MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c39ba723990f9e09ecd5f43562fe5626060450dd290b85670412f5be85c727a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MimiKatz


Vendor detections: 11


Intelligence 11 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c39ba723990f9e09ecd5f43562fe5626060450dd290b85670412f5be85c727a9
SHA3-384 hash: 2db2d7cd9e1f2f6e78e2b21f25bf9c935030646d916f699b8a15ca9f972b5a10ff6a19d86fd218b3285da49452f7da23
SHA1 hash: 097c88cd4aa5b8d1178541d407b81ab2a7ef4f4c
MD5 hash: 0f86601b5908f782f7fa8af68a88eb8e
humanhash: texas-berlin-freddie-monkey
File name:c39ba723990f9e09ecd5f43562fe5626060450dd290b85670412f5be85c727a9
Download: download sample
Signature MimiKatz
Create hunting rule
File size:1'716'224 bytes
First seen:2022-01-07 08:41:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4a99d91e1b68c500bb1244eb377c47a1 (4 x MimiKatz, 1 x Gh0stRAT)
ssdeep 49152:OYEH4JNtyzao7HslQj33ZJF/SUyEA1thsU:ZJNtyGo7Hs2b3Z3yEA1tP
Threatray 7 similar samples on MalwareBazaar
TLSH T1008533350A4BB4CDD605EAFC0F1EA36E918F6DF6AFE6C20C26F1771841324C9C5A9961
File icon (PE):PE icon
dhash icon c0c0e2ccfc6ad29c (2 x MimiKatz)
Reporter JAMESWT_WT
Tags:exe mimikatz

Intelligence

File Origin
# of uploads :
1
# of downloads :
293
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c39ba723990f9e09ecd5f43562fe5626060450dd290b85670412f5be85c727a9
Verdict:
Suspicious activity
Analysis date:
2022-01-07 08:50:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/45fd5fa6-09ab-4cab-8a81-528b0396a96a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
PCRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217684/
Detection(s):
PUA.Win.Packer.EnigmaProtector-19
Create hunting rule

PUA.Win.Packer.EnigmaProtector-1
Create hunting rule

PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Creating a process from a recently created file
Searching for synchronization primitives
DNS request
Running batch commands
Creating a process with a hidden window
Searching for the window
Sending a custom TCP request
Launching a process
Creating a file
Enabling autorun for a service
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61d7fce202e388f9fdb26b76/reports/82c15939-f154-4860-a692-6c047e0d9838/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4b6909ae-15a6-49d4-bc9c-41f59c1e5e80
Result
Threat name:
Mimikatz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/916729
Signature
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Mimikatz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 549203 Sample: z01bTk1W90 Startdate: 07/01/2022 Architecture: WINDOWS Score: 100 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected Mimikatz 2->42 44 2 other signatures 2->44 7 AWrjar.exe 2->7         started        10 z01bTk1W90.exe 1 2 2->10         started        13 svchost.exe 1 1 2->13         started        15 4 other processes 2->15 process3 file4 52 Multi AV Scanner detection for dropped file 7->52 54 Detected unpacking (changes PE section rights) 7->54 56 Tries to detect sandboxes and other dynamic analysis tools (window names) 7->56 62 2 other signatures 7->62 17 AWrjar.exe 1 7->17         started        28 C:\Windows\SysWOW64\AWrjar.exe, PE32 10->28 dropped 30 C:\Windows\...\AWrjar.exe:Zone.Identifier, ASCII 10->30 dropped 58 Tries to evade analysis by execution special instruction which cause usermode exception 10->58 60 Hides threads from debuggers 10->60 21 cmd.exe 1 10->21         started        signatures5 process6 dnsIp7 32 182.255.60.145, 49740, 9893 LEMON-AS-APLEMONTELECOMMUNICATIONSLIMITEDHK China 17->32 34 192.168.2.1 unknown unknown 17->34 46 Hides threads from debuggers 17->46 48 Uses ping.exe to sleep 21->48 50 Uses ping.exe to check the status of other devices and networks 21->50 23 PING.EXE 1 21->23         started        26 conhost.exe 21->26         started        signatures8 process9 dnsIp10 36 127.0.0.1 unknown unknown 23->36
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c39ba723990f9e09ecd5f43562fe5626060450dd290b85670412f5be85c727a9/
Threat name:
Win32.Packed.EnigmaProtector
Create hunting rule
Status:
Malicious
First seen:
2021-12-04 15:24:01 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
25 of 28 (89.29%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yon2oi4zb6pat3gv6q2wf7sweydaiug5fefykzyecl235bohe6uq._file
Verdict:
malicious
Similar samples:
03cf1ab083083cb0b7bc90d18f9f8e3f78504f288daece26bfc0ec96aadd2947
MimiKatz
1bd4eeb7f7ae8a4ca1fb2fcf673cbb810ca123d6672a1d6d10ed317688ffcfac
MimiKatz
3ce7a091f24c19dd1a0875c60f9e97ee017435614198c62ca97220658723b785
MimiKatz
8872e76ffc38017c1b3ef4b07756edb26c82cf45cceb8ed4d8c153c358fb5674
MimiKatz
c6af3ecd4095b7625da3136f209818c4d96689289eddfc3dcff444db9d4ca9c1
MimiKatz
cbc999b807e96106a2aa4d457dd51afac52cee174e5f7ed04a5f3a0b74150f5e
MimiKatz
f769926334ff93842429c7eda5c7ba1dedf3fb39a4b7b47decd0cbe7b9454170
MimiKatz
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220107-kl2tsacae9/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates connected drives
Deletes itself
Executes dropped EXE
Unpacked files
SH256 hash:
c39ba723990f9e09ecd5f43562fe5626060450dd290b85670412f5be85c727a9
MD5 hash:
0f86601b5908f782f7fa8af68a88eb8e
SHA1 hash:
097c88cd4aa5b8d1178541d407b81ab2a7ef4f4c
Link:
https://www.unpac.me/results/94f869e8-3f8c-40a4-9fde-ad9cfdb77250/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c39ba723990f9e09ecd5f43562fe5626060450dd290b85670412f5be85c727a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:Hidden
Create hunting rule
Author:@bartblaze
Description:Identifies Hidden Windows driver, used by malware such as PurpleFox.
Reference:https://github.com/JKornev/hidden
Rule name:INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Create hunting rule
Author:ditekSHen
Description:Detects executables calling ClearMyTracksByProcess
Rule name:INDICATOR_TOOL_RTK_HiddenRootKit
Create hunting rule
Author:ditekSHen
Description:Detects the Hidden public rootkit
Rule name:MALWARE_Win_FatalRAT
Create hunting rule
Author:ditekSHen
Description:Detects FatalRAT
Rule name:MALWARE_Win_PCRat
Create hunting rule
Author:ditekSHen
Description:Detects PCRat / Gh0st
Rule name:MALWARE_Win_Zegost
Create hunting rule
Author:ditekSHen
Description:Detects Zegost
Rule name:Mimikatz_Strings
Create hunting rule
Author:Florian Roth
Description:Detects Mimikatz strings
Reference:not set
Rule name:Mimikatz_Strings_RID2DA0
Create hunting rule
Author:Florian Roth
Description:Detects Mimikatz strings
Reference:not set
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_smominru_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.smominru.
Rule name:XOREngine_Misc_XOR_Func
Create hunting rule
Author:smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/217684/

Comments