popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

cred64.dll

Browser Login Data Stealer Amadey Malicious Library UPX PE64 PE File DLL OS Processor Check
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Oct. 27, 2023, 6:01 p.m. Oct. 27, 2023, 6:04 p.m.
Size 1.1MB
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 1c27631e70908879e1a5a8f3686e0d46
SHA256 478aa272d465eaa49c2f12fc141af2c0581f569ccf67f628747d90cc03a1e6a9
CRC32 487753B1
ssdeep 24576:OGKcuUK9Jyi+Uj+TGHWTZNyMuB/J/TO/pYmea+Xo45qG:o9Jyi+UjyGGZNyMur/TO/qb4Uq
PDB Path D:\Mktmp\Amadey\StealerDLL\x64\Release\STEALERDLL.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • infoStealer_browser_b_Zero - browser info stealer
  • PE_Header_Zero - PE File Signature
  • IsDLL - (no description)
  • IsPE64 - (no description)
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
185.196.8.176 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
pdb_path D:\Mktmp\Amadey\StealerDLL\x64\Release\STEALERDLL.pdb
file C:\Program Files (x86)\Google\Chrome\Application\.purple\accounts.xml
file C:\Program Files\Mozilla Firefox\firefox.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe\Path
section _RDATA
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://185.196.8.176/7jshasdS/index.php
request POST http://185.196.8.176/7jshasdS/index.php
request POST http://185.196.8.176/7jshasdS/index.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007304c000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2820
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007304c000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1452
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000004710000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal
file C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data
Time & API Arguments Status Return Repeated

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: smss.exe
process_identifier: 224
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: csrss.exe
process_identifier: 304
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: wininit.exe
process_identifier: 352
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: csrss.exe
process_identifier: 360
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: winlogon.exe
process_identifier: 400
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: lsm.exe
process_identifier: 468
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: svchost.exe
process_identifier: 572
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: svchost.exe
process_identifier: 652
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: svchost.exe
process_identifier: 724
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: svchost.exe
process_identifier: 784
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: svchost.exe
process_identifier: 832
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: audiodg.exe
process_identifier: 900
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: svchost.exe
process_identifier: 992
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: svchost.exe
process_identifier: 292
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: spoolsv.exe
process_identifier: 324
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: svchost.exe
process_identifier: 1048
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: srvany.exe
process_identifier: 1284
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: KMService.exe
process_identifier: 1436
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: conhost.exe
process_identifier: 1448
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: taskhost.exe
process_identifier: 1600
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: svchost.exe
process_identifier: 1896
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: dwm.exe
process_identifier: 1260
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: explorer.exe
process_identifier: 1452
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: pw.exe
process_identifier: 988
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: SearchIndexer.exe
process_identifier: 1160
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: SearchProtocolHost.exe
process_identifier: 936
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: SearchFilterHost.exe
process_identifier: 2000
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: mobsync.exe
process_identifier: 2276
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: pw.exe
process_identifier: 2320
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: taskhost.exe
process_identifier: 2368
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: rundll32.exe
process_identifier: 2548
1 1 0

Process32NextW

 snapshot_handle: 0x000000000000013c
process_name: rundll32.exe
process_identifier: 2784
1 1 0
cmdline netsh wlan show profiles
host 185.196.8.176
file C:\Users\test22\AppData\Roaming\Electrum\wallets
file C:\Users\test22\AppData\Roaming\Litecoin\wallets
file C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Windows\.purple\accounts.xml
file C:\util\Office.2010.Toolkit.and.EZ-Activator.v2.1.5.Final\.purple\accounts.xml
file C:\Windows\System32\.purple\accounts.xml
file C:\Program Files\Windows Photo Viewer\.purple\accounts.xml
file C:\.purple\accounts.xml
file C:\SystemRoot\System32\.purple\accounts.xml
file C:\Program Files\_Sandboxie\.purple\accounts.xml
file C:\Program Files (x86)\Internet Explorer\.purple\accounts.xml
file C:\Program Files\Windows NT\Accessories\.purple\accounts.xml
file C:\util\.purple\accounts.xml
file C:\Python27\.purple\accounts.xml
file C:\Program Files (x86)\Microsoft Office\Office12\.purple\accounts.xml
file C:\Users\test22\Downloads\.purple\accounts.xml
file C:\Program Files (x86)\Google\Chrome\Application\.purple\accounts.xml
file C:\Program Files (x86)\Hnc\Hwp80\.purple\accounts.xml
file C:\Program Files\_Wireshark\.purple\accounts.xml
file C:\Windows\SysWOW64\.purple\accounts.xml
file C:\Program Files (x86)\EditPlus\.purple\accounts.xml
Lionic Trojan.Win32.Stealer.12!c
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Zusy.477261
FireEye Gen:Variant.Zusy.477261
Skyhigh BehavesLike.Win64.Dropper.th
ALYac Gen:Variant.Zusy.477261
Cylance unsafe
Zillya Downloader.Amadey.Win32.285
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
BitDefender Gen:Variant.Zusy.477261
K7GW Trojan-Downloader ( 005a0ec91 )
K7AntiVirus Trojan-Downloader ( 005a0ec91 )
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/TrojanDownloader.Amadey.G
ClamAV Win.Malware.Zusy-9985435-0
Kaspersky Trojan-Spy.Win32.Stealer.exhd
Alibaba TrojanSpy:Win32/Amadey.ca3e78c6
ViRobot Trojan.Win.Z.Zusy.1186816.A
Rising Stealer.Agent!8.C2 (CLOUD)
Sophos Mal/Generic-S
F-Secure Trojan.TR/Spy.Stealer.npwfq
VIPRE Gen:Variant.Zusy.477261
TrendMicro TROJ_GEN.R002C0DJL23
Emsisoft Gen:Variant.Zusy.477261 (B)
Ikarus Trojan-PSW.Agent
MAX malware (ai score=86)
GData Gen:Variant.Zusy.477261
Google Detected
Avira TR/Spy.Stealer.npwfq
Varist W64/ABRisk.KRAQ-2856
Antiy-AVL Trojan[Downloader]/Win32.Amadey
Gridinsoft Malware.Win64.Downloader.cc
Arcabit Trojan.Zusy.D7484D
ZoneAlarm Trojan-Spy.Win32.Stealer.exhd
Microsoft Trojan:Win64/Amadey.CAV!MTB
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.Generic.C5288456
McAfee Artemis!1C27631E7090
DeepInstinct MALICIOUS
VBA32 TrojanSpy.Stealer
Malwarebytes Malware.AI.3937813451
Panda Trj/GdSda.A
TrendMicro-HouseCall TROJ_GEN.R002C0DJL23
Tencent Malware.Win32.Gencirc.11b7b94d
SentinelOne Static AI - Suspicious PE
MaxSecure Trojan.Malware.300983.susgen
AVG Win64:PWSX-gen [Trj]
Avast Win64:PWSX-gen [Trj]