SHA256: d5ba21ae92e13bfa6daab80c3df7230d77ea3e8060da93453d374fc72317b69c
File name: mimikatz.exe
Detection ratio: 5 / 41
Analysis date: 2012-07-05 12:21:12 UTC ( 5 years, 4 months ago )
Antivirus Result Update
CAT-QuickHeal HackTool.Mimikatz (Not a Virus) 20120705
PCTools Hacktool.Mimikatz 20120705
Sophos AV Mimikatz Exploit Utility 20120705
Symantec Hacktool.Mimikatz 20120705
VIPRE Trojan.Win32.Generic!BT 20120705
AntiVir 20120705
Antiy-AVL 20120705
Avast 20120705
AVG 20120705
BitDefender 20120705
ByteHero 20120613
ClamAV 20120705
Commtouch 20120705
Comodo 20120705
DrWeb 20120705
Emsisoft 20120705
eSafe 20120704
F-Prot 20120705
F-Secure 20120705
Fortinet 20120705
GData 20120705
Ikarus 20120705
Jiangmin 20120705
K7AntiVirus 20120704
Kaspersky 20120705
McAfee 20120705
McAfee-GW-Edition 20120705
Microsoft 20120705
NOD32 20120705
Norman 20120705
nProtect 20120705
Panda 20120705
Rising 20120705
SUPERAntiSpyware 20120705
TheHacker 20120704
TotalDefense 20120705
TrendMicro 20120705
TrendMicro-HouseCall 20120704
VBA32 20120705
ViRobot 20120705
VirusBuster 20120704
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows command line subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
Copyright (C) 2012 Gentil Kiwi

Publisher Benjamin Delpy
Product mimikatz
Internal name mimikatz
File version 1.0.0.0
Description mimikatz pour Windows
Signature verification Signed file, verified signature
Signing date 4:26 PM 6/18/2012
Signers
[+] Benjamin Delpy
Status
Issuer None
Valid from 10:46 AM 6/28/2011
Valid to 10:46 AM 6/28/2014
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint AB9E92B943ED47D915BC26939E24A58303ACAA7E
Serial number 11 21 69 41 7A 1C 3E F4 6A 30 1F 99 38 5F 50 68 0F A0
[+] GlobalSign CodeSigning CA - G2
Status
Issuer None
Valid from 11:00 AM 4/13/2011
Valid to 11:00 AM 4/13/2019
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 9000401777DD2B43393D7B594D2FF4CBA4516B38
Serial number 04 00 00 00 00 01 2F 4E E1 35 5C
[+] GlobalSign
Status
Issuer None
Valid from 1:00 PM 9/1/1998
Valid to 1:00 PM 1/28/2028
Valid usage Server Auth, Client Auth, Code Signing, Email Protection, Timestamp Signing, OCSP Signing, EFS, IPSEC Tunnel, IPSEC User, IPSEC IKE Intermediate
Algorithm sha1RSA
Thumbprint B1BC968BD4F49D622AA89A81F2150152A41D829C
Serial number 04 00 00 00 00 01 15 4B 5A C3 94
Counter signers
[+] GlobalSign Time Stamping Authority
Status
Issuer None
Valid from 10:32 AM 12/21/2009
Valid to 10:32 AM 12/22/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint AEDF7DF76BBA2410D67DBAF18F5BA15B417E496C
Serial number 01 00 00 00 00 01 25 B0 B4 CC 01
[+] GlobalSign Timestamping CA
Status
Issuer None
Valid from 12:00 PM 3/18/2009
Valid to 1:00 PM 1/28/2028
Valid usage All
Algorithm sha1RSA
Thumbprint 958D23902D5448314F2F811034356A58255CDC9B
Serial number 04 00 00 00 00 01 20 19 C1 90 66
[+] GlobalSign
Status
Issuer None
Valid from 1:00 PM 9/1/1998
Valid to 1:00 PM 1/28/2028
Valid usage Server Auth, Client Auth, Code Signing, Email Protection, Timestamp Signing, OCSP Signing, EFS, IPSEC Tunnel, IPSEC User, IPSEC IKE Intermediate
Algorithm sha1RSA
Thumbprint B1BC968BD4F49D622AA89A81F2150152A41D829C
Serial number 04 00 00 00 00 01 15 4B 5A C3 94
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2012-06-18 15:22:56
Entry Point 0x0003AC7F
Number of sections 5
PE sections
Overlays
MD5 ec1affd778dc96bb1fc2ffcccfc44309
File type data
Offset 549888
Size 7152
Entropy 7.47
PE imports
CryptDestroyKey
RegCloseKey
LookupAccountSidW
DuplicateTokenEx
OpenSCManagerW
ConvertSidToStringSidW
OpenServiceW
AdjustTokenPrivileges
ControlService
LookupPrivilegeValueW
DeleteService
RegQueryValueExW
CloseServiceHandle
CryptGetKeyParam
OpenProcessToken
DeregisterEventSource
RegOpenKeyExW
SetServiceObjectSecurity
RegisterEventSourceA
CreateServiceW
GetTokenInformation
LookupPrivilegeNameW
CryptReleaseContext
EnumServicesStatusExW
CryptAcquireContextW
BuildSecurityDescriptorW
IsTextUnicode
CryptGetProvParam
StartServiceW
CryptGetUserKey
RevertToSelf
CryptEnumProvidersW
FreeSid
CredFree
CredEnumerateW
QueryServiceObjectSecurity
CryptExportKey
AllocateAndInitializeSid
ImpersonateLoggedOnUser
CreateProcessWithLogonW
ReportEventA
CertEnumCertificatesInStore
CryptAcquireCertificatePrivateKey
CertOpenStore
CertFreeCertificateContext
CertCloseStore
CertAddCertificateContextToStore
CertGetCertificateContextProperty
CertGetNameStringW
CertEnumSystemStore
PFXExportCertStoreEx
GetStdHandle
WaitForSingleObject
CreateJobObjectW
EncodePointer
SetConsoleCursorPosition
GetProcessId
DisconnectNamedPipe
GetCurrentProcess
GetConsoleMode
GetLocaleInfoA
ExitProcess
FreeEnvironmentStringsW
GetLocaleInfoW
SetStdHandle
WideCharToMultiByte
InterlockedExchange
WriteFile
GetSystemTimeAsFileTime
Thread32First
HeapReAlloc
GetStringTypeW
ConnectNamedPipe
GetOEMCP
LocalFree
FormatMessageW
ResumeThread
InitializeCriticalSection
InterlockedDecrement
SetLastError
OpenThread
WriteProcessMemory
GetModuleFileNameW
IsDebuggerPresent
HeapAlloc
HeapSetInformation
EnumSystemLocalesA
UnhandledExceptionFilter
TlsGetValue
MultiByteToWideChar
TerminateJobObject
SetFilePointer
DeleteCriticalSection
SetUnhandledExceptionFilter
Module32NextW
IsProcessorFeaturePresent
DecodePointer
SetEnvironmentVariableA
TerminateProcess
SetEndOfFile
GetVersion
LeaveCriticalSection
WriteConsoleW
CreateToolhelp32Snapshot
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
SetHandleCount
TerminateThread
LoadLibraryW
GetVersionExW
FreeLibrary
QueryPerformanceCounter
GetTickCount
TlsAlloc
VirtualProtect
FlushFileBuffers
FillConsoleOutputCharacterW
RtlUnwind
CreateRemoteThread
OpenProcess
GetStartupInfoW
ReadProcessMemory
GetUserDefaultLCID
GetConsoleScreenBufferInfo
VirtualProtectEx
GetProcessHeap
AssignProcessToJobObject
GetComputerNameExW
Thread32Next
IsValidLocale
DuplicateHandle
GetProcAddress
CreateFileW
GetFileType
TlsSetValue
CreateFileA
GetCurrentThreadId
InterlockedIncrement
GetNativeSystemInfo
GetLastError
LCMapStringW
VirtualAllocEx
CreateNamedPipeW
GetConsoleCP
CompareStringW
GetEnvironmentStringsW
Process32NextW
Module32FirstW
GetCurrentDirectoryW
VirtualFreeEx
GetCurrentProcessId
GetCommandLineW
GetCPInfo
HeapSize
InterlockedCompareExchange
Process32FirstW
SuspendThread
SetConsoleTitleW
RaiseException
TlsFree
GetModuleHandleA
ReadFile
CloseHandle
GetACP
GetModuleHandleW
IsValidCodePage
HeapCreate
CreateProcessW
Sleep
IsBadReadPtr
GetModuleInformation
PathCanonicalizeW
PathIsRelativeW
PathCombineW
GetUserNameExW
GetUserObjectInformationW
PostThreadMessageW
WaitForInputIdle
GetDesktopWindow
MessageBoxA
GetProcessWindowStation
WTSOpenServerW
WTSCloseServer
WTSEnumerateProcessesW
WTSFreeMemory
WTSEnumerateSessionsW
Number of PE resources by type
RT_ICON 11
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
FRENCH 13
PE resources
ExifTool file metadata
SubsystemVersion 5.1
InitializedDataSize 216064
ImageVersion 0.0
ProductName mimikatz
FileVersionNumber 1.0.0.0
UninitializedDataSize 0
LanguageCode French
FileFlagsMask 0x003f
CharacterSet Unicode
LinkerVersion 10.0
FileTypeExtension exe
MIMEType application/octet-stream
Subsystem Windows command line
FileVersion 1.0.0.0
TimeStamp 2012:06:18 16:22:56+01:00
FileType Win32 EXE
PEType PE32
InternalName mimikatz
ProductVersion 1.0.0.0
FileDescription mimikatz pour Windows
OSVersion 5.1
FileOS Windows NT 32-bit
LegalCopyright Copyright (C) 2012 Gentil Kiwi
MachineType Intel 386 or later, and compatibles
CompanyName Gentil Kiwi
CodeSize 348160
FileSubtype 0
ProductVersionNumber 1.0.0.0
EntryPoint 0x3ac7f
ObjectFileType Executable application
File identification
MD5 c6939f0bdda9f37a804650019d602c4f
SHA1 cbf3be0f3f8008551f18e628a5bad218da3fd072
SHA256 d5ba21ae92e13bfa6daab80c3df7230d77ea3e8060da93453d374fc72317b69c
ssdeep 12288:ftvkhqC8LSbWIvqN8YZtdaNRxkLeVxRlkbzMvo9oHTOfJ:ftvkzNYHdqRxNVxgbz8o9oHmJ
authentihash 8e0fa77ddc0e68137dac973c9bce1102ad4d11bead75049ad9740a417f37f0c8
imphash 8c5f50e4f0bc5d7f5117959349c272cf
File size 544.0 KB ( 557040 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (console) Intel 80386 32-bit
TrID Win32 Dynamic Link Library (generic) (43.5%)
Win32 Executable (generic) (29.8%)
Generic Win/DOS Executable (13.2%)
DOS Executable Generic (13.2%)
Tags peexe signed overlay
VirusTotal metadata
First submission 2012-06-19 15:32:00 UTC ( 5 years, 5 months ago )
Last submission 2016-01-13 06:46:48 UTC ( 1 year, 10 months ago )
File names mimikatz
mimikatz.exe
d5ba21ae92e13bfa6daab80c3df7230d77ea3e8060da93453d374fc72317b69c.vir
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Runtime DLLs
UDP communications