MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af46e5160e837fafd904b62bd81795beefa95ec11d854cedee7565a991210d87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MimiKatz

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	af46e5160e837fafd904b62bd81795beefa95ec11d854cedee7565a991210d87
SHA3-384 hash:	59e0a26a084beb054c989dd844ee98b3669d942ca2bad8a936ab92a54e21e9a16b36d625af630b3522e511331f43d550
SHA1 hash:	800da539a3963aca5949b4af8fd308b5a82ddd2f
MD5 hash:	0b6cf208722a841c2e86061070db080e
humanhash:	five-one-timing-july
File name:	‘迪拜女生’在‘遭缅北佤邦男’猥琐轮奸被虐后电击致死.com
Download:	download sample
Signature	MimiKatz Create hunting rule
File size:	3'756'032 bytes
First seen:	2021-11-23 23:52:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f6c4d50d87d4e0d20a5772aea6d13e30 (3 x MimiKatz)
ssdeep	49152:8bsVWAYJjeTIqToZR8D+ONrLVneniqalZ8PrKlSBnFhWUyyjOwe3:8bUWA8y9ei4njOwe3
Threatray	67 similar samples on MalwareBazaar
TLSH	T15D06C4055BEE4114E3B73734D93A92641525BE265F24C0BF2E208A5D7C31B8DEE72B3A
Reporter	Anonymous
Tags:	exe mimikatz test

Anonymous

this malware sample is very nasty!

Intelligence

File Origin

# of uploads :

# of downloads :

281

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

‘迪拜女生’在‘遭缅北佤邦男’猥琐轮奸被虐后电击致死.com

Verdict:

Suspicious activity

Analysis date:

2021-11-23 23:58:16 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/83aecfc2-12a2-481f-a6ac-6adae97605ee

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

DNS request

Sending a custom TCP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

greyware icedid keylogger packed

Link:

https://www.filescan.io/uploads/619d7edfb71ceed4152dad1d/reports/6541802b-5232-4005-97f8-e851e8c854a7/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/78527fac-4639-47a6-873e-cf4fe4fd562c

Result

Threat name:

Mimikatz

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/895103

Signature

Connects to many ports of the same IP (likely port scanning)

Contains functionality to automate explorer (e.g. start an application)

Contains functionality to capture and log keystrokes

Contains functionality to detect sleep reduction / modifications

Contains functionality to infect the boot sector

Creates an autostart registry key pointing to binary in C:\Windows

Drops executables to the windows directory (C:\Windows) and starts them

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Mimikatz

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/af46e5160e837fafd904b62bd81795beefa95ec11d854cedee7565a991210d87/

Threat name:

Win32.Trojan.TrickBot

Status:

Malicious

First seen:

2021-11-23 16:43:37 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=v5dokfqoqn727wiewyv5qf4vx3x2sxwbdwcuz3poovs2tejbbwdq._file

Verdict:

malicious

MimiKatz

4985cc63bd295199512f828ac8273951f5ca9b53eac2715b0133a7193c11ea59

MimiKatz

5d6231c525666c6204815f4d1447bbad850bed0450c313bdf5a47612271fa539

MimiKatz

5f90cb5229a6fbb6c8b8c1ec159b60bf6ad2cccaf1bdc59788caf8942ebb2785

MimiKatz

62b14085994023f524c75bb0078c9bb78c5b0e5d82364b87ca7530c041f0ec5d

MimiKatz

640ea5a2c4ea4a2d1a5018f446c0b722407e21f2ec5b81ce2986c037e3f11a09

MimiKatz

aac80ffbaf23f57ae1bc9788b311773ddccacd0838094345f179b777d5d793af

MimiKatz

e0fd6936be4f84e23d88b226280773d0554ef33927e0878a812d1755b8c4bfa2

MimiKatz

f76115cf6e126f5de1f9013a3f62295ef5100a3dda02a3af4a457eccf5793af1

MimiKatz

+ 57 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

persistence

Link:

https://tria.ge/reports/211123-3xahsaega5/

Behaviour

Suspicious use of SetWindowsHookEx

Adds Run key to start application

Unpacked files

SH256 hash:

b2a3ea6f79a2d7c8d7a111f8d6151a666822afbc95089b15ea5ca3b04d588b60

MD5 hash:

ab07d9637b29946cb5e1dc9b3cd936fd

SHA1 hash:

a197ec1378968db64a8668575fff658681d1d336

Link:

https://www.unpac.me/results/a63b3c96-59f6-4e52-b014-4fd5d964cbb8/

SH256 hash:

af46e5160e837fafd904b62bd81795beefa95ec11d854cedee7565a991210d87

MD5 hash:

0b6cf208722a841c2e86061070db080e

SHA1 hash:

800da539a3963aca5949b4af8fd308b5a82ddd2f

Link:

https://www.unpac.me/results/a63b3c96-59f6-4e52-b014-4fd5d964cbb8/

Malware family:

Mimikatz

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/af46e5160e83/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/af46e5160e837fafd904b62bd81795beefa95ec11d854cedee7565a991210d87

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.