MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da22c3632239f33fc51ca0b7617c606d60f3b1dd3a225b01febed0602553fe15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MimiKatz

Vendor detections: 11

Intelligence 11 IOCs YARA 23 File information Comments

SHA256 hash:	da22c3632239f33fc51ca0b7617c606d60f3b1dd3a225b01febed0602553fe15
SHA3-384 hash:	abcd1b000553a1c29a29d1057ccc8b75628680c2f8af9457a56f260dce56cc9ca0e29e988ad0b714235a568b2e327030
SHA1 hash:	679d36a2d0d5d06fda72c725f63595e5e553a5df
MD5 hash:	98f00819ec05955ae3109305e14d8f09
humanhash:	mobile-thirteen-rugby-july
File name:	MicrosoftEDGE.exe
Download:	download sample
Signature	MimiKatz Create hunting rule
File size:	1'792'816 bytes
First seen:	2023-05-14 18:40:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	edb52e2d82bcafe2fba2f7d58f725f44 (1 x MimiKatz)
ssdeep	49152:nT4iX9y6yDqEoTBxwmAD3Ptlj/h1wKHHJ91mD23av6+uAt8Wr2WvlIB8/i6u2poq:n/X9jhEIqmADVd/UKH1mD2qiuAx23ixc
Threatray	3 similar samples on MalwareBazaar
TLSH	T16A85BF0E56440D3BD7AC5B3E846E4241630BB454E302A53FA3DE59ABEE477A29FD4B0C
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	JaffaCakes118
Tags:	mimikatz

Intelligence

File Origin

# of uploads :

# of downloads :

157

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/389812/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.66343987.23948.5412.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Verdict:

Malicious

Threat level:

10/10

Confidence:

90%

Tags:

greyware mimikatz overlay packed

Link:

https://www.filescan.io/uploads/64612b5c91c3774f72e3b984/reports/8daab726-b12b-4ff6-bac2-729f5f4bd0b4/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/da22c3632239f33fc51ca0b7617c606d60f3b1dd3a225b01febed0602553fe15

Result

Verdict:

MALICIOUS

Malware family:

Mimikatz

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cd8f44d1-b74b-4720-9289-b88f8e0c6e67

Result

Threat name:

Mimikatz

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1232956

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected Hacktool Mimikatz

Detected unpacking (creates a PE file in dynamic memory)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected Mimikatz

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/da22c3632239f33fc51ca0b7617c606d60f3b1dd3a225b01febed0602553fe15/

Threat name:

Win64.Trojan.Pwsx

Status:

Malicious

First seen:

2023-04-06 11:54:39 UTC

AV detection:

12 of 22 (54.55%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3irmgyzchhzt7ri4uc3wc7danvqphmo5hirfwap6x3igajkt7ykq._file

Verdict:

malicious

MimiKatz

ebce499de915d8837bdbd47be0ac19cd6382d52904951fac75484947dfd88aab

MimiKatz

Result

Malware family:

mimikatz

Score:

10/10

Tags:

family:mimikatz

Link:

https://tria.ge/reports/230514-xbnkmafd3v/

Behaviour

mimikatz is an open source tool to dump credentials on Windows

Mimikatz

Unpacked files

SH256 hash:

da22c3632239f33fc51ca0b7617c606d60f3b1dd3a225b01febed0602553fe15

MD5 hash:

98f00819ec05955ae3109305e14d8f09

SHA1 hash:

679d36a2d0d5d06fda72c725f63595e5e553a5df

Link:

https://www.unpac.me/results/0a9e411b-b39d-49e5-b467-71955d2be302/

Malware family:

Mimikatz

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/da22c3632239/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.07

Link:

https://yomi.yoroi.company/submissions/da22c3632239f33fc51ca0b7617c606d60f3b1dd3a225b01febed0602553fe15

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	HKTL_mimikatz_icon Create hunting rule
Author:	Arnim Rupp
Description:	Detects mimikatz icon in PE file
Reference:	https://blog.gentilkiwi.com/mimikatz

Rule name:	HKTL_Mimikatz_SkeletonKey_in_memory_Aug20_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Mimikatz SkeletonKey in Memory
Reference:	https://twitter.com/sbousseaden/status/1292143504131600384?s=12

Rule name:	HKTL_Mimikatz_SkeletonKey_in_memory_Aug20_1_RID3752 Create hunting rule
Author:	Florian Roth
Description:	Detects Mimikatz SkeletonKey in Memory
Reference:	https://twitter.com/sbousseaden/status/1292143504131600384?s=12

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_TOOL_EXP_PetitPotam01 Create hunting rule
Author:	ditekSHen
Description:	Detect tool potentially exploiting/attempting PetitPotam

Rule name:	INDICATOR_TOOL_PWS_Mimikatz Create hunting rule
Author:	ditekSHen
Description:	Detects Mimikatz

Rule name:	mimikatz Create hunting rule
Author:	Benjamin DELPY (gentilkiwi)
Description:	mimikatz

Rule name:	Mimikatz_Generic Create hunting rule
Author:	Still
Description:	attempts to match all variants of Mimikatz

Rule name:	Mimikatz_Gen_Strings Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Mimikatz by using some special strings
Reference:	Internal Research

Rule name:	Mimikatz_Gen_Strings_RID2F19 Create hunting rule
Author:	Florian Roth
Description:	Detects Mimikatz by using some special strings
Reference:	Internal Research

Rule name:	mimikatz_kiwikey Create hunting rule
Author:	SBousseaden
Description:	hunt for default mimikatz kiwikey

Rule name:	mimikatz_memssp_hookfn Create hunting rule
Author:	SBousseaden
Description:	hunt for default mimikatz memssp module both ondisk and in memory artifacts

Rule name:	Mimikatz_Strings Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Mimikatz strings
Reference:	not set

Rule name:	Mimikatz_Strings_RID2DA0 Create hunting rule
Author:	Florian Roth
Description:	Detects Mimikatz strings
Reference:	not set

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Powerkatz_DLL_Generic Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible)
Reference:	PowerKatz Analysis

Rule name:	Powerkatz_DLL_Generic_RID2F2F Create hunting rule
Author:	Florian Roth
Description:	Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible)
Reference:	PowerKatz Analysis

Rule name:	Windows_Hacktool_Mimikatz_1388212a Create hunting rule

Rule name:	Windows_Hacktool_Mimikatz_674fd079 Create hunting rule
Description:	Detection for default mimikatz memssp module

Rule name:	win_mimikatz_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.mimikatz.

Rule name:	win_mimikatz_w0 Create hunting rule
Author:	Benjamin DELPY (gentilkiwi)
Description:	mimikatz

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/389812/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample