mimikatz | 216cb059f34d133b788db7aad7f497d71a52c899a875560ede194a840219d740

Sharing

Copy URL

Twitter E-mail

General

Target

216cb059f34d133b788db7aad7f497d71a52c899a875560ede194a840219d740
Size

1.6MB
MD5

eb2c257d7ae2ce4c96e7eac775f1c409
SHA1

f4e6d12a10c61118d0d1f75b27d7dcc7ba7477f0
SHA256

216cb059f34d133b788db7aad7f497d71a52c899a875560ede194a840219d740
SHA512

2bc1d8ce0614eac055f33ffb159893816a5bc3ab1bd4c64a62f137debb6d417e355014c0dd9f169ba2af62b3b541ba0a7cf42fa409db40946c0a6c729723c840
SSDEEP

49152:2Gwpj2C5GY1euaazOuJiZRiJTEsRL/JsErTI:2zpjZC3iJTRL/JsErT

Score

10^/10

mimikatz

Malware Config

Signatures

Mimikatz family
mimikatz
mimikatz is an open source tool to dump credentials on Windows 1 IoCs

Processes:

resource yara_rule

sample mimikatz

resource	yara_rule
sample	mimikatz

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
216cb059f34d133b788db7aad7f497d71a52c899a875560ede194a840219d740

Files

216cb059f34d133b788db7aad7f497d71a52c899a875560ede194a840219d740
.exe windows:6 windows x64 arch:x64

ac55e8da98447d67905d85bbd85bb62b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

winscard

SCardConnectW
SCardControl
SCardDisconnect
SCardEstablishContext
SCardFreeMemory
SCardGetAttrib
SCardGetCardTypeProviderNameW
SCardListCardsW
SCardListReadersW
SCardReleaseContext
SCardTransmit

wldap32

ord304
ord54
ord309
ord301
ord310
ord69
ord73
ord88
ord36
ord96
ord97
ord77
ord113
ord122
ord127
ord26
ord133
ord12
ord139
ord140
ord142
ord145
ord147
ord157
ord41
ord167
ord27
ord203
ord208
ord14
ord13
ord223
ord224
ord79

kernel32

AreFileApisANSI
ClearCommError
CloseHandle
CompareStringW
CreateEventW
CreateFileA
CreateFileMappingW
CreateFileW
CreateMutexW
CreatePipe
CreateProcessW
CreateRemoteThread
CreateThread
DeleteCriticalSection
DeleteFileA
DeleteFileW
DeviceIoControl
DuplicateHandle
EncodePointer
EnterCriticalSection
ExitProcess
ExpandEnvironmentStringsW
FileTimeToDosDateTime
FileTimeToLocalFileTime
FileTimeToSystemTime
FillConsoleOutputCharacterW
FindClose
FindFirstFileExW
FindFirstFileW
FindNextFileW
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FlushFileBuffers
FlushViewOfFile
FormatMessageA
FormatMessageW
FreeEnvironmentStringsW
FreeLibrary
GetACP
GetCPInfo
GetCommandLineA
GetCommandLineW
GetComputerNameExW
GetComputerNameW
GetConsoleMode
GetConsoleOutputCP
GetConsoleScreenBufferInfo
GetCurrentDirectoryA
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetDateFormatW
GetDiskFreeSpaceA
GetDiskFreeSpaceW
GetEnvironmentStringsW
GetFileAttributesA
GetFileAttributesExW
GetFileAttributesW
GetFileInformationByHandle
GetFileSize
GetFileSizeEx
GetFileType
GetFullPathNameA
GetFullPathNameW
GetLastError
GetModuleFileNameW
GetModuleHandleExW
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessHeap
GetProcessId
GetStartupInfoW
GetStdHandle
GetStringTypeW
GetSystemDirectoryW
GetSystemInfo
GetSystemTime
GetSystemTimeAsFileTime
GetTempFileNameA
GetTempPathA
GetTempPathW
GetTickCount
GetTimeFormatW
GetTimeZoneInformation
GlobalSize
HeapAlloc
HeapCompact
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
HeapValidate
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
InitializeSListHead
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
LCMapStringW
LeaveCriticalSection
LoadLibraryExW
LoadLibraryW
LocalAlloc
LocalFree
LockFile
LockFileEx
MapViewOfFile
MultiByteToWideChar
OpenProcess
OutputDebugStringA
OutputDebugStringW
ProcessIdToSessionId
PurgeComm
QueryPerformanceCounter
RaiseException
ReadConsoleW
ReadFile
ReadProcessMemory
RtlCaptureContext
RtlLookupFunctionEntry
RtlPcToFileHeader
RtlUnwind
RtlUnwindEx
RtlVirtualUnwind
SetConsoleCtrlHandler
SetConsoleCursorPosition
SetConsoleOutputCP
SetConsoleTitleW
SetCurrentDirectoryW
SetEndOfFile
SetEnvironmentVariableW
SetEvent
SetFilePointer
SetFilePointerEx
SetHandleInformation
SetLastError
SetStdHandle
SetUnhandledExceptionFilter
Sleep
SystemTimeToFileTime
TerminateProcess
TerminateThread
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TryEnterCriticalSection
UnhandledExceptionFilter
UnlockFile
UnlockFileEx
UnmapViewOfFile
VirtualAlloc
VirtualAllocEx
VirtualFree
VirtualFreeEx
VirtualProtect
VirtualProtectEx
VirtualQuery
VirtualQueryEx
WaitForSingleObject
WaitForSingleObjectEx
WideCharToMultiByte
WriteConsoleW
WriteFile
WriteProcessMemory
lstrlenA
lstrlenW

ntdll

NtCompareTokens
NtEnumerateSystemEnvironmentValuesEx
NtQueryInformationProcess
NtQueryObject
NtQuerySystemEnvironmentValueEx
NtQuerySystemInformation
NtResumeProcess
NtSetSystemEnvironmentValueEx
NtSuspendProcess
NtTerminateProcess
RtlAdjustPrivilege
RtlAnsiStringToUnicodeString
RtlAppendUnicodeStringToString
RtlCompressBuffer
RtlCreateUserThread
RtlDowncaseUnicodeString
RtlEqualString
RtlEqualUnicodeString
RtlFreeAnsiString
RtlFreeOemString
RtlFreeUnicodeString
RtlGUIDFromString
RtlGetCompressionWorkSpaceSize
RtlGetCurrentPeb
RtlGetNtVersionNumbers
RtlInitUnicodeString
RtlIpv4AddressToStringW
RtlIpv6AddressToStringW
RtlStringFromGUID
RtlUnicodeStringToAnsiString
RtlUpcaseUnicodeString
RtlUpcaseUnicodeStringToOemString

msasn1

ASN1BERDotVal2Eoid
ASN1_CloseDecoder
ASN1_CloseEncoder
ASN1_CloseModule
ASN1_CreateDecoder
ASN1_CreateEncoder
ASN1_CreateModule
ASN1_FreeEncoded

hid

HidD_FreePreparsedData
HidD_GetAttributes
HidD_GetFeature
HidD_GetHidGuid
HidD_GetPreparsedData
HidD_SetFeature
HidP_GetCaps

setupapi

SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInterfaces
SetupDiGetClassDevsW
SetupDiGetDeviceInterfaceDetailW

cabinet

ord11
ord10
ord14
ord13

cryptdll

CDGenerateRandomBits
CDLocateCSystem
CDLocateCheckSum
MD5Final
MD5Init
MD5Update

advapi32

A_SHAFinal
A_SHAInit
A_SHAUpdate
AllocateAndInitializeSid
BuildSecurityDescriptorW
CheckTokenMembership
ClearEventLogW
CloseServiceHandle
ControlService
ConvertSidToStringSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertStringSidToSidW
CopySid
CreateProcessAsUserW
CreateProcessWithLogonW
CreateServiceW
CreateWellKnownSid
CredEnumerateW
CredFree
CredIsMarshaledCredentialW
CredUnmarshalCredentialW
CryptAcquireContextA
CryptAcquireContextW
CryptCreateHash
CryptDecrypt
CryptDeriveKey
CryptDestroyHash
CryptDestroyKey
CryptDuplicateKey
CryptEncrypt
CryptEnumProviderTypesW
CryptEnumProvidersW
CryptExportKey
CryptGenKey
CryptGetHashParam
CryptGetKeyParam
CryptGetProvParam
CryptGetUserKey
CryptHashData
CryptImportKey
CryptReleaseContext
CryptSetHashParam
CryptSetKeyParam
CryptSetProvParam
CryptSignHashW
DeleteService
DuplicateTokenEx
FreeSid
GetLengthSid
GetNumberOfEventLogRecords
GetSidSubAuthority
GetSidSubAuthorityCount
GetTokenInformation
IsTextUnicode
IsValidSid
LookupAccountNameW
LookupAccountSidW
LookupPrivilegeNameW
LookupPrivilegeValueW
LsaClose
LsaEnumerateTrustedDomainsEx
LsaFreeMemory
LsaOpenPolicy
LsaOpenSecret
LsaQueryInformationPolicy
LsaQuerySecret
LsaQueryTrustedDomainInfoByName
LsaRetrievePrivateData
OpenEventLogW
OpenProcessToken
OpenSCManagerW
OpenServiceW
OpenThreadToken
QueryServiceObjectSecurity
QueryServiceStatusEx
RegCloseKey
RegEnumKeyExW
RegEnumValueW
RegOpenKeyExW
RegQueryInfoKeyW
RegQueryValueExW
RegSetValueExW
RegisterServiceCtrlHandlerW
SetServiceObjectSecurity
SetServiceStatus
SetThreadToken
StartServiceCtrlDispatcherW
StartServiceW
SystemFunction001
SystemFunction005
SystemFunction006
SystemFunction007
SystemFunction013
SystemFunction024
SystemFunction025
SystemFunction032

crypt32

CertAddCertificateContextToStore
CertAddEncodedCertificateToStore
CertCloseStore
CertEnumCertificatesInStore
CertEnumSystemStore
CertFindCertificateInStore
CertFreeCertificateContext
CertGetCertificateContextProperty
CertGetNameStringW
CertNameToStrW
CertOpenStore
CertSetCertificateContextProperty
CryptAcquireCertificatePrivateKey
CryptBinaryToStringW
CryptEncodeObject
CryptExportPublicKeyInfo
CryptProtectData
CryptSignAndEncodeCertificate
CryptStringToBinaryW
CryptUnprotectData
PFXExportCertStoreEx

shlwapi

PathCanonicalizeW
PathCombineW
PathFindFileNameW
PathIsDirectoryW
PathIsRelativeW

netapi32

DsEnumerateDomainTrustsW
DsGetDcNameW
I_NetServerAuthenticate2
I_NetServerReqChallenge
I_NetServerTrustPasswordsGet
NetApiBufferFree
NetRemoteTOD
NetServerGetInfo
NetSessionEnum
NetShareEnum
NetStatisticsGet
NetWkstaUserEnum

rpcrt4

I_RpcBindingInqSecurityContext
I_RpcGetCurrentCallHandle
MesDecodeIncrementalHandleCreate
MesEncodeIncrementalHandleCreate
MesHandleFree
MesIncrementalHandleReset
NdrClientCall2
NdrMesTypeAlignSize2
NdrMesTypeDecode2
NdrMesTypeEncode2
NdrMesTypeFree2
NdrServerCall2
RpcBindingFree
RpcBindingFromStringBindingW
RpcBindingInqAuthClientW
RpcBindingSetAuthInfoExW
RpcBindingSetOption
RpcBindingToStringBindingW
RpcBindingVectorFree
RpcEpRegisterW
RpcEpResolveBinding
RpcEpUnregister
RpcImpersonateClient
RpcMgmtEpEltInqBegin
RpcMgmtEpEltInqDone
RpcMgmtEpEltInqNextW
RpcMgmtStopServerListening
RpcMgmtWaitServerListen
RpcRevertToSelf
RpcServerInqBindings
RpcServerListen
RpcServerRegisterAuthInfoW
RpcServerRegisterIf2
RpcServerUnregisterIfEx
RpcServerUseProtseqEpW
RpcStringBindingComposeW
RpcStringFreeW
UuidCreate
UuidToStringW

secur32

AcquireCredentialsHandleW
DeleteSecurityContext
EnumerateSecurityPackagesW
FreeContextBuffer
FreeCredentialsHandle
InitializeSecurityContextW
LsaCallAuthenticationPackage
LsaConnectUntrusted
LsaDeregisterLogonProcess
LsaFreeReturnBuffer
LsaLookupAuthenticationPackage
QueryContextAttributesW

user32

ChangeClipboardChain
CloseClipboard
CreateWindowExW
DefWindowProcW
DestroyWindow
DispatchMessageW
EnumClipboardFormats
GetClipboardData
GetClipboardSequenceNumber
GetKeyboardLayout
GetMessageW
IsCharAlphaNumericW
OpenClipboard
PostMessageW
RegisterClassExW
SendMessageW
SetClipboardViewer
TranslateMessage
UnregisterClassW

ole32

CoCreateInstance
CoInitializeEx
CoUninitialize

oleaut32

SysAllocString
SysFreeString
VariantInit

shell32

CommandLineToArgvW

ncrypt

NCryptEnumKeys
NCryptExportKey
NCryptFreeBuffer
NCryptFreeObject
NCryptGetProperty
NCryptImportKey
NCryptOpenKey
NCryptOpenStorageProvider
NCryptSetProperty

bcrypt

BCryptCloseAlgorithmProvider
BCryptDecrypt
BCryptDestroyKey
BCryptEncrypt
BCryptEnumRegisteredProviders
BCryptExportKey
BCryptFreeBuffer
BCryptGenerateSymmetricKey
BCryptGetProperty
BCryptImportKeyPair
BCryptOpenAlgorithmProvider
BCryptSetProperty

samlib

SamCloseHandle
SamConnect
SamEnumerateAliasesInDomain
SamEnumerateDomainsInSamServer
SamEnumerateGroupsInDomain
SamEnumerateUsersInDomain
SamFreeMemory
SamGetAliasMembership
SamGetGroupsForUser
SamGetMembersInAlias
SamGetMembersInGroup
SamLookupDomainInSamServer
SamLookupIdsInDomain
SamLookupNamesInDomain
SamOpenAlias
SamOpenDomain
SamOpenGroup
SamOpenUser
SamQueryInformationUser
SamRidToSid
SamSetInformationUser
SamiChangePasswordUser

fltlib

FilterFindFirst
FilterFindNext

dnsapi

DnsFree
DnsQuery_A

userenv

CreateEnvironmentBlock
DestroyEnvironmentBlock

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

winsta

WinStationCloseServer
WinStationConnectW
WinStationEnumerateW
WinStationFreeMemory
WinStationOpenServerW
WinStationQueryInformationW

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 127KB - Virtual size: 126KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 243KB - Virtual size: 249KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 26KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.00cfg
Size: 512B - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gehcont
Size: 512B - Virtual size: 60B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gxfg
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.retplne
Size: 512B - Virtual size: 140B

.voltbl
Size: 512B - Virtual size: 49B

_RDATA
Size: 512B - Virtual size: 244B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 93KB - Virtual size: 92KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

ac55e8da98447d67905d85bbd85bb62b

Headers

DLL Characteristics

File Characteristics

Imports

winscard

wldap32

kernel32

ntdll

msasn1

hid

setupapi

cabinet

cryptdll

advapi32

crypt32

shlwapi

netapi32

rpcrt4

secur32

user32

ole32

oleaut32

shell32

ncrypt

bcrypt

samlib

fltlib

dnsapi

userenv

version

winsta

Sections

.text Size: 1.1MB - Virtual size: 1.1MB

.rdata Size: 127KB - Virtual size: 126KB

.data Size: 243KB - Virtual size: 249KB

.pdata Size: 26KB - Virtual size: 25KB

.00cfg Size: 512B - Virtual size: 48B

.gehcont Size: 512B - Virtual size: 60B

.gxfg Size: 10KB - Virtual size: 9KB

.retplne Size: 512B - Virtual size: 140B

.voltbl Size: 512B - Virtual size: 49B

_RDATA Size: 512B - Virtual size: 244B

.rsrc Size: 93KB - Virtual size: 92KB

.reloc Size: 7KB - Virtual size: 6KB

.text
Size: 1.1MB - Virtual size: 1.1MB

.rdata
Size: 127KB - Virtual size: 126KB

.data
Size: 243KB - Virtual size: 249KB

.pdata
Size: 26KB - Virtual size: 25KB

.00cfg
Size: 512B - Virtual size: 48B

.gehcont
Size: 512B - Virtual size: 60B

.gxfg
Size: 10KB - Virtual size: 9KB

.retplne
Size: 512B - Virtual size: 140B

.voltbl
Size: 512B - Virtual size: 49B

_RDATA
Size: 512B - Virtual size: 244B

.rsrc
Size: 93KB - Virtual size: 92KB

.reloc
Size: 7KB - Virtual size: 6KB