Analisado por: Jay Garcia   
 Modificado por: : Mc Justine De Guzman

 Plataforma:

Windows

 Classificao do risco total:
 Potencial de dano:
 Potencial de distribuição:
 infecção relatada:
 Exposição das informações:
Baixo
Medium
Alto
Crítico

  • Tipo de grayware:
    Hacking Tool

  • Destrutivo:
    Não

  • Criptografado:
    Sim

  • In the Wild:
    Sim

  Visão geral

Canal de infecção: Eliminado por otro tipo de malware, Descargado de Internet

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. Puede haberlo infiltrado otro malware.

  Detalhes técnicos

Tipo de compactação: 862,720 bytes
Tipo de arquivo: EXE
Residente na memória: Não
Data de recebimento das amostras iniciais: 24 de setembro de 2020

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Puede haberlo infiltrado el malware siguiente:

  • Ransom.Win32.ZHEN.THIBDBO

Otros detalles

Hace lo siguiente:

  • It has the following modules with different capabilities:
    • standard - contains common commands to operate the tool such as exit, cls, cd
    • privilege - used to manipulate privilege/rights
    • crypto - uses CryptoAPI functions which has the capability to list and export certificates
    • sekurlsa - has the capability to extract Windows passwords, keys, pin codes, tickets
    • kerberos - uses Microsoft Kerberos API which has the capability to manipulate Kerberos tickets
    • lsadump - has the capability to dump Windows credentials
    • vault - used to manipulate vault credentials
    • token - used to manipulate Windows authentication tokens
    • event - used to clear/drop event logs
    • ts - contains remote desktop capabilities
    • process - used to manipulate processes
    • service - used to manipulate services
    • net - used to display information about Windows users
    • misc - contains miscellaneous commands such as open cmd, open regedit and open taskmanager
    • sid - used to manipulate SID(Security Identifiers)
    • minesweeper - helps read the location of the mines on the game 'minesweeper' straight from memory
    • dpapi - used to work with DPAPI (Data Protection Application Programming Interface)
    • busylight - provides additional information for and control of connected BusyLights
    • system environment - provides the ability to manage system environment variables
    • rpc - provides remote control of mimikatz
    • sr98 - RF module for SR98 device and T5577 target
    • rdm - RF module for RDM(830 AL) device
    • acr - ACR module

  Solução

Mecanismo de varredura mínima: 9.850
SSAPI Pattern File: 1.993.00
SSAPI Pattern Release Date: 28 de agosto de 2018

Step 2

Los usuarios de Windows ME y XP, antes de llevar a cabo cualquier exploración, deben comprobar que tienen desactivada la opción Restaurar sistema para permitir la exploración completa del equipo.

Step 3

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 4

Explorar el equipo con su producto de Trend Micro para eliminar los archivos detectados como HackTool.Win32.MIMIKATZ.SMGD En caso de que el producto de Trend Micro ya haya limpiado, eliminado o puesto en cuarentena los archivos detectados, no serán necesarios más pasos. Puede optar simplemente por eliminar los archivos en cuarentena. Consulte esta página de Base de conocimientos para obtener más información.


Participe da nossa pesquisa!