Summary | ZeroBOX

cred64.dll

Ave Maria WARZONE RAT UPX Malicious Library PE64 DLL OS Processor Check PE File
Category FILE
Machine s1_win7_x6403_us
Started March 27, 2023, 10:18 a.m.
Completed March 27, 2023, 10:25 a.m.
Size 1.0MB
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 3e762ef2e32a7b9e5fa494e295b15edb
SHA256 267e7db5908dc08ce3b81324bd5f8cde1f697a9cebee2ed8c050671b8a4b474b
CRC32 CCD23815
ssdeep 24576:YdaH8CpPW2AnZVrZ+7xr1bZfVahxs43ICM:eF2AnZVrZSxhZfVaD3
PDB Path D:\Mktmp\Amadey\StealerDLL\x64\Release\STEALERDLL.pdb
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • OS_Processor_Check_Zero - OS Processor Check
  • IsDLL - (no description)
  • IsPE64 - (no description)
  • Ave_Maria_Zero - Remote Access Trojan that is also called WARZONE RAT
  • PE_Header_Zero - PE File Signature
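The hashes and the PDB path in the summary above can be re-checked locally before the sample is shared or hunted on. The Python below is an added example, not part of the ZeroBOX report: it recomputes MD5, SHA-256 and CRC32 in the presentation the report uses, compares them per algorithm against the listed values, and extracts the PDB path from the CodeView RSDS record, which is the structure the "PDB Path" field is read from. The sample bytes at the bottom are constructed for the demonstration and are not the real cred64.dll; the function names are my own.

```python
import hashlib
import struct
import zlib
from typing import Dict, List, Optional

# Hashes as listed in the report's summary table for cred64.dll.
REPORTED = {
    "md5": "3e762ef2e32a7b9e5fa494e295b15edb",
    "sha256": "267e7db5908dc08ce3b81324bd5f8cde1f697a9cebee2ed8c050671b8a4b474b",
    "crc32": "CCD23815",
}


def file_hashes(data: bytes) -> Dict[str, str]:
    """MD5, SHA-256 and CRC32 of `data`, formatted the way the report prints them."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        # The report shows CRC32 as eight upper-case hex digits.
        "crc32": "%08X" % (zlib.crc32(data) & 0xFFFFFFFF),
    }


def matches_report(data: bytes, reported: Dict[str, str] = REPORTED) -> Dict[str, bool]:
    """Per-algorithm comparison against the reported values (case-insensitive)."""
    got = file_hashes(data)
    return {name: got[name].lower() == value.lower() for name, value in reported.items()}


def parse_rsds(record: bytes) -> Optional[dict]:
    """Parse a CodeView RSDS record: 'RSDS', 16-byte GUID, 4-byte age, NUL-terminated path."""
    if len(record) < 25 or record[:4] != b"RSDS":
        return None
    guid = record[4:20]
    (age,) = struct.unpack_from("<I", record, 20)
    end = record.find(b"\x00", 24)
    if end == -1:
        return None  # path not terminated inside the window: treat as a false hit
    try:
        path = record[24:end].decode("ascii")
    except UnicodeDecodeError:
        return None
    return {"guid": guid.hex(), "age": age, "pdb_path": path}


def find_pdb_paths(data: bytes, window: int = 1024) -> List[str]:
    """Every PDB path carried by an RSDS record anywhere in `data`.

    Scanning for the signature instead of walking the PE debug directory means
    this also works on a memory dump or an unpacked image; on a packed file the
    record may only become visible after unpacking.
    """
    found: List[str] = []
    pos = data.find(b"RSDS")
    while pos != -1:
        rec = parse_rsds(data[pos:pos + window])
        if rec and rec["pdb_path"]:
            found.append(rec["pdb_path"])
        pos = data.find(b"RSDS", pos + 4)
    return found


# Constructed stand-in for a binary: an MZ stub with one RSDS record embedded.
# This is NOT the real cred64.dll; it only exercises the functions above.
SAMPLE_PDB = r"D:\Mktmp\Amadey\StealerDLL\x64\Release\STEALERDLL.pdb"
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"RSDS" + bytes(range(16)) + struct.pack("<I", 1)
    + SAMPLE_PDB.encode("ascii") + b"\x00"
    + b"\x90" * 32
)

if __name__ == "__main__":
    print(find_pdb_paths(SAMPLE))
    print(matches_report(SAMPLE))  # all False: the stand-in is not the reported file
```

Against the real file, `find_pdb_paths(open(path, "rb").read())` should return the path shown in the summary; that string is the strongest attribution signal on this page, since it names an Amadey build tree and a StealerDLL project directly, independent of any vendor label.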

Name Response Post-Analysis Lookup
No hosts contacted.

IP Address Status Action
142.250.204.142 Active Moloch
142.250.204.65 Active Moloch
142.250.204.67 Active Moloch
142.250.66.138 Active Moloch
142.251.220.3 Active Moloch
142.251.220.45 Active Moloch
172.217.24.238 Active Moloch
172.217.24.68 Active Moloch
172.217.27.35 Active Moloch
216.58.200.227 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
Status 1 Return 1 Repeated 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
pdb_path D:\Mktmp\Amadey\StealerDLL\x64\Release\STEALERDLL.pdb
file C:\Program Files\Mozilla Firefox\firefox.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
section _RDATA
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
Save+0x8d733 Main-0x1371d cred64+0x91303 @ 0x7fef3ee1303
Save+0x8f34b Main-0x11b05 cred64+0x92f1b @ 0x7fef3ee2f1b
Save+0x903d3 Main-0x10a7d cred64+0x93fa3 @ 0x7fef3ee3fa3
Save+0x9077f Main-0x106d1 cred64+0x9434f @ 0x7fef3ee434f
Save+0xa0838 Main-0x618 cred64+0xa4408 @ 0x7fef3ef4408
Main+0x65 cred64+0xa4a85 @ 0x7fef3ef4a85
rundll32+0x2f42 @ 0xfff32f42
rundll32+0x3b7a @ 0xfff33b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: 42 38 3c 00 75 f7 48 8b d0 48 8d 4c 24 50 e8 7a
exception.instruction: cmp byte ptr [rax + r8], dil
exception.exception_code: 0xc0000005
exception.symbol: Save+0x8d733 Main-0x1371d cred64+0x91303
exception.address: 0x7fef3ee1303
registers.r14: 0
registers.r15: 0
registers.rcx: 1099511627775
registers.rsi: 0
registers.r10: 586
registers.rbx: 0
registers.rsp: 1178736
registers.r11: 1173632
registers.r8: 0
registers.r9: 236236177417
registers.rdx: 2207776
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1
registers.r13: 0
Status 1 Return 0 Repeated 0
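The exception entry above is more useful than it looks once the numbers are turned into image-relative offsets. The Python below is an added example, not part of the ZeroBOX report: it parses the stack frames exactly as printed, derives each module's load base (every frame of a module must yield the same base, which doubles as a check that the trace was not mangled), recovers the RVAs of the two cred64 symbols the sandbox used as anchors (Save and Main), computes the faulting effective address from the register dump, and resolves the short jne that follows the faulting cmp in exception.instruction_r. The frames, registers and bytes are copied from this page; the function names are my own.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Frames copied from the report's exception stacktrace.
STACKTRACE = """\
Save+0x8d733 Main-0x1371d cred64+0x91303 @ 0x7fef3ee1303
Save+0x8f34b Main-0x11b05 cred64+0x92f1b @ 0x7fef3ee2f1b
Save+0x903d3 Main-0x10a7d cred64+0x93fa3 @ 0x7fef3ee3fa3
Save+0x9077f Main-0x106d1 cred64+0x9434f @ 0x7fef3ee434f
Save+0xa0838 Main-0x618 cred64+0xa4408 @ 0x7fef3ef4408
Main+0x65 cred64+0xa4a85 @ 0x7fef3ef4a85
rundll32+0x2f42 @ 0xfff32f42
rundll32+0x3b7a @ 0xfff33b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521
"""

# Register values from the report (the sandbox prints them in decimal).
REGISTERS = {"rax": 1, "r8": 0, "rdi": 0, "rcx": 1099511627775, "rdx": 2207776}

# exception.instruction_r: the faulting cmp is the first 4 bytes, the jne the next 2.
INSN_BYTES = bytes.fromhex("42383c0075f7")
FAULT_ADDR = 0x7FEF3EE1303

TOKEN = re.compile(r"([A-Za-z_]\w*)([+-])0x([0-9a-fA-F]+)")


def parse_frame(line: str) -> Tuple[List[Tuple[str, int]], int]:
    """One frame -> ([(symbol, signed offset), ...], absolute address)."""
    syms, addr = line.rsplit("@", 1)
    offsets = [(name, int(off, 16) if sign == "+" else -int(off, 16))
               for name, sign, off in TOKEN.findall(syms)]
    return offsets, int(addr.strip(), 16)


def module_bases(trace: str, modules: Iterable[str]) -> Dict[str, int]:
    """Load base per module = absolute address - module-relative offset.

    Frames inside the same module must agree on the base; a mismatch is raised
    instead of being silently averaged away.
    """
    wanted = set(modules)
    bases: Dict[str, int] = {}
    for line in trace.splitlines():
        offsets, addr = parse_frame(line)
        for name, off in offsets:
            if name in wanted:
                base = addr - off
                if bases.setdefault(name, base) != base:
                    raise ValueError(f"{name}: base {bases[name]:#x} vs {base:#x}")
    return bases


def symbol_rvas(trace: str, module: str) -> Dict[str, int]:
    """Image-relative addresses of the symbols printed next to `module`."""
    rvas: Dict[str, int] = {}
    for line in trace.splitlines():
        offsets, _ = parse_frame(line)
        mod_off = dict(offsets).get(module)
        if mod_off is None:
            continue
        for name, off in offsets:
            if name == module:
                continue
            rva = mod_off - off
            if rvas.setdefault(name, rva) != rva:
                raise ValueError(f"{name}: rva {rvas[name]:#x} vs {rva:#x}")
    return rvas


def effective_address(regs: Dict[str, int], base: str, index: str,
                      scale: int = 1, disp: int = 0) -> int:
    """[base + index*scale + disp] for a memory operand, truncated to 64 bits."""
    return (regs[base] + regs[index] * scale + disp) & 0xFFFFFFFFFFFFFFFF


def short_jcc_target(run_addr: int, run: bytes, offset: int) -> int:
    """Target of a Jcc rel8 (opcodes 0x70-0x7F) at `offset` in a byte run
    whose first byte is located at `run_addr`."""
    opcode, rel = run[offset], run[offset + 1]
    if not 0x70 <= opcode <= 0x7F:
        raise ValueError(f"not a short Jcc: {opcode:#x}")
    if rel >= 0x80:
        rel -= 0x100
    return run_addr + offset + 2 + rel


if __name__ == "__main__":
    for mod, base in module_bases(STACKTRACE, ["cred64", "rundll32", "kernel32", "ntdll"]).items():
        print(f"{mod:<9} base {base:#x}")
    print("cred64 symbols:", {k: hex(v) for k, v in symbol_rvas(STACKTRACE, "cred64").items()})
    # cmp byte ptr [rax + r8], dil with rax=1, r8=0 reads address 1.
    print("faulting read at", hex(effective_address(REGISTERS, "rax", "r8")))
    # The jne after the cmp jumps back 9 bytes, to 3 bytes before the cmp.
    print("loop head", hex(short_jcc_target(FAULT_ADDR, INSN_BYTES, 4)))
```

What this gives a reverser: cred64.dll was loaded at 0x7fef3e50000, its exported Main sits at RVA 0xa4a20 and was entered from rundll32 (the two rundll32 frames below it), and the crash is at RVA 0x91303, inside a three-byte loop that compares the byte at rax+r8 with dil. With rdi = 0 the comparison is against NUL, and with rax = 1 and r8 = 0 the read hits address 1, so 0xc0000005 (STATUS_ACCESS_VIOLATION) here is a string scan over a bad, near-null pointer rather than deliberate anti-analysis; the two IsDebuggerPresent calls returning 0 are the only debugger check the trace records.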
host 142.250.204.142
host 142.250.204.65
host 142.250.204.67
host 142.250.66.138
host 142.251.220.3
host 142.251.220.45
host 172.217.24.238
host 172.217.24.68
host 172.217.27.35
host 216.58.200.227
Bkav W32.FlaVoredP.Trojan
Lionic Trojan.Win32.Stealer.12!c
MicroWorld-eScan Gen:Variant.Mikey.143765
FireEye Gen:Variant.Mikey.143765
ALYac Trojan.Agent.Amadey
Malwarebytes Spyware.PasswordStealer
Sangfor Infostealer.Win64.Agent.Vr39
CrowdStrike win/malicious_confidence_100% (W)
Alibaba TrojanPSW:Win32/Amadey.0c7316ee
K7GW Password-Stealer ( 0059c99d1 )
K7AntiVirus Password-Stealer ( 0059c99d1 )
Arcabit Trojan.Mikey.D23195
VirIT Trojan.Win64.Agent.BUQ
Cyren W64/Kryptik.ISH.gen!Eldorado
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/TrojanDownloader.Amadey.G
Cynet Malicious (score: 100)
Paloalto generic.ml
ClamAV Win.Malware.Zusy-9985435-0
Kaspersky Trojan-PSW.Win32.Stealer.azak
BitDefender Gen:Variant.Mikey.143765
NANO-Antivirus Trojan.Win64.Stealer.juxsgz
Avast Win64:TrojanX-gen [Trj]
Tencent Win32.Trojan-QQPass.QQRob.Itgl
Emsisoft Gen:Variant.Mikey.143765 (B)
DrWeb Trojan.SpyBot.1180
VIPRE Gen:Variant.Mikey.143765
TrendMicro TROJ_GEN.R002C0DB623
McAfee-GW-Edition BehavesLike.Win64.Dropper.th
Sophos Troj/Steal-DCI
Avira HEUR/AGEN.1301090
Antiy-AVL Trojan[PSW]/Win32.Stealer
Gridinsoft Trojan.Win64.Agent.cl
Microsoft Trojan:Win64/Amadey.CA!MTB
GData Gen:Variant.Mikey.143765
Google Detected
AhnLab-V3 Trojan/Win.Generic.R551446
McAfee PWS-FDOE!3E762EF2E32A
MAX malware (ai score=83)
VBA32 TrojanPSW.Stealer
TrendMicro-HouseCall TROJ_GEN.R002C0DB623
Rising Stealer.Agent!8.C2 (TFE:5:8Idbp2vqW9I)
Yandex Trojan.PWS.Agent!ZVaEsLSYcU0
Ikarus Trojan-PSW.Agent
MaxSecure Trojan.Malware.1728101.susgen
Fortinet W64/Agent.CW!tr.pws
AVG Win64:TrojanX-gen [Trj]
Panda Trj/CI.A