SHA256: 84b6cd8ccaa60a89c1375bec5044e6240d8a2db3f19fecd763749fa9a530470b
File name: kitikatz2.exe
Detection ratio: 4 / 55
Analysis date: 2015-12-13 00:42:35 UTC
Antivirus Result Update
Antiy-AVL Trojan/Generic.ASMalwS.160D364 20151213
Avast Win32:Malware-gen 20151213
AVG HackTool.ARSE 20151213
ESET-NOD32 a variant of Win32/HackTool.Mimikatz.K potentially unsafe 20151212
Ad-Aware 20151213
AegisLab 20151212
Yandex 20151212
AhnLab-V3 20151212
Alibaba 20151208
ALYac 20151213
Arcabit 20151213
Avira (no cloud) 20151212
AVware 20151212
Baidu-International 20151212
BitDefender 20151213
Bkav 20151212
ByteHero 20151213
CAT-QuickHeal 20151212
ClamAV 20151213
CMC 20151211
Comodo 20151209
Cyren 20151212
DrWeb 20151213
Emsisoft 20151213
F-Prot 20151213
F-Secure 20151211
Fortinet 20151213
GData 20151213
Ikarus 20151212
Jiangmin 20151212
K7AntiVirus 20151212
K7GW 20151212
Kaspersky 20151212
Malwarebytes 20151212
McAfee 20151213
McAfee-GW-Edition 20151212
Microsoft 20151213
eScan 20151213
NANO-Antivirus 20151212
nProtect 20151211
Panda 20151212
Qihoo-360 20151213
Rising 20151212
Sophos AV 20151212
SUPERAntiSpyware 20151212
Symantec 20151212
Tencent 20151213
TheHacker 20151211
TrendMicro 20151213
TrendMicro-HouseCall 20151213
VBA32 20151211
VIPRE 20151213
ViRobot 20151212
Zillya 20151211
Zoner 20151212
The file being studied is a Portable Executable (PE) file. More specifically, it is a Win32 EXE built for the Windows command line (console) subsystem.
FileVersionInfo properties
Copyright Copyright (c) 2007 - 2015 g@nt1lk1w1 (Benj@m1n D3lpy)
Product kitikatz
Original name kitikatz.exe
Internal name kitikatz
File version 2.0.0.0
Description kitikatz for Windows
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2015-12-13 00:35:05
Entry Point 0x0001E0C9
Number of sections 6
PE imports
CryptDestroyKey
LsaQueryTrustedDomainInfoByName
RegCloseKey
LookupAccountSidW
DuplicateTokenEx
QueryServiceObjectSecurity
CopySid
CryptSetHashParam
OpenServiceW
ControlService
CryptEncrypt
CreateProcessWithLogonW
ClearEventLogW
GetNumberOfEventLogRecords
DeleteService
OpenThreadToken
CryptHashData
RegQueryValueExW
CryptImportKey
CryptCreateHash
CloseServiceHandle
IsTextUnicode
CryptGetKeyParam
CreateWellKnownSid
OpenProcessToken
LsaClose
LsaEnumerateTrustedDomainsEx
RegOpenKeyExW
CreateProcessAsUserW
SetServiceObjectSecurity
SystemFunction036
CryptDuplicateKey
SystemFunction032
OpenEventLogW
LsaRetrievePrivateData
LsaOpenPolicy
CryptGenKey
ConvertSidToStringSidW
CreateServiceW
GetTokenInformation
LsaFreeMemory
CryptReleaseContext
CryptAcquireContextA
CryptGetUserKey
RegQueryInfoKeyW
RegEnumKeyExW
CryptGenRandom
CryptAcquireContextW
GetSidSubAuthority
BuildSecurityDescriptorW
GetSidSubAuthorityCount
SetThreadToken
GetLengthSid
ConvertStringSidToSidW
CryptDecrypt
CryptGetProvParam
CryptDestroyHash
CryptEnumProvidersW
LsaQueryInformationPolicy
RegEnumValueW
StartServiceW
RegSetValueExW
CryptSetKeyParam
FreeSid
CryptGetHashParam
CredEnumerateW
OpenSCManagerW
CryptExportKey
AllocateAndInitializeSid
CheckTokenMembership
QueryServiceStatusEx
SystemFunction025
SystemFunction005
SystemFunction006
SystemFunction007
CredFree
CryptUnprotectData
CertEnumCertificatesInStore
CryptAcquireCertificatePrivateKey
CertOpenStore
PFXExportCertStoreEx
CertAddEncodedCertificateToStore
CryptProtectData
CertFreeCertificateContext
CertCloseStore
CertAddCertificateContextToStore
CertGetCertificateContextProperty
CertGetNameStringW
CertSetCertificateContextProperty
CryptBinaryToStringW
CertEnumSystemStore
HidD_GetAttributes
HidD_GetPreparsedData
HidP_GetCaps
HidD_FreePreparsedData
HidD_GetHidGuid
GetStdHandle
GetConsoleOutputCP
FileTimeToSystemTime
WaitForSingleObject
SetEndOfFile
SetConsoleCursorPosition
GetFileAttributesW
DeleteCriticalSection
GetCurrentProcess
GetConsoleMode
LocalAlloc
FreeEnvironmentStringsW
InitializeSListHead
SetStdHandle
WideCharToMultiByte
WriteFile
GetSystemTimeAsFileTime
HeapReAlloc
GetStringTypeW
FreeLibrary
LocalFree
IsWow64Process
FindClose
TlsGetValue
SetLastError
DeviceIoControl
WriteProcessMemory
GetModuleFileNameW
IsDebuggerPresent
ExitProcess
SetConsoleOutputCP
SetConsoleCtrlHandler
UnhandledExceptionFilter
LoadLibraryExW
MultiByteToWideChar
SetFilePointerEx
CreateThread
SetEnvironmentVariableW
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
DecodePointer
TerminateProcess
GetModuleHandleExW
SetCurrentDirectoryW
VirtualQuery
VirtualQueryEx
ReadConsoleW
GetCurrentThreadId
WriteConsoleW
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
TerminateThread
LoadLibraryW
GetOEMCP
QueryPerformanceCounter
TlsAlloc
VirtualProtect
FlushFileBuffers
FillConsoleOutputCharacterW
RtlUnwind
CreateRemoteThread
OpenProcess
GetDateFormatW
GetStartupInfoW
ReadProcessMemory
GetProcAddress
GetConsoleScreenBufferInfo
VirtualProtectEx
GetProcessHeap
CreateFileMappingW
CompareStringW
GetFileSizeEx
FindNextFileW
FindFirstFileW
DuplicateHandle
FindFirstFileExW
CreateFileW
GetFileType
TlsSetValue
HeapAlloc
LeaveCriticalSection
GetLastError
LCMapStringW
VirtualAllocEx
GetConsoleCP
GetTimeFormatW
GetEnvironmentStringsW
CreateProcessW
FileTimeToLocalFileTime
GetCurrentDirectoryW
VirtualFreeEx
GetCurrentProcessId
GetCommandLineW
GetCPInfo
HeapSize
GetCommandLineA
GetCurrentThread
SetConsoleTitleW
RaiseException
MapViewOfFile
TlsFree
SetFilePointer
ReadFile
CloseHandle
GetACP
GetModuleHandleW
IsValidCodePage
UnmapViewOfFile
VirtualFree
Sleep
VirtualAlloc
DsGetDcNameW
NetApiBufferFree
RpcBindingFree
NdrClientCall2
RpcBindingSetAuthInfoExW
RpcBindingFromStringBindingW
RpcStringBindingComposeW
I_RpcBindingInqSecurityContext
RpcBindingSetOption
RpcStringFreeW
SamOpenDomain
SamQueryInformationUser
SamLookupNamesInDomain
SamOpenUser
SamEnumerateDomainsInSamServer
SamEnumerateUsersInDomain
SamCloseHandle
SamLookupDomainInSamServer
SamGetGroupsForUser
SamConnect
SamRidToSid
SamGetAliasMembership
SamLookupIdsInDomain
SamFreeMemory
SetupDiEnumDeviceInterfaces
SetupDiGetDeviceInterfaceDetailW
SetupDiGetClassDevsW
SetupDiDestroyDeviceInfoList
CommandLineToArgvW
PathIsRelativeW
PathCanonicalizeW
PathCombineW
LsaConnectUntrusted
QueryContextAttributesW
LsaDeregisterLogonProcess
LsaLookupAuthenticationPackage
LsaFreeReturnBuffer
FreeContextBuffer
LsaCallAuthenticationPackage
GetKeyboardLayout
IsCharAlphaNumericW
CDLocateCSystem
MD5Final
MD5Update
CDLocateCheckSum
MD5Init
CDGenerateRandomBits
RtlDowncaseUnicodeString
RtlInitUnicodeString
RtlAppendUnicodeStringToString
RtlStringFromGUID
NtTerminateProcess
RtlFreeAnsiString
RtlUnicodeStringToAnsiString
RtlGetNtVersionNumbers
NtQueryObject
RtlGUIDFromString
RtlUpcaseUnicodeString
NtQuerySystemInformation
RtlAnsiStringToUnicodeString
RtlEqualUnicodeString
RtlEqualString
RtlFreeUnicodeString
RtlCreateUserThread
NtResumeProcess
RtlGetCurrentPeb
RtlAdjustPrivilege
NtSuspendProcess
NtQueryInformationProcess
Number of PE resources by type
RT_ICON 3
RT_GROUP_ICON 1
RT_VERSION 1
RT_MANIFEST 1
Number of PE resources by language
ENGLISH US 6
ExifTool file metadata
SpecialBuild kiwi flavor !
SubsystemVersion 5.1
InitializedDataSize 195072
ImageVersion 0.0
ProductName kitikatz
FileVersionNumber 2.0.0.0
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
LinkerVersion 14.0
PrivateBuild Build with love for POC only
FileTypeExtension exe
OriginalFileName kitikatz.exe
MIMEType application/octet-stream
Subsystem Windows command line
FileVersion 2.0.0.0
TimeStamp 2015:12:13 01:35:05+01:00
FileType Win32 EXE
PEType PE32
InternalName kitikatz
ProductVersion 2.0.0.0
FileDescription kitikatz for Windows
OSVersion 5.1
FileOS Windows NT
LegalCopyright Copyright (c) 2007 - 2015 g@nt1lk1w1 (Benj@m1n D3lpy)
MachineType Intel 386 or later, and compatibles
CompanyName g@nt1lk1w1 (Benj@m1n D3lpy)
CodeSize 242176
FileSubtype 0
ProductVersionNumber 2.0.0.0
EntryPoint 0x1e0c9
ObjectFileType Executable application

File identification
MD5 106b1541037ebac60c07615da344a3ca
SHA1 a5d3dd45c93020a05c6453e5a18cd4e83010ada4
SHA256 84b6cd8ccaa60a89c1375bec5044e6240d8a2db3f19fecd763749fa9a530470b
ssdeep 6144:MIoUHeU7H2s3b2lQLuJskhPchJUZOi+MFEPNMNI60A8ATIPqceJ8:LoI7HaYuJsKWJwBHJ8
authentihash 6b7f76e4eaba47ab53882066099f2b4f0760b2dfbf7af2686e8e06c9200348a3
imphash 22733298923639ca1e316f947ca5d96e
File size 424.5 KB ( 434688 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (console) Intel 80386 32-bit
TrID Win32 Executable (generic) (52.9%)
Generic Win/DOS Executable (23.5%)
DOS Executable Generic (23.4%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Tags peexe
VirusTotal metadata
First submission 2015-12-13 00:42:35 UTC
Last submission 2015-12-13 00:42:35 UTC
File names kitikatz2.exe
kitikatz.exe
kitikatz
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Runtime DLLs