SHA256: 843b2c2e7a631c393a2763dd03d02166cee0631c07d10dae0a2e6a5816280dd8
File name: mimikatz
Detection ratio: 44 / 57
Analysis date: 2016-11-23 14:32:40 UTC ( 5 months ago )
Antivirus Result Update
Ad-Aware Gen:Variant.Application.Hacktool.Mimikatz.1 20161123
AegisLab Hacktool.W32.Mimikatz!c 20161123
Antiy-AVL HackTool/Win32.Mimikatz 20161123
Arcabit Trojan.Application.Hacktool.Mimikatz.1 20161123
Avast Win32:Malware-gen 20161123
AVG HackTool.ARKP 20161123
Avira (no cloud) SPR/Hacktool.304128 20161123
AVware Trojan.Win32.Generic!BT 20161123
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9673 20161123
BitDefender Gen:Variant.Application.Hacktool.Mimikatz.1 20161123
CAT-QuickHeal Hacktool.Mikatz 20161123
Comodo UnclassifiedMalware 20161122
CrowdStrike Falcon (ML) malicious_confidence_88% (D) 20161024
Cyren W32/Mimikatz.A.gen!Eldorado 20161123
DrWeb Tool.Mimikatz.23 20161123
ESET-NOD32 a variant of Win32/RiskWare.Mimikatz.A 20161123
F-Prot W32/Mimikatz.A.gen!Eldorado 20161123
F-Secure Gen:Variant.Application.Hacktool 20161123
Fortinet Riskware/Mimikatz 20161123
GData Gen:Variant.Application.Hacktool.Mimikatz.1 20161123
Ikarus Exploit.Win32.Palsas 20161123
Invincea trojan.win32.qadars.a 20161018
Jiangmin HackTool.Mimikatz.ix 20161123
K7AntiVirus Riskware ( 004dc65a1 ) 20161123
K7GW Riskware ( 004dc65a1 ) 20161123
Kaspersky Trojan-PSW.Win32.Mimikatz.gen 20161123
Malwarebytes HackTool.Mimikatz 20161123
McAfee HTool-Mimikatz 20161123
McAfee-GW-Edition BehavesLike.Win32.Rootkit.dh 20161123
Microsoft HackTool:Win64/Mikatz!dha 20161123
eScan Gen:Variant.Application.Hacktool.Mimikatz.1 20161123
NANO-Antivirus Trojan.Win32.Mimikatz.eaazeb 20161123
Panda Trj/Genetic.gen 20161122
Qihoo-360 Win32/Trojan.e6d 20161123
Rising Trojan.Generic-YO2NJ4RA9iK (cloud) 20161123
Sophos Mimikatz Exploit Utility (PUA) 20161123
SUPERAntiSpyware Hack.Tool/Gen-Mimikatz 20161123
Symantec Hacktool.Mimikatz 20161123
Tencent Win32.Trojan-qqpass.Qqrob.Ebqd 20161123
TrendMicro HKTL_MIMIKATZ 20161123
TrendMicro-HouseCall HKTL_MIMIKATZ 20161123
VIPRE Trojan.Win32.Generic!BT 20161123
Yandex Riskware.HackTool!VgREXm7a4uU 20161123
Zillya Tool.Mimikatz.Win32.258 20161122
AhnLab-V3 20161123
Alibaba 20161123
ALYac 20161123
Bkav 20161123
ClamAV 20161123
CMC 20161123
Emsisoft 20161123
Kingsoft 20161123
nProtect 20161123
TheHacker 20161122
TotalDefense 20161123
Trustlook 20161123
VBA32 20161123
ViRobot 20161123
WhiteArmor 20161018
Zoner 20161123
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows command line subsystem.
FileVersionInfo properties
Copyright Copyright (c) 2007 - 2015 gentilkiwi (Benjamin DELPY)
Product mimikatz
Original name mimikatz.exe
Internal name mimikatz
File version 2.0.0.0
Description mimikatz for Windows
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2015-11-12 23:44:26
Entry Point 0x0001D912
Number of sections 5
PE sections
PE imports
CryptDestroyKey
LsaQueryTrustedDomainInfoByName
RegCloseKey
LookupAccountSidW
DuplicateTokenEx
QueryServiceObjectSecurity
CopySid
CryptSetHashParam
OpenServiceW
ControlService
CryptEncrypt
CreateProcessWithLogonW
ClearEventLogW
GetNumberOfEventLogRecords
DeleteService
OpenThreadToken
CryptHashData
RegQueryValueExW
CryptImportKey
CryptCreateHash
CloseServiceHandle
IsTextUnicode
CryptGetKeyParam
CreateWellKnownSid
OpenProcessToken
LsaClose
LsaEnumerateTrustedDomainsEx
RegOpenKeyExW
CreateProcessAsUserW
SetServiceObjectSecurity
CryptDuplicateKey
SystemFunction032
OpenEventLogW
LsaRetrievePrivateData
LsaOpenPolicy
CryptGenKey
ConvertSidToStringSidW
CreateServiceW
GetTokenInformation
LsaFreeMemory
CryptReleaseContext
CryptAcquireContextA
CryptGetUserKey
RegQueryInfoKeyW
RegEnumKeyExW
CryptGenRandom
CryptAcquireContextW
GetSidSubAuthority
BuildSecurityDescriptorW
GetSidSubAuthorityCount
SetThreadToken
GetLengthSid
ConvertStringSidToSidW
CryptDecrypt
CryptGetProvParam
CryptDestroyHash
CryptEnumProvidersW
LsaQueryInformationPolicy
RegEnumValueW
StartServiceW
RegSetValueExW
CryptSetKeyParam
FreeSid
CryptGetHashParam
CredEnumerateW
OpenSCManagerW
CryptExportKey
AllocateAndInitializeSid
CheckTokenMembership
QueryServiceStatusEx
SystemFunction025
SystemFunction005
SystemFunction006
SystemFunction007
CredFree
CryptUnprotectData
CertEnumCertificatesInStore
CryptAcquireCertificatePrivateKey
CertOpenStore
PFXExportCertStoreEx
CertAddEncodedCertificateToStore
CertAddCertificateContextToStore
CertFreeCertificateContext
CertCloseStore
CryptProtectData
CertGetCertificateContextProperty
CertGetNameStringW
CertSetCertificateContextProperty
CryptBinaryToStringW
CertEnumSystemStore
HidD_GetPreparsedData
HidD_GetHidGuid
HidD_FreePreparsedData
HidP_GetCaps
HidD_GetAttributes
DeviceIoControl
GetStdHandle
GetConsoleOutputCP
ReadFile
VirtualAllocEx
TerminateThread
LoadLibraryW
GetLastError
WaitForSingleObject
FreeLibrary
VirtualProtect
GetTickCount
OutputDebugStringA
SetConsoleCursorPosition
FlushFileBuffers
GetFileAttributesW
SetConsoleOutputCP
RtlUnwind
FillConsoleOutputCharacterW
CreateRemoteThread
VirtualFree
GetCurrentProcess
FileTimeToLocalFileTime
GetCurrentDirectoryW
SetConsoleCtrlHandler
GetCurrentProcessId
WriteProcessMemory
OpenProcess
VirtualQueryEx
GetDateFormatW
UnhandledExceptionFilter
ReadProcessMemory
GetProcAddress
GetConsoleScreenBufferInfo
InterlockedCompareExchange
VirtualProtectEx
GetCurrentThread
CreateFileMappingW
SetConsoleTitleW
GetTimeFormatW
GetFileSizeEx
CreateThread
MapViewOfFile
SetFilePointer
FileTimeToSystemTime
FindNextFileW
GetModuleHandleA
SetUnhandledExceptionFilter
WriteFile
CloseHandle
GetSystemTimeAsFileTime
FindFirstFileW
TerminateProcess
DuplicateHandle
GetModuleHandleW
InterlockedExchange
LocalFree
IsWow64Process
QueryPerformanceCounter
SetCurrentDirectoryW
UnmapViewOfFile
CreateFileW
VirtualQuery
CreateProcessW
FindClose
Sleep
VirtualFreeEx
GetCurrentThreadId
VirtualAlloc
LocalAlloc
SetLastError
DsGetDcNameW
NetApiBufferFree
RpcBindingFree
NdrClientCall2
RpcBindingSetAuthInfoExW
RpcBindingFromStringBindingW
RpcStringBindingComposeW
I_RpcBindingInqSecurityContext
RpcBindingSetOption
RpcStringFreeW
SamOpenDomain
SamQueryInformationUser
SamLookupNamesInDomain
SamConnect
SamEnumerateDomainsInSamServer
SamEnumerateUsersInDomain
SamCloseHandle
SamLookupDomainInSamServer
SamGetGroupsForUser
SamRidToSid
SamGetAliasMembership
SamLookupIdsInDomain
SamOpenUser
SamFreeMemory
SetupDiEnumDeviceInterfaces
SetupDiGetDeviceInterfaceDetailW
SetupDiGetClassDevsW
SetupDiDestroyDeviceInfoList
CommandLineToArgvW
PathCanonicalizeW
PathIsRelativeW
PathCombineW
LsaConnectUntrusted
QueryContextAttributesW
LsaDeregisterLogonProcess
LsaLookupAuthenticationPackage
LsaFreeReturnBuffer
FreeContextBuffer
LsaCallAuthenticationPackage
GetKeyboardLayout
IsCharAlphaNumericW
CDLocateCSystem
MD5Final
MD5Update
CDLocateCheckSum
MD5Init
CDGenerateRandomBits
_wpgmptr
__wgetmainargs
malloc
_initterm
__p__fmode
ferror
realloc
wcstoul
memset
fclose
mbtowc
_stricmp
_controlfp
wcstombs
_setmode
isdigit
fflush
__pioinfo
_except_handler3
_itoa
iswctype
_errno
isxdigit
_wcsdup
wctomb
vfwprintf
exit
_XcptFilter
_fileno
_snprintf
__setusermatherr
wcsrchr
_amsg_exit
_cexit
_wcsicmp
isleadbyte
?terminate@@YAXXZ
vwprintf
wcschr
__p__commode
free
wcsstr
_isatty
_wfopen
calloc
_write
memcpy
_lseeki64
__badioinfo
_read
isspace
_wcsnicmp
__mb_cur_max
ungetc
wcstol
_exit
__set_app_type
localeconv
fgetws
_iob
RtlDowncaseUnicodeString
RtlInitUnicodeString
RtlAppendUnicodeStringToString
RtlStringFromGUID
NtTerminateProcess
RtlFreeAnsiString
RtlUnicodeStringToAnsiString
RtlGetNtVersionNumbers
NtQueryObject
RtlGUIDFromString
RtlUpcaseUnicodeString
NtQuerySystemInformation
RtlAnsiStringToUnicodeString
RtlEqualUnicodeString
RtlEqualString
RtlFreeUnicodeString
RtlCreateUserThread
NtResumeProcess
NtQueryInformationProcess
RtlAdjustPrivilege
NtSuspendProcess
RtlGetCurrentPeb
Number of PE resources by type
RT_ICON 3
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 5
PE resources
ExifTool file metadata
SpecialBuild kiwi flavor !
SubsystemVersion 5.0
InitializedDataSize 162304
ImageVersion 0.0
ProductName mimikatz
FileVersionNumber 2.0.0.0
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
LinkerVersion 9.0
PrivateBuild Build with love for POC only
FileTypeExtension exe
OriginalFileName mimikatz.exe
MIMEType application/octet-stream
Subsystem Windows command line
FileVersion 2.0.0.0
TimeStamp 2015:11:13 00:44:26+01:00
FileType Win32 EXE
PEType PE32
InternalName mimikatz
ProductVersion 2.0.0.0
FileDescription mimikatz for Windows
OSVersion 5.0
FileOS Windows NT
LegalCopyright Copyright (c) 2007 - 2015 gentilkiwi (Benjamin DELPY)
MachineType Intel 386 or later, and compatibles
CompanyName gentilkiwi (Benjamin DELPY)
CodeSize 142336
FileSubtype 0
ProductVersionNumber 2.0.0.0
EntryPoint 0x1d912
ObjectFileType Executable application
Compressed bundles
File identification
MD5 f547e6f4376eb0879123f02b911e0230
SHA1 4d614f63af33c1fdf65c87db1817865d100a1e4c
SHA256 843b2c2e7a631c393a2763dd03d02166cee0631c07d10dae0a2e6a5816280dd8
ssdeep 6144:liTEqJgoEV4zigjrpBw65TXNEPNMNI60A8ATIPeFiG:liTgoEV1gXw6xXhiG
authentihash dae0efa1381f9f1393174a7d4dcb6f1cf3207466a78cea74d51b2c767ee8272a
imphash deac4bbe7a972b0087757440b203f934
File size 297.0 KB ( 304128 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (console) Intel 80386 32-bit
TrID Win64 Executable (generic) (64.6%)
Win32 Dynamic Link Library (generic) (15.4%)
Win32 Executable (generic) (10.5%)
Generic Win/DOS Executable (4.6%)
DOS Executable Generic (4.6%)
Tags peexe
VirusTotal metadata
First submission 2015-11-13 15:12:44 UTC ( 1 year, 5 months ago )
Last submission 2016-09-21 07:34:02 UTC ( 7 months ago )
File names mimikatz.exe, filename, mimikatz, 937868
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Runtime DLLs