MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f769926334ff93842429c7eda5c7ba1dedf3fb39a4b7b47decd0cbe7b9454170. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MimiKatz


Vendor detections: 10


Intelligence 10 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f769926334ff93842429c7eda5c7ba1dedf3fb39a4b7b47decd0cbe7b9454170
SHA3-384 hash: 5019f019c2a185db48321a01ce80ae83340f6e5471d096313ac3c950748ace57569c5e09cb49cd9b1bdca3dd61ce3076
SHA1 hash: 8c21b38f786b0e7f0c53f9985e207629650f556c
MD5 hash: bcfdebfd8267c37048ab2ff65a2c97fc
humanhash: princess-twelve-apart-texas
File name:Desktop_irtkes.bin
Download: download sample
Signature MimiKatz
Create hunting rule
File size:1'720'832 bytes
First seen:2022-01-07 08:31:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4a99d91e1b68c500bb1244eb377c47a1 (4 x MimiKatz, 1 x Gh0stRAT)
ssdeep 24576:zE8vt/ROAYDTv3Vpy4KoZRHgrYKR6BNkeQMHvr0AjRFLTQ7tl/6kC7:g8uAW9s4v1grlPeYANFPIzSky
Threatray 82 similar samples on MalwareBazaar
TLSH T17C85334564106443F386DFB14655FC98D386AEBDC4F8D20CE27ABB39D47484BA0A7A8F
File icon (PE):PE icon
dhash icon 818da080a0a0a0a2 (137 x Heodo, 46 x Urelas, 12 x Rhadamanthys)
Reporter JAMESWT_WT
Tags:exe mimikatz

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
EasyPay.exe
Verdict:
Malicious activity
Analysis date:
2022-01-07 08:24:34 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/707df8cd-5d72-4bba-ac98-9b67d7ace961

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
PCRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217678/
Detection(s):
PUA.Win.Packer.EnigmaProtector-19
Create hunting rule

PUA.Win.Packer.EnigmaProtector-1
Create hunting rule

Win.Malware.Predator-9794784-0
Create hunting rule

PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Creating a process from a recently created file
Searching for synchronization primitives
Running batch commands
Creating a process with a hidden window
Searching for the window
Sending a custom TCP request
DNS request
Launching a process
Creating a file
Enabling autorun for a service
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed predator
Link:
https://www.filescan.io/uploads/61d7fa871c0d769df9d515be/reports/7d32759a-a173-488d-aa58-a2b8062dd3df/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c78d169a-f9ee-47f9-bd68-d770910ace3b
Result
Threat name:
Mimikatz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/916719
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Mimikatz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 549193 Sample: Desktop_irtkes.bin Startdate: 07/01/2022 Architecture: WINDOWS Score: 100 48 Malicious sample detected (through community Yara rule) 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 Yara detected Mimikatz 2->52 54 PE file has nameless sections 2->54 7 Desktop_irtkes.exe 1 2 2->7         started        11 DGtldt.exe 2->11         started        13 svchost.exe 2->13         started        15 10 other processes 2->15 process3 file4 32 C:\Windows\SysWOW64\DGtldt.exe, PE32 7->32 dropped 34 C:\Windows\...\DGtldt.exe:Zone.Identifier, ASCII 7->34 dropped 56 Detected unpacking (changes PE section rights) 7->56 58 Tries to evade analysis by execution special instruction which cause usermode exception 7->58 60 Hides threads from debuggers 7->60 17 cmd.exe 1 7->17         started        62 Multi AV Scanner detection for dropped file 11->62 64 Tries to detect sandboxes and other dynamic analysis tools (window names) 11->64 66 Drops executables to the windows directory (C:\Windows) and starts them 11->66 20 DGtldt.exe 1 11->20         started        68 Changes security center settings (notifications, updates, antivirus, firewall) 13->68 23 MpCmdRun.exe 1 13->23         started        signatures5 process6 dnsIp7 42 Uses ping.exe to sleep 17->42 44 Uses ping.exe to check the status of other devices and networks 17->44 25 PING.EXE 1 17->25         started        28 conhost.exe 17->28         started        36 193.203.214.98, 49747, 8080 ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK Hong Kong 20->36 38 192.168.2.1 unknown unknown 20->38 46 Hides threads from debuggers 20->46 30 conhost.exe 23->30         started        signatures8 process9 dnsIp10 40 127.0.0.1 unknown unknown 25->40
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f769926334ff93842429c7eda5c7ba1dedf3fb39a4b7b47decd0cbe7b9454170/
Threat name:
Win32.Backdoor.Farfli
Create hunting rule
Status:
Malicious
First seen:
2022-01-07 08:32:15 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=65uzeyzu76jyijbjy7w2lr52dxw7h6zzus33i7pm2df6pokfifya._file
Verdict:
malicious
Similar samples:
0e7788bda2da25fa8b20310c6cb0618c0a1b989f72006f96526704a6b8c90866
MimiKatz
389ddb82e254c476a6e3e2534182314d4702ce525371c2bcd5da6ef19d4851fb
MimiKatz
3ce7a091f24c19dd1a0875c60f9e97ee017435614198c62ca97220658723b785
MimiKatz
62b14085994023f524c75bb0078c9bb78c5b0e5d82364b87ca7530c041f0ec5d
MimiKatz
8872e76ffc38017c1b3ef4b07756edb26c82cf45cceb8ed4d8c153c358fb5674
MimiKatz
af46e5160e837fafd904b62bd81795beefa95ec11d854cedee7565a991210d87
MimiKatz
ea45f9b3dd2e613bb9cb0659dcf6d66ca092738fc510e37226bb99542ad685c8
MimiKatz
+ 72 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220107-kfa4wacad6/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates connected drives
Deletes itself
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
f769926334ff93842429c7eda5c7ba1dedf3fb39a4b7b47decd0cbe7b9454170
MD5 hash:
bcfdebfd8267c37048ab2ff65a2c97fc
SHA1 hash:
8c21b38f786b0e7f0c53f9985e207629650f556c
Link:
https://www.unpac.me/results/0f02400f-f518-4921-a64e-a3ae2d774c33/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f769926334ff93842429c7eda5c7ba1dedf3fb39a4b7b47decd0cbe7b9454170

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:Hidden
Create hunting rule
Author:@bartblaze
Description:Identifies Hidden Windows driver, used by malware such as PurpleFox.
Reference:https://github.com/JKornev/hidden
Rule name:INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Create hunting rule
Author:ditekSHen
Description:Detects executables calling ClearMyTracksByProcess
Rule name:INDICATOR_TOOL_RTK_HiddenRootKit
Create hunting rule
Author:ditekSHen
Description:Detects the Hidden public rootkit
Rule name:MALWARE_Win_FatalRAT
Create hunting rule
Author:ditekSHen
Description:Detects FatalRAT
Rule name:MALWARE_Win_PCRat
Create hunting rule
Author:ditekSHen
Description:Detects PCRat / Gh0st
Rule name:MALWARE_Win_Zegost
Create hunting rule
Author:ditekSHen
Description:Detects Zegost
Rule name:Mimikatz_Strings
Create hunting rule
Author:Florian Roth
Description:Detects Mimikatz strings
Reference:not set
Rule name:Mimikatz_Strings_RID2DA0
Create hunting rule
Author:Florian Roth
Description:Detects Mimikatz strings
Reference:not set
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_smominru_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.smominru.
Rule name:XOREngine_Misc_XOR_Func
Create hunting rule
Author:smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/217678/

Comments