mimikatz | a6169be394aa6df302975d5915dcb0896c8a69e56de5d1a4dd448042cdad14be

Sharing

Copy URL Twitter E-mail

General

Target

a6169be394aa6df302975d5915dcb0896c8a69e56de5d1a4dd448042cdad14be
Size

28KB
MD5

c71f04dc7dbc474fddeffbc2d4d6c6d4
SHA1

5a20de8f86970c18f6528f32086c0418e3947489
SHA256

a6169be394aa6df302975d5915dcb0896c8a69e56de5d1a4dd448042cdad14be
SHA512

991c6bd718c47b286f19f5c8f6991ab82d4e097e577789f50a33552200eca6e1582c9268a2d841760e8ce339b53ac99814dc6220dc2ecede5f07c4dd6efbcb71
SSDEEP

768:kUzbk27qDyLfbavfNqD+dlqWWVHkiMsx5D:kUzCDM+XcD+dlqJkiMMD

Score

10^/10

mimikatz

Malware Config

Signatures

Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
sample	mimikatz

Files

a6169be394aa6df302975d5915dcb0896c8a69e56de5d1a4dd448042cdad14be
.exe windows x86

98417e01a287b51816cf84c6650a0141

Code Sign

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

13/04/2019, 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

28/06/2011, 09:46

Not After

28/06/2014, 09:46

Subject

CN=Benjamin Delpy,C=FR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0b:7f:6b:00:00:00:00:00:19
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:00

Not After

23/05/2016, 17:10

Subject

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

11:21:22:31:90:c8:f2:13:3f:6f:93:c7:23:14:f0:92:e6:5c
Certificate

Issuer

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

23/08/2013, 00:00

Not After

23/09/2024, 00:00

Subject

CN=GlobalSign TSA for Standard - G1,O=GMO GlobalSign Pte Ltd,C=SG

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

28/01/2028, 12:00

Subject

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

81:8c:20:7c:95:8a:a6:5f:10:ab:21:20:12:a0:0c:97:5c:b0:1b:86:2c:db:88:5a:0d:e3:20:0f:cd:fa:21:5b
Signer

Actual PE Digest

81:8c:20:7c:95:8a:a6:5f:10:ab:21:20:12:a0:0c:97:5c:b0:1b:86:2c:db:88:5a:0d:e3:20:0f:cd:fa:21:5b

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Benjamin Delpy,C=FR

10/10/2014, 08:54
Valid: false

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntoskrnl.exe

KeBugCheck
IoCreateSymbolicLink
IoCreateDevice
PsInitialSystemProcess
ObfDereferenceObject
PsLookupProcessByProcessId
PsGetProcessImageFileName
PsGetProcessId
ZwClose
ZwSetInformationProcess
ZwDuplicateToken
ObOpenObjectByPointer
PsProcessType
PsDereferencePrimaryToken
PsReferencePrimaryToken
IofCompleteRequest
RtlCompareMemory
ZwOpenProcessTokenEx
ExFreePoolWithTag
ExAllocatePoolWithTag
IoFreeMdl
MmUnlockPages
MmProbeAndLockPages
IoAllocateMdl
memcpy
KeServiceDescriptorTable
MmGetSystemRoutineAddress
RtlInitUnicodeString
IoEnumerateRegisteredFiltersList
KeTickCount
NtBuildNumber
IoDeleteSymbolicLink
IoDeleteDevice
memset
IoGetCurrentProcess
_vsnwprintf
PsGetVersion
ExAllocatePoolWithQuotaTag
ZwQuerySystemInformation
RtlUnwind
KeBugCheckEx

fltmgr.sys

FltGetFilterInformation
FltEnumerateInstances
FltGetVolumeFromInstance
FltObjectDereference
FltEnumerateFilters

Sections

.text
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

PAGE
Size: 1024B - Virtual size: 614B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 896B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

98417e01a287b51816cf84c6650a0141

Code Sign

04:00:00:00:00:01:2f:4e:e1:35:5cCertificate

Extended Key Usages

Key Usages

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0Certificate

Extended Key Usages

Key Usages

61:0b:7f:6b:00:00:00:00:00:19Certificate

Key Usages

11:21:22:31:90:c8:f2:13:3f:6f:93:c7:23:14:f0:92:e6:5cCertificate

Extended Key Usages

Key Usages

04:00:00:00:00:01:2f:4e:e1:52:d7Certificate

Key Usages

81:8c:20:7c:95:8a:a6:5f:10:ab:21:20:12:a0:0c:97:5c:b0:1b:86:2c:db:88:5a:0d:e3:20:0f:cd:fa:21:5bSigner

Signature Validations

Verification

10/10/2014, 08:54 Valid: false

Headers

File Characteristics

Imports

ntoskrnl.exe

fltmgr.sys

Sections

.text Size: 9KB - Virtual size: 8KB

.rdata Size: 3KB - Virtual size: 3KB

.data Size: 2KB - Virtual size: 2KB

PAGE Size: 1024B - Virtual size: 614B

INIT Size: 1KB - Virtual size: 1KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 1024B - Virtual size: 896B

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0
Certificate

61:0b:7f:6b:00:00:00:00:00:19
Certificate

11:21:22:31:90:c8:f2:13:3f:6f:93:c7:23:14:f0:92:e6:5c
Certificate

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

81:8c:20:7c:95:8a:a6:5f:10:ab:21:20:12:a0:0c:97:5c:b0:1b:86:2c:db:88:5a:0d:e3:20:0f:cd:fa:21:5b
Signer

10/10/2014, 08:54
Valid: false

.text
Size: 9KB - Virtual size: 8KB

.rdata
Size: 3KB - Virtual size: 3KB

.data
Size: 2KB - Virtual size: 2KB

PAGE
Size: 1024B - Virtual size: 614B

INIT
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 1024B - Virtual size: 896B