MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 640ea5a2c4ea4a2d1a5018f446c0b722407e21f2ec5b81ce2986c037e3f11a09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MimiKatz

Vendor detections: 6

Intelligence 6 IOCs YARA 3 File information Comments

SHA256 hash:	640ea5a2c4ea4a2d1a5018f446c0b722407e21f2ec5b81ce2986c037e3f11a09
SHA3-384 hash:	984f02832ecde54332f04b6f1996ed36a1b353b2e362af6db9b8fea5eba29f70511e2e9ae878a816259a5679ebcf6963
SHA1 hash:	901720cc3f9e1a466d804c32353501f8cc36a90b
MD5 hash:	e22d7cd27166ed12fd707e5b4b66c7d5
humanhash:	ceiling-quebec-beryllium-happy
File name:	“江西小伙”在“迪“惨遭鸡奸、鞭打、睾丸被切视频.cmd
Download:	download sample
Signature	MimiKatz Create hunting rule
File size:	2'770'432 bytes
First seen:	2021-09-22 01:15:36 UTC
Last seen:	2021-09-22 02:01:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f6c4d50d87d4e0d20a5772aea6d13e30 (3 x MimiKatz)
ssdeep	49152:GbsVWAYJjeTIqToZu8Pazb7iOWmOSRTlJhNpccM8sMTbL7rbL7rbL7pR:GbUWA8yhB7ihdSRTlJhH
Threatray	46 similar samples on MalwareBazaar
TLSH	T148D548092B921760E79A7378D875925104985F131F68C0B64EB45E1E7C22A9EFC33FBE
File icon (PE):
dhash icon	606868e4c4e4e4cc (1 x MimiKatz)
Reporter	ActorExpose
Tags:	exe mimikatz

Intelligence

File Origin

# of uploads :

# of downloads :

266

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

“江西小伙”在“迪“惨遭鸡奸、鞭打、睾丸被切视频.cmd

Verdict:

No threats detected

Analysis date:

2021-09-22 01:18:49 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6c254262-9e11-408e-9cfa-187a3932fe74

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Variant.Mikey.116590.6388.30605.UNOFFICIAL

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2e47338e-9147-42d1-be98-87818a3191a9

Result

Threat name:

Mimikatz

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/855279

Signature

Connects to many ports of the same IP (likely port scanning)

Contains functionality to automate explorer (e.g. start an application)

Contains functionality to capture and log keystrokes

Contains functionality to detect sleep reduction / modifications

Contains functionality to infect the boot sector

Creates an autostart registry key pointing to binary in C:\Windows

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Yara detected Mimikatz

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/640ea5a2c4ea4a2d1a5018f446c0b722407e21f2ec5b81ce2986c037e3f11a09/

Threat name:

Win32.Trojan.TrickBot

Status:

Malicious

First seen:

2021-09-22 01:16:10 UTC

AV detection:

23 of 45 (51.11%)

Threat level:

5/5

Verdict:

malicious

MimiKatz

248c72c5eb7823243a820b9935e49534d8a94b91a6528afd8db98c9e8f56fbc0

MimiKatz

3698d2855e9efa5979d94dad6e2044627134de86015421ebf548682400fe2163

MimiKatz

389ddb82e254c476a6e3e2534182314d4702ce525371c2bcd5da6ef19d4851fb

MimiKatz

3ce7a091f24c19dd1a0875c60f9e97ee017435614198c62ca97220658723b785

MimiKatz

5f90cb5229a6fbb6c8b8c1ec159b60bf6ad2cccaf1bdc59788caf8942ebb2785

MimiKatz

8872e76ffc38017c1b3ef4b07756edb26c82cf45cceb8ed4d8c153c358fb5674

MimiKatz

ea45f9b3dd2e613bb9cb0659dcf6d66ca092738fc510e37226bb99542ad685c8

MimiKatz

eb6478f051ae5b16921ed95f6a2f761512c79787ac2b54f0d00742ad526c34b8

MimiKatz

+ 36 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

persistence

Link:

https://tria.ge/reports/210922-bms4laaha9/

Behaviour

Suspicious use of SetWindowsHookEx

Adds Run key to start application

Unpacked files

SH256 hash:

b2a3ea6f79a2d7c8d7a111f8d6151a666822afbc95089b15ea5ca3b04d588b60

MD5 hash:

ab07d9637b29946cb5e1dc9b3cd936fd

SHA1 hash:

a197ec1378968db64a8668575fff658681d1d336

Link:

https://www.unpac.me/results/34fddbf9-bc64-47fd-8e10-245d617f3763/

SH256 hash:

640ea5a2c4ea4a2d1a5018f446c0b722407e21f2ec5b81ce2986c037e3f11a09

MD5 hash:

e22d7cd27166ed12fd707e5b4b66c7d5

SHA1 hash:

901720cc3f9e1a466d804c32353501f8cc36a90b

Link:

https://www.unpac.me/results/34fddbf9-bc64-47fd-8e10-245d617f3763/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/640ea5a2c4ea4a2d1a5018f446c0b722407e21f2ec5b81ce2986c037e3f11a09

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_TOOL_RTK_HiddenRootKit Create hunting rule
Author:	ditekSHen
Description:	Detects the Hidden public rootkit

Rule name:	Mimikatz_Strings Create hunting rule
Author:	Florian Roth
Description:	Detects Mimikatz strings
Reference:	not set

Rule name:	Mimikatz_Strings_RID2DA0 Create hunting rule
Author:	Florian Roth
Description:	Detects Mimikatz strings
Reference:	not set

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample