Summary | ZeroBOX

secretsdump.exe

Tags: Gen1, Generic Malware, Malicious Library, UPX, .NET DLL, PE File, OS Processor Check, PE32, DLL
Category FILE
Machine s1_win7_x6403_us
Started Aug. 5, 2024, 10:34 a.m.
Completed Aug. 5, 2024, 10:42 a.m.
Size 5.9MB
Type PE32 executable (console) Intel 80386, for MS Windows
MD5 96ec8798bba011d5be952e0e6398795d
SHA256 c3405d9c9d593d75d773c0615254e69d0362954384058ee970a3ec0944519c37
CRC32 4225E9B9
ssdeep 98304:gP9cgRyyVyGHAeBSut+aFNnLlPLeqNZ8hY/1KbxabdDk1duupRWQgWseI9eIfbkr:C9hlX+aFFLlPKQ8hY/DkWWst9e4ge+
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

WriteConsoleA

buffer: I
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: mpacket v0.9.17 - Copyright 2002-2018 Core Security Technologies
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: sage: secretsdump.exe [-h] [-debug] [-system SYSTEM] [-bootkey BOOTKEY] [-security SECURITY] [-sam SAM] [-ntds NTDS] [-resumefile RESUMEFILE] [-outputfile OUTPUTFILE] [-use-vss] [-exec-method [{smbexec,wmiexec,mmcexec}]] [-just-dc-user USERNAME] [-just-dc] [-just-dc-ntlm] [-pwd-last-set] [-user-status] [-history] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] [-target-ip ip address] target Performs various techniques to dump secrets from the remote machine without executing any agent there. positional arguments: target [[domain/]username[:password]@]<targetName or address> or LOCAL (if you want to parse local files) optional arguments: -h, --help show this help message and exit -debug Turn DEBUG output ON -system SYSTEM SYSTEM hive to parse -bootkey BOOTKEY bootkey for SYSTEM hive -security SECURITY SECURITY hive to parse -sam SAM SAM hive to parse -ntds NTDS NTDS.DIT file to parse -resumefile RESUMEFILE resume file name to resume NTDS.DIT session dump (only available to DRSUAPI approach). This file will also be used to keep updating the session's state -outputfile OUTPUTFILE base output filename. Extensions will be added for sam, secrets, cached and ntds -use-vss Use the VSS method insead of default DRSUAPI -exec-method [{smbexec,wmiexec,mmcexec}] Remote exec method to use at target (only when using -use-vss). Default: smbexec display options: -just-dc-user USERNAME Extract only NTDS.DIT data for the user specified. Only available for DRSUAPI approach. Implies also -just-dc switch -just-dc Extract only NTDS.DIT data (NTLM hashes and Kerberos keys) -just-dc-ntlm Extract only NTDS.DIT data (NTLM hashes only) -pwd-last-set Shows pwdLastSet attribute for each NTDS.DIT account. 
Doesn't apply to -outputfile data -user-status Display whether or not the user is disabled -history Dump password history, and LSA secrets OldVal authentication: -hashes LMHASH:NTHASH NTLM hashes, format is LMHASH:NTHASH -no-pass don't ask for password (useful for -k) -k Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line -aesKey hex key AES key to use for Kerberos Authentication (128 or 256 bits) connection: -dc-ip ip address IP Address of the domain controller. If ommited it use the domain part (FQDN) specified in the target parameter -target-ip ip address IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name and you cannot resolve it
console_handle: 0x00000007
1 1 0
section .gfids
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2112
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\_MEI10762\pywintypes27.dll
file C:\Users\test22\AppData\Local\Temp\_MEI10762\msvcp90.dll
file C:\Users\test22\AppData\Local\Temp\_MEI10762\msvcr90.dll
file C:\Users\test22\AppData\Local\Temp\_MEI10762\msvcm90.dll
file C:\Users\test22\AppData\Local\Temp\_MEI10762\python27.dll
file C:\Users\test22\AppData\Local\Temp\_MEI10762\Crypto.Cipher._DES3.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI10762\bz2.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI10762\Crypto.Util.strxor.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI10762\_socket.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI10762\select.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI10762\_ssl.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI10762\Crypto.Cipher._ARC4.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI10762\win32pipe.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI10762\Crypto.Util._counter.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI10762\pyexpat.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI10762\win32api.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI10762\Crypto.Random.OSRNG.winrandom.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI10762\win32evtlog.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI10762\_ctypes.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI10762\_hashlib.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI10762\Crypto.Hash._SHA256.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI10762\Crypto.Cipher._DES.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI10762\Crypto.Cipher._AES.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI10762\unicodedata.pyd
file C:\Users\test22\AppData\Local\Temp\_MEI10762\Crypto.Hash._MD4.pyd
Bkav W32.AIDetectMalware
Lionic Hacktool.Win32.Misc.3!c
Cynet Malicious (score: 99)
CAT-QuickHeal HackTool.CiR
Skyhigh HTool-DumpSecrets
ALYac Misc.Riskware.Impacket
Cylance Unsafe
VIPRE Gen:Application.Impacket.1
Sangfor Hacktool.Win32.Impacket.Vrjz
K7AntiVirus Riskware ( 0040eff71 )
BitDefender Gen:Application.Impacket.1
K7GW Riskware ( 0040eff71 )
Cybereason malicious.8bba01
Arcabit Application.Impacket.1 [many]
ESET-NOD32 multiple detections
McAfee Artemis!96EC8798BBA0
Avast FileRepMalware [Misc]
Kaspersky UDS:HackTool.Python.Impacket.a
Alibaba Hacktool:Win32/Secretdmp.190417
MicroWorld-eScan Gen:Application.Impacket.1
Rising HackTool.SecretDump/PYC!1.F0AC (CLASSIC)
Emsisoft Gen:Application.Impacket.1 (B)
F-Secure PrivacyRisk.SPR/Tool.Impacket
DrWeb Tool.Impacket.7
TrendMicro HackTool.Win32.Mpacket.SM
McAfeeD ti!C3405D9C9D59
Trapmine malicious.moderate.ml.score
FireEye Generic.mg.96ec8798bba011d5
Sophos Impacket (PUA)
Webroot PUA.Gen
Google Detected
Avira SPR/Tool.Impacket
MAX malware (ai score=100)
Kingsoft Win32.Troj.Unknown.a
Gridinsoft Trojan.Win32.PyInstaller.cc
Microsoft Trojan:Win32/Skeeyah.B!rfn
ViRobot HackTool.S.Impacket.6221727
ZoneAlarm HEUR:HackTool.Python.Impacket.gen
GData Gen:Application.Impacket.1 (14x)
Varist W32/Trojan.ZOUV-9006
AhnLab-V3 HackTool/Win.impacket.C4777703
DeepInstinct MALICIOUS
Malwarebytes Neshta.Virus.FileInfector.DDS
Panda PUP/Hacktool
TrendMicro-HouseCall HackTool.Win32.Mpacket.SM
Tencent Win32.Hacktool.Impacket.Xylw
MaxSecure Trojan.Malware.109441793.susgen
Fortinet Riskware/Secretdmp
AVG FileRepMalware [Misc]
Paloalto generic.ml