Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 12, 2023, 6:47 p.m.	Aug. 12, 2023, 6:51 p.m.

Size	1.1MB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`18cd6fceb5601ba45c40b33d28a87f92`
SHA256	`c28beecf5755aefbd585bd5e88e910c7ffb78780b48d2b01d116583c684741c8`
CRC32	`1B23DD61`
ssdeep	`24576:eaS3LyrV872cT+RZCPrZ1sw1yolNVAmthaH:xV872cTsZKZ1sfWxthaH`
PDB Path	D:\Mktmp\Amadey\StealerDLL\x64\Release\STEALERDLL.pdb
Yara	OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file IsDLL - (no description) infoStealer_browser_b_Zero - browser info stealer IsPE64 - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,Main
1280
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,Main
  2212
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,
2144
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,Save
2056
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,Save
  2252

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

No Suricata Alerts

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Aug. 12, 2023, 6:47 p.m.	computer_name: TEST22-PC	1	1	0

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 12, 2023, 6:47 p.m.			0	0
IsDebuggerPresent Aug. 12, 2023, 6:47 p.m.			0	0

pdb_path

D:\Mktmp\Amadey\StealerDLL\x64\Release\STEALERDLL.pdb

file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

section

_RDATA

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 12, 2023, 6:47 p.m.	stacktrace: Save+0x8d973 Main-0x1478d cred64+0x91e43 @ 0x7fef3da1e43 Save+0x8f58b Main-0x12b75 cred64+0x93a5b @ 0x7fef3da3a5b Save+0x90613 Main-0x11aed cred64+0x94ae3 @ 0x7fef3da4ae3 Save+0x909bf Main-0x11741 cred64+0x94e8f @ 0x7fef3da4e8f Save+0xa1ae8 Main-0x618 cred64+0xa5fb8 @ 0x7fef3db5fb8 Main+0x65 cred64+0xa6635 @ 0x7fef3db6635 rundll32+0x2f42 @ 0xff8e2f42 rundll32+0x3b7a @ 0xff8e3b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: 42 38 3c 00 75 f7 48 8b d0 48 8d 4c 24 50 e8 fa exception.instruction: cmp byte ptr [rax + r8], dil exception.exception_code: 0xc0000005 exception.symbol: Save+0x8d973 Main-0x1478d cred64+0x91e43 exception.address: 0x7fef3da1e43 registers.r14: 0 registers.r15: 0 registers.rcx: 1099511627775 registers.rsi: 0 registers.r10: 550 registers.rbx: 0 registers.rsp: 2685584 registers.r11: 2680480 registers.r8: 0 registers.r9: 231940751370 registers.rdx: 4435888 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1 registers.r13: 0	1	0	0

Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
DrWeb	Trojan.SpyBot.1283
MicroWorld-eScan	Gen:Variant.Zusy.477261
FireEye	Gen:Variant.Zusy.477261
Malwarebytes	Amadey.Trojan.Downloader.DDS
Sangfor	Trojan.Win32.Save.a
Alibaba	TrojanPSW:Win64/Stealer.04a73558
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Zusy.D7484D
Cyren	W64/Zusy.RV.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/TrojanDownloader.Amadey.G
Cynet	Malicious (score: 100)
TrendMicro-HouseCall	TROJ_GEN.R002C0DHB23
ClamAV	Win.Malware.Zusy-9985435-0
Kaspersky	Trojan-PSW.Win64.Stealer.cee
BitDefender	Gen:Variant.Zusy.477261
Avast	Win64:PWSX-gen [Trj]
Tencent	Win64.Trojan-QQPass.QQRob.Wylw
Emsisoft	Gen:Variant.Zusy.477261 (B)
F-Secure	Heuristic.HEUR/AGEN.1301090
VIPRE	Gen:Variant.Zusy.477261
TrendMicro	TROJ_GEN.R002C0DHB23
McAfee-GW-Edition	BehavesLike.Win64.Dropper.th
Sophos	Troj/Steal-DCI
Webroot	W32.Trojan.Amadey
Avira	HEUR/AGEN.1301090
MAX	malware (ai score=88)
Gridinsoft	Trojan.Win64.Downloader.ns
Microsoft	Trojan:Win32/Amadey!ic
ViRobot	Trojan.Win.Z.Zusy.1110016.D
ZoneAlarm	Trojan-PSW.Win64.Stealer.cee
GData	Gen:Variant.Zusy.477261
Google	Detected
AhnLab-V3	Trojan/Win.Generic.R595469
Cylance	unsafe
Panda	Trj/GdSda.A
Rising	Stealer.Convagent!8.1326D (TFE:5:7c4j9hQ2SPS)
Ikarus	Win32.Outbreak
Fortinet	W32/Amadey.G!tr.dldr
AVG	Win64:PWSX-gen [Trj]
DeepInstinct	MALICIOUS

cred64.dll