Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 2, 2023, 10:04 a.m.	Nov. 2, 2023, 10:07 a.m.

Size	1.2MB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`0111e5a2a49918b9c34cbfbf6380f3f3`
SHA256	`4643d18bb8be79c2e3178bc3978d201c596ab70a347e8cf1e8fdbe3028d69d7c`
CRC32	`3012B62C`
ssdeep	`24576:RAwtSMdHL4+3MQL+RoZk9LZ/zedfjMTUmXbc5Pf8Vd3rsx:Nc+3MQLQoZyZ/zEfc6P0D`
PDB Path	D:\Mktmp\Amadey\StealerDLL\x64\Release\STEALERDLL.pdb
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsDLL - (no description) IsPE64 - (no description) anti_vm_detect - Possibly employs anti-virtualization techniques OS_Processor_Check_Zero - OS Processor Check

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,Main
2564
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,Main
  2796
  - netsh.exe netsh wlan show profiles
    2940
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,Save
2648
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,Save
  2832
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\cred64.dll,
2740
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
167.235.20.126	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 2, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 2, 2023, 9:57 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

D:\Mktmp\Amadey\StealerDLL\x64\Release\STEALERDLL.pdb

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\Psi\profiles\default\accounts.xml
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe\Path

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, POST method with no useragent header, Connection to IP address

suspicious_request

POST http://167.235.20.126/bjdm32DP/index.php

Performs some HTTP requests (1 event)

request

POST http://167.235.20.126/bjdm32DP/index.php

Sends data using the HTTP POST Method (1 event)

request

POST http://167.235.20.126/bjdm32DP/index.php

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 2, 2023, 9:57 a.m.	process_identifier: 2796 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2023, 9:57 a.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2023, 9:58 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004170000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Steals private information from local Internet browsers (5 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (3 events)

Time & API	Arguments	Status	Return
Process32NextW Nov. 2, 2023, 9:57 a.m.	snapshot_handle: 0x0000000000000130 process_name: taskhost.exe process_identifier: 2368	1	1
Process32NextW Nov. 2, 2023, 9:57 a.m.	snapshot_handle: 0x0000000000000130 process_name: rundll32.exe process_identifier: 2564	1	1
Process32NextW Nov. 2, 2023, 9:57 a.m.	snapshot_handle: 0x0000000000000130 process_name: rundll32.exe process_identifier: 2796	1	1

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

netsh wlan show profiles

Communicates with host for which no DNS query was performed (1 event)

host

167.235.20.126

Attempts to access Bitcoin/ALTCoin wallets (2 events)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets
file	C:\Users\test22\AppData\Roaming\Litecoin\wallets

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Harvests information related to installed instant messenger clients (18 events)

file	C:\Windows\.purple\accounts.xml
file	C:\util\Office.2010.Toolkit.and.EZ-Activator.v2.1.5.Final\.purple\accounts.xml
file	C:\Windows\System32\.purple\accounts.xml
file	C:\Program Files\Windows Photo Viewer\.purple\accounts.xml
file	C:\.purple\accounts.xml
file	C:\SystemRoot\System32\.purple\accounts.xml
file	C:\Program Files\_Sandboxie\.purple\accounts.xml
file	C:\Program Files (x86)\Internet Explorer\.purple\accounts.xml
file	C:\Program Files\Windows NT\Accessories\.purple\accounts.xml
file	C:\util\.purple\accounts.xml
file	C:\Python27\.purple\accounts.xml
file	C:\Program Files (x86)\Microsoft Office\Office12\.purple\accounts.xml
file	C:\Users\test22\Downloads\.purple\accounts.xml
file	C:\Program Files (x86)\Google\Chrome\Application\.purple\accounts.xml
file	C:\Program Files (x86)\Hnc\Hwp80\.purple\accounts.xml
file	C:\Program Files\_Wireshark\.purple\accounts.xml
file	C:\Windows\SysWOW64\.purple\accounts.xml
file	C:\Program Files (x86)\EditPlus\.purple\accounts.xml

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Zusy.477261
Skyhigh	BehavesLike.Win64.Dropper.th
McAfee	Artemis!0111E5A2A499
VIPRE	Gen:Variant.Zusy.477261
Sangfor	Trojan.Win32.Save.a
BitDefender	Gen:Variant.Zusy.477261
CrowdStrike	win/malicious_confidence_90% (W)
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/TrojanDownloader.Amadey.G
Cynet	Malicious (score: 100)
Kaspersky	UDS:Trojan-Spy.Win32.Stealer
FireEye	Gen:Variant.Zusy.477261
Emsisoft	Gen:Variant.Zusy.477261 (B)
Ikarus	Trojan-PSW.Agent
GData	Gen:Variant.Zusy.477261
Google	Detected
Arcabit	Trojan.Zusy.D7484D
ZoneAlarm	UDS:Trojan-Spy.Win32.Stealer
Microsoft	Trojan:Win32/Wacatac.B!ml
AhnLab-V3	Trojan/Win.Generic.C5288456
ALYac	Gen:Variant.Zusy.477261
MAX	malware (ai score=87)
DeepInstinct	MALICIOUS
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win64:PWSX-gen [Trj]
Avast	Win64:PWSX-gen [Trj]

cred64.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All