mimikatz | mimikatz[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

mimikatz.exe
Size

1.4MB
MD5

5a4afb58e96e01db89ab537e28fd780b
SHA1

fea5cc5a633646ac7da086a78def2cf30320ba58
SHA256

2fb40644178a51ce0996ea769ad2c7f0819916269a90a3be8e0d91187f557fb9
SHA512

2859cc94b34b50e2a8ecc1ff5669dec1b05d87f58f8ba04290fdb0bb3129f16c45a2d7ad9716bae281158f9d2d84981f3cf704b320a3aa07e0eca10e93e3e3e2
SSDEEP

24576:ckHD7XqTgUjxuCi5WbRfPtIaMPPIFg/M82ICZ:5ja/ig9KaMPPIS/O

Score

10^/10

mimikatz

Malware Config

Signatures

Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
sample	mimikatz

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
mimikatz.exe

Files

mimikatz.exe
.exe windows:6 windows x64

15930e8c59e9e51cd5852741b1ec9ded

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

CryptReleaseContext
CryptGenKey
CryptGetProvParam
CryptGetHashParam
CryptImportKey
CryptSetKeyParam
CryptDestroyHash
CryptSetHashParam
CryptHashData
CryptCreateHash
CryptExportKey
CryptDecrypt
SystemFunction007
CryptDuplicateKey
CryptEncrypt
CryptAcquireContextW
CryptGetKeyParam
CryptAcquireContextA
CryptDestroyKey
GetLengthSid
CopySid
LsaClose
LsaOpenPolicy
LsaQueryInformationPolicy
CreateWellKnownSid
CreateProcessAsUserW
CreateProcessWithLogonW
RegQueryValueExW
RegEnumValueW
RegOpenKeyExW
RegSetValueExW
RegEnumKeyExW
RegQueryInfoKeyW
RegCloseKey
SystemFunction032
ConvertSidToStringSidW
SystemFunction033
QueryServiceObjectSecurity
QueryServiceStatusEx
BuildSecurityDescriptorW
OpenServiceW
StartServiceW
FreeSid
ControlService
SetServiceObjectSecurity
DeleteService
AllocateAndInitializeSid
OpenSCManagerW
CloseServiceHandle
CreateServiceW
IsTextUnicode
GetTokenInformation
LookupAccountNameW
LookupAccountSidW
DuplicateTokenEx
CheckTokenMembership
OpenProcessToken
CryptSetProvParam
CryptEnumProvidersW
ConvertStringSidToSidW
LsaFreeMemory
IsValidSid
GetSidSubAuthority
GetSidSubAuthorityCount
SetThreadToken
SystemFunction006
CryptEnumProviderTypesW
CryptGetUserKey
OpenEventLogW
ClearEventLogW
GetNumberOfEventLogRecords
CryptSignHashW
LsaRetrievePrivateData
LsaOpenSecret
LsaQueryTrustedDomainInfoByName
CryptDeriveKey
LsaQuerySecret
SystemFunction001
SystemFunction005
LsaSetSecret
LsaEnumerateTrustedDomainsEx
SystemFunction023
LookupPrivilegeValueW
StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerW
SetServiceStatus
OpenThreadToken
LookupPrivilegeNameW
EqualSid
CredFree
CredEnumerateW
ConvertStringSecurityDescriptorToSecurityDescriptorW
SystemFunction027
SystemFunction026
CredUnmarshalCredentialW
CredIsMarshaledCredentialW
A_SHAUpdate
A_SHAInit
A_SHAFinal

cabinet

ord14
ord10
ord13
ord11

crypt32

CertGetNameStringW
CryptQueryObject
CertEnumCertificatesInStore
CertAddCertificateContextToStore
CertEnumSystemStore
CertAddEncodedCertificateToStore
CertFreeCertificateContext
CertCloseStore
PFXExportCertStoreEx
CertSetCertificateContextProperty
CertOpenStore
CryptUnprotectData
CryptBinaryToStringW
CryptStringToBinaryA
CryptBinaryToStringA
CryptStringToBinaryW
CryptAcquireCertificatePrivateKey
CryptExportPublicKeyInfo
CryptFindOIDInfo
CryptSignAndEncodeCertificate
CertNameToStrW
CryptEncodeObject
CertFindCertificateInStore
CertGetCertificateContextProperty
CryptProtectData
CryptDecodeObjectEx

cryptdll

CDGenerateRandomBits
MD5Init
MD5Update
CDLocateCheckSum
MD5Final
CDLocateCSystem

dnsapi

DnsQuery_A
DnsFree

fltlib

FilterFindFirst
FilterFindNext

netapi32

DsEnumerateDomainTrustsW
NetServerGetInfo
NetRemoteTOD
NetSessionEnum
NetStatisticsGet
NetShareEnum
NetWkstaUserEnum
NetApiBufferFree
DsGetDcNameW
I_NetServerAuthenticate2
I_NetServerReqChallenge
I_NetServerTrustPasswordsGet

ole32

CoTaskMemFree
CoInitializeEx
CoUninitialize
CoCreateInstance

oleaut32

SysAllocString
SysFreeString
VariantInit

rpcrt4

UuidCreate
RpcEpResolveBinding
RpcBindingSetAuthInfoW
NdrServerCall2
RpcMgmtEpEltInqDone
RpcMgmtEpEltInqNextW
NdrClientCall2
I_RpcBindingInqSecurityContext
RpcEpRegisterW
RpcMgmtStopServerListening
RpcMgmtEpEltInqBegin
RpcBindingInqAuthClientW
RpcBindingSetOption
RpcBindingFromStringBindingW
RpcStringBindingComposeW
RpcBindingSetAuthInfoExW
RpcStringFreeW
MesHandleFree
RpcImpersonateClient
RpcRevertToSelf
MesEncodeIncrementalHandleCreate
MesDecodeIncrementalHandleCreate
RpcServerInqBindings
RpcBindingFree
MesIncrementalHandleReset
NdrMesTypeEncode2
NdrMesTypeDecode2
NdrMesTypeFree2
NdrMesTypeAlignSize2
RpcBindingVectorFree
RpcServerUseProtseqEpW
RpcServerUnregisterIfEx
RpcBindingToStringBindingW
UuidToStringW
RpcServerRegisterIf2
RpcMgmtWaitServerListen
RpcServerListen
RpcServerRegisterAuthInfoW
RpcEpUnregister
I_RpcGetCurrentCallHandle

shlwapi

PathCombineW
PathCanonicalizeW
PathIsRelativeW
PathFindFileNameW
PathIsDirectoryW

samlib

SamOpenGroup
SamSetInformationUser
SamQueryInformationUser
SamFreeMemory
SamLookupDomainInSamServer
SamCloseHandle
SamConnect
SamLookupIdsInDomain
SamiChangePasswordUser
SamEnumerateDomainsInSamServer
SamRidToSid
SamOpenAlias
SamGetAliasMembership
SamEnumerateGroupsInDomain
SamGetMembersInGroup
SamGetMembersInAlias
SamGetGroupsForUser
SamOpenDomain
SamLookupNamesInDomain
SamEnumerateUsersInDomain
SamOpenUser
SamEnumerateAliasesInDomain

secur32

LsaFreeReturnBuffer
FreeContextBuffer
LsaCallAuthenticationPackage
LsaDeregisterLogonProcess
LsaConnectUntrusted
DeleteSecurityContext
AcquireCredentialsHandleW
InitializeSecurityContextW
FreeCredentialsHandle
LsaLookupAuthenticationPackage
EnumerateSecurityPackagesW
QueryContextAttributesW

shell32

CommandLineToArgvW

user32

IsCharAlphaNumericW
UnregisterClassW
GetKeyboardLayout
GetClipboardData
GetClipboardSequenceNumber
TranslateMessage
EnumClipboardFormats
CloseClipboard
ChangeClipboardChain
DispatchMessageW
OpenClipboard
RegisterClassExW
SendMessageW
GetMessageW
DefWindowProcW
PostMessageW
DestroyWindow
SetClipboardViewer
CreateWindowExW

userenv

DestroyEnvironmentBlock
CreateEnvironmentBlock

version

GetFileVersionInfoSizeW
VerQueryValueW
GetFileVersionInfoW

hid

HidD_GetFeature
HidD_GetAttributes
HidP_GetCaps
HidD_GetPreparsedData
HidD_FreePreparsedData
HidD_GetHidGuid
HidD_SetFeature

setupapi

SetupDiDestroyDeviceInfoList
SetupDiGetDeviceInterfaceDetailW
SetupDiGetClassDevsW
SetupDiEnumDeviceInterfaces

winscard

SCardDisconnect
SCardConnectW
SCardListReadersW
SCardGetCardTypeProviderNameW
SCardListCardsW
SCardReleaseContext
SCardEstablishContext
SCardGetAttrib
SCardFreeMemory
SCardTransmit
SCardControl

winsta

WinStationEnumerateW
WinStationConnectW
WinStationFreeMemory
WinStationCloseServer
WinStationQueryInformationW
WinStationOpenServerW

wldap32

ord203
ord208
ord73
ord13
ord36
ord79
ord41
ord142
ord77
ord145
ord54
ord301
ord304
ord309
ord167
ord133
ord127
ord26
ord27
ord147
ord157
ord224
ord97
ord122
ord139
ord12
ord69
ord96
ord223
ord113
ord140
ord14
ord88
ord310

msasn1

ASN1_CloseModule
ASN1_FreeEncoded
ASN1BERDotVal2Eoid
ASN1_CreateModule
ASN1_CloseEncoder
ASN1_CreateEncoder
ASN1_CreateDecoder
ASN1_CloseDecoder

ntdll

NtQuerySystemInformation
NtQueryInformationProcess
NtQueryObject
RtlInitUnicodeString
RtlEqualUnicodeString
RtlDowncaseUnicodeString
RtlFreeUnicodeString
RtlUnicodeStringToAnsiString
RtlFreeAnsiString
RtlGetCurrentPeb
RtlCreateUserThread
RtlGUIDFromString
RtlStringFromGUID
NtCompareTokens
RtlGetNtVersionNumbers
RtlEqualString
RtlAppendUnicodeStringToString
RtlUpcaseUnicodeString
RtlAnsiStringToUnicodeString
RtlFreeOemString
RtlUpcaseUnicodeStringToOemString
NtResumeProcess
RtlAdjustPrivilege
NtTerminateProcess
NtSuspendProcess
NtSetSystemEnvironmentValueEx
NtQuerySystemEnvironmentValueEx
NtEnumerateSystemEnvironmentValuesEx
RtlIpv4AddressToStringW
RtlIpv6AddressToStringW
RtlGetCompressionWorkSpaceSize
RtlCompressBuffer

kernel32

GetACP
IsValidCodePage
FindFirstFileExW
SetStdHandle
GetConsoleMode
GetConsoleCP
LCMapStringW
CompareStringW
GetFileType
GetModuleHandleExW
TerminateProcess
GetModuleFileNameW
GetCommandLineW
GetCommandLineA
LoadLibraryExW
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
RtlUnwindEx
IsProcessorFeaturePresent
GetStartupInfoW
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
InitializeSListHead
GetCurrentThreadId
LoadLibraryExA
SetFilePointerEx
GetProcessId
GetComputerNameW
ProcessIdToSessionId
GetCurrentThread
SetConsoleCursorPosition
SetCurrentDirectoryW
FillConsoleOutputCharacterW
GetTimeZoneInformation
GetSystemDirectoryW
GetStdHandle
GetConsoleScreenBufferInfo
SetEvent
CreateEventW
DeleteCriticalSection
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
CreatePipe
SetHandleInformation
GlobalSize
SetFileAttributesW
SetConsoleTitleW
ExitProcess
RaiseException
GetOEMCP
SetConsoleCtrlHandler
GetTickCount
QueryPerformanceCounter
FormatMessageA
GetSystemTime
GetProcessHeap
GetCurrentProcessId
GetFileSize
LockFileEx
UnlockFile
HeapDestroy
HeapCompact
HeapAlloc
GetSystemInfo
HeapReAlloc
DeleteFileW
WaitForSingleObjectEx
LoadLibraryA
FlushViewOfFile
OutputDebugStringW
GetFileAttributesExW
GetFileAttributesA
GetDiskFreeSpaceA
FormatMessageW
MultiByteToWideChar
HeapSize
HeapValidate
CreateMutexW
GetTempPathW
UnlockFileEx
SetEndOfFile
GetFullPathNameA
LockFile
OutputDebugStringA
GetDiskFreeSpaceW
GetFullPathNameW
HeapFree
HeapCreate
AreFileApisANSI
GetDateFormatW
GetSystemTimeAsFileTime
WideCharToMultiByte
SystemTimeToFileTime
GetTimeFormatW
lstrlenA
ClearCommError
PurgeComm
CreateRemoteThread
WaitForSingleObject
SetLastError
CreateProcessW
SetConsoleOutputCP
GetConsoleOutputCP
MapViewOfFile
CreateFileMappingW
UnmapViewOfFile
VirtualQueryEx
VirtualQuery
VirtualFreeEx
WriteConsoleW
ReadConsoleW
GetStringTypeW
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
ExitThread
GetCPInfo
ReadProcessMemory
VirtualAllocEx
VirtualProtectEx
VirtualAlloc
VirtualFree
VirtualProtect
WriteProcessMemory
GetComputerNameExW
RtlUnwind
DeviceIoControl
OpenProcess
DuplicateHandle
GetCurrentProcess
FlushFileBuffers
GetCurrentDirectoryW
GetFileAttributesW
FindClose
ExpandEnvironmentStringsW
FindNextFileW
GetFileSizeEx
FindFirstFileW
lstrlenW
FreeLibrary
GetModuleHandleW
GetProcAddress
LoadLibraryW
FileTimeToDosDateTime
GetTempFileNameA
FileTimeToLocalFileTime
DeleteFileA
CreateFileA
GetTempPathA
GetFileInformationByHandle
GetCurrentDirectoryA
SetFilePointer
LocalFree
CreateThread
CloseHandle
TerminateThread
GetLastError
Sleep
CreateFileW
LocalAlloc
WriteFile
ReadFile
FileTimeToSystemTime

Sections

.text
Size: 883KB - Virtual size: 883KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 428KB - Virtual size: 428KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 25KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 30KB - Virtual size: 29KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 148B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

15930e8c59e9e51cd5852741b1ec9ded

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

cabinet

crypt32

cryptdll

dnsapi

fltlib

netapi32

ole32

oleaut32

rpcrt4

shlwapi

samlib

secur32

shell32

user32

userenv

version

hid

setupapi

winscard

winsta

wldap32

msasn1

ntdll

kernel32

Sections

.text Size: 883KB - Virtual size: 883KB

.rdata Size: 428KB - Virtual size: 428KB

.data Size: 25KB - Virtual size: 32KB

.pdata Size: 30KB - Virtual size: 29KB

_RDATA Size: 512B - Virtual size: 148B

.rsrc Size: 17KB - Virtual size: 16KB

.reloc Size: 8KB - Virtual size: 7KB

.text
Size: 883KB - Virtual size: 883KB

.rdata
Size: 428KB - Virtual size: 428KB

.data
Size: 25KB - Virtual size: 32KB

.pdata
Size: 30KB - Virtual size: 29KB

_RDATA
Size: 512B - Virtual size: 148B

.rsrc
Size: 17KB - Virtual size: 16KB

.reloc
Size: 8KB - Virtual size: 7KB