MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3b1e2b8a95508b33e4a5fdf7275082a2f2578ccbfd16eca42c30c34837e579d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MimiKatz


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c3b1e2b8a95508b33e4a5fdf7275082a2f2578ccbfd16eca42c30c34837e579d
SHA3-384 hash: 4e1a5ba5b7a171616690a1f5b039ee4920ca8d7ad0ab7e0852a3179ed8a427422a68afd59d7036c45035868e944fab15
SHA1 hash: bd93862e0c37770e7a3ae5d2f3dfc59f60a9ca8f
MD5 hash: 6edcab13aacb255a1130b4ae3fa72b27
humanhash: kansas-speaker-lactose-missouri
File name:c3b1e2b8a95508b33e4a5fdf7275082a2f2578ccbfd16eca42c30c34837e579d
Download: download sample
Signature MimiKatz
Create hunting rule
File size:1'394'877 bytes
First seen:2022-06-06 12:54:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fa67556ee15c33b9e8a148f0b47f6292 (2 x MimiKatz)
ssdeep 24576:v0LOyHutimZ9VSly2hVvHW6qMnSbTBBhBMNL:M2HPkVOBTKL
Threatray 97 similar samples on MalwareBazaar
TLSH T14C558B592BAB4266DB553779C8B6A69409190F531F28C0B51E301E1EBD2720FFC23EBD
TrID 36.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
23.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.0% (.EXE) Win32 Executable (generic) (4505/5/1)
4.5% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon e8d4929c2cac98a8 (3 x MimiKatz, 1 x Gh0stRAT)
Reporter JAMESWT_WT
Tags:exe kk123456.top related mimikatz

Intelligence

File Origin
# of uploads :
1
# of downloads :
344
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c3b1e2b8a95508b33e4a5fdf7275082a2f2578ccbfd16eca42c30c34837e579d
Verdict:
Suspicious activity
Analysis date:
2022-06-06 12:59:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/42b06400-0dfc-4cef-9dc9-a8541684046b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
PCRat / Gh0st
Create hunting rule
Link:
https://www.capesandbox.com/analysis/277037/
Detection(s):
Win.Keylogger.Gh0stRAT-9937448-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware keylogger overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/629df9495dc88d357164d4a4/reports/f739f404-fb6c-4798-89e4-0e4512077e49/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Lotok
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ce6f5d0b-7679-47d8-8158-652e36cec43d
Result
Threat name:
GhostRat, Mimikatz
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.bank
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1007366
Signature
Antivirus / Scanner detection for submitted sample
Checks if browser processes are running
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected GhostRat
Yara detected Mimikatz
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c3b1e2b8a95508b33e4a5fdf7275082a2f2578ccbfd16eca42c30c34837e579d/
Threat name:
Win32.Backdoor.Farfli
Create hunting rule
Status:
Malicious
First seen:
2022-05-31 19:12:00 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yoy6fofjkuelgpskl7pxe5iifixsk6gmx7iw5sscymgdja36k6oq._file
Verdict:
malicious
Similar samples:
0367ec4f514399dfae2b74ed8b9303f1f47e527d5bc7bd7cb900710937add0a4
MimiKatz
38f32d4407d8fd264c2f5585340fb472325e066d335bcb7de398c4e033c04c84
MimiKatz
4bb4435958fa48762b34905fc5ac50c78878eccb33252f72cb037d664cb60fc9
MimiKatz
8eb11e49eff426eba9d7fa1172c03744a35eb18a806660ec3f1eb3b107a26905
MimiKatz
a4053c9427fa00b62f65abf8ad7760e39df7f7ea0c72ed89375e2076f7cb79a3
MimiKatz
a578e71d04eae80004ab431497c95fb9779a95dc7f0c60996c24c1cb7139745d
MimiKatz
ba7dd90bf8bd6a1dc665c8860c09489ea5531d739e55be0321bd85478b03c95f
MimiKatz
c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f
MimiKatz
c96fb748304f35220cae69a622318ee3e425802dea7387549af4add7ba449b7e
MimiKatz
d19b02a35003c637360cc342d5fcdae87dc7336fc7925f07f5c0636eae22ba37
MimiKatz
+ 87 additional samples on MalwareBazaar
Result
Malware family:
purplefox
Create hunting rule
Score:
  10/10
Tags:
family:gh0strat family:purplefox rat rootkit trojan
Link:
https://tria.ge/reports/220606-p5sgnscfbr/
Behaviour
Suspicious use of AdjustPrivilegeToken
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat
PurpleFox
Unpacked files
SH256 hash:
e729e0d5037e20f78e1b9665ca29e6355c6f80ae1c6078135c8b5eac4549c4f7
MD5 hash:
78d82a5020250476fa22b2bf47ec2834
SHA1 hash:
4291ce7e33e5c75f10c19308dd79772da45f2b45
Link:
https://www.unpac.me/results/737903eb-f36e-4540-b6ed-6a16760a3d44/
Parent samples :
5058d869c59bfb3480d1dc6f8f51d191adb890039c89ff9fd668fe7b481099b8
364b087a1916c5f13675449a4470763adebd4977fc21ea2169d8d67b11e83ba7
089f7f88c1d64dcebf1042f481f17a7fb1fe6fc095cb5c9e10bbcb3f36a629ab
acb615b72532d8020f1fa9afa65c44bd67caa1ec83f39f4b029287e70c344d0b
37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad
3730e600a60fed05d20e23e9340e37e5f5f072e6d4801150326ff4e2a4fdb4c5
d3af6e62ef3ce968da90beb9be44b04948b996c3dda893ba425a1147eb7696ad
fe8954c55b06912419f62ae4c04e19ba8d16a8d5098c28dfcc3c6ef04a154f49
6d74ed0eda4cf7f7edb2f8982cc706e84a402008fc74f442d898da7d6be05143
0fca043ce6592269f8463ec4c803eabb3d09ff412401521090513e8310463fdb
179dab5fc5a32307466541f88cfc1992cb96664218711f6d525586976c9d44ad
f17af5296ff826f4199381574dccb3dcb8a5deeb811e40929f95c722ab70aeb7
9740fb71580a1e6809c694ebd1aa132e76d0dc985dbc0721ae6590f3bf5ed19b
fda844b16b91a38417af25d13bd0992c3344de12ebcd0283732a3e0a6e91811d
bef42fdae71eff14767b54c660a42d7ab6fedf56ce74f8faa304a0e1b526fe4a
a2b98d6820777aaacdb0646a2836b3ebc809b3fe9eef65d201e2ff343580721c
b9d338ff7f7d63d28c765007e9e150b3c30a9acac1e16bfd0317d375b4fc6166
76a236349c0820e4dfba81e3382e50833ee238452c0c271d6a0cf83b4fcca235
00c1314504b05c7fc7cc7280405f31165b9722c704520afef26aa88ff566b871
580e6c64ba71bf32dc63c34204dc48d17ff8de949c916f101e89472222b41a88
c0839998e41d029efd4bb304440cd029acf32ce8f541be6f813c5c4d935e9350
1f8cdb119164550161cddba78f7d30f36cd3304dc4c127c37b15d3030b743b4b
b511d6e13c1d4b90ebff10d21c6f6d689b9c07b8377a21f63d1c6895525ffbc8
d8ae95705379f6f0233c294d5d9d841ebccb6dae75736aadd0ff25d6d350b9ed
SH256 hash:
c3b1e2b8a95508b33e4a5fdf7275082a2f2578ccbfd16eca42c30c34837e579d
MD5 hash:
6edcab13aacb255a1130b4ae3fa72b27
SHA1 hash:
bd93862e0c37770e7a3ae5d2f3dfc59f60a9ca8f
Link:
https://www.unpac.me/results/737903eb-f36e-4540-b6ed-6a16760a3d44/
Malware family:
Mimikatz
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c3b1e2b8a955/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.21
Link:
https://yomi.yoroi.company/submissions/c3b1e2b8a95508b33e4a5fdf7275082a2f2578ccbfd16eca42c30c34837e579d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Hidden
Create hunting rule
Author:@bartblaze
Description:Identifies Hidden Windows driver, used by malware such as PurpleFox.
Reference:https://github.com/JKornev/hidden
Rule name:INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Create hunting rule
Author:ditekSHen
Description:Detects executables calling ClearMyTracksByProcess
Rule name:INDICATOR_TOOL_RTK_HiddenRootKit
Create hunting rule
Author:ditekSHen
Description:Detects the Hidden public rootkit
Rule name:MALWARE_Win_PCRat
Create hunting rule
Author:ditekSHen
Description:Detects PCRat / Gh0st
Rule name:Mimikatz_Strings
Create hunting rule
Author:Florian Roth
Description:Detects Mimikatz strings
Reference:not set
Rule name:Mimikatz_Strings_RID2DA0
Create hunting rule
Author:Florian Roth
Description:Detects Mimikatz strings
Reference:not set

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/277037/

Comments