c313bdf5a47612271fa539/
Threat name:
Win32.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2021-11-11 16:37:00 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1c4d52717bfd4ec045a8fd37e819f92f695c962968d026c5172685c7b4cbba3d
MimiKatz
3698d2855e9efa5979d94dad6e2044627134de86015421ebf548682400fe2163
MimiKatz
4985cc63bd295199512f828ac8273951f5ca9b53eac2715b0133a7193c11ea59
MimiKatz
5f90cb5229a6fbb6c8b8c1ec159b60bf6ad2cccaf1bdc59788caf8942ebb2785
MimiKatz
640ea5a2c4ea4a2d1a5018f446c0b722407e21f2ec5b81ce2986c037e3f11a09
MimiKatz
aac80ffbaf23f57ae1bc9788b311773ddccacd0838094345f179b777d5d793af
MimiKatz
e0fd6936be4f84e23d88b226280773d0554ef33927e0878a812d1755b8c4bfa2
MimiKatz
eb6478f051ae5b16921ed95f6a2f761512c79787ac2b54f0d00742ad526c34b8
MimiKatz
f76115cf6e126f5de1f9013a3f62295ef5100a3dda02a3af4a457eccf5793af1
MimiKatz
+ 53 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/211111-xj7ngahafr/
Behaviour
Suspicious use of SetWindowsHookEx
Adds Run key to start application
Unpacked files
SH256 hash:
b2a3ea6f79a2d7c8d7a111f8d6151a666822afbc95089b15ea5ca3b04d588b60
MD5 hash:
ab07d9637b29946cb5e1dc9b3cd936fd
SHA1 hash:
a197ec1378968db64a8668575fff658681d1d336
Link:
https://www.unpac.me/results/314e5d1a-54ef-42ad-8a1e-3d8d48e1d528/
SH256 hash:
5d6231c525666c6204815f4d1447bbad850bed0450c313bdf5a47612271fa539
MD5 hash:
010afce5f43aa7f0b2537ee879762684
SHA1 hash:
cc00aab329c879b72fbad3720bbef211df83a234
Link:
https://www.unpac.me/results/314e5d1a-54ef-42ad-8a1e-3d8d48e1d528/
Malware family:
Mimikatz
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5d6231c52566/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/5d6231c525666c6204815f4d1447bbad850bed0450c313bdf5a47612271fa539

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_TOOL_RTK_HiddenRootKit
Create hunting rule
Author:ditekSHen
Description:Detects the Hidden public rootkit
Rule name:Mimikatz_Strings
Create hunting rule
Author:Florian Roth
Description:Detects Mimikatz strings
Reference:not set
Rule name:Mimikatz_Strings_RID2DA0
Create hunting rule
Author:Florian Roth
Description:Detects Mimikatz strings
Reference:not set

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/205113/

Comments