MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a39d04119147f3cfd6afe16e5d5cda2c205030114095921ad6a77a47cd230afa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MimiKatz


Vendor detections: 12


Intelligence 12 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a39d04119147f3cfd6afe16e5d5cda2c205030114095921ad6a77a47cd230afa
SHA3-384 hash: a23abd5b760f665772140abef10f1338922a61cf38ae9570377a569a20f8aece34afecfb30eb1a1141496d97f70ed8b5
SHA1 hash: a6b8f86c05aa03f304f145bb96f83d4ef8467dc1
MD5 hash: be740ffc1f8f0dcc94a5befcc0efdcdf
humanhash: september-alabama-aspen-gee
File name:ÇåÍËÍŶÓÊý¾ÝʹÓÃÃûµ¥-VIP.exe
Download: download sample
Signature MimiKatz
Create hunting rule
File size:219'136 bytes
First seen:2025-02-17 06:55:45 UTC
Last seen:2025-02-17 08:44:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 932d3e3fd894f647771de5d4b8ae29bb (1 x MimiKatz)
ssdeep 3072:bDCC5d3MQpK3o5IIa3rbjQ++239AXzcsc8mxNj4twiEuSksk0Lqx24mK:HCwg3oWB3njQ++cKavwqL2R
TLSH T1B4247D5573A50CF8E5B79239CD424A45E6B2BC160760EBCF03A0076ADF236E19D3EB61
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter skocherhan
Tags:exe mimikatz


Avatar
skocherhan
http://69.165.65.24:8888/%E6%B8%85%E9%80%80%E5%9B%A2%E9%98%9F%E6%95%B0%E6%8D%AE%E4%BD%BF%E7%94%A8%E5%90%8D%E5%8D%95-VIP.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
597
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
gh0st
Create hunting rule
ID:
1
File name:
ÇåÍËÍŶÓÊý¾ÝʹÓÃÃûµ¥-VIP.exe
Verdict:
Malicious activity
Analysis date:
2025-02-17 07:00:53 UTC
Tags:
loader remote rat gh0st gh0stcringe
Link:
https://app.any.run/tasks/16d217ff-ad69-4bc2-a8af-dd6307dd133b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.FileRepMalware.23129.20016.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67b2de5128ab76d43a5b6b4b
Tags:
packed extens blic
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Connection attempt
Sending an HTTP GET request
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
Creating a process from a recently created file
Adding an access-denied ACE
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/a39d04119147f3cfd6afe16e5d5cda2c205030114095921ad6a77a47cd230afa
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7a80e262-c416-4ea6-80c4-0ea0e62fc913
Result
Threat name:
GhostRat, Mimikatz, Nitol
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1616762
Signature
Antivirus detection for URL or domain
Checks if browser processes are running
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to modify windows services which are used for security filtering and protection
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking mutex)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Yara detected GhostRat
Yara detected Mimikatz
Yara detected Nitol
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a39d04119147f3cfd6afe16e5d5cda2c205030114095921ad6a77a47cd230afa
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a39d04119147f3cfd6afe16e5d5cda2c205030114095921ad6a77a47cd230afa/
Threat name:
Win32.Backdoor.GhostRAT
Create hunting rule
Status:
Malicious
First seen:
2025-02-17 06:56:10 UTC
File Type:
PE+ (Exe)
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uooqiemri7z47vvp4fxf2xg2fqqfamarickzegwwu55eptjdbl5a._file
Verdict:
malicious
Label(s):
gh0strat
Create hunting rule
Similar samples:
error
MimiKatz
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery
Link:
https://tria.ge/reports/250217-hqd76svjes/
Behaviour
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Downloads MZ/PE file
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c85ce9d7-8fd9-42c5-b4d8-446758691afe
Unpacked files
SH256 hash:
a39d04119147f3cfd6afe16e5d5cda2c205030114095921ad6a77a47cd230afa
MD5 hash:
be740ffc1f8f0dcc94a5befcc0efdcdf
SHA1 hash:
a6b8f86c05aa03f304f145bb96f83d4ef8467dc1
Link:
https://www.unpac.me/results/c55a73ec-94e5-405d-8e08-cae74eafb7ea/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Armadillov1xxv2xx
Create hunting rule
Author:malware-lu
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Hidden
Create hunting rule
Author:@bartblaze
Description:Identifies Hidden Windows driver, used by malware such as PurpleFox.
Reference:https://github.com/JKornev/hidden
Rule name:INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Create hunting rule
Author:ditekSHen
Description:Detects executables calling ClearMyTracksByProcess
Rule name:INDICATOR_TOOL_RTK_HiddenRootKit
Create hunting rule
Author:ditekSHen
Description:Detects the Hidden public rootkit
Rule name:MALWARE_Win_PCRat
Create hunting rule
Author:ditekSHen
Description:Detects PCRat / Gh0st
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:Mimikatz_Strings
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Mimikatz strings
Reference:not set
Rule name:Mimikatz_Strings_RID2DA0
Create hunting rule
Author:Florian Roth
Description:Detects Mimikatz strings
Reference:not set
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Trojan_Gh0st_ee6de6bc
Create hunting rule
Author:Elastic Security
Description:Identifies a variant of Gh0st Rat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MimiKatz

Executable exe a39d04119147f3cfd6afe16e5d5cda2c205030114095921ad6a77a47cd230afa

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3442706/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WININET.dll::InternetCloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::FindFirstFileW

Comments