mimikatz | 720294b97d64886d1ef5c6c174c804165b67cdf0a3e68f2541198977f12603a1

Sharing

Copy URL Twitter E-mail

General

Target

720294b97d64886d1ef5c6c174c804165b67cdf0a3e68f2541198977f12603a1
Size

234KB
MD5

a742e974e1cd1fa77bfe3d580b9f7e17
SHA1

073beb1a8a22bfcdb4e46a37e57568f11e3b6d7f
SHA256

720294b97d64886d1ef5c6c174c804165b67cdf0a3e68f2541198977f12603a1
SHA512

5ff8eb372f940ceb7ed35958cb08cdf37c295dee8c6bee894439bfe7fb85c95134df2b5a704319b20445b56ef5f6c86b91adbfd0c23cc87b8bfc6dbe4fd52e36
SSDEEP

3072:FrcpKG8JVmxtsTzL+CR8GXIvT/FwOizamA1WYu47ZRiW+KF7G4VsDpG+0xuYzjpJ:rmqzh8G4yu99uAbpl1VsDAZzjphy1sl

Score

10^/10

mimikatz

Malware Config

Signatures

Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 4 IoCs

resource	yara_rule
static1/unpack001/Win32/mimidrv.sys	mimikatz
static1/unpack001/Win32/mimilib.dll	mimikatz
static1/unpack001/x64/mimidrv.sys	mimikatz
static1/unpack001/x64/mimilib.dll	mimikatz

Files

720294b97d64886d1ef5c6c174c804165b67cdf0a3e68f2541198977f12603a1
.zip
README.md
Win32/mimidrv.sys
.exe windows x86

98417e01a287b51816cf84c6650a0141

Code Sign

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

13/04/2019, 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

28/06/2011, 09:46

Not After

28/06/2014, 09:46

Subject

CN=Benjamin Delpy,C=FR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0b:7f:6b:00:00:00:00:00:19
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:00

Not After

23/05/2016, 17:10

Subject

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

11:21:22:31:90:c8:f2:13:3f:6f:93:c7:23:14:f0:92:e6:5c
Certificate

Issuer

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

23/08/2013, 00:00

Not After

23/09/2024, 00:00

Subject

CN=GlobalSign TSA for Standard - G1,O=GMO GlobalSign Pte Ltd,C=SG

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

28/01/2028, 12:00

Subject

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

81:8c:20:7c:95:8a:a6:5f:10:ab:21:20:12:a0:0c:97:5c:b0:1b:86:2c:db:88:5a:0d:e3:20:0f:cd:fa:21:5b
Signer

Actual PE Digest

81:8c:20:7c:95:8a:a6:5f:10:ab:21:20:12:a0:0c:97:5c:b0:1b:86:2c:db:88:5a:0d:e3:20:0f:cd:fa:21:5b

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Benjamin Delpy,C=FR

10/10/2014, 08:54
Valid: false

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntoskrnl.exe

KeBugCheck
IoCreateSymbolicLink
IoCreateDevice
PsInitialSystemProcess
ObfDereferenceObject
PsLookupProcessByProcessId
PsGetProcessImageFileName
PsGetProcessId
ZwClose
ZwSetInformationProcess
ZwDuplicateToken
ObOpenObjectByPointer
PsProcessType
PsDereferencePrimaryToken
PsReferencePrimaryToken
IofCompleteRequest
RtlCompareMemory
ZwOpenProcessTokenEx
ExFreePoolWithTag
ExAllocatePoolWithTag
IoFreeMdl
MmUnlockPages
MmProbeAndLockPages
IoAllocateMdl
memcpy
KeServiceDescriptorTable
MmGetSystemRoutineAddress
RtlInitUnicodeString
IoEnumerateRegisteredFiltersList
KeTickCount
NtBuildNumber
IoDeleteSymbolicLink
IoDeleteDevice
memset
IoGetCurrentProcess
_vsnwprintf
PsGetVersion
ExAllocatePoolWithQuotaTag
ZwQuerySystemInformation
RtlUnwind
KeBugCheckEx

fltmgr.sys

FltGetFilterInformation
FltEnumerateInstances
FltGetVolumeFromInstance
FltObjectDereference
FltEnumerateFilters

Sections

.text
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

PAGE
Size: 1024B - Virtual size: 614B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 896B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Win32/mimikatz.exe
.exe windows x86

9350e190375290368653be75573eb978

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

advapi32

LsaQueryInformationPolicy
LsaOpenPolicy
LsaClose
CreateWellKnownSid
CreateProcessWithLogonW
CreateProcessAsUserW
RegQueryValueExW
RegQueryInfoKeyW
RegEnumValueW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
CloseServiceHandle
DeleteService
OpenSCManagerW
OpenServiceW
StartServiceW
QueryServiceStatusEx
ControlService
IsTextUnicode
ConvertSidToStringSidW
OpenProcessToken
GetTokenInformation
LookupAccountSidW
ConvertStringSidToSidW
CryptExportKey
CryptAcquireContextW
CryptGetKeyParam
CryptReleaseContext
CryptEnumProvidersW
CryptGetProvParam
CryptDestroyKey
CryptGetUserKey
OpenEventLogW
GetNumberOfEventLogRecords
ClearEventLogW
CreateServiceW
SetServiceObjectSecurity
BuildSecurityDescriptorW
QueryServiceObjectSecurity
AllocateAndInitializeSid
FreeSid
CryptGetHashParam
CryptSetKeyParam
SystemFunction032
SystemFunction005
CryptImportKey
SystemFunction025
CryptCreateHash
CryptDecrypt
CryptDestroyHash
LsaFreeMemory
CryptHashData
OpenThreadToken
SetThreadToken
DuplicateTokenEx
CheckTokenMembership
CredFree
CredEnumerateW
MD4Final
MD4Init
MD4Update

crypt32

CryptBinaryToStringW
CryptAcquireCertificatePrivateKey
CertGetNameStringW
CertOpenStore
CertFreeCertificateContext
CertAddCertificateContextToStore
CertCloseStore
CertGetCertificateContextProperty
CertEnumCertificatesInStore
CertEnumSystemStore
PFXExportCertStoreEx

cryptdll

CDGenerateRandomBits
CDLocateCheckSum
MD5Final
MD5Update
MD5Init
CDLocateCSystem

shlwapi

PathIsRelativeW
PathCanonicalizeW
PathCombineW

samlib

SamCloseHandle
SamFreeMemory
SamEnumerateUsersInDomain
SamOpenUser
SamLookupNamesInDomain
SamLookupIdsInDomain
SamOpenDomain
SamGetAliasMembership
SamLookupDomainInSamServer
SamRidToSid
SamQueryInformationUser
SamConnect
SamEnumerateDomainsInSamServer
SamGetGroupsForUser

secur32

LsaConnectUntrusted
LsaCallAuthenticationPackage
LsaLookupAuthenticationPackage
LsaFreeReturnBuffer
LsaDeregisterLogonProcess

shell32

CommandLineToArgvW

user32

IsCharAlphaNumericW

ntdll

wcstol
wcstoul
wcsstr
_wcsnicmp
_stricmp
_wcsicmp
wcschr
wcsrchr
RtlUnicodeStringToAnsiString
RtlFreeAnsiString
RtlInitUnicodeString
RtlEqualUnicodeString
NtQueryObject
NtQuerySystemInformation
RtlGetCurrentPeb
NtQueryInformationProcess
RtlCreateUserThread
RtlStringFromGUID
RtlFreeUnicodeString
RtlGetNtVersionNumbers
RtlUpcaseUnicodeString
RtlAppendUnicodeStringToString
NtResumeProcess
RtlAdjustPrivilege
NtSuspendProcess
NtTerminateProcess
RtlEqualString
_chkstk
_aullrem

kernel32

GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
GetModuleHandleA
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
InterlockedCompareExchange
InterlockedExchange
RtlUnwind
OutputDebugStringA
GetCurrentProcessId
GetCurrentThread
SetCurrentDirectoryW
IsWow64Process
GetConsoleScreenBufferInfo
FillConsoleOutputCharacterW
GetStdHandle
SetConsoleCursorPosition
Sleep
GetProcAddress
LoadLibraryW
FreeLibrary
FindNextFileW
FindClose
GetFileAttributesW
GetSystemTimeAsFileTime
FindFirstFileW
SetConsoleTitleW
SetConsoleOutputCP
SetConsoleCtrlHandler
FileTimeToLocalFileTime
GetTimeFormatW
GetDateFormatW
CreateRemoteThread
WaitForSingleObject
SetLastError
CreateProcessW
CreateFileMappingW
UnmapViewOfFile
MapViewOfFile
WriteProcessMemory
VirtualProtect
VirtualAllocEx
VirtualProtectEx
VirtualAlloc
ReadProcessMemory
VirtualFreeEx
VirtualQueryEx
VirtualFree
VirtualQuery
SetFilePointer
DeviceIoControl
DuplicateHandle
GetLastError
OpenProcess
GetCurrentProcess
FileTimeToSystemTime
LocalAlloc
LocalFree
WriteFile
ReadFile
CreateFileW
FlushFileBuffers
GetFileSizeEx
GetCurrentDirectoryW
CloseHandle

msvcrt

_isatty
_lseeki64
_read
__pioinfo
__badioinfo
realloc
_write
ungetc
_controlfp
?terminate@@YAXXZ
wcstombs
iswctype
ferror
malloc
wctomb
_itoa
_snprintf
_lock
_unlock
_errno
localeconv
fflush
_wfopen
_iob
vwprintf
fclose
free
_wcsdup
_fileno
_setmode
memset
memcpy
__wgetmainargs
_cexit
_exit
_XcptFilter
exit
_initterm
_amsg_exit
__setusermatherr
__p__commode
__p__fmode
__set_app_type
calloc
isdigit
mbtowc
__mb_cur_max
isleadbyte
isxdigit
vfwprintf

Sections

.text
Size: 88KB - Virtual size: 88KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 68KB - Virtual size: 68KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Win32/mimilib.dll
.dll windows x86

5fb9170191537a3476f88c308b72602c

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

advapi32

CreateRestrictedToken
CreateProcessAsUserW
ConvertSidToStringSidA
IsTextUnicode
OpenProcessToken

ntdll

RtlFreeUnicodeString
RtlStringFromGUID
RtlEqualString

kernel32

GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
GetCurrentProcess
CloseHandle
LoadLibraryW
GetProcAddress
LocalAlloc
LocalFree
GetTimeFormatA
GetDateFormatA
FileTimeToSystemTime
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
InterlockedCompareExchange
Sleep
InterlockedExchange
RtlUnwind
GetSystemTimeAsFileTime

msvcrt

_wfopen
fclose
vfwprintf
fflush
memset
_XcptFilter
malloc
_initterm
_amsg_exit
free

Exports

Exports

ExtensionApiVersion
InitializeChangeNotify
PasswordChangeNotify
SpLsaModeInitialize
WinDbgExtensionDllInit
mimikatz
startW

Sections

.text
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
x64/mimidrv.sys
.exe windows x64

21ec10a4f7c47d2799b4bd4ed6dfe115

Code Sign

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

13/04/2019, 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

28/06/2011, 09:46

Not After

28/06/2014, 09:46

Subject

CN=Benjamin Delpy,C=FR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0b:7f:6b:00:00:00:00:00:19
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:00

Not After

23/05/2016, 17:10

Subject

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

11:21:22:31:90:c8:f2:13:3f:6f:93:c7:23:14:f0:92:e6:5c
Certificate

Issuer

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

23/08/2013, 00:00

Not After

23/09/2024, 00:00

Subject

CN=GlobalSign TSA for Standard - G1,O=GMO GlobalSign Pte Ltd,C=SG

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

28/01/2028, 12:00

Subject

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

b9:45:76:02:a3:86:6d:4e:1f:31:6e:2a:60:23:2e:3d:27:7a:02:83:8f:b0:5b:b3:ea:d1:d6:6c:e3:05:95:a4
Signer

Actual PE Digest

b9:45:76:02:a3:86:6d:4e:1f:31:6e:2a:60:23:2e:3d:27:7a:02:83:8f:b0:5b:b3:ea:d1:d6:6c:e3:05:95:a4

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Benjamin Delpy,C=FR

10/10/2014, 08:54
Valid: false

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

IoCreateSymbolicLink
IoCreateDevice
PsProcessType
PsGetProcessImageFileName
PsLookupProcessByProcessId
PsReferencePrimaryToken
ZwOpenProcessTokenEx
IoGetCurrentProcess
ZwSetInformationProcess
ZwClose
ZwDuplicateToken
PsInitialSystemProcess
RtlCompareMemory
ObfDereferenceObject
IofCompleteRequest
PsGetProcessId
PsDereferencePrimaryToken
ExAllocatePoolWithTag
ExFreePoolWithTag
IoFreeMdl
MmProbeAndLockPages
MmUnlockPages
IoAllocateMdl
ZwUnloadKey
RtlInitUnicodeString
MmGetSystemRoutineAddress
IoEnumerateRegisteredFiltersList
KeBugCheckEx
KeBugCheck
_vsnwprintf
IoDeleteDevice
NtBuildNumber
ObOpenObjectByPointer
IoDeleteSymbolicLink
PsGetVersion
ExAllocatePoolWithQuotaTag
ZwQuerySystemInformation
RtlUnwindEx

fltmgr.sys

FltGetFilterInformation
FltEnumerateInstances
FltEnumerateFilters
FltObjectDereference
FltGetVolumeFromInstance

Sections

.text
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 444B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 1024B - Virtual size: 651B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 338B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
x64/mimikatz.exe
.exe windows x64

1e91a75eca0fa7efced1ee3fcead4e3d

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

LsaQueryInformationPolicy
LsaOpenPolicy
LsaClose
CreateWellKnownSid
CreateProcessWithLogonW
CreateProcessAsUserW
RegQueryValueExW
RegQueryInfoKeyW
RegEnumValueW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
CloseServiceHandle
DeleteService
OpenSCManagerW
OpenServiceW
StartServiceW
QueryServiceStatusEx
ControlService
IsTextUnicode
ConvertSidToStringSidW
OpenProcessToken
GetTokenInformation
LookupAccountSidW
ConvertStringSidToSidW
CryptExportKey
CryptAcquireContextW
CryptGetKeyParam
CryptReleaseContext
CryptEnumProvidersW
CryptGetProvParam
CryptDestroyKey
CryptGetUserKey
OpenEventLogW
GetNumberOfEventLogRecords
ClearEventLogW
CreateServiceW
SetServiceObjectSecurity
BuildSecurityDescriptorW
QueryServiceObjectSecurity
AllocateAndInitializeSid
FreeSid
CryptGetHashParam
CryptSetKeyParam
SystemFunction032
SystemFunction005
CryptImportKey
SystemFunction025
CryptCreateHash
CryptDecrypt
CryptDestroyHash
LsaFreeMemory
CryptHashData
OpenThreadToken
SetThreadToken
DuplicateTokenEx
CheckTokenMembership
CredFree
CredEnumerateW
MD4Final
MD4Init
MD4Update

crypt32

CryptBinaryToStringW
CryptAcquireCertificatePrivateKey
CertGetNameStringW
CertOpenStore
CertFreeCertificateContext
CertAddCertificateContextToStore
CertCloseStore
CertGetCertificateContextProperty
CertEnumCertificatesInStore
CertEnumSystemStore
PFXExportCertStoreEx

cryptdll

CDGenerateRandomBits
CDLocateCSystem
CDLocateCheckSum
MD5Final
MD5Update
MD5Init

ntdsapi

DsBindW
DsAddSidHistoryW
DsUnBindW

shlwapi

PathCanonicalizeW
PathCombineW
PathIsRelativeW

samlib

SamLookupDomainInSamServer
SamFreeMemory
SamGetAliasMembership
SamCloseHandle
SamQueryInformationUser
SamOpenUser
SamEnumerateUsersInDomain
SamGetGroupsForUser
SamLookupNamesInDomain
SamLookupIdsInDomain
SamOpenDomain
SamConnect
SamEnumerateDomainsInSamServer
SamRidToSid

secur32

LsaConnectUntrusted
LsaDeregisterLogonProcess
LsaCallAuthenticationPackage
LsaLookupAuthenticationPackage
LsaFreeReturnBuffer

shell32

CommandLineToArgvW

user32

IsCharAlphaNumericW

ntdll

wcstol
wcstoul
wcsstr
_wcsnicmp
_stricmp
_wcsicmp
wcschr
wcsrchr
RtlUnicodeStringToAnsiString
RtlFreeAnsiString
RtlInitUnicodeString
RtlEqualUnicodeString
NtQueryObject
NtQuerySystemInformation
RtlGetCurrentPeb
NtQueryInformationProcess
RtlCreateUserThread
RtlStringFromGUID
RtlFreeUnicodeString
RtlGetNtVersionNumbers
RtlUpcaseUnicodeString
RtlAppendUnicodeStringToString
NtResumeProcess
RtlAdjustPrivilege
NtSuspendProcess
NtTerminateProcess
RtlEqualString
__chkstk
memcmp

kernel32

GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
OutputDebugStringA
GetModuleHandleW
GetCurrentProcessId
GetCurrentThread
SetCurrentDirectoryW
GetConsoleScreenBufferInfo
FillConsoleOutputCharacterW
GetStdHandle
SetConsoleCursorPosition
GetProcAddress
LoadLibraryW
FreeLibrary
FindNextFileW
FindClose
GetFileAttributesW
GetSystemTimeAsFileTime
FindFirstFileW
SetConsoleTitleW
SetConsoleOutputCP
SetConsoleCtrlHandler
FileTimeToLocalFileTime
GetTimeFormatW
GetDateFormatW
CreateRemoteThread
WaitForSingleObject
SetLastError
CreateProcessW
CreateFileMappingW
UnmapViewOfFile
MapViewOfFile
WriteProcessMemory
VirtualAllocEx
VirtualProtectEx
VirtualAlloc
ReadProcessMemory
VirtualFreeEx
VirtualQueryEx
VirtualFree
VirtualQuery
SetFilePointer
DeviceIoControl
DuplicateHandle
GetLastError
OpenProcess
GetCurrentProcess
CloseHandle
GetCurrentDirectoryW
GetFileSizeEx
FlushFileBuffers
CreateFileW
ReadFile
WriteFile
LocalFree
VirtualProtect
Sleep
FileTimeToSystemTime
LocalAlloc

msvcrt

_isatty
ungetc
_write
_lseeki64
_read
__pioinfo
__badioinfo
realloc
?terminate@@YAXXZ
wcstombs
iswctype
ferror
malloc
wctomb
_itoa
_snprintf
_lock
_unlock
_errno
vfwprintf
fflush
_wfopen
localeconv
vwprintf
fclose
free
_wcsdup
_fileno
_setmode
memcpy
memset
__C_specific_handler
__wgetmainargs
_XcptFilter
_exit
_cexit
exit
_initterm
_amsg_exit
__setusermatherr
_commode
_fmode
__set_app_type
calloc
isdigit
mbtowc
__mb_cur_max
isleadbyte
isxdigit
_iob

Sections

.text
Size: 114KB - Virtual size: 114KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 80KB - Virtual size: 79KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 9KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
x64/mimilib.dll
.dll windows x64

21225f2b6a83d9bc55bb1f288175c383

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

CreateRestrictedToken
CreateProcessAsUserW
ConvertSidToStringSidA
IsTextUnicode
OpenProcessToken

ntdll

RtlFreeUnicodeString
RtlStringFromGUID
RtlEqualString

kernel32

GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
Sleep
GetCurrentProcess
CloseHandle
LoadLibraryW
GetProcAddress
LocalAlloc
LocalFree
GetTimeFormatA
GetDateFormatA
FileTimeToSystemTime
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
GetSystemTimeAsFileTime

msvcrt

_wfopen
fclose
vfwprintf
fflush
memcpy
memset
__C_specific_handler
_XcptFilter
malloc
_initterm
free
_amsg_exit

Exports

Exports

ExtensionApiVersion
InitializeChangeNotify
PasswordChangeNotify
SpLsaModeInitialize
WinDbgExtensionDllInit
mimikatz
startW

Sections

.text
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 516B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 230B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

98417e01a287b51816cf84c6650a0141

Code Sign

04:00:00:00:00:01:2f:4e:e1:35:5cCertificate

Extended Key Usages

Key Usages

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0Certificate

Extended Key Usages

Key Usages

61:0b:7f:6b:00:00:00:00:00:19Certificate

Key Usages

11:21:22:31:90:c8:f2:13:3f:6f:93:c7:23:14:f0:92:e6:5cCertificate

Extended Key Usages

Key Usages

04:00:00:00:00:01:2f:4e:e1:52:d7Certificate

Key Usages

81:8c:20:7c:95:8a:a6:5f:10:ab:21:20:12:a0:0c:97:5c:b0:1b:86:2c:db:88:5a:0d:e3:20:0f:cd:fa:21:5bSigner

Signature Validations

Verification

10/10/2014, 08:54 Valid: false

Headers

File Characteristics

Imports

ntoskrnl.exe

fltmgr.sys

Sections

.text Size: 9KB - Virtual size: 8KB

.rdata Size: 3KB - Virtual size: 3KB

.data Size: 2KB - Virtual size: 2KB

PAGE Size: 1024B - Virtual size: 614B

INIT Size: 1KB - Virtual size: 1KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 1024B - Virtual size: 896B

9350e190375290368653be75573eb978

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

crypt32

cryptdll

shlwapi

samlib

secur32

shell32

user32

ntdll

kernel32

msvcrt

Sections

.text Size: 88KB - Virtual size: 88KB

.rdata Size: 68KB - Virtual size: 68KB

.data Size: 5KB - Virtual size: 6KB

.rsrc Size: 16KB - Virtual size: 15KB

.reloc Size: 7KB - Virtual size: 7KB

5fb9170191537a3476f88c308b72602c

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

ntdll

kernel32

msvcrt

Exports

Exports

Sections

.text Size: 9KB - Virtual size: 9KB

.rdata Size: 5KB - Virtual size: 5KB

.data Size: 1KB - Virtual size: 2KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 2KB - Virtual size: 1KB

21ec10a4f7c47d2799b4bd4ed6dfe115

Code Sign

04:00:00:00:00:01:2f:4e:e1:35:5cCertificate

Extended Key Usages

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0
Certificate

61:0b:7f:6b:00:00:00:00:00:19
Certificate

11:21:22:31:90:c8:f2:13:3f:6f:93:c7:23:14:f0:92:e6:5c
Certificate

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

81:8c:20:7c:95:8a:a6:5f:10:ab:21:20:12:a0:0c:97:5c:b0:1b:86:2c:db:88:5a:0d:e3:20:0f:cd:fa:21:5b
Signer

10/10/2014, 08:54
Valid: false

.text
Size: 9KB - Virtual size: 8KB

.rdata
Size: 3KB - Virtual size: 3KB

.data
Size: 2KB - Virtual size: 2KB

PAGE
Size: 1024B - Virtual size: 614B

INIT
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 1024B - Virtual size: 896B

.text
Size: 88KB - Virtual size: 88KB

.rdata
Size: 68KB - Virtual size: 68KB

.data
Size: 5KB - Virtual size: 6KB

.rsrc
Size: 16KB - Virtual size: 15KB

.reloc
Size: 7KB - Virtual size: 7KB

.text
Size: 9KB - Virtual size: 9KB

.rdata
Size: 5KB - Virtual size: 5KB

.data
Size: 1KB - Virtual size: 2KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 2KB - Virtual size: 1KB

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0
Certificate

61:0b:7f:6b:00:00:00:00:00:19
Certificate

11:21:22:31:90:c8:f2:13:3f:6f:93:c7:23:14:f0:92:e6:5c
Certificate

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

b9:45:76:02:a3:86:6d:4e:1f:31:6e:2a:60:23:2e:3d:27:7a:02:83:8f:b0:5b:b3:ea:d1:d6:6c:e3:05:95:a4
Signer

10/10/2014, 08:54
Valid: false

.text
Size: 12KB - Virtual size: 12KB

.rdata
Size: 4KB - Virtual size: 4KB

.data
Size: 3KB - Virtual size: 3KB

.pdata
Size: 512B - Virtual size: 444B

PAGE
Size: 1024B - Virtual size: 651B

INIT
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 338B

.text
Size: 114KB - Virtual size: 114KB

.rdata
Size: 80KB - Virtual size: 79KB

.data
Size: 9KB - Virtual size: 11KB

.pdata
Size: 4KB - Virtual size: 3KB

.rsrc
Size: 16KB - Virtual size: 15KB

.reloc
Size: 2KB - Virtual size: 1KB

.text
Size: 10KB - Virtual size: 10KB

.rdata
Size: 7KB - Virtual size: 6KB

.data
Size: 1KB - Virtual size: 3KB

.pdata
Size: 1024B - Virtual size: 516B

.rsrc
Size: 1KB - Virtual size: 1KB