Behavioral task: behavioral1
Sample: aa3cb43fc5f0a271908426f01a70db67bcc5fcf8233d1b2e40aa434016270d81.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: aa3cb43fc5f0a271908426f01a70db67bcc5fcf8233d1b2e40aa434016270d81.exe
Resource: win10v2004-20241007-en
General
- Target: aa3cb43fc5f0a271908426f01a70db67bcc5fcf8233d1b2e40aa434016270d81
- Size: 3.8MB
- MD5: f122de48d32bc13d3d62096b7bb486a7
- SHA1: 4bf8c39b179be2932c407eb2bf7a381da16a9c2c
- SHA256: aa3cb43fc5f0a271908426f01a70db67bcc5fcf8233d1b2e40aa434016270d81
- SHA512: 431b24dcb04bf1d0a1966e2b9292a7777d8ae40436769b86bf34a07a2a31c5a4584fe49153b0ec72addb96e49730dcecb212e0b23b724e7dabda1f7c66921d5f
- SSDEEP: 98304:v6+VOO1jvpql2QFIvOXpAE3gVTHtrZCH04QEQMnFkAbGtzWZZcgk+eLA5DbV:v6+VOON4Q2FkAq9WZ+R+b53V
Malware Config

Signatures
- Mimikatz family
- mimikatz is an open source tool to dump credentials on Windows (1 IoC)
  resource: yara_rule sample mimikatz
- Unsigned PE (1 IoC)
  Checks for missing Authenticode signature.
  resource: aa3cb43fc5f0a271908426f01a70db67bcc5fcf8233d1b2e40aa434016270d81
Files
- aa3cb43fc5f0a271908426f01a70db67bcc5fcf8233d1b2e40aa434016270d81.exe (windows:6, windows, x86, arch:x86)
  262913b09a168e0e3f1001afd75631c4
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
advapi32
CryptReleaseContext
CryptGenKey
CryptGetProvParam
CryptGetHashParam
CryptImportKey
CryptSetKeyParam
CryptDestroyHash
CryptSetHashParam
CryptHashData
CryptCreateHash
CryptExportKey
CryptDecrypt
SystemFunction007
CryptDuplicateKey
CryptEncrypt
CryptAcquireContextW
CryptGetKeyParam
CryptAcquireContextA
CryptDestroyKey
GetLengthSid
CopySid
LsaClose
LsaOpenPolicy
LsaQueryInformationPolicy
CreateWellKnownSid
CreateProcessAsUserW
CreateProcessWithLogonW
RegQueryValueExW
RegEnumValueW
RegOpenKeyExW
RegSetValueExW
RegEnumKeyExW
RegQueryInfoKeyW
RegCloseKey
SystemFunction032
ConvertSidToStringSidW
SystemFunction033
QueryServiceObjectSecurity
QueryServiceStatusEx
BuildSecurityDescriptorW
OpenServiceW
StartServiceW
FreeSid
ControlService
SetServiceObjectSecurity
DeleteService
AllocateAndInitializeSid
OpenSCManagerW
CloseServiceHandle
CreateServiceW
IsTextUnicode
GetTokenInformation
LookupAccountNameW
LookupAccountSidW
DuplicateTokenEx
CheckTokenMembership
OpenProcessToken
CryptSetProvParam
CryptEnumProvidersW
ConvertStringSidToSidW
LsaFreeMemory
IsValidSid
GetSidSubAuthority
GetSidSubAuthorityCount
SetThreadToken
SystemFunction006
CryptEnumProviderTypesW
CryptGetUserKey
OpenEventLogW
ClearEventLogW
GetNumberOfEventLogRecords
CryptSignHashW
LsaRetrievePrivateData
LsaOpenSecret
LsaQueryTrustedDomainInfoByName
CryptDeriveKey
LsaQuerySecret
SystemFunction001
SystemFunction005
LsaSetSecret
LsaEnumerateTrustedDomainsEx
SystemFunction023
LookupPrivilegeValueW
StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerW
SetServiceStatus
OpenThreadToken
LookupPrivilegeNameW
EqualSid
CredFree
CredEnumerateW
ConvertStringSecurityDescriptorToSecurityDescriptorW
SystemFunction027
SystemFunction026
SystemFunction041
CredUnmarshalCredentialW
CredIsMarshaledCredentialW
A_SHAFinal
A_SHAUpdate
A_SHAInit
cabinet
ord14
ord10
ord13
ord11
crypt32
CertGetNameStringW
CryptQueryObject
CertEnumCertificatesInStore
CertAddCertificateContextToStore
CertEnumSystemStore
CertAddEncodedCertificateToStore
CertFreeCertificateContext
CryptStringToBinaryA
CertCloseStore
PFXExportCertStoreEx
CertSetCertificateContextProperty
CertOpenStore
CryptStringToBinaryW
CryptUnprotectData
CryptBinaryToStringW
CryptBinaryToStringA
CryptAcquireCertificatePrivateKey
CryptExportPublicKeyInfo
CryptFindOIDInfo
CryptSignAndEncodeCertificate
CertNameToStrW
CryptEncodeObject
CertFindCertificateInStore
CertGetCertificateContextProperty
CryptProtectData
CryptDecodeObjectEx
cryptdll
CDGenerateRandomBits
MD5Init
MD5Update
MD5Final
CDLocateCSystem
CDLocateCheckSum
dnsapi
DnsQuery_A
DnsFree
fltlib
FilterFindNext
FilterFindFirst
mpr
WNetCancelConnection2W
WNetAddConnection2W
netapi32
DsGetDcNameW
NetApiBufferFree
NetWkstaUserEnum
NetShareEnum
NetStatisticsGet
NetRemoteTOD
NetServerGetInfo
DsEnumerateDomainTrustsW
NetSessionEnum
I_NetServerAuthenticate2
I_NetServerTrustPasswordsGet
I_NetServerReqChallenge
odbc32
ord31
ord24
ord43
ord9
ord141
ord111
ord13
ord75
ole32
CoUninitialize
CoSetProxyBlanket
CoTaskMemFree
CoInitializeEx
CoCreateInstance
oleaut32
VariantInit
VariantClear
SysFreeString
SysAllocString
rpcrt4
RpcMgmtEpEltInqDone
RpcMgmtEpEltInqBegin
RpcMgmtEpEltInqNextW
RpcBindingSetObject
I_RpcGetCurrentCallHandle
RpcBindingFree
MesIncrementalHandleReset
NdrMesTypeEncode2
NdrMesTypeDecode2
NdrMesTypeFree2
NdrMesTypeAlignSize2
RpcBindingVectorFree
RpcServerUseProtseqEpW
RpcServerUnregisterIfEx
RpcBindingToStringBindingW
UuidToStringW
RpcEpResolveBinding
RpcServerRegisterIf2
RpcMgmtWaitServerListen
RpcStringFreeW
RpcServerListen
RpcServerRegisterAuthInfoW
RpcEpUnregister
RpcEpRegisterW
RpcServerInqBindings
RpcMgmtStopServerListening
UuidCreate
NdrServerCall2
NdrClientCall2
RpcBindingSetAuthInfoW
RpcBindingInqAuthClientW
RpcBindingSetOption
RpcBindingFromStringBindingW
RpcStringBindingComposeW
RpcBindingSetAuthInfoExW
MesDecodeIncrementalHandleCreate
MesHandleFree
RpcImpersonateClient
RpcRevertToSelf
MesEncodeIncrementalHandleCreate
I_RpcBindingInqSecurityContext
shlwapi
PathFindFileNameW
PathCombineW
PathIsDirectoryW
PathIsRelativeW
UrlUnescapeW
PathCanonicalizeW
samlib
SamGetGroupsForUser
SamGetMembersInAlias
SamGetMembersInGroup
SamEnumerateGroupsInDomain
SamGetAliasMembership
SamOpenAlias
SamRidToSid
SamEnumerateAliasesInDomain
SamOpenGroup
SamSetInformationUser
SamQueryInformationUser
SamFreeMemory
SamLookupDomainInSamServer
SamCloseHandle
SamConnect
SamLookupIdsInDomain
SamiChangePasswordUser
SamOpenUser
SamEnumerateDomainsInSamServer
SamOpenDomain
SamLookupNamesInDomain
SamEnumerateUsersInDomain
secur32
LsaConnectUntrusted
QueryContextAttributesW
FreeContextBuffer
LsaDeregisterLogonProcess
LsaLookupAuthenticationPackage
LsaFreeReturnBuffer
DeleteSecurityContext
AcquireCredentialsHandleW
EnumerateSecurityPackagesW
FreeCredentialsHandle
LsaCallAuthenticationPackage
InitializeSecurityContextW
shell32
CommandLineToArgvW
user32
CreateWindowExW
IsCharAlphaNumericW
GetKeyboardLayout
GetClipboardSequenceNumber
GetClipboardData
TranslateMessage
EnumClipboardFormats
CloseClipboard
ChangeClipboardChain
DispatchMessageW
GetMessageW
DefWindowProcW
PostMessageW
DestroyWindow
SetClipboardViewer
OpenClipboard
SendMessageW
UnregisterClassW
RegisterClassExW
userenv
DestroyEnvironmentBlock
CreateEnvironmentBlock
version
GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW
hid
HidD_FreePreparsedData
HidD_GetPreparsedData
HidD_GetAttributes
HidD_GetFeature
HidD_SetFeature
HidP_GetCaps
HidD_GetHidGuid
setupapi
SetupDiGetClassDevsW
SetupDiEnumDeviceInterfaces
SetupDiDestroyDeviceInfoList
SetupDiGetDeviceInterfaceDetailW
winscard
SCardReleaseContext
SCardListCardsW
SCardEstablishContext
SCardGetCardTypeProviderNameW
SCardListReadersW
SCardFreeMemory
SCardTransmit
SCardDisconnect
SCardConnectW
SCardControl
SCardGetAttrib
winsta
WinStationFreeMemory
WinStationEnumerateW
WinStationConnectW
WinStationCloseServer
WinStationQueryInformationW
WinStationOpenServerW
wldap32
ord310
ord208
ord73
ord13
ord36
ord157
ord97
ord122
ord139
ord12
ord69
ord96
ord223
ord113
ord140
ord14
ord88
ord203
ord224
ord147
ord27
ord26
ord127
ord133
ord167
ord309
ord304
ord301
ord54
ord145
ord77
ord142
ord41
ord79
msasn1
ASN1_CloseEncoder
ASN1BERDotVal2Eoid
ASN1_FreeEncoded
ASN1_CreateEncoder
ASN1_CloseModule
ASN1_CreateDecoder
ASN1_CreateModule
ASN1_CloseDecoder
ntdll
RtlAppendUnicodeStringToString
NtOpenDirectoryObject
RtlGetNtVersionNumbers
NtCompareTokens
RtlStringFromGUID
RtlGUIDFromString
RtlCreateUserThread
RtlAnsiStringToUnicodeString
NtQueryInformationProcess
NtQuerySystemInformation
RtlCompressBuffer
RtlGetCompressionWorkSpaceSize
NtQueryObject
RtlInitUnicodeString
RtlUpcaseUnicodeString
RtlFreeOemString
RtlUpcaseUnicodeStringToOemString
RtlEqualString
RtlGetCurrentPeb
RtlIpv6AddressToStringW
RtlEqualUnicodeString
RtlDowncaseUnicodeString
RtlFreeUnicodeString
RtlUnicodeStringToAnsiString
RtlFreeAnsiString
NtResumeProcess
NtQueryDirectoryObject
RtlAdjustPrivilege
NtTerminateProcess
NtSuspendProcess
NtSetSystemEnvironmentValueEx
NtQuerySystemEnvironmentValueEx
NtEnumerateSystemEnvironmentValuesEx
RtlIpv4AddressToStringW
kernel32
ReadFile
WriteConsoleW
ReadConsoleW
GetStringTypeW
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCPInfo
GetOEMCP
GetACP
IsValidCodePage
FindFirstFileExW
SetStdHandle
GetConsoleMode
LCMapStringW
CompareStringW
GetFileType
GetModuleHandleExW
GetModuleFileNameW
GetCommandLineW
GetCommandLineA
EncodePointer
LoadLibraryExW
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
RtlUnwind
WriteFile
TerminateProcess
IsProcessorFeaturePresent
GetStartupInfoW
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
InitializeSListHead
GetCurrentThreadId
LoadLibraryExA
SetFilePointerEx
GetProcessId
GetComputerNameW
ProcessIdToSessionId
GetCurrentThread
IsWow64Process
SetConsoleCursorPosition
SetCurrentDirectoryW
FillConsoleOutputCharacterW
GetTimeZoneInformation
GetSystemDirectoryW
GetStdHandle
GetConsoleScreenBufferInfo
SetEvent
CreateEventW
DeleteCriticalSection
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
CreatePipe
SetHandleInformation
GlobalSize
SetFileAttributesW
SetConsoleTitleW
ExitProcess
RaiseException
ExitThread
SetConsoleCtrlHandler
GetTickCount
QueryPerformanceCounter
FormatMessageA
GetSystemTime
GetProcessHeap
GetCurrentProcessId
GetFileSize
LockFileEx
UnlockFile
HeapDestroy
HeapCompact
HeapAlloc
GetSystemInfo
HeapReAlloc
DeleteFileW
WaitForSingleObjectEx
LoadLibraryA
FlushViewOfFile
OutputDebugStringW
GetFileAttributesExW
GetFileAttributesA
GetDiskFreeSpaceA
FormatMessageW
MultiByteToWideChar
HeapSize
HeapValidate
CreateMutexW
GetTempPathW
UnlockFileEx
SetEndOfFile
GetFullPathNameA
LockFile
OutputDebugStringA
GetDiskFreeSpaceW
GetFullPathNameW
HeapFree
HeapCreate
AreFileApisANSI
GetDateFormatW
GetSystemTimeAsFileTime
WideCharToMultiByte
SystemTimeToFileTime
GetTimeFormatW
lstrlenA
ClearCommError
PurgeComm
CreateRemoteThread
WaitForSingleObject
CreateProcessW
SetConsoleOutputCP
GetConsoleOutputCP
MapViewOfFile
CreateFileMappingW
UnmapViewOfFile
VirtualQueryEx
VirtualQuery
VirtualFreeEx
ReadProcessMemory
VirtualAllocEx
VirtualProtectEx
VirtualAlloc
VirtualFree
SetLastError
VirtualProtect
WriteProcessMemory
GetComputerNameExW
DeviceIoControl
OpenProcess
DuplicateHandle
GetCurrentProcess
FlushFileBuffers
GetCurrentDirectoryW
GetFileAttributesW
FindClose
ExpandEnvironmentStringsW
DecodePointer
FindNextFileW
GetFileSizeEx
FindFirstFileW
lstrlenW
FreeLibrary
GetModuleHandleW
GetProcAddress
LoadLibraryW
FileTimeToDosDateTime
GetTempFileNameA
FileTimeToLocalFileTime
DeleteFileA
CreateFileA
GetTempPathA
GetFileInformationByHandle
GetCurrentDirectoryA
SetFilePointer
LocalFree
CreateThread
CloseHandle
TerminateThread
GetLastError
Sleep
CreateFileW
LocalAlloc
FileTimeToSystemTime
Sections
.text Size: 766KB - Virtual size: 766KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 393KB - Virtual size: 392KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 15KB - Virtual size: 19KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 2.6MB - Virtual size: 2.6MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 36KB - Virtual size: 35KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ