Threat Type: Hacking Tool
In the wild: Yes
Dropped by other malware, Downloaded from the Internet
This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be dropped by other malware.
24 Sep 2020
This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It may be dropped by the following malware:
This Hacking Tool does the following:
- It has the following modules with different capabilities:
- standard - contains common commands to operate the tool such as exit, cls, cd
- privilege - used to manipulate privilege/rights
- crypto - uses CryptoAPI functions which has the capability to list and export certificates
- sekurlsa - has the capability to extract Windows passwords, keys, pin codes, tickets
- kerberos - uses Microsoft Kerberos API which has the capability to manipulate Kerberos tickets
- lsadump - has the capability to dump Windows credentials
- vault - used to manipulate vault credentials
- token - used to manipulate Windows authentication tokens
- event - used to clear/drop event logs
- ts - contains remote desktop capabilities
- process - used to manipulate processes
- service - used to manipulate services
- net - used to display information about Windows users
- misc - contains miscellaneous commands such as open cmd, open regedit and open taskmanager
- sid - used to manipulate SID(Security Identifiers)
- minesweeper - helps read the location of the mines on the game 'minesweeper' straight from memory
- dpapi - used to work with DPAPI (Data Protection Application Programming Interface)
- busylight - provides additional information for and control of connected BusyLights
- system environment - provides the ability to manage system environment variables
- rpc - provides remote control of mimikatz
- sr98 - RF module for SR98 device and T5577 target
- rdm - RF module for RDM(830 AL) device
- acr - ACR module
28 Aug 2018
Trend Micro Predictive Machine Learning detects and blocks malware at the first sign of its existence, before it executes on your system. When enabled, your Trend Micro product detects this malware under the following machine learning name:
Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Scan your computer with your Trend Micro product to delete files detected as HackTool.Win32.MIMIKATZ.SMGD. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:
Did this description help? Tell us how we did.