MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c8f59d71eb9a0c17dfb1b541ca3b337202f1c8dd288256159417a4cb739d217. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MimiKatz
Vendor detections: 12

SHA256 hash: 8c8f59d71eb9a0c17dfb1b541ca3b337202f1c8dd288256159417a4cb739d217
SHA3-384 hash: ab6e8e4a2c611182464ea08de5fe6c1c16d5ba41431b6078004b266c5a63de7699bed0303f27def173d0ea72a547279f
SHA1 hash: 269829dcd5ad5581ab42aa359b0457da05af696f
MD5 hash: 797560327ed25ca66ba08de50c88b8b1
humanhash: football-west-magnesium-ink
File name: хкт╠цШ╣╔.com
Signature: MimiKatz
File size: 1'261'568 bytes
First seen: 2022-05-05 23:44:10 UTC
Last seen: 2022-05-05 23:44:53 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e6d4c936d9c95e722d2428ba45fa8608 (1 x MimiKatz, 1 x Gh0stRAT)
ssdeep: 24576:ej8KH/NVv4gWcixa/Q41L9bQCfYmpbVFgwy2ZAHaRB:e3NVvFixiQiF472ZR
Threatray: 65 similar samples on MalwareBazaar
TLSH: T18B456B16505A49DBE4B2573F80614DF16610BDB8F888D0AD81EB7BB49FB835C14CE8FA
TrID:
  42.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  22.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  14.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.1% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: b2f07cbe6e67736c (1 x MimiKatz, 1 x Gh0stRAT, 1 x AsyncRAT)
Reporter: ActorExpose
Tags: exe mimikatz

Intelligence

File Origin
# of uploads: 2
# of downloads: 315
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: хкт╠цШ╣╔.com
Verdict: No threats detected
Analysis date: 2022-05-05 23:46:17 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour:
Searching for the window
Sending a UDP request
Creating a file
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a service
Launching a service
Searching for synchronization primitives
Creating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a custom TCP request
Enabling autorun for a service
Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour:
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: GhostRat Mimikatz Nitol
Detection: malicious
Classification: bank.troj.spyw.evad
Score: 100 / 100
Signature:
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if browser processes are running
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Detected VMProtect packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Query firmware table information (likely to detect VMs)
Sample is protected by VMProtect
Snort IDS alert for network traffic
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected GhostRat
Yara detected Mimikatz
Yara detected Nitol
Behaviour
Behavior Graph (ID 621281; sample хкт╠цШ╣╔.exe; start date 06/05/2022; architecture Windows; score 100), reconstructed from the flattened graph text:
Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Yara detected Nitol; 5 other signatures
Process tree:
  хкт╠цШ╣╔.exe (the sample): Drops PE files to the user root directory
    dropped C:\Users\...\Desktop#bjlkanglkewjglkasg.exe (PE32)
    Desktop#bjlkanglkewjglkasg.exe: Found evasive API chain (may stop execution after checking mutex); Machine Learning detection for dropped file; Checks if browser processes are running; 2 other signatures
      dropped C:\Windows\SysWOW64\GwoWgw.exe (PE32)
      cmd.exe: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
        PING.EXE -> 127.0.0.1, 192.168.2.1
        conhost.exe
    cmd.exe
      conhost.exe
      PING.EXE
  GwoWgw.exe: Found evasive API chain (may stop execution after checking mutex); Machine Learning detection for dropped file; Contains functionality to automate explorer (e.g. start an application); 5 other signatures
    GwoWgw.exe -> 110.186.58.114 (ports 49752, 9797; CHINANET-BACKBONE No.31 Jin-rong Street, CN)
  svchost.exe: Changes security center settings (notifications, updates, antivirus, firewall)
    MpCmdRun.exe
      conhost.exe
  12 other processes: Query firmware table information (likely to detect VMs)
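The chain in the graph above (a dropped PE executed, a second dropped binary written to SysWOW64 and started again, cmd.exe spawning PING.EXE against 127.0.0.1 and 192.168.2.1, and the dropped binary connecting to 110.186.58.114) is the kind of sequence that can be matched on endpoint telemetry rather than by hash alone. The script below is an added example written for this page, not code from MalwareBazaar or from any of the sandbox vendors whose results it shows. It replays constructed Sysmon-style events (IDs 1, 3 and 11) that mirror the tree and applies three checks: execution of a file that was written earlier in the same trace (with taint carried to child processes), ping.exe used as a timer (loopback target with a repeat count), and a connection to the listed host. The PIDs, user name, exact command lines and benign records are constructed; the page only states that ping.exe was used to sleep and to check other devices. The page lists ports 49752 and 9797 for the C2 host; 49752 falls in the Windows ephemeral client range, so 9797 is taken to be the server port, which is an assumption.

```python
"""Behavioural triage over constructed Sysmon-style telemetry (added example).

Events mirror the sandbox process tree on the MalwareBazaar page: a dropped
PE is executed, it drops GwoWgw.exe into SysWOW64, cmd.exe runs PING.EXE
against 127.0.0.1 (sleep) and 192.168.2.1 (reachability check), and the
dropped binary connects to 110.186.58.114. PIDs, the user name, the exact
command lines and the benign records are CONSTRUCTED; 9797 as the server
port is an assumption (49752 is an ephemeral client port).
"""
import ipaddress

# Atomic indicator taken from the page's behaviour graph (port choice assumed)
C2_ENDPOINTS = {("110.186.58.114", 9797)}

# Sysmon event IDs: 1 = ProcessCreate, 3 = NetworkConnect, 11 = FileCreate.
# Chronological order matters: a file must be created before it is executed.
EVENTS = [
    {"id": 1, "pid": 100, "ppid": 50, "image": r"C:\Users\victim\Desktop\sample.exe",
     "cmdline": r"C:\Users\victim\Desktop\sample.exe"},
    {"id": 11, "pid": 100, "target": r"C:\Users\victim\Desktop#bjlkanglkewjglkasg.exe"},
    {"id": 1, "pid": 101, "ppid": 100, "image": r"C:\Users\victim\Desktop#bjlkanglkewjglkasg.exe",
     "cmdline": r"C:\Users\victim\Desktop#bjlkanglkewjglkasg.exe"},
    {"id": 11, "pid": 101, "target": r"C:\Windows\SysWOW64\GwoWgw.exe"},
    {"id": 1, "pid": 102, "ppid": 101, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ping 127.0.0.1 -n 5 > nul & ping 192.168.2.1 -n 1"},
    {"id": 1, "pid": 103, "ppid": 102, "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping 127.0.0.1 -n 5"},
    {"id": 1, "pid": 104, "ppid": 102, "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping 192.168.2.1 -n 1"},
    # Dropped binary started again under a different parent (pid 60, e.g. the
    # service control manager); still flagged because its path was dropped.
    {"id": 1, "pid": 105, "ppid": 60, "image": r"C:\Windows\SysWOW64\GwoWgw.exe",
     "cmdline": r"C:\Windows\SysWOW64\GwoWgw.exe"},
    {"id": 3, "pid": 105, "dst_ip": "110.186.58.114", "dst_port": 9797},
    # Benign noise that must not fire: unrelated HTTPS and an admin's ping.
    {"id": 3, "pid": 200, "dst_ip": "203.0.113.10", "dst_port": 443},
    {"id": 1, "pid": 201, "ppid": 50, "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping 203.0.113.10"},
]


def parse_ping(cmdline):
    """Return (target, count, wait_ms) for a Windows ping command line, else None.

    Windows syntax only: -n <count> (default 4) and -w <timeout>; the target is
    the first token that is not an option. Quotes around the image are removed.
    """
    tokens = cmdline.replace('"', "").split()
    if not tokens or not tokens[0].lower().endswith(("ping", "ping.exe")):
        return None
    target, count, wait = None, 4, None
    i = 1
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok in ("-n", "-w") and i + 1 < len(tokens) and tokens[i + 1].isdigit():
            if tok == "-n":
                count = int(tokens[i + 1])
            else:
                wait = int(tokens[i + 1])
            i += 2
            continue
        if not tok.startswith("-") and target is None:
            target = tokens[i]
        i += 1
    return target, count, wait


def is_ping_sleep(parsed, min_count=2):
    """ping.exe used as a timer: loopback target and two or more echo requests
    (each request after the first waits about one second)."""
    target, count, _wait = parsed
    if target is None:
        return False
    try:
        loopback = ipaddress.ip_address(target).is_loopback
    except ValueError:
        loopback = target.lower() == "localhost"
    return loopback and count >= min_count


def triage(events):
    """Walk the events in order and return (rule, pid, detail) findings."""
    findings = []
    dropped = set()   # paths written by any process seen so far
    tainted = set()   # processes running a dropped file, plus their descendants
    for e in events:
        if e["id"] == 11:
            dropped.add(e["target"].lower())
        elif e["id"] == 1:
            pid, image, cmd = e["pid"], e["image"], e["cmdline"]
            if image.lower() in dropped:
                tainted.add(pid)
                findings.append(("dropped_exe_exec", pid, image))
            elif e["ppid"] in tainted:
                tainted.add(pid)
            parsed = parse_ping(cmd)
            if parsed and is_ping_sleep(parsed):
                findings.append(("ping_sleep", pid, cmd))
            elif parsed and pid in tainted:
                findings.append(("ping_from_dropped_lineage", pid, cmd))
        elif e["id"] == 3 and (e["dst_ip"], e["dst_port"]) in C2_ENDPOINTS:
            findings.append(("c2_connect", e["pid"], f"{e['dst_ip']}:{e['dst_port']}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:28} pid={pid:<4} {detail}")
```

Run as-is it reports five findings: the two dropped-file executions (pids 101 and 105), the loopback ping sleep (103), the gateway ping from the dropped lineage (104) and the outbound connection from 105; the admin's plain ping and the unrelated HTTPS connection stay silent. The ping heuristic is deliberately gated on a loopback target and a count of two or more because a single echo to a real host is ordinary administration; the lineage check is what turns the 192.168.2.1 probe into a finding.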
Result
Threat name: Win32.Backdoor.Farfli
Status: Malicious
First seen: 2022-05-05 23:45:12 UTC
File Type: PE (Exe)
Extracted files: 22
AV detection: 22 of 26 (84.62%)
Threat level: 5/5
Result
Malware family: purplefox
Score: 10/10
Tags: family:purplefox rootkit trojan
Behaviour:
Checks processor information in registry
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Enumerates connected drives
Loads dropped DLL
Executes dropped EXE
Detect PurpleFox Rootkit
PurpleFox
Unpacked files
SHA256 hash: 8c8f59d71eb9a0c17dfb1b541ca3b337202f1c8dd288256159417a4cb739d217
MD5 hash: 797560327ed25ca66ba08de50c88b8b1
SHA1 hash: 269829dcd5ad5581ab42aa359b0457da05af696f
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Hidden
Author: @bartblaze
Description: Identifies Hidden Windows driver, used by malware such as PurpleFox.
Reference: https://github.com/JKornev/hidden

Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.

Rule name: INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Author: ditekSHen
Description: Detects executables calling ClearMyTracksByProcess

Rule name: INDICATOR_TOOL_RTK_HiddenRootKit
Author: ditekSHen
Description: Detects the Hidden public rootkit

Rule name: MALWARE_Win_FatalRAT
Author: ditekSHen
Description: Detects FatalRAT

Rule name: MALWARE_Win_PCRat
Author: ditekSHen
Description: Detects PCRat / Gh0st

Rule name: MALWARE_Win_Zegost
Author: ditekSHen
Description: Detects Zegost

Rule name: Mimikatz_Strings
Author: Florian Roth
Description: Detects Mimikatz strings
Reference: not set

Rule name: Mimikatz_Strings_RID2DA0
Author: Florian Roth
Description: Detects Mimikatz strings
Reference: not set

File information



Comments