mimikatz | sudo[.]dll

General

Target

sudo.dll
Size

10KB
MD5

65364acf10e1fe72681d89c47cf14c88
SHA1

04821d491a128434828bef3f9ff75c77e8c6a02f
SHA256

fd89b6aecd7efbbb991c15d1313192c7680be4b06f0ebbf2fc223ab1d6144eff
SHA512

677b8738cfd8025317e68ec834b05f62d2910c1272ac0fd48b1b12b779635f34a4922d45ee3299e56dceb515a8e845179c2d6daf76fd6c4317a6d5e257a18929
SSDEEP

96:4Pb5tcAZX8vpdn701NlSQ4rz35JCUSKasPeWtw1zDHaXKGqQdzAlpHFussDJ9hLs:65tcdHn70oyBKxwxwdzAJu1DLhLouH

Score

10^/10

mimikatz

Malware Config

Signatures

Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
sample	mimikatz

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
sudo.dll

Files

sudo.dll
.dll windows:6 windows x64 arch:x64

f2ba1d1c78a7d11454a9a14db5a32d93

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

kernel32

Sleep
IsDebuggerPresent
InitializeSListHead
DisableThreadLibraryCalls
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext

vcruntime140

__std_type_info_destroy_list
memset
__C_specific_handler

api-ms-win-crt-stdio-l1-1-0

_wfopen

api-ms-win-crt-runtime-l1-1-0

_initialize_onexit_table
_execute_onexit_table
_configure_narrow_argv
_seh_filter_dll
_initterm_e
_initterm
_cexit
_initialize_narrow_environment

Exports

Exports

SpLsaModeInitialize

Sections

.text
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 444B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 248B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 56B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f2ba1d1c78a7d11454a9a14db5a32d93

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-runtime-l1-1-0

Exports

Exports

Sections

.text Size: 4KB - Virtual size: 3KB

.rdata Size: 3KB - Virtual size: 3KB

.data Size: 512B - Virtual size: 1KB

.pdata Size: 512B - Virtual size: 444B

.rsrc Size: 512B - Virtual size: 248B

.reloc Size: 512B - Virtual size: 56B

.text
Size: 4KB - Virtual size: 3KB

.rdata
Size: 3KB - Virtual size: 3KB

.data
Size: 512B - Virtual size: 1KB

.pdata
Size: 512B - Virtual size: 444B

.rsrc
Size: 512B - Virtual size: 248B

.reloc
Size: 512B - Virtual size: 56B