Behavioral task
behavioral1
Sample: 2024-02-13_39d591d21637fdea2b65d5444fddc092_ryuk.exe
Resource: win7-20231215-en
Behavioral task
behavioral2
Sample: 2024-02-13_39d591d21637fdea2b65d5444fddc092_ryuk.exe
Resource: win10v2004-20231215-en
General
Target: 2024-02-13_39d591d21637fdea2b65d5444fddc092_ryuk
Size: 4.0MB
MD5: 39d591d21637fdea2b65d5444fddc092
SHA1: c727085caa9f92cc190e44972608b980843d024c
SHA256: d26382b33721e06d0f11ed4939cd0cfd9b52a230020eaaf1ae476a175f751fad
SHA512: 6d573fc845ce2e8661d07c8ad995249036ae08ee317b43cb0111328a93d25fb1797d67792cc38d8ebdc981795f78176aeab1d815831dd69a4b49e862684c48a5
SSDEEP: 49152:vp2d3Ta8CskPEv/cUbHXaK9EyLMsQY69Lv2iE75u5DHIU6iMh8k+rEIUns:vUd1eUbr9EE6d2iOuq+ct2
Malware Config
Signatures
Mimikatz family (1 IoC)
mimikatz is an open source tool to dump credentials on Windows.
resource: sample; yara_rule: mimikatz
Unsigned PE (1 IoC)
Checks for missing Authenticode signature.
resource: 2024-02-13_39d591d21637fdea2b65d5444fddc092_ryuk
Files
2024-02-13_39d591d21637fdea2b65d5444fddc092_ryuk.exe windows:6 windows x64 arch:x64
dbfb4f4ed5fb91e73a2e2433dfc9723a
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
c:\jenkins\workspace\workspace\HaXM Windows Collectors\Collectors\bin\x64_Release\MimiWrapper.pdb
Imports
kernel32
WriteConsoleW
SetFilePointerEx
GetTimeZoneInformation
GetProcessHeap
SetEndOfFile
SetStdHandle
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
FindFirstFileExW
GetACP
GetCommandLineW
GetCommandLineA
GetStdHandle
ExitProcess
HeapFree
IsValidCodePage
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
HeapSize
WideCharToMultiByte
MultiByteToWideChar
SetLastError
GetLastError
RtlVirtualUnwind
TlsSetValue
TlsGetValue
TlsAlloc
InitOnceExecuteOnce
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
GetModuleHandleExW
HeapReAlloc
HeapAlloc
GetConsoleCP
ReadConsoleW
GetConsoleMode
GetFileType
ExpandEnvironmentStringsW
GetSystemTimeAsFileTime
RemoveVectoredExceptionHandler
SetErrorMode
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetCurrentThreadId
CloseHandle
ReadFile
WriteFile
CreateFileW
CreateEventW
GetCurrentProcessId
DuplicateHandle
SetEvent
ResetEvent
LocalAlloc
LocalFree
SetConsoleCtrlHandler
GetConsoleOutputCP
SetConsoleOutputCP
FlushFileBuffers
FindClose
FindNextFileW
OpenProcess
VirtualAlloc
VirtualFree
VirtualProtect
SetFilePointer
FileTimeToLocalFileTime
FileTimeToSystemTime
GetTimeFormatW
GetDateFormatW
Sleep
MapViewOfFile
UnmapViewOfFile
CreateFileMappingW
FreeLibrary
GetProcAddress
LoadLibraryW
FormatMessageW
RtlPcToFileHeader
EncodePointer
DecodePointer
RaiseException
WaitForSingleObjectEx
GetCurrentThread
TryEnterCriticalSection
DeleteCriticalSection
GetStringTypeW
QueryPerformanceCounter
TlsFree
GetTickCount
GetModuleHandleW
GetCPInfo
CompareStringW
LCMapStringW
GetLocaleInfoW
RtlCaptureContext
RtlLookupFunctionEntry
UnhandledExceptionFilter
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
InitializeSListHead
CreateTimerQueue
SignalObjectAndWait
SwitchToThread
CreateThread
SetThreadPriority
GetThreadPriority
GetLogicalProcessorInformation
CreateTimerQueueTimer
ChangeTimerQueueTimer
DeleteTimerQueueTimer
GetNumaHighestNodeNumber
GetProcessAffinityMask
SetThreadAffinityMask
RegisterWaitForSingleObject
UnregisterWait
GetThreadTimes
FreeLibraryAndExitThread
GetModuleFileNameW
GetModuleHandleA
LoadLibraryExW
GetVersionExW
ReleaseSemaphore
InterlockedPopEntrySList
InterlockedPushEntrySList
InterlockedFlushSList
QueryDepthSList
UnregisterWaitEx
RtlUnwindEx
SetEnvironmentVariableA
SetEnvironmentVariableW
advapi32
SystemFunction025
CryptDecrypt
CryptImportKey
CryptExportKey
CryptGetProvParam
CryptSetKeyParam
CryptDestroyKey
CryptGenKey
CryptAcquireContextA
RegQueryValueExW
RegQueryInfoKeyW
RegOpenKeyExW
CryptReleaseContext
CryptGenRandom
CryptAcquireContextW
RegEnumKeyExW
RegCloseKey
ConvertSidToStringSidW
IsTextUnicode
SystemFunction032
ole32
CoInitializeEx
CoUninitialize
ntdll
RtlEqualString
RtlGetCurrentPeb
RtlFreeUnicodeString
RtlStringFromGUID
RtlGetNtVersionNumbers
RtlInitUnicodeString
RtlEqualUnicodeString
NtQueryInformationProcess
NtQuerySystemInformation
cryptdll
MD5Init
MD5Update
MD5Final
user32
IsCharAlphaNumericW
Exports
mimikatz_export
Sections
.text Size: 1.4MB - Virtual size: 1.4MB (IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ)
.rdata Size: 2.5MB - Virtual size: 2.5MB (IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ)
.data Size: 38KB - Virtual size: 55KB (IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE)
.pdata Size: 69KB - Virtual size: 69KB (IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ)
.tls Size: 512B - Virtual size: 29B (IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE)
.gfids Size: 4KB - Virtual size: 3KB (IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ)
.rsrc Size: 512B - Virtual size: 480B (IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ)
.reloc Size: 10KB - Virtual size: 9KB (IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ)
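The static findings in this report (the missing Authenticode certificate table behind the "Unsigned PE" signature, the DLL and file characteristics, the section permission flags and the PDB path) all come from fixed offsets in the PE headers. The example below is added for this page; it is not code from the sandbox report or from the sample, and it uses only the Python standard library. To run offline it builds a constructed two-section PE32+ image in memory (build_sample, with the made-up PDB path c:\build\example.pdb) and parses that; the function names, the constructed image and its contents are assumptions, not data from the analysed file. It goes one step beyond the report by also listing any section that is both writable and executable, which this sample's section flags do not show.

```python
"""Stdlib-only PE32+ header triage: Authenticode presence, DllCharacteristics,
section permissions and the CodeView PDB path. Added example, not report code."""
import struct

DLL_CHARACTERISTICS = {
    0x0020: "IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA",
    0x0040: "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
    0x0100: "IMAGE_DLLCHARACTERISTICS_NX_COMPAT",
    0x4000: "IMAGE_DLLCHARACTERISTICS_GUARD_CF",
    0x8000: "IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE",
}
FILE_CHARACTERISTICS = {0x0002: "IMAGE_FILE_EXECUTABLE_IMAGE",
                        0x0020: "IMAGE_FILE_LARGE_ADDRESS_AWARE",
                        0x2000: "IMAGE_FILE_DLL"}
SECTION_FLAGS = {0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
                 0x02000000: "IMAGE_SCN_MEM_DISCARDABLE", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
                 0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE"}
DIR_SECURITY, DIR_DEBUG, DEBUG_TYPE_CODEVIEW = 4, 6, 2


def flags(value, table):
    """Expand a bitmask into the flag names from the given table, in table order."""
    return [name for bit, name in table.items() if value & bit]


def rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["virtual_size"], s["raw_size"]):
            return rva - s["va"] + s["raw_ptr"]
    raise ValueError(f"RVA {rva:#x} not backed by any section")


def parse_pe(data):
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]               # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    nsec, _, _, _, opt_size, file_chars = struct.unpack_from("<HIIIHH", data, coff + 2)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ (x64) handled here")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + 108)[0]
    dirs = [struct.unpack_from("<II", data, opt + 112 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "virtual_size": vsize,
                         "va": va, "raw_size": rsize, "raw_ptr": rptr,
                         "flags": flags(chars, SECTION_FLAGS)})
    # The security directory entry holds a raw file offset, not an RVA; a zero size
    # means there is no certificate table at all, which is what "Unsigned PE" reports.
    signed = ndirs > DIR_SECURITY and dirs[DIR_SECURITY][1] != 0
    pdb = None
    if ndirs > DIR_DEBUG and dirs[DIR_DEBUG][1]:
        base = rva_to_offset(dirs[DIR_DEBUG][0], sections)
        for j in range(dirs[DIR_DEBUG][1] // 28):                # one IMAGE_DEBUG_DIRECTORY per 28 bytes
            typ, size, _, raw_ptr = struct.unpack_from("<IIII", data, base + 28 * j + 12)
            if typ == DEBUG_TYPE_CODEVIEW and data[raw_ptr:raw_ptr + 4] == b"RSDS":
                # RSDS record: signature(4) + GUID(16) + age(4) + NUL-terminated PDB path
                pdb = data[raw_ptr + 24:raw_ptr + size].split(b"\0", 1)[0].decode("utf-8", "replace")
    return {"file_characteristics": flags(file_chars, FILE_CHARACTERISTICS),
            "dll_characteristics": flags(dll_chars, DLL_CHARACTERISTICS),
            "authenticode_present": signed, "sections": sections, "pdb": pdb,
            "wx_sections": [s["name"] for s in sections
                            if "IMAGE_SCN_MEM_WRITE" in s["flags"] and "IMAGE_SCN_MEM_EXECUTE" in s["flags"]]}


def build_sample(text_chars=0x60000020):
    """Constructed two-section PE32+ image for offline testing (not the analysed sample)."""
    text = b"\xC3".ljust(0x200, b"\0")                              # .text: a lone RET
    cv = b"RSDS" + bytes(16) + struct.pack("<I", 1) + b"c:\\build\\example.pdb\0"
    dbg = struct.pack("<IIHHIIII", 0, 0, 0, 0, DEBUG_TYPE_CODEVIEW, len(cv), 0x2000 + 28, 0x400 + 28)
    rdata = (dbg + cv).ljust(0x200, b"\0")                          # .rdata: debug dir + CodeView record
    dirs = [(0, 0)] * 16
    dirs[DIR_DEBUG] = (0x2000, 28)                                   # no security directory => unsigned
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 14, 0, 0x200, 0x200, 0, 0x1000,
                      0x1000, 0x140000000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x3000, 0x200, 0,
                      3, 0x8160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # DllCharacteristics 0x8160
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(opt), 0x0022)   # x64, EXECUTABLE|LARGE_ADDRESS_AWARE
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, text_chars)
    secs += struct.pack("<8sIIIIIIHHI", b".rdata", len(dbg) + len(cv), 0x2000, 0x200, 0x400,
                        0, 0, 0, 0, 0x40000040)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    return (dos + b"PE\0\0" + coff + opt + secs).ljust(0x200, b"\0") + text + rdata


if __name__ == "__main__":
    report = parse_pe(build_sample())
    print("authenticode present:", report["authenticode_present"], "| pdb:", report["pdb"])
    print("dll characteristics:", report["dll_characteristics"])
    for s in report["sections"]:
        print(f"{s['name']:8} vsize={s['virtual_size']:#x} raw={s['raw_size']:#x} {s['flags']}")
```

The Authenticode check is presence-only: a non-empty IMAGE_DIRECTORY_ENTRY_SECURITY says a certificate table exists, not that the signature chains to a trusted root or covers the current bytes; on Windows, Get-AuthenticodeSignature or signtool verify does the cryptographic part. Run against a real file with parse_pe(open(path, "rb").read()); the parser deliberately refuses PE32 (0x10B) images, since the 64-bit offsets used here differ from the 32-bit layout after the ImageBase field.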