Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 12, 2022, 5:50 p.m.	Dec. 12, 2022, 5:52 p.m.

Size	1.0MB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`943b635cf33d020caf36cfc2b608ff03`
SHA256	`ee4ff738ffcd156bdb2e725d83a8ef0ba0aa0d06a97af8be93a4ffd995c4e114`
CRC32	`86FD3052`
ssdeep	`24576:wVaH8jJPWhQnZzrZ+7xr1rZfVlVxd43vpC5m:uAhQnZzrZSxxZfVleh`
PDB Path	D:\Mktmp\Amadey\StealerDLL\x64\Release\STEALERDLL.pdb
Yara	OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library IsDLL - (no description) Ave_Maria_Zero - Remote Access Trojan that is also called WARZONE RAT PE_Header_Zero - PE File Signature IsPE64 - (no description) UPX_Zero - UPX packed file

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,Save
2656
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,Save
  2812
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,Main
2572
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,Main
  2852
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,
2752

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

No Suricata Alerts

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Dec. 12, 2022, 5:42 p.m.	computer_name: TEST22-PC	1	1	0

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 12, 2022, 5:42 p.m.			0	0
IsDebuggerPresent Dec. 12, 2022, 5:42 p.m.			0	0

pdb_path

D:\Mktmp\Amadey\StealerDLL\x64\Release\STEALERDLL.pdb

file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

section

_RDATA

Time & API	Arguments	Status	Return	Repeated
__exception__ Dec. 12, 2022, 5:42 p.m.	stacktrace: Save+0x8d733 Main-0x1371d cred64+0x91303 @ 0x7fef41f1303 Save+0x8f34b Main-0x11b05 cred64+0x92f1b @ 0x7fef41f2f1b Save+0x903d3 Main-0x10a7d cred64+0x93fa3 @ 0x7fef41f3fa3 Save+0x9077f Main-0x106d1 cred64+0x9434f @ 0x7fef41f434f Save+0xa0838 Main-0x618 cred64+0xa4408 @ 0x7fef4204408 Main+0x65 cred64+0xa4a85 @ 0x7fef4204a85 rundll32+0x2f42 @ 0xff142f42 rundll32+0x3b7a @ 0xff143b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: 42 38 3c 00 75 f7 48 8b d0 48 8d 4c 24 50 e8 7a exception.instruction: cmp byte ptr [rax + r8], dil exception.exception_code: 0xc0000005 exception.symbol: Save+0x8d733 Main-0x1371d cred64+0x91303 exception.address: 0x7fef41f1303 registers.r14: 0 registers.r15: 0 registers.rcx: 1099511627775 registers.rsi: 0 registers.r10: 182 registers.rbx: 0 registers.rsp: 1505680 registers.r11: 1500576 registers.r8: 0 registers.r9: 253416505352 registers.rdx: 1945472 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1 registers.r13: 0	1	0	0

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Dec. 12, 2022, 5:42 p.m.	process_identifier: 2812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1	0	0
NtProtectVirtualMemory Dec. 12, 2022, 5:42 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1	0	0

Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Tedy.217120
FireEye	Gen:Variant.Tedy.217120
ALYac	Gen:Variant.Tedy.217120
Cylance	Unsafe
VIPRE	Gen:Variant.Tedy.217120
Sangfor	Trojan.Win32.Agent.Vjgy
Alibaba	TrojanPSW:Win32/Stealer.bbde3922
Arcabit	Trojan.Tedy.D35020
Symantec	ML.Attribute.HighConfidence
Cynet	Malicious (score: 100)
Kaspersky	Trojan-PSW.Win32.Stealer.awrk
BitDefender	Gen:Variant.Tedy.217120
Avast	Win64:TrojanX-gen [Trj]
Tencent	Win32.Trojan-QQPass.QQRob.Fwnw
Ad-Aware	Gen:Variant.Tedy.217120
Emsisoft	Gen:Variant.Tedy.217120 (B)
F-Secure	Trojan.TR/Redcap.heord
McAfee-GW-Edition	BehavesLike.Win64.Dropper.th
Webroot	W32.Trojan.Gen
Avira	TR/Redcap.heord
Antiy-AVL	Trojan/Multi.Generic
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	Trojan-PSW.Win32.Stealer.awrk
GData	Gen:Variant.Tedy.217120
AhnLab-V3	Trojan/Win.Generic.C5288456
McAfee	Artemis!943B635CF33D
MAX	malware (ai score=87)
Malwarebytes	Malware.AI.3949938570
TrendMicro-HouseCall	TROJ_GEN.R002H07L922
Fortinet	W32/PossibleThreat
AVG	Win64:TrojanX-gen [Trj]

cred64.dll