Trojan:MSIL/Mimikatz.B represents a particularly dangerous class of credential-harvesting malware that exploits a modified version of the legitimate post-exploitation tool Mimikatz. Written in Microsoft Intermediate Language (MSIL), this trojan variant infiltrates Windows systems to extract authentication credentials, security tokens, and password hashes directly from memory. Unlike the original Mimikatz — which security professionals use for legitimate penetration testing — this weaponized variant operates silently in the background, exfiltrating your login credentials to remote attackers who can then access your accounts, corporate networks, or financial information.
What makes this threat particularly insidious is its ability to harvest credentials without triggering traditional antivirus alarms. Because it's based on a known security tool, many detection systems struggle to distinguish between legitimate administrative use and malicious deployment. The MSIL implementation also means it can run on any Windows system with the .NET Framework installed — essentially every Windows machine from Vista forward.
Threat Profile
| Attribute | Details |
|---|---|
| Threat Type | Credential-harvesting trojan, password stealer, post-exploitation malware |
| Family | Mimikatz-based trojans (weaponized variants of legitimate security tool) |
| Platform | Windows (all versions with .NET Framework 2.0 or later) |
| Language | MSIL (Microsoft Intermediate Language / .NET compiled code) |
| Primary Payload | Credential extraction, password hash dumping, Kerberos ticket theft |
| Persistence Method | Registry Run keys, scheduled tasks, service installation (varies by variant) |
| Aliases | MSIL/Mimikatz.B, Mimikatz.B, PWS:MSIL/Mimikatz (detection names vary by vendor) |
| Distribution Vectors | Phishing attachments, exploit kits, bundled with other malware, compromised software installers |
| Typical Capabilities | Dump LSASS process memory, extract plaintext passwords, harvest NTLM hashes, steal Kerberos tickets, export cached credentials |
| Network Behavior | Command-and-control communication for exfiltrating stolen credentials (C2 servers vary) |
| Common Artifacts | Suspicious .NET assemblies in temp folders, unusual LSASS process access, modified security policy settings |
| Detection Difficulty | Moderate to High — legitimate Mimikatz signatures often cause false positives; attackers obfuscate malicious variants |
| Removal Complexity | Moderate — the trojan itself can be removed, but credential compromise requires extensive password rotation |
How It Spreads
Trojan:MSIL/Mimikatz.B typically arrives as a secondary payload delivered by other malware rather than as an initial infection vector. Attackers who've already gained a foothold on your system — through a document macro virus, a browser exploit, or a malicious email attachment — will then deploy this credential stealer to escalate their access. The trojan often comes bundled with dropper malware that establishes persistence before executing the Mimikatz component to harvest authentication data.
In many cases, users inadvertently install this threat when downloading cracked software, pirated games, or "free" versions of paid applications from untrusted websites. These seemingly legitimate installers contain the trojan hidden within their installation routine. Similarly, malicious browser extensions and fake system utilities frequently serve as delivery mechanisms. Once the initial infection occurs, the Mimikatz component activates to extract whatever credentials it can access based on your user privileges.
Common distribution methods include:
- Phishing emails with weaponized attachments — Office documents with malicious macros that download and execute the trojan
- Drive-by download attacks — Compromised websites that exploit browser vulnerabilities to silently install malware
- Software bundling — Legitimate-looking applications from third-party download sites that include hidden trojan components
- Exploit kits — Automated attack frameworks that scan for system vulnerabilities and deploy appropriate payloads
- Trojanized tools — Fake system optimizers, registry cleaners, or driver updaters that actually install credential stealers
- Lateral movement — Spreading from one infected machine to others on the same network using stolen administrative credentials
- Remote Desktop Protocol (RDP) attacks — Brute-force attacks on exposed RDP services that, once successful, deploy the trojan for further credential theft
What It Does On Your Machine
Once active, Trojan:MSIL/Mimikatz.B targets the Local Security Authority Subsystem Service (LSASS) process — a critical Windows component that handles user authentication and stores credentials in memory. The trojan injects code into this process or reads its memory space directly to extract plaintext passwords, NTLM hashes (encrypted password representations), and Kerberos authentication tickets. This happens completely silently, with no visible windows or user prompts. If you're logged into Windows when the infection occurs, your current password is almost certainly compromised within seconds.
The malware doesn't stop with your local Windows password. It actively searches for cached credentials from other applications — your browser's saved passwords, email client authentication tokens, VPN credentials, and anything else stored in Windows Credential Manager. Modern variants can also target browser password vaults directly, extracting login information for banking sites, social media accounts, and corporate systems. The stolen data gets packaged and transmitted to a remote command-and-control server, often using encrypted connections to avoid network monitoring detection.
Beyond immediate credential theft, the trojan typically establishes persistence mechanisms to survive system reboots. It may install itself as a scheduled task that runs periodically to capture new credentials as you log into different services. Some variants modify Windows security policies to reduce logging levels or disable security features that would otherwise detect the memory access. You might notice slight system slowdowns when the trojan activates — LSASS memory dumping is processor-intensive — but most users attribute this to normal Windows behavior.
The real damage extends far beyond your personal computer. If you use the infected machine for work and have access to corporate networks, the stolen credentials can provide attackers with entry points into your employer's systems. This is precisely how many major data breaches begin — an employee's compromised home computer provides the initial foothold for a sophisticated attack on corporate infrastructure.
Manual Removal — Step by Step
Immediately Disconnect From All Networks
Before doing anything else, physically disconnect your computer from the internet. Unplug the ethernet cable or turn off your Wi-Fi adapter. If you're on a corporate network, disconnect from the VPN as well. This prevents the trojan from exfiltrating any additional credentials and stops attackers from accessing your machine remotely while you work on removal. Do not reconnect until the entire removal process is complete and verified.
Boot Into Safe Mode With Networking
Restart your computer and boot into Safe Mode with Networking (you'll need networking to download removal tools in later steps). On Windows 10/11, hold Shift while clicking Restart, then navigate to Troubleshoot > Advanced Options > Startup Settings > Restart, and press F5 for Safe Mode with Networking. Safe Mode loads only essential Windows components, preventing most malware from activating its persistence mechanisms during the removal process.
Terminate Suspicious Processes
Open Task Manager (Ctrl+Shift+Esc) and carefully examine running processes. Look for unfamiliar executables, especially those with random names running from AppData folders, or multiple instances of legitimate-sounding processes like "svchost.exe" running from unusual locations. Right-click suspicious processes, select "Open file location," and note the path before ending the process. Legitimate Windows processes always run from C:\Windows\System32, not user folders.
Remove Persistence Mechanisms
Press Win+R, type "msconfig," and check the Startup tab (or use Task Manager's Startup tab on Windows 8+). Disable any suspicious entries, especially those pointing to executables in AppData or ProgramData folders. Then open Task Scheduler (search for it in the Start menu) and review all scheduled tasks. Delete any tasks that run unfamiliar executables, particularly those set to run at startup or at regular intervals. Pay special attention to tasks with generic names like "SystemUpdate" or "HealthCheck" that aren't from Microsoft.
Delete Malicious Files and Folders
Navigate to the file locations you identified earlier. Delete the entire parent folders, not just the executable files — trojans often store configuration files, logs, and additional components in the same directory. Common locations include subfolders within %LOCALAPPDATA%, %APPDATA%, %TEMP%, and C:\ProgramData. You may need to enable "Show hidden files" in File Explorer options to see these directories. Empty the Recycle Bin immediately after deletion.
Clean the Registry
Press Win+R, type "regedit," and navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Delete any suspicious entries that reference the files you just removed. Use Ctrl+F to search the entire registry for the malware's file names or folder paths, deleting any additional references. Be extremely careful here — deleting wrong registry keys can break Windows. If you're not confident, skip this step and let antivirus software handle registry cleanup.
Run Comprehensive Antimalware Scans
Download and install Malwarebytes (free version is sufficient) and run a full system scan. Follow up with Windows Defender's offline scan feature (Windows Security > Virus & threat protection > Scan options > Microsoft Defender Offline scan). These scans should catch any remaining components or rootkit elements that manual removal missed. Quarantine or delete everything they find. Consider running a second-opinion scanner like Kaspersky's free rescue disk for additional confirmation.
Change All Passwords — But Not Yet
Do not change passwords on the infected computer, even after cleaning, because keyloggers might still be active. Instead, use a known-clean device (your phone, a different computer) to change passwords for every account you've accessed from the infected machine — email, banking, social media, work accounts, everything. Enable two-factor authentication wherever possible. If you've used the same password across multiple sites, change them all. This step is tedious but absolutely critical.
Monitor for Suspicious Account Activity
Check your email accounts for unfamiliar login alerts or password reset requests. Review your bank and credit card statements for unauthorized transactions. Enable login notifications and account alerts wherever possible. If you used this computer for work, immediately notify your IT department — they need to revoke your credentials and monitor for lateral movement within corporate systems. Credential theft often leads to identity theft or corporate breaches weeks or months after the initial infection.
Reboot and Verify
Restart your computer normally (not in Safe Mode) and run another full antivirus scan to confirm the infection is gone. Monitor Task Manager for several hours during normal use to ensure no suspicious processes reappear. Check your startup items one final time. Only after you're confident the system is clean should you reconnect to the internet. Continue monitoring system behavior for at least a week — some trojans have delayed reactivation mechanisms.
Prevention
- Maintain up-to-date antivirus protection with real-time scanning enabled. Windows Defender is adequate for most users if kept current, but consider adding Malwarebytes Premium for enhanced behavior-based detection of credential stealers and zero-day threats.
- Keep Windows and all applications patched. Enable automatic updates for Windows, browsers, Java, Adobe products, and any other software you use regularly. Most credential-stealing trojans arrive through exploit kits that target known vulnerabilities in outdated software.
- Exercise extreme caution with email attachments, even from known senders. Never enable macros in Office documents unless you're absolutely certain of the file's legitimacy and have verified with the sender through a separate communication channel. When in doubt, don't open it.
- Download software only from official sources — vendor websites or the Microsoft Store, never from third-party download portals, torrent sites, or file-sharing services. "Free" versions of paid software almost always contain bundled malware. If you can't afford software, look for legitimate free alternatives, not pirated copies.
- Use strong, unique passwords for every account and store them in a reputable password manager like Bitwarden or 1Password. This limits the damage when credentials are stolen — attackers can't use a compromised password to access your other accounts if each one is unique.
- Enable two-factor authentication (2FA) everywhere possible, especially for email, banking, and any accounts with access to sensitive information. Even if a trojan steals your password, 2FA prevents unauthorized access without the second authentication factor.
- Restrict user privileges on your daily-use account. Create a standard user account for everyday tasks and only use an administrator account when installing software or making system changes. Credential-stealing trojans can only harvest credentials for the currently logged-in user — limiting that user's privileges contains the damage.
- Monitor your network traffic if you're comfortable with the technology. Tools like GlassWire can alert you to applications making unusual outbound connections, helping you detect credential exfiltration before significant damage occurs.
Bring It In
Credential-stealing trojans like MSIL/Mimikatz.B create ripple effects that extend far beyond your computer. Even after successful removal, you face weeks of password changes, account monitoring, and anxiety about what information attackers accessed before you discovered the infection. The manual removal steps outlined above work, but they're time-consuming and technically demanding — and they don't address the forensic question of what credentials were compromised and when.
Computer Repair Roswell provides comprehensive malware removal service that includes not just cleaning the infection, but analyzing system logs to determine the infection timeline, identifying which credentials were at risk, and providing specific guidance on account remediation. We'll walk you through the password rotation process, help you enable two-factor authentication, and verify that your system is genuinely clean before returning it to you. Same-day service is available for emergency situations. Call us at (770) 667-9487 or stop by our shop at 1335 Hembree Road in Roswell. We're here Monday through Saturday to get your system secure again.