MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7904072314fdac63da52138a8a6267d4780f2d95ae5d8f9866bf83f6d8e89925. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MimiKatz


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7904072314fdac63da52138a8a6267d4780f2d95ae5d8f9866bf83f6d8e89925
SHA3-384 hash: 60507c7c976b1d1512683b0c2678d4df2c78c5e59d7809f772a34e9364d07439b32fbfee4fe65e23ead9546ac93f182a
SHA1 hash: 11d2ecb611a872abf20903e97d351f37c7479e20
MD5 hash: 54340fbbdd7571ec8acfd4f2705848f5
humanhash: magazine-florida-comet-cardinal
File name:54340fbbdd7571ec8acfd4f2705848f5
Download: download sample
Signature MimiKatz
Create hunting rule
File size:3'675'136 bytes
First seen:2022-08-22 12:41:13 UTC
Last seen:2022-08-22 13:35:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:2+fL9S5TJQKdCAZBSs2iqqGYQVD8rUBgGYPKR3jv2kOgkqxt:2+j9eQ4Cd8rUmGYPKR3jv2kOgk8t
Threatray 2'369 similar samples on MalwareBazaar
TLSH T1330638213DFB209DB3E29A995FD8F8BF895AF273174F70B92071434687229818D92735
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe mimikatz

Intelligence

File Origin
# of uploads :
2
# of downloads :
338
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
54340fbbdd7571ec8acfd4f2705848f5
Verdict:
Suspicious activity
Analysis date:
2022-08-22 12:46:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/adec1909-09e7-447c-a8dc-5ef2e5c244d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/300213/
Detection(s):
SecuriteInfo.com.Heur.MSIL.Krypt.12.23585.25997.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm cmd.exe explorer.exe fingerprint greyware hacktool hacktool obfuscated regedit.exe stealer
Link:
https://www.filescan.io/uploads/630379a0c9bbd99097879a05/reports/d5a4f7a9-3aaa-406a-9e57-2aa8acb8aec2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/43b7d7ef-4239-4f92-bf56-1eeea25a2209
Result
Threat name:
Mimikatz
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1055507
Signature
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Detected Hacktool Mimikatz
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Yara detected Mimikatz
Yara detected RUNPE
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7904072314fdac63da52138a8a6267d4780f2d95ae5d8f9866bf83f6d8e89925/
Threat name:
ByteCode-MSIL.Hacktool.Mimikatz
Create hunting rule
Status:
Malicious
First seen:
2022-08-22 12:42:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
15 of 26 (57.69%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pecaoiyu7wwghwsscofiuyth2r4a6lmvvzoy7gdgx6b7nwhitesq._file
Verdict:
malicious
Similar samples:
2421c5815103b12aefee6faecb1ebbe910c6a17c7ed68f0d7bb2064ec4e97291
MimiKatz
3e6f7f9456ae9906e40da831c58f9b78a2eee8af2682cac7a9abf1a854142aa0
MimiKatz
41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547
MimiKatz
6cf97570d317b42ef8bfd4ee4df21d217d5f27b73ff236049d70c37c5337909f
MimiKatz
c8ac98c4e43e4290cdaefce51ebf9165143c31d3fbce0f9f80cf5a3258058c4a
MimiKatz
ea10f282be1864ccfe204fcba69fea1b172213a5dc114ef46c629a1ea98c8c24
MimiKatz
edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f
MimiKatz
+ 2'359 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220822-pxb5qaagg8/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
7904072314fdac63da52138a8a6267d4780f2d95ae5d8f9866bf83f6d8e89925
MD5 hash:
54340fbbdd7571ec8acfd4f2705848f5
SHA1 hash:
11d2ecb611a872abf20903e97d351f37c7479e20
Link:
https://www.unpac.me/results/6207cc87-b0ae-4481-8981-24808ede422d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/7904072314fdac63da52138a8a6267d4780f2d95ae5d8f9866bf83f6d8e89925

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_Base64_Encoded_Hacktool_Dev
Create hunting rule
Author:Florian Roth
Description:Detects a suspicious base64 encoded keyword
Reference:https://twitter.com/cyb3rops/status/1270626274826911744
Rule name:SUSP_Base64_Encoded_Hacktool_Dev_RID32C3
Create hunting rule
Author:Florian Roth
Description:Detects a suspicious base64 encoded keyword
Reference:https://twitter.com/cyb3rops/status/1270626274826911744

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MimiKatz

Executable exe 7904072314fdac63da52138a8a6267d4780f2d95ae5d8f9866bf83f6d8e89925

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2275588/
Cape
Cape
https://www.capesandbox.com/analysis/300213/
  
URLhaus
https://urlhaus.abuse.ch/url/2276045/

Comments


Avatar
zbet commented on 2022-08-22 12:41:17 UTC

url : hxxp://37.139.129.142/htdocs/FeWTCnXpRcNPRzE.exe