Field | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Compilation Date | 2020-Feb-29 10:13:28 |
Detected languages | English - United States |
ProductName | mimikatz |
ProductVersion | 2.2.0.0 |
CompanyName | gentilkiwi (Benjamin DELPY) |
FileDescription | mimikatz for Windows |
FileVersion | 2.2.0.0 |
InternalName | mimikatz |
LegalCopyright | Copyright (c) 2007 - 2020 gentilkiwi (Benjamin DELPY) |
OriginalFilename | mimikatz.exe |
PrivateBuild | Build with love for POC only |
SpecialBuild | :) |

Level | Finding | Details |
---|---|---|
Info | Matching compiler(s): | Microsoft Visual C++ 6.0 - 8.0; MASM/TASM - sig2(h); MASM/TASM - sig1(h) |
Suspicious | PEiD Signature: | UPolyX V0.1 -> Delikon |
Suspicious | Strings found in the binary may indicate undesirable behavior: | Contains references to system / monitoring tools; Contains strings from Mimikatz |
Info | Libraries used to perform cryptographic operations: | Microsoft's Cryptography API |
Malicious | The PE contains functions mostly used by malware. | [!] The program may be hiding some of its imports: |
Info | The PE is digitally signed. | Signer: Open Source Developer; Issuer: Certum Code Signing CA SHA2 |
Malicious | VirusTotal score: 55/70 (Scanned on 2023-01-23 16:51:33) | Per-engine detections listed below |

Engine | Detection |
---|---|
MicroWorld-eScan | Trojan.Mimikatz.B |
ClamAV | Win.Tool.Mimikatz-9862700-0 |
FireEye | Generic.mg.46f366e3ee36c05a |
CAT-QuickHeal | HackTool.Mimikatz.S13719266 |
ALYac | Trojan.Mimikatz.B |
Cylance | Unsafe |
Sangfor | Trojan.Win32.Save.a |
K7AntiVirus | Riskware ( 004f0b6d1 ) |
Alibaba | Trojan:Win32/Mimikatz.4b2 |
K7GW | Riskware ( 004f0b6d1 ) |
Cybereason | malicious.3ee36c |
BitDefenderTheta | Gen:NN.ZexaF.36212.8u2@a0Ld2bai |
VirIT | PUP.Win32.Delpy.B |
Cyren | W32/Mimikatz.A.gen!Eldorado |
Symantec | Hacktool.Mimikatz |
Elastic | Windows.Hacktool.Mimikatz |
ESET-NOD32 | a variant of Win32/RiskWare.Mimikatz.BC |
APEX | Malicious |
Cynet | Malicious (score: 100) |
Kaspersky | Trojan-PSW.Win32.Mimikatz.gen |
BitDefender | Trojan.Mimikatz.B |
NANO-Antivirus | Trojan.Win32.Mimikatz.hddnuq |
SUPERAntiSpyware | Trojan.Agent/Gen-Mimikatz |
Avast | Win32:Malware-gen |
Tencent | Malware.Win32.Gencirc.10bd6eef |
Emsisoft | Trojan.Mimikatz.B (B) |
DrWeb | Tool.Mimikatz.704 |
VIPRE | Trojan.Mimikatz.B |
TrendMicro | HKTL_MIMIKATZ |
McAfee-GW-Edition | HTool-Mimikatz |
Sophos | Mal/Generic-R + ATK/Apteryx-Gen |
GData | Win32.Riskware.Mimikatz.F |
Jiangmin | Trojan.PSW.Mimikatz.bgi |
Webroot | W32.Hacktool.Mimikatz |
Avira | HEUR/AGEN.1216257 |
MAX | malware (ai score=100) |
Antiy-AVL | Trojan[PSW]/Win32.Mimikatz |
Kingsoft | Win32.PSWTroj.Mimikatz.g.(kcloud) |
Gridinsoft | Hack.Mimikatz.ka!c |
Xcitium | Malware@#3p7xsaxu4ql8i |
Arcabit | Trojan.Mimikatz.B |
ZoneAlarm | Trojan-PSW.Win32.Mimikatz.gen |
Microsoft | HackTool:Win32/Mimikatz.D |
Google | Detected |
AhnLab-V3 | Trojan/Win32.RL_Mimikatz.R290617 |
McAfee | HTool-Mimikatz |
VBA32 | BScope.TrojanPSW.Mimikatz |
Malwarebytes | Mimikatz.Spyware.Stealer.DDS |
TrendMicro-HouseCall | HKTL_MIMIKATZ |
Rising | HackTool.Mimikatz!1.B3A8 (CLASSIC) |
Ikarus | HackTool.Mimikatz |
MaxSecure | Trojan.Malware.9460437.susgen |
Fortinet | Riskware/Mimikatz |
AVG | Win32:Malware-gen |
Panda | HackingTool/Mimikatz |

DOS header field | Value |
---|---|
e_magic | MZ |
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0x118 |

PE file header field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 5 |
TimeDateStamp | 2020-Feb-29 10:13:28 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE |

Optional header field | Value |
---|---|
Magic | PE32 |
LinkerVersion | 9.0 |
SizeOfCode | 0x93800 |
SizeOfInitializedData | 0x5d000 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x0008E242 (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0x95000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 5.0 |
ImageVersion | 0.0 |
SubsystemVersion | 5.0 |
Win32VersionValue | 0 |
SizeOfImage | 0xf4000 |
SizeOfHeaders | 0x400 |
Checksum | 0x102bb0 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |

Library | Imported functions |
---|---|
ADVAPI32.dll | CryptSetHashParam, CryptGetHashParam, CryptExportKey, CryptAcquireContextW, CryptSetKeyParam, CryptGetKeyParam, CryptReleaseContext, CryptDuplicateKey, CryptAcquireContextA, CryptGetProvParam, CryptImportKey, SystemFunction007, CryptEncrypt, CryptCreateHash, CryptGenKey, CryptDestroyKey, CryptDecrypt, CryptDestroyHash, CryptHashData, CopySid, GetLengthSid, LsaQueryInformationPolicy, LsaOpenPolicy, LsaClose, CreateWellKnownSid, CreateProcessWithLogonW, CreateProcessAsUserW, RegQueryValueExW, RegQueryInfoKeyW, RegEnumValueW, RegOpenKeyExW, RegEnumKeyExW, RegCloseKey, RegSetValueExW, SystemFunction032, ConvertSidToStringSidW, CreateServiceW, CloseServiceHandle, DeleteService, OpenSCManagerW, SetServiceObjectSecurity, OpenServiceW, BuildSecurityDescriptorW, QueryServiceObjectSecurity, StartServiceW, AllocateAndInitializeSid, QueryServiceStatusEx, FreeSid, ControlService, IsTextUnicode, OpenProcessToken, GetTokenInformation, LookupAccountNameW, LookupAccountSidW, DuplicateTokenEx, CheckTokenMembership, CryptSetProvParam, CryptEnumProvidersW, ConvertStringSidToSidW, LsaFreeMemory, GetSidSubAuthority, GetSidSubAuthorityCount, IsValidSid, SetThreadToken, CryptEnumProviderTypesW, SystemFunction006, CryptGetUserKey, OpenEventLogW, GetNumberOfEventLogRecords, ClearEventLogW, SystemFunction001, CryptDeriveKey, SystemFunction005, LsaQueryTrustedDomainInfoByName, CryptSignHashW, LsaOpenSecret, LsaQuerySecret, SystemFunction013, LsaRetrievePrivateData, LsaEnumerateTrustedDomainsEx, LookupPrivilegeValueW, StartServiceCtrlDispatcherW, SetServiceStatus, RegisterServiceCtrlHandlerW, LookupPrivilegeNameW, OpenThreadToken, CredFree, CredEnumerateW, SystemFunction025, ConvertStringSecurityDescriptorToSecurityDescriptorW, SystemFunction024, CredIsMarshaledCredentialW, CredUnmarshalCredentialW |
Cabinet.dll | #11, #14, #10, #13 |
CRYPT32.dll | CertFindCertificateInStore, CertEnumSystemStore, CertEnumCertificatesInStore, CertAddCertificateContextToStore, CryptDecodeObjectEx, CertAddEncodedCertificateToStore, CertOpenStore, CertFreeCertificateContext, CertCloseStore, CertSetCertificateContextProperty, PFXExportCertStoreEx, CryptUnprotectData, CryptBinaryToStringW, CryptBinaryToStringA, CryptStringToBinaryW, CryptExportPublicKeyInfo, CryptFindOIDInfo, CryptAcquireCertificatePrivateKey, CertNameToStrW, CryptStringToBinaryA, CertGetCertificateContextProperty, CryptSignAndEncodeCertificate, CryptEncodeObject, CryptProtectData, CryptQueryObject, CertGetNameStringW |
cryptdll.dll | MD5Init, MD5Update, MD5Final, CDLocateCSystem, CDGenerateRandomBits, CDLocateCheckSum |
DNSAPI.dll | DnsFree, DnsQuery_A |
FLTLIB.DLL | FilterFindFirst, FilterFindNext |
NETAPI32.dll | NetServerGetInfo, NetStatisticsGet, NetShareEnum, DsEnumerateDomainTrustsW, DsGetDcNameW, NetApiBufferFree, NetRemoteTOD, NetSessionEnum, NetWkstaUserEnum |
ole32.dll | CoInitializeEx, CoUninitialize, CoCreateInstance |
OLEAUT32.dll | VariantInit, SysFreeString, SysAllocString |
RPCRT4.dll | RpcMgmtEpEltInqNextW, RpcMgmtEpEltInqBegin, I_RpcGetCurrentCallHandle, NdrClientCall2, RpcMgmtEpEltInqDone, RpcBindingFromStringBindingW, RpcStringBindingComposeW, MesEncodeIncrementalHandleCreate, RpcBindingSetAuthInfoExW, RpcBindingInqAuthClientW, RpcBindingSetOption, RpcImpersonateClient, RpcBindingFree, RpcStringFreeW, RpcRevertToSelf, MesDecodeIncrementalHandleCreate, MesHandleFree, MesIncrementalHandleReset, NdrMesTypeDecode2, NdrMesTypeAlignSize2, NdrMesTypeFree2, NdrMesTypeEncode2, RpcServerUnregisterIfEx, I_RpcBindingInqSecurityContext, RpcServerInqBindings, RpcServerListen, RpcMgmtWaitServerListen, RpcEpRegisterW, RpcMgmtStopServerListening, RpcBindingToStringBindingW, RpcServerRegisterIf2, RpcServerRegisterAuthInfoW, RpcBindingVectorFree, UuidToStringW, RpcServerUseProtseqEpW, RpcEpUnregister, NdrServerCall2, RpcEpResolveBinding, UuidCreate |
SHLWAPI.dll | PathIsDirectoryW, PathCanonicalizeW, PathCombineW, PathFindFileNameW, PathIsRelativeW |
SAMLIB.dll | SamEnumerateGroupsInDomain, SamiChangePasswordUser, SamSetInformationUser, SamGetGroupsForUser, SamConnect, SamGetMembersInGroup, SamRidToSid, SamGetMembersInAlias, SamEnumerateAliasesInDomain, SamGetAliasMembership, SamOpenGroup, SamQueryInformationUser, SamCloseHandle, SamEnumerateDomainsInSamServer, SamFreeMemory, SamEnumerateUsersInDomain, SamOpenUser, SamLookupDomainInSamServer, SamLookupNamesInDomain, SamLookupIdsInDomain, SamOpenDomain, SamOpenAlias |
Secur32.dll | QueryContextAttributesW, FreeContextBuffer, LsaConnectUntrusted, LsaLookupAuthenticationPackage, LsaFreeReturnBuffer, DeleteSecurityContext, LsaCallAuthenticationPackage, FreeCredentialsHandle, EnumerateSecurityPackagesW, AcquireCredentialsHandleW, InitializeSecurityContextW, LsaDeregisterLogonProcess |
SHELL32.dll | CommandLineToArgvW |
USER32.dll | IsCharAlphaNumericW, GetKeyboardLayout, DispatchMessageW, DefWindowProcW, SetClipboardViewer, SendMessageW, GetClipboardSequenceNumber, OpenClipboard, CreateWindowExW, ChangeClipboardChain, GetClipboardData, RegisterClassExW, TranslateMessage, EnumClipboardFormats, PostMessageW, UnregisterClassW, GetMessageW, CloseClipboard, DestroyWindow |
USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock |
VERSION.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW |
HID.DLL | HidD_GetFeature, HidD_GetPreparsedData, HidD_GetHidGuid, HidD_GetAttributes, HidD_FreePreparsedData, HidP_GetCaps, HidD_SetFeature |
SETUPAPI.dll | SetupDiGetDeviceInterfaceDetailW, SetupDiEnumDeviceInterfaces, SetupDiGetClassDevsW, SetupDiDestroyDeviceInfoList |
WinSCard.dll | SCardControl, SCardTransmit, SCardDisconnect, SCardGetAttrib, SCardEstablishContext, SCardFreeMemory, SCardListReadersW, SCardReleaseContext, SCardGetCardTypeProviderNameW, SCardListCardsW, SCardConnectW |
WINSTA.dll | WinStationCloseServer, WinStationOpenServerW, WinStationFreeMemory, WinStationConnectW, WinStationQueryInformationW, WinStationEnumerateW |
WLDAP32.dll | #203, #140, #122, #14, #157, #88, #133, #27, #147, #167, #127, #96, #304, #309, #54, #142, #77, #13, #208, #145, #36, #79, #41, #73, #310, #139, #97, #223, #12, #113, #301, #224, #26, #69 |
advapi32.dll | A_SHAFinal, A_SHAInit, A_SHAUpdate |
msasn1.dll | ASN1_CreateModule, ASN1BERDotVal2Eoid, ASN1_CloseEncoder, ASN1_CreateDecoder, ASN1_FreeEncoded, ASN1_CloseModule, ASN1_CreateEncoder, ASN1_CloseDecoder |
ntdll.dll | RtlUnicodeStringToAnsiString, RtlFreeAnsiString, RtlDowncaseUnicodeString, RtlFreeUnicodeString, RtlInitUnicodeString, RtlEqualUnicodeString, NtQueryObject, RtlCompressBuffer, RtlGetCompressionWorkSpaceSize, NtQuerySystemInformation, RtlGetCurrentPeb, NtQueryInformationProcess, RtlCreateUserThread, RtlGUIDFromString, RtlStringFromGUID, NtCompareTokens, RtlGetNtVersionNumbers, RtlEqualString, RtlUpcaseUnicodeString, RtlAppendUnicodeStringToString, RtlAnsiStringToUnicodeString, RtlFreeOemString, RtlUpcaseUnicodeStringToOemString, NtResumeProcess, RtlAdjustPrivilege, NtSuspendProcess, NtTerminateProcess, NtQuerySystemEnvironmentValueEx, NtSetSystemEnvironmentValueEx, NtEnumerateSystemEnvironmentValuesEx, RtlIpv4AddressToStringW, RtlIpv6AddressToStringW |
netapi32.dll | I_NetServerAuthenticate2, I_NetServerTrustPasswordsGet, I_NetServerReqChallenge |
KERNEL32.dll | GetFileSize, HeapReAlloc, GetFullPathNameA, GetFullPathNameW, GetTimeFormatW, WideCharToMultiByte, GetSystemTimeAsFileTime, SystemTimeToFileTime, GetDateFormatW, InterlockedExchange, SetFilePointerEx, GetProcessId, PurgeComm, ClearCommError, CreateRemoteThread, WaitForSingleObject, SetLastError, CreateProcessW, SetConsoleOutputCP, GetConsoleOutputCP, CreateFileMappingW, UnmapViewOfFile, MapViewOfFile, WriteProcessMemory, VirtualProtect, VirtualAllocEx, VirtualProtectEx, VirtualAlloc, ReadProcessMemory, VirtualFreeEx, VirtualQueryEx, VirtualFree, VirtualQuery, GetComputerNameExW, DeviceIoControl, DuplicateHandle, OpenProcess, GetCurrentProcess, ExpandEnvironmentStringsW, FindNextFileW, FindClose, GetCurrentDirectoryW, GetFileSizeEx, FlushFileBuffers, GetFileAttributesW, FindFirstFileW, lstrlenW, DeleteFileA, GetTempPathA, GetFileInformationByHandle, FileTimeToLocalFileTime, GetCurrentDirectoryA, GetTempFileNameA, SetFilePointer, CreateFileA, FileTimeToDosDateTime, CreateThread, CreateMutexW, CloseHandle, LocalAlloc, GetLastError, CreateFileW, ReadFile, Sleep, TerminateThread, WriteFile, FileTimeToSystemTime, SetEndOfFile, FreeLibrary, HeapAlloc, QueryPerformanceCounter, HeapFree, InterlockedCompareExchange, UnlockFile, FlushViewOfFile, LockFile, WaitForSingleObjectEx, OutputDebugStringW, GetTickCount, UnlockFileEx, GetProcessHeap, FormatMessageA, LoadLibraryW, HeapCompact, FormatMessageW, GetVersionExW, HeapDestroy, GetFileAttributesA, HeapCreate, HeapValidate, MultiByteToWideChar, GetTempPathW, GetProcAddress, HeapSize, LockFileEx, GetDiskFreeSpaceW, LoadLibraryA, CreateFileMappingA, GetDiskFreeSpaceA, GetSystemInfo, GetFileAttributesExW, OutputDebugStringA, GetVersionExA, DeleteFileW, GetCurrentProcessId, GetSystemTime, AreFileApisANSI, ExitProcess, RaiseException, SetConsoleCtrlHandler, SetConsoleTitleW, lstrlenA, GlobalSize, GetModuleHandleW, SetHandleInformation, CreatePipe, InitializeCriticalSection, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, SetEvent, CreateEventW, GetCurrentThreadId, GetModuleHandleA, GetVersion, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, LocalFree, RtlUnwind, GetSystemDirectoryW, SetConsoleCursorPosition, GetTimeZoneInformation, GetStdHandle, FillConsoleOutputCharacterW, GetComputerNameW, ProcessIdToSessionId, GetCurrentThread, SetCurrentDirectoryW, IsWow64Process, GetConsoleScreenBufferInfo |
msvcrt.dll | calloc, __set_app_type, isdigit, _read, _lseeki64, mbtowc, __mb_cur_max, isleadbyte, isxdigit, localeconv, _snprintf, _itoa, wctomb, ferror, iswctype, wcstombs, _write, _isatty, ungetc, ?terminate@@YAXXZ, _controlfp, __badioinfo, __pioinfo, __p__fmode, isspace, _wcsicmp, __p__commode, __setusermatherr, _amsg_exit, _initterm, _errno, free, _wcsdup, _vsnprintf, strrchr, _except_handler3, vfwprintf, _vscwprintf, fflush, _wfopen, wprintf, _fileno, _iob, vwprintf, _setmode, fclose, _stricmp, wcsrchr, wcschr, strtoul, _wcsnicmp, wcsstr, _vscprintf, memmove, strncmp, malloc, _msize, strcspn, realloc, fgetws, wcstoul, wcstol, towupper, _wpgmptr, strstr, strchr, _wcstoui64, wcsncmp, getchar, memset, memcpy, __wgetmainargs, _cexit, _exit, _XcptFilter, exit |
bcrypt.dll (delay-loaded) | BCryptEncrypt, BCryptOpenAlgorithmProvider, BCryptKeyDerivation, BCryptGenerateSymmetricKey, BCryptCloseAlgorithmProvider, BCryptDecrypt, BCryptSetProperty, BCryptDestroyKey, BCryptGetProperty, BCryptImportKeyPair, BCryptExportKey, BCryptFreeBuffer, BCryptEnumRegisteredProviders |

Delay-load descriptor field | Value |
---|---|
Attributes | 0x1 |
Name | bcrypt.dll |
ModuleHandle | 0xe6800 |
DelayImportAddressTable | 0xe6790 |
DelayImportNameTable | 0xdeb3c |
BoundDelayImportTable | 0xded90 |
UnloadDelayImportTable | 0 |
TimeStamp | 1970-Jan-01 00:00:00 |

Version resource field | Value |
---|---|
Signature | 0xfeef04bd |
StructVersion | 0x10000 |
FileVersion | 2.2.0.0 |
ProductVersion | 2.2.0.0 |
FileFlags | VS_FF_PRERELEASE, VS_FF_PRIVATEBUILD, VS_FF_SPECIALBUILD |
FileOs | VOS_NT, VOS_NT_WINDOWS32, VOS_WINCE |
FileType | VFT_APP |
Language | English - United States |
ProductName | mimikatz |
ProductVersion (#2) | 2.2.0.0 |
CompanyName | gentilkiwi (Benjamin DELPY) |
FileDescription | mimikatz for Windows |
FileVersion (#2) | 2.2.0.0 |
InternalName | mimikatz |
LegalCopyright | Copyright (c) 2007 - 2020 gentilkiwi (Benjamin DELPY) |
OriginalFilename | mimikatz.exe |
PrivateBuild | Build with love for POC only |
SpecialBuild | :) |
Resource LangID | English - United States |

Rich header entry | Value |
---|---|
XOR Key | 0xca2952eb |
Unmarked objects | 0 |
ASM objects (VS2008 SP1 build 30729) | 16 |
C++ objects (VS2008 SP1 build 30729) | 14 |
Imports (VS2008 SP1 build 30729) | 2 |
C objects (VS2008 SP1 build 30729) | 67 |
Imports (VS2010 SP1 build 40219) | 2 |
Imports (VS2012 UPD4 build 61030) | 4 |
Imports (VS2012 UPD2 build 60315) | 2 |
C objects (VS2003 (.NET) build 4035) | 2 |
C++ objects (VS2008 build 21022) | 2 |
Imports (VS2003 (.NET) build 4035) | 47 |
Total imports | 626 |
126 (VS2012 build 50727 / VS2005 build 50727) | 1 |
137 (VS2008 SP1 build 30729) | 99 |
Linker (VS2008 SP1 build 30729) | 1 |
Resource objects (VS2008 SP1 build 30729) | 1 |