Sample details: 6b480fac7caca2f85be9a0cfe79aedfc

Hashes
MD5: 6b480fac7caca2f85be9a0cfe79aedfc
SHA1: a249278a668d4df30af9f5d67ebb7d2cd160beaa
SHA256: a32dc2218fb1f538fba33701dfd9ca34267fda3181e82eb58b971ae8b78f0852
SSDEEP: 768:11r1OG4n1D+TC/spVQ9pSobvWv11qlCiSvsljWVHkiMr:/r1cVFxbvo1QlLSvslaJkiMr
Details
File Type: PE32+
Added: 2018-06-20 17:35:16
Yara Hits
YRP/Microsoft_Visual_Cpp_80_DLL | YRP/IsPE64 | YRP/HasOverlay | YRP/HasDigitalSignature | YRP/HasDebugData | YRP/HasRichSignature | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/Misc_Suspicious_Strings | YRP/mimikatz | FlorianRoth/DragonFly_APT_Sep17_3
Source
http://122.147.225.142/x64/mimidrv.sys
Strings
		!This program cannot be run in DOS mode.
h.rdata
H.data
.pdata
B.reloc
SUVWATAUAVAWH
(A_A^A]A\_^][
UVWATAUH
A]A\_^]
x ATAUAVH
0A^A]A\
WATAUH
UVWATAUH
PA]A\_^]
WATAUH
0A]A\_
ATAUAVH
A^A]A\
WATAUAVAWH
A_A^A]A\_
WATAUH
HcD$hH
 A]A\_
WATAUH
@A]A\_
WATAUH
@A]A\_
WATAUH
@A]A\_
WATAUH
WATAUAVAWH
A_A^A]A\_
WATAUH
@A]A\_
UVWATAUAVAWH
A_A^A]A\_^]
fffffff
fffffff
WATAUAVAWH
)IcyHM
A;<$sn
A;<$s[H
A_A^A]A\_
mimikatz.exe
cmd.exe
c:\security\mimikatz\mimidrv\objfre_wnet_amd64\amd64\mimidrv.pdb
@SVWATAUAVAWH
t{E97s
A_A^A]A\_^[
IoDeleteSymbolicLink
NtBuildNumber
RtlInitUnicodeString
IoDeleteDevice
MmGetSystemRoutineAddress
_vsnwprintf
KeBugCheck
IofCompleteRequest
IoCreateSymbolicLink
IoCreateDevice
PsProcessType
PsGetProcessImageFileName
PsLookupProcessByProcessId
PsReferencePrimaryToken
ZwOpenProcessTokenEx
IoGetCurrentProcess
ZwSetInformationProcess
ZwClose
ZwDuplicateToken
PsInitialSystemProcess
RtlCompareMemory
ObfDereferenceObject
ObOpenObjectByPointer
PsGetProcessId
PsDereferencePrimaryToken
ExAllocatePoolWithTag
ExFreePoolWithTag
IoFreeMdl
MmProbeAndLockPages
MmUnlockPages
IoAllocateMdl
ZwUnloadKey
IoEnumerateRegisteredFiltersList
KeBugCheckEx
ntoskrnl.exe
FltObjectDereference
FltEnumerateFilters
FltEnumerateInstances
FltGetFilterInformation
FltGetVolumeFromInstance
FLTMGR.SYS
PsGetVersion
ExAllocatePoolWithQuotaTag
ZwQuerySystemInformation
RtlUnwindEx
GlobalSign nv-sa1
Root CA1
GlobalSign Root CA0
110413100000Z
190413100000Z0Q1
GlobalSign nv-sa1'0%
GlobalSign CodeSigning CA - G20
CFo~(DP
&https://www.globalsign.com/repository/03
"http://crl.globalsign.net/root.crl0
GlobalSign nv-sa1'0%
GlobalSign CodeSigning CA - G20
110628094616Z
140628094616Z0&1
Benjamin Delpy0
&https://www.globalsign.com/repository/0	
-http://crl.globalsign.com/gs/gscodesigng2.crl0P
4http://secure.globalsign.com/cacert/gscodesigng2.crt0
Washington1
Redmond1
Microsoft Corporation1)0'
 Microsoft Code Verification Root0
060523170051Z
160523171051Z0W1
GlobalSign nv-sa1
Root CA1
GlobalSign Root CA0
Dhttp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
GlobalSign nv-sa1'0%
GlobalSign CodeSigning CA - G2
$http://blog.gentilkiwi.com/mimikatz 0
$N^I;?
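Added triage helper (not code from this sample page, nor from mimikatz): it takes the indicators listed above and applies them to arbitrary bytes. It re-implements the `strings` extraction that produced the list (runs of printable ASCII, minimum length 4), checks the three file hashes, looks for the `mimidrv.pdb` debug path, and flags the kernel import cluster that the list shows (PsLookupProcessByProcessId, PsReferencePrimaryToken, ZwDuplicateToken, ZwSetInformationProcess, PsInitialSystemProcess, i.e. duplicating a token and assigning it to a process) plus the FLTMGR.SYS minifilter-enumeration imports. Treating those imports as a "token theft" cluster is a heuristic grouping, not something the page states. It also decodes the otherwise meaningless hits such as `WATAUAVAWH` and `A_A^A]A\_`: those are x64 function prologue and epilogue bytes (`push rdi; push r12..r15; REX.W ...` and `pop r15..r12; pop rdi`) read as ASCII, and `fffffff` is 0x66 padding; they are not strings the author wrote. The input blob in the block is constructed for the demonstration and is not the sample. One caveat the hits do not spell out: YRP/HasDigitalSignature is expected here, since the certificate chain in the strings names Benjamin Delpy (GlobalSign CodeSigning CA - G2, validity 2011-06-28 to 2014-06-28), so a valid signature on this driver is not evidence of legitimate use.

```python
"""Triage helper for a suspected mimidrv.sys drop.

Added example, not code from the sample page or from mimikatz. The
indicators are copied from the page; the blob built below is CONSTRUCTED
and stands in for a file under analysis.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

# Indicators copied from the sample page.
KNOWN_HASHES = {
    "md5": "6b480fac7caca2f85be9a0cfe79aedfc",
    "sha1": "a249278a668d4df30af9f5d67ebb7d2cd160beaa",
    "sha256": "a32dc2218fb1f538fba33701dfd9ca34267fda3181e82eb58b971ae8b78f0852",
}
PDB_PATH = rb"c:\security\mimikatz\mimidrv\objfre_wnet_amd64\amd64\mimidrv.pdb"

# Heuristic grouping (assumption, not from the page): these ntoskrnl imports
# together implement "look up a process, take a token, duplicate it, set it".
TOKEN_THEFT_IMPORTS = {
    b"PsLookupProcessByProcessId", b"PsReferencePrimaryToken",
    b"ZwDuplicateToken", b"ZwSetInformationProcess", b"PsInitialSystemProcess",
}
# FLTMGR.SYS imports used to walk registered minifilters.
FLTMGR_IMPORTS = {b"FltEnumerateFilters", b"FltEnumerateInstances", b"FltGetFilterInformation"}


def extract_strings(data: bytes, min_len: int = 4) -> list[bytes]:
    """Mimic `strings`: runs of printable ASCII at least min_len bytes long."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def file_hashes(data: bytes) -> dict[str, str]:
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


@dataclass
class Verdict:
    hash_match: bool
    pdb_match: bool
    token_theft_imports: set
    fltmgr_imports: set
    reasons: list = field(default_factory=list)


def triage(data: bytes) -> Verdict:
    """Apply the page's indicators to raw bytes and explain what matched."""
    hashes = file_hashes(data)
    found = set(extract_strings(data))
    v = Verdict(
        hash_match=any(hashes[k] == h for k, h in KNOWN_HASHES.items()),
        pdb_match=any(PDB_PATH in s for s in found),   # path may sit inside a longer run
        token_theft_imports=TOKEN_THEFT_IMPORTS & found,
        fltmgr_imports=FLTMGR_IMPORTS & found,
    )
    if v.hash_match:
        v.reasons.append("exact hash match")
    if v.pdb_match:
        v.reasons.append("mimidrv PDB path")
    if len(v.token_theft_imports) >= 4:       # tolerate one missing/obfuscated name
        v.reasons.append("kernel token-theft import cluster")
    if v.fltmgr_imports:
        v.reasons.append("minifilter enumeration imports")
    return v


# x64 one-byte push/pop opcodes; with a 0x41 (REX.B) prefix they address r8-r15.
_PUSHPOP = {0x53: "push rbx", 0x55: "push rbp", 0x56: "push rsi", 0x57: "push rdi",
            0x5B: "pop rbx", 0x5D: "pop rbp", 0x5E: "pop rsi", 0x5F: "pop rdi"}
_REX_B_PUSH = {0x50 + i: f"push r{8 + i}" for i in range(8)}
_REX_B_POP = {0x58 + i: f"pop r{8 + i}" for i in range(8)}


def decode_prologue(s: bytes) -> list[str]:
    """Read a `strings` hit like b'WATAUAVAWH' as the push/pop sequence it really is."""
    out, i = [], 0
    while i < len(s):
        b = s[i]
        if b == 0x41 and i + 1 < len(s) and s[i + 1] in _REX_B_PUSH | _REX_B_POP:
            out.append((_REX_B_PUSH | _REX_B_POP)[s[i + 1]])
            i += 2
        elif b in _PUSHPOP:
            out.append(_PUSHPOP[b]); i += 1
        elif b == 0x48:
            out.append("REX.W (prefix of the next instruction)"); i += 1
        else:
            out.append(f"?? {b:#04x}"); i += 1
    return out


def build_sample_blob() -> bytes:
    """CONSTRUCTED stand-in for a binary: names separated by NULs plus a fake prologue."""
    parts = [b"MZ", b"\x00" * 8, b"!This program cannot be run in DOS mode.", b"\x00" * 4,
             b"WATAUAVAWH\x83\xec\x00", PDB_PATH, b"\x00"]
    parts += [name + b"\x00" for name in sorted(TOKEN_THEFT_IMPORTS | FLTMGR_IMPORTS)]
    return b"".join(parts)


if __name__ == "__main__":
    v = triage(build_sample_blob())
    print(v.reasons)
    print(decode_prologue(b"WATAUAVAWH"))
    print(decode_prologue(rb"A_A^A]A\_"))
```

Run it against a real file with `triage(open(path, "rb").read())`; the hash check only fires on this exact sample, while the PDB path and the import cluster survive recompilation and are the parts worth carrying into a YARA rule.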