Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 16, 2023, 11 a.m.	Oct. 16, 2023, 11:08 a.m.

Size	1.1MB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`7d6c819c7accbd9abe8f6c4eb087eea2`
SHA256	`2d93ffc4f232bcc5f7c2a19d8fcbaa50884e60a027804fcecc3c40d120eedc8c`
CRC32	`9A0F412E`
ssdeep	`24576:Qc6T3/YiaASvUn+J35XBMZZ9+xyc30w/tDMJIy:1iaASvUnI5XAZ9iyET`
PDB Path	D:\Mktmp\Amadey\StealerDLL\x64\Release\STEALERDLL.pdb
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file infoStealer_browser_b_Zero - browser info stealer PE_Header_Zero - PE File Signature IsDLL - (no description) IsPE64 - (no description) OS_Processor_Check_Zero - OS Processor Check

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,
2220
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,Save
2136
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,Save
  2288
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,Main
1792
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,Main
  2328

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Oct. 16, 2023, 10:53 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameA Oct. 16, 2023, 10:53 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 16, 2023, 10:53 a.m.			0	0
IsDebuggerPresent Oct. 16, 2023, 10:53 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

D:\Mktmp\Amadey\StealerDLL\x64\Release\STEALERDLL.pdb

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe\Path

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 16, 2023, 10:53 a.m.	stacktrace: Main-0x20f3d cred64+0x921b3 @ 0x7fef3d821b3 Main-0x1f305 cred64+0x93deb @ 0x7fef3d83deb Main-0x1d592 cred64+0x95b5e @ 0x7fef3d85b5e Main-0x1ccb1 cred64+0x9643f @ 0x7fef3d8643f Main-0x988 cred64+0xb2768 @ 0x7fef3da2768 Save+0x5f cred64+0xb384f @ 0x7fef3da384f rundll32+0x2f42 @ 0xff372f42 rundll32+0x3b7a @ 0xff373b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: 42 38 3c 00 75 f7 48 8b d0 48 8d 4c 24 70 e8 ca exception.instruction: cmp byte ptr [rax + r8], dil exception.exception_code: 0xc0000005 exception.symbol: Main-0x20f3d cred64+0x921b3 exception.address: 0x7fef3d821b3 registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 0 registers.r10: 6 registers.rbx: 0 registers.rsp: 1441040 registers.r11: 3 registers.r8: 0 registers.r9: 12 registers.rdx: 64 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1 registers.r13: 0	1	0	0
__exception__ Oct. 16, 2023, 10:53 a.m.	stacktrace: Main-0x20f3d cred64+0x921b3 @ 0x7fef3d821b3 Main-0x1f305 cred64+0x93deb @ 0x7fef3d83deb Main-0x1d592 cred64+0x95b5e @ 0x7fef3d85b5e Main-0x1ccb1 cred64+0x9643f @ 0x7fef3d8643f Main-0x988 cred64+0xb2768 @ 0x7fef3da2768 Main+0x65 Save-0x69b cred64+0xb3155 @ 0x7fef3da3155 rundll32+0x2f42 @ 0xff372f42 rundll32+0x3b7a @ 0xff373b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: 42 38 3c 00 75 f7 48 8b d0 48 8d 4c 24 70 e8 ca exception.instruction: cmp byte ptr [rax + r8], dil exception.exception_code: 0xc0000005 exception.symbol: Main-0x20f3d cred64+0x921b3 exception.address: 0x7fef3d821b3 registers.r14: 0 registers.r15: 0 registers.rcx: 1099511627775 registers.rsi: 0 registers.r10: 39 registers.rbx: 0 registers.rsp: 784496 registers.r11: 779392 registers.r8: 0 registers.r9: 519691960360 registers.rdx: 1855936 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1 registers.r13: 0	1	0	0

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Zusy.477261
Skyhigh	BehavesLike.Win64.Emotet.th
ALYac	Gen:Variant.Zusy.477261
Malwarebytes	Spyware.Amadey
VIPRE	Gen:Variant.Zusy.477261
Sangfor	Infostealer.Win32.Amadey.V55f
K7AntiVirus	Trojan-Downloader ( 005a0ec91 )
Alibaba	TrojanSpy:Win32/Amadey.8fef3995
K7GW	Trojan-Downloader ( 005a0ec91 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Zusy.D7484D
Symantec	Trojan Horse
ESET-NOD32	a variant of Win32/TrojanDownloader.Amadey.G
Cynet	Malicious (score: 100)
ClamAV	Win.Malware.Zusy-9985435-0
Kaspersky	Trojan-Spy.Win32.Stealer.ewuw
BitDefender	Gen:Variant.Zusy.477261
NANO-Antivirus	Trojan.Win64.Stealer.kcgcns
Avast	Win64:PWSX-gen [Trj]
Tencent	Win32.Trojan-Spy.Stealer.Uwhl
Emsisoft	Gen:Variant.Zusy.477261 (B)
F-Secure	Trojan.TR/Redcap.vbflx
DrWeb	Trojan.SpyBot.840
TrendMicro	TROJ_GEN.R06CC0DJC23
FireEye	Gen:Variant.Zusy.477261
Sophos	Mal/Generic-S
Ikarus	Trojan-PSW.Agent
Webroot	W32.Trojan.Gen
Varist	W64/ABRisk.BYIW-8550
Avira	TR/Redcap.vbflx
Antiy-AVL	Trojan[Downloader]/Win32.Amadey
Gridinsoft	Malware.Win64.Downloader.cc
Xcitium	Malware@#1x39hojvzwj79
Microsoft	Trojan:Win64/Amadey.CAV!MTB
ViRobot	Trojan.Win.Z.Zusy.1174528
ZoneAlarm	Trojan-Spy.Win32.Stealer.ewuw
GData	Gen:Variant.Zusy.477261
Google	Detected
AhnLab-V3	Trojan/Win.Generic.C5288456
McAfee	Artemis!7D6C819C7ACC
MAX	malware (ai score=89)
Cylance	unsafe
TrendMicro-HouseCall	TROJ_GEN.R06CC0DJC23
Rising	Stealer.Agent!8.C2 (CLOUD)
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win64:PWSX-gen [Trj]
DeepInstinct	MALICIOUS

cred64.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All