MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61d451ce5a169591bd4e8633c9030a8afb54027e66dbae6127984caa48bc2568. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



MimiKatz


Vendor detections: 7



SHA256 hash: 61d451ce5a169591bd4e8633c9030a8afb54027e66dbae6127984caa48bc2568
SHA3-384 hash: 0886a90a2dc3d9f40fc9e3633b414eb4aa72f485d4e2f6b84bc66750252c0326bd7db21b3102edba9a31f3d0c4333897
SHA1 hash: 9fb24eaef2da9aa81f5cc90217092b09040421ff
MD5 hash: 7586a115a915c813f58059386db4f9ce
humanhash: illinois-aspen-october-timing
File name: 61D451CE5A169591BD4E8633C9030A8AFB54027E66DBAE6127984CAA48BC2568.exe
Signature: MimiKatz
File size: 4'440'496 bytes
First seen: 2022-05-28 13:54:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1ff847646487d56f85778df99ff3728a (4 x RedLineStealer, 3 x Nitol, 2 x Gh0stRAT)
ssdeep: 98304:+06FOznLo0+Dd6uxcl4j8YTyaBr/6mNcOBiFeHuOPnFx:+3F6n80W6uGaj8k5SmNcO+qFx
Threatray: 26 similar samples on MalwareBazaar
TLSH: T14B262343F3C1D1B9D9B9C0BA80549AB24B642E3587BAC4E777D0762B8E701C0AB36F55
TrID:
  68.5% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
  10.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  9.2% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
  3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
  2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: 9ee8e8f0e8e0e98e (1 x Gh0stRAT, 1 x MimiKatz)
Reporter: obfusor
Tags: exe mimikatz RAT
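Before handing a download of this sample to a sandbox or a disassembler, confirm that the file on disk is byte-for-byte the one this entry describes. The script below is an added example for this page, not MalwareBazaar's own tooling: the digests and the byte size are copied from the entry above, while the hashlib algorithm names and the `__main__` usage are assumptions. It streams the file once through every listed algorithm (SHA256, SHA3-384, SHA1, MD5) and reports per-field matches, so a truncated or wrong download is caught before any analysis starts.

```python
"""Verify a downloaded sample against the digests published on a MalwareBazaar entry.

Added example, not MalwareBazaar code. Expected values are copied from the entry
for SHA256 61d451ce...2568; everything else here is an assumption for illustration.
"""
import hashlib
import sys
from typing import Dict, Iterable, Tuple

# Digests and size as printed on the entry (hashlib algorithm names on the left).
PAGE_DIGESTS: Dict[str, str] = {
    "sha256": "61d451ce5a169591bd4e8633c9030a8afb54027e66dbae6127984caa48bc2568",
    "sha3_384": "0886a90a2dc3d9f40fc9e3633b414eb4aa72f485d4e2f6b84bc66750252c0326bd7db21b3102edba9a31f3d0c4333897",
    "sha1": "9fb24eaef2da9aa81f5cc90217092b09040421ff",
    "md5": "7586a115a915c813f58059386db4f9ce",
}
PAGE_SIZE = 4_440_496  # "File size: 4'440'496 bytes"


def digest_bytes(data: bytes, algorithms: Iterable[str] = PAGE_DIGESTS) -> Dict[str, str]:
    """Lowercase hex digests of an in-memory buffer for each named algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path: str, algorithms: Iterable[str] = PAGE_DIGESTS,
                chunk_size: int = 1 << 20) -> Tuple[Dict[str, str], int]:
    """Stream a file once through all hashers; returns (digests, byte size).

    Reading in chunks keeps memory flat for multi-MB samples like this one.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}, size


def compare(observed: Dict[str, str], observed_size: int,
            expected: Dict[str, str] = PAGE_DIGESTS,
            expected_size: int = PAGE_SIZE) -> Dict[str, bool]:
    """Per-field match report; 'all' is True only if every digest and the size agree.

    Comparison is case-insensitive: the entry prints digests in lowercase but the
    file name carries the SHA256 in uppercase, and either may be pasted in.
    """
    report = {name: observed.get(name, "").lower() == expected[name].lower()
              for name in expected}
    report["size"] = observed_size == expected_size
    report["all"] = all(report.values())
    return report


def verify_file(path: str, expected: Dict[str, str] = PAGE_DIGESTS,
                expected_size: int = PAGE_SIZE) -> Dict[str, bool]:
    """Hash a file on disk and compare it with the expected digests and size."""
    digests, size = digest_file(path, expected.keys())
    return compare(digests, size, expected, expected_size)


if __name__ == "__main__":
    # Assumed usage: python verify_sample.py <path-to-downloaded-sample>
    result = verify_file(sys.argv[1])
    for field, ok in result.items():
        print(f"{field:>9}: {'match' if ok else 'MISMATCH'}")
    sys.exit(0 if result["all"] else 1)
```

Treat a SHA256 mismatch as decisive and an MD5 or SHA1 match on its own as insufficient; the weaker digests are on the entry for cross-referencing older reports, not as proof of identity.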

Intelligence


File Origin
# of uploads: 1
# of downloads: 406
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 61D451CE5A169591BD4E8633C9030A8AFB54027E66DBAE6127984CAA48BC2568.exe
Verdict: No threats detected
Analysis date: 2022-05-28 13:55:36 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Suspicious
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Searching for synchronization primitives
Creating a window
Searching for the window
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process with a hidden window
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: greyware obfuscated overlay packed shell32.dll
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 72 / 100
Signature
Antivirus detection for dropped file
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Behaviour
Behavior Graph (ID 635680; sample mv1ONlclvs.exe; start date 29/05/2022; architecture WINDOWS; score 72)
Top-level signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 2 other signatures
Process tree recovered from the graph:
mv1ONlclvs.exe (started)
    dropped C:\Users\user\AppData\Local\...\lua5.1.dll (PE32)
    dropped C:\Users\user\AppData\Local\...\irsetup.exe (PE32)
    irsetup.exe (started)
        dropped C:\ProgramData\data\upx.exe (PE32)
        upx.exe (started)
            dropped C:\WindowsNT\WindowsNT.exe (PE32)
            conhost.exe (started)
Threat name: Win32.Backdoor.Farfli
Status: Malicious
First seen: 2022-05-28 13:55:22 UTC
File Type: PE (Exe)
Extracted files: 21
AV detection: 15 of 26 (57.69%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: evasion persistence spyware stealer trojan upx
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Views/modifies file attributes
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Enumerates connected drives
Checks BIOS information in registry
Checks computer location settings
Identifies Wine through registry keys
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies Windows Firewall
Sets file to hidden
UPX packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
UAC bypass
Unpacked files
SHA256 hash: 4bf743f2e0b30d5f70e73fc3553fe58e2fc8f2c801049de7039a9b29cd381826
MD5 hash: c4dadf6ff35c7a3b5ebe47a6c2bac9ea
SHA1 hash: 12b44f4b228576409171abb66bfb119c3e8c6b60

SHA256 hash: 55afec20feec6d827e210ddf325655d4e580cb63964d94fe58edbfee4eae4111
MD5 hash: ecc8d86bf4d96a38eb41ae50fc71e67a
SHA1 hash: 45b827212e8a04b6e89c041b3e570c61dd1b3305

SHA256 hash: 131b5f5e179e8e4ef4252616e0372184db70bc3a5095ae7902698ec2095048ef
MD5 hash: 2d2ae412ba2048089cdd0864b79b7f8c
SHA1 hash: 19a4878e62b4b5ba860166d106c5c8a45e4e2055

SHA256 hash: 02ce69a49442f00cf1cced9968fbeb5e645801efe7c19ab1362fdde14cb0c471
MD5 hash: 1d1b29a06415705a56ed2eebd4a3ecbe
SHA1 hash: 4cfaf4a806238d62a92b5b24ea5093c91d2dfe9a

SHA256 hash: 61d451ce5a169591bd4e8633c9030a8afb54027e66dbae6127984caa48bc2568
MD5 hash: 7586a115a915c813f58059386db4f9ce
SHA1 hash: 9fb24eaef2da9aa81f5cc90217092b09040421ff
Please note that we are no longer able to provide a coverage score for Virus Total.
