SHA256: 843b2c2e7a631c393a2763dd03d02166cee0631c07d10dae0a2e6a5816280dd8
File name: mimikatz
Detection ratio: 48 / 64
Analysis date: 2017-07-14 04:59:05 UTC ( 1 week, 1 day ago )
Antivirus | Result | Update
Ad-Aware | Gen:Variant.Application.Hacktool.Mimikatz.1 | 20170714
AegisLab | Hacktool.W32.Mimikatz!c | 20170714
Antiy-AVL | HackTool/Win32.Mimikatz | 20170714
Arcabit | Trojan.Application.Hacktool.Mimikatz.1 | 20170714
Avast | Win32:Malware-gen | 20170714
AVG | Win32:Malware-gen | 20170714
AVware | Trojan.Win32.Generic!BT | 20170714
Baidu | Win32.Trojan.WisdomEyes.16070401.9500.9673 | 20170713
BitDefender | Gen:Variant.Application.Hacktool.Mimikatz.1 | 20170714
CAT-QuickHeal | Hacktool.Mikatz | 20170713
Comodo | UnclassifiedMalware | 20170714
CrowdStrike Falcon (ML) | malicious_confidence_100% (W) | 20170710
Cylance | Unsafe | 20170714
Cyren | W32/Mimikatz.A.gen!Eldorado | 20170714
DrWeb | Tool.Mimikatz.23 | 20170714
Emsisoft | Gen:Variant.Application.Hacktool.Mimikatz.1 (B) | 20170714
Endgame | malicious (high confidence) | 20170713
ESET-NOD32 | a variant of Win32/RiskWare.Mimikatz.A | 20170714
F-Prot | W32/Mimikatz.A.gen!Eldorado | 20170714
F-Secure | Gen:Variant.Application.Hacktool | 20170714
Fortinet | Riskware/Mimikatz | 20170629
GData | Gen:Variant.Application.Hacktool.Mimikatz.1 | 20170714
Ikarus | Exploit.Win32.Palsas | 20170713
Jiangmin | HackTool.Mimikatz.ix | 20170714
K7AntiVirus | Riskware ( 004dc65a1 ) | 20170714
K7GW | Riskware ( 004dc65a1 ) | 20170714
Kaspersky | Trojan-PSW.Win32.Mimikatz.gen | 20170714
Malwarebytes | HackTool.Mimikatz | 20170714
MAX | malware (ai score=73) | 20170714
McAfee | HTool-MimiKatz | 20170714
McAfee-GW-Edition | BehavesLike.Win32.Rootkit.dh | 20170714
Microsoft | HackTool:Win64/Mikatz!dha | 20170714
eScan | Gen:Variant.Application.Hacktool.Mimikatz.1 | 20170714
NANO-Antivirus | Trojan.Win32.Mimikatz.eaazeb | 20170714
Panda | Trj/GdSda.A | 20170713
Rising | Trojan.Generic (cloud:YO2NJ4RA9iK) | 20170714
SentinelOne (Static ML) | static engine - malicious | 20170516
Sophos AV | Mimikatz Exploit Utility (PUA) | 20170714
SUPERAntiSpyware | Hack.Tool/Gen-Mimikatz | 20170714
Symantec | Hacktool.Mimikatz | 20170714
Tencent | Win32.Trojan-qqpass.Qqrob.Ebqd | 20170714
TrendMicro | HKTL_MIMIKATZ | 20170714
TrendMicro-HouseCall | HKTL_MIMIKATZ | 20170714
VIPRE | Trojan.Win32.Generic!BT | 20170714
Webroot | W32.Hacktool.Gen | 20170714
Yandex | Riskware.HackTool!VgREXm7a4uU | 20170713
Zillya | Tool.Mimikatz.Win32.258 | 20170713
ZoneAlarm by Check Point | Trojan-PSW.Win32.Mimikatz.gen | 20170714
AhnLab-V3 | | 20170714
Alibaba | | 20170714
ALYac | | 20170714
Avira (no cloud) | | 20170713
Bkav | | 20170713
ClamAV | | 20170714
CMC | | 20170713
Sophos ML | | 20170607
Kingsoft | | 20170714
nProtect | | 20170714
Palo Alto Networks (Known Signatures) | | 20170714
Qihoo-360 | | 20170714
Symantec Mobile Insight | | 20170713
TheHacker | | 20170712
TotalDefense | | 20170714
Trustlook | | 20170714
VBA32 | | 20170713
ViRobot | | 20170714
WhiteArmor | | 20170713
Zoner | | 20170714
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows command line subsystem.
FileVersionInfo properties
Copyright: Copyright (c) 2007 - 2015 gentilkiwi (Benjamin DELPY)
Product: mimikatz
Original name: mimikatz.exe
Internal name: mimikatz
File version: 2.0.0.0
Description: mimikatz for Windows
PE header basic information
Target machine: Intel 386 or later processors and compatible processors
Compilation timestamp: 2015-11-12 23:44:26
Entry Point: 0x0001D912
Number of sections: 5
PE sections
PE imports
CryptDestroyKey
LsaQueryTrustedDomainInfoByName
RegCloseKey
LookupAccountSidW
DuplicateTokenEx
QueryServiceObjectSecurity
CopySid
CryptSetHashParam
OpenServiceW
ControlService
CryptEncrypt
CreateProcessWithLogonW
ClearEventLogW
GetNumberOfEventLogRecords
DeleteService
OpenThreadToken
CryptHashData
RegQueryValueExW
CryptImportKey
CryptCreateHash
CloseServiceHandle
IsTextUnicode
CryptGetKeyParam
CreateWellKnownSid
OpenProcessToken
LsaClose
LsaEnumerateTrustedDomainsEx
RegOpenKeyExW
CreateProcessAsUserW
SetServiceObjectSecurity
CryptDuplicateKey
SystemFunction032
OpenEventLogW
LsaRetrievePrivateData
LsaOpenPolicy
CryptGenKey
ConvertSidToStringSidW
CreateServiceW
GetTokenInformation
LsaFreeMemory
CryptReleaseContext
CryptAcquireContextA
CryptGetUserKey
RegQueryInfoKeyW
RegEnumKeyExW
CryptGenRandom
CryptAcquireContextW
GetSidSubAuthority
BuildSecurityDescriptorW
GetSidSubAuthorityCount
SetThreadToken
GetLengthSid
ConvertStringSidToSidW
CryptDecrypt
CryptGetProvParam
CryptDestroyHash
CryptEnumProvidersW
LsaQueryInformationPolicy
RegEnumValueW
StartServiceW
RegSetValueExW
CryptSetKeyParam
FreeSid
CryptGetHashParam
CredEnumerateW
OpenSCManagerW
CryptExportKey
AllocateAndInitializeSid
CheckTokenMembership
QueryServiceStatusEx
SystemFunction025
SystemFunction005
SystemFunction006
SystemFunction007
CredFree
CryptUnprotectData
CertEnumCertificatesInStore
CryptAcquireCertificatePrivateKey
CertOpenStore
PFXExportCertStoreEx
CertAddEncodedCertificateToStore
CertAddCertificateContextToStore
CertFreeCertificateContext
CertCloseStore
CryptProtectData
CertGetCertificateContextProperty
CertGetNameStringW
CertSetCertificateContextProperty
CryptBinaryToStringW
CertEnumSystemStore
HidD_GetPreparsedData
HidD_GetHidGuid
HidD_FreePreparsedData
HidP_GetCaps
HidD_GetAttributes
DeviceIoControl
GetStdHandle
GetConsoleOutputCP
ReadFile
VirtualAllocEx
TerminateThread
LoadLibraryW
GetLastError
WaitForSingleObject
FreeLibrary
VirtualProtect
GetTickCount
OutputDebugStringA
SetConsoleCursorPosition
FlushFileBuffers
GetFileAttributesW
SetConsoleOutputCP
RtlUnwind
FillConsoleOutputCharacterW
CreateRemoteThread
VirtualFree
GetCurrentProcess
FileTimeToLocalFileTime
GetCurrentDirectoryW
SetConsoleCtrlHandler
GetCurrentProcessId
WriteProcessMemory
OpenProcess
VirtualQueryEx
GetDateFormatW
UnhandledExceptionFilter
ReadProcessMemory
GetProcAddress
GetConsoleScreenBufferInfo
InterlockedCompareExchange
VirtualProtectEx
GetCurrentThread
CreateFileMappingW
SetConsoleTitleW
GetTimeFormatW
GetFileSizeEx
CreateThread
MapViewOfFile
SetFilePointer
FileTimeToSystemTime
FindNextFileW
GetModuleHandleA
SetUnhandledExceptionFilter
WriteFile
CloseHandle
GetSystemTimeAsFileTime
FindFirstFileW
TerminateProcess
DuplicateHandle
GetModuleHandleW
InterlockedExchange
LocalFree
IsWow64Process
QueryPerformanceCounter
SetCurrentDirectoryW
UnmapViewOfFile
CreateFileW
VirtualQuery
CreateProcessW
FindClose
Sleep
VirtualFreeEx
GetCurrentThreadId
VirtualAlloc
LocalAlloc
SetLastError
DsGetDcNameW
NetApiBufferFree
RpcBindingFree
NdrClientCall2
RpcBindingSetAuthInfoExW
RpcBindingFromStringBindingW
RpcStringBindingComposeW
I_RpcBindingInqSecurityContext
RpcBindingSetOption
RpcStringFreeW
SamOpenDomain
SamQueryInformationUser
SamLookupNamesInDomain
SamConnect
SamEnumerateDomainsInSamServer
SamEnumerateUsersInDomain
SamCloseHandle
SamLookupDomainInSamServer
SamGetGroupsForUser
SamRidToSid
SamGetAliasMembership
SamLookupIdsInDomain
SamOpenUser
SamFreeMemory
SetupDiEnumDeviceInterfaces
SetupDiGetDeviceInterfaceDetailW
SetupDiGetClassDevsW
SetupDiDestroyDeviceInfoList
CommandLineToArgvW
PathCanonicalizeW
PathIsRelativeW
PathCombineW
LsaConnectUntrusted
QueryContextAttributesW
LsaDeregisterLogonProcess
LsaLookupAuthenticationPackage
LsaFreeReturnBuffer
FreeContextBuffer
LsaCallAuthenticationPackage
GetKeyboardLayout
IsCharAlphaNumericW
CDLocateCSystem
MD5Final
MD5Update
CDLocateCheckSum
MD5Init
CDGenerateRandomBits
_wpgmptr
__wgetmainargs
malloc
_initterm
__p__fmode
ferror
realloc
wcstoul
memset
fclose
mbtowc
_stricmp
_controlfp
wcstombs
_setmode
isdigit
fflush
__pioinfo
_except_handler3
_itoa
iswctype
_errno
isxdigit
_wcsdup
wctomb
vfwprintf
exit
_XcptFilter
_fileno
_snprintf
__setusermatherr
wcsrchr
_amsg_exit
_cexit
_wcsicmp
isleadbyte
?terminate@@YAXXZ
vwprintf
wcschr
__p__commode
free
wcsstr
_isatty
_wfopen
calloc
_write
memcpy
_lseeki64
__badioinfo
_read
isspace
_wcsnicmp
__mb_cur_max
ungetc
wcstol
_exit
__set_app_type
localeconv
fgetws
_iob
RtlDowncaseUnicodeString
RtlInitUnicodeString
RtlAppendUnicodeStringToString
RtlStringFromGUID
NtTerminateProcess
RtlFreeAnsiString
RtlUnicodeStringToAnsiString
RtlGetNtVersionNumbers
NtQueryObject
RtlGUIDFromString
RtlUpcaseUnicodeString
NtQuerySystemInformation
RtlAnsiStringToUnicodeString
RtlEqualUnicodeString
RtlEqualString
RtlFreeUnicodeString
RtlCreateUserThread
NtResumeProcess
NtQueryInformationProcess
RtlAdjustPrivilege
NtSuspendProcess
RtlGetCurrentPeb
Number of PE resources by type
RT_ICON: 3
RT_VERSION: 1
RT_GROUP_ICON: 1
Number of PE resources by language
ENGLISH US: 5
PE resources
ExifTool file metadata
SpecialBuild: kiwi flavor !
SubsystemVersion: 5.0
LinkerVersion: 9.0
ImageVersion: 0.0
FileSubtype: 0
FileVersionNumber: 2.0.0.0
LanguageCode: English (U.S.)
FileFlagsMask: 0x003f
FileDescription: mimikatz for Windows
CharacterSet: Unicode
InitializedDataSize: 162304
PrivateBuild: Build with love for POC only
EntryPoint: 0x1d912
OriginalFileName: mimikatz.exe
MIMEType: application/octet-stream
LegalCopyright: Copyright (c) 2007 - 2015 gentilkiwi (Benjamin DELPY)
FileVersion: 2.0.0.0
TimeStamp: 2015:11:13 00:44:26+01:00
FileType: Win32 EXE
PEType: PE32
InternalName: mimikatz
ProductVersion: 2.0.0.0
UninitializedDataSize: 0
OSVersion: 5.0
FileOS: Windows NT
Subsystem: Windows command line
MachineType: Intel 386 or later, and compatibles
CompanyName: gentilkiwi (Benjamin DELPY)
CodeSize: 142336
ProductName: mimikatz
ProductVersionNumber: 2.0.0.0
FileTypeExtension: exe
ObjectFileType: Executable application
Compressed bundles
File identification
MD5: f547e6f4376eb0879123f02b911e0230
SHA1: 4d614f63af33c1fdf65c87db1817865d100a1e4c
SHA256: 843b2c2e7a631c393a2763dd03d02166cee0631c07d10dae0a2e6a5816280dd8
ssdeep: 6144:liTEqJgoEV4zigjrpBw65TXNEPNMNI60A8ATIPeFiG:liTgoEV1gXw6xXhiG
authentihash: dae0efa1381f9f1393174a7d4dcb6f1cf3207466a78cea74d51b2c767ee8272a
imphash: deac4bbe7a972b0087757440b203f934
File size: 297.0 KB ( 304128 bytes )
File type: Win32 EXE
Magic literal: PE32 executable for MS Windows (console) Intel 80386 32-bit
TrID: Win64 Executable (generic) (64.6%)
      Win32 Dynamic Link Library (generic) (15.4%)
      Win32 Executable (generic) (10.5%)
      Generic Win/DOS Executable (4.6%)
      DOS Executable Generic (4.6%)
Tags: peexe
VirusTotal metadata
First submission: 2015-11-13 15:12:44 UTC ( 1 year, 8 months ago )
Last submission: 2016-09-21 07:34:02 UTC ( 10 months ago )
File names: mimikatz.exe, filename, mimikatz, 937868
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Runtime DLLs