Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 5, 2023, 2:20 p.m.	March 5, 2023, 2:38 p.m.

Size	1.0MB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`2cf7028f2e221b5c48ce27381282d7ae`
SHA256	`5636145ced6e73f725835d37f75395017a69a860236a01195dc4b11bdc2be021`
CRC32	`5A8C418F`
ssdeep	`24576:JMq/RX0hoa8wrC+azFbtZhUYFauTZyRMlH:Jioa8wrCHz3ZhUYRAuH`
PDB Path	D:\Mktmp\Amadey\StealerDLL\x64\Release\STEALERDLL.pdb
Yara	OS_Processor_Check_Zero - OS Processor Check IsDLL - (no description) Ave_Maria_Zero - Remote Access Trojan that is also called WARZONE RAT UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE64 - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,Main
872
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,Main
  2292
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,
2228
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,Save
2136
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,Save
  2332

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

No Suricata Alerts

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA March 5, 2023, 2:20 p.m.	computer_name: TEST22-PC	1	1	0

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 5, 2023, 2:20 p.m.			0	0
IsDebuggerPresent March 5, 2023, 2:20 p.m.			0	0

pdb_path

D:\Mktmp\Amadey\StealerDLL\x64\Release\STEALERDLL.pdb

file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

section

_RDATA

Time & API	Arguments	Status	Return	Repeated
__exception__ March 5, 2023, 2:20 p.m.	stacktrace: Save+0x8d733 Main-0x1478d cred64+0x91b73 @ 0x7fef3da1b73 Save+0x8f34b Main-0x12b75 cred64+0x9378b @ 0x7fef3da378b Save+0x903d3 Main-0x11aed cred64+0x94813 @ 0x7fef3da4813 Save+0x9077f Main-0x11741 cred64+0x94bbf @ 0x7fef3da4bbf Save+0xa18a8 Main-0x618 cred64+0xa5ce8 @ 0x7fef3db5ce8 Main+0x65 cred64+0xa6365 @ 0x7fef3db6365 rundll32+0x2f42 @ 0xffd62f42 rundll32+0x3b7a @ 0xffd63b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: 42 38 3c 00 75 f7 48 8b d0 48 8d 4c 24 50 e8 fa exception.instruction: cmp byte ptr [rax + r8], dil exception.exception_code: 0xc0000005 exception.symbol: Save+0x8d733 Main-0x1478d cred64+0x91b73 exception.address: 0x7fef3da1b73 registers.r14: 0 registers.r15: 0 registers.rcx: 1099511627775 registers.rsi: 0 registers.r10: 273 registers.rbx: 0 registers.rsp: 1179024 registers.r11: 1173920 registers.r8: 0 registers.r9: 236236177417 registers.rdx: 3256352 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1 registers.r13: 0	1	0	0

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Mikey.143765
McAfee	Artemis!2CF7028F2E22
Malwarebytes	Spyware.PasswordStealer
Sangfor	Infostealer.Win32.Agent.V21i
K7AntiVirus	Password-Stealer ( 0059c99d1 )
K7GW	Password-Stealer ( 0059c99d1 )
Symantec	ML.Attribute.HighConfidence
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Alibaba	TrojanPSW:Win64/Generic.370d8236
ViRobot	Trojan.Win.Z.Mikey.1088512.C
Sophos	Troj/Steal-DCI
VIPRE	Gen:Variant.Mikey.143765
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Gen:Variant.Mikey.143765 (B)
Avira	TR/PSW.Agent.hrjiu
MAX	malware (ai score=83)
Gridinsoft	Ransom.Win64.Sabsik.cl
Arcabit	Trojan.Mikey.D23195
Google	Detected
AhnLab-V3	Trojan/Win.Generic.C5288456
Rising	Stealer.Agent!8.C2 (TFE:5:8Idbp2vqW9I)
Ikarus	Win32.Outbreak
Fortinet	W64/Agent.CW!tr.pws

cred64.dll