popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

cred64.dll

Malicious Library UPX PE64 PE File DLL OS Processor Check
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Dec. 6, 2023, 12:11 p.m. Dec. 6, 2023, 12:25 p.m.
Size 1.2MB
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 1afaa1fcda6635e17dce5b5bf27f3c79
SHA256 47285ebb39fa6bad4510a3a4a768edf8e9d440f29e8ed1bc9bfe5ebe8a329db9
CRC32 E988F798
ssdeep 24576:XxY0oT6nngQZvBH0rInUFh8f1cF616zXpaIm:nnngQ7UrIUFhzEAA
PDB Path D:\Mktmp\StealerDLL\x64\Release\STEALERDLL.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsDLL - (no description)
  • IsPE64 - (no description)
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
brodoyouevenlift.co.za
A 89.191.234.91
89.191.234.91
yeahweliftbro.cz
IP Address Status Action
164.124.101.2 Active Moloch
185.196.8.195 Active Moloch
89.191.234.91 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
pdb_path D:\Mktmp\StealerDLL\x64\Release\STEALERDLL.pdb
file C:\Program Files\Mozilla Firefox\firefox.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe\Path
section _RDATA
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://185.196.8.195/u6vhSc3PPq/index.php
suspicious_features POST method with no referer header, POST method with no useragent header suspicious_request POST http://brodoyouevenlift.co.za/jjuhhsa73/index.php
request POST http://185.196.8.195/u6vhSc3PPq/index.php
request POST http://brodoyouevenlift.co.za/jjuhhsa73/index.php
request POST http://185.196.8.195/u6vhSc3PPq/index.php
request POST http://brodoyouevenlift.co.za/jjuhhsa73/index.php
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1236
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000047c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal
file C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data
Time & API Arguments Status Return Repeated

Process32FirstW

 snapshot_handle: 0x0000000000000128
process_name: [System Process]
process_identifier: 0
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: System
process_identifier: 4
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: smss.exe
process_identifier: 232
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: csrss.exe
process_identifier: 308
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: wininit.exe
process_identifier: 344
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: csrss.exe
process_identifier: 356
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: winlogon.exe
process_identifier: 392
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: services.exe
process_identifier: 436
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: lsass.exe
process_identifier: 452
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: lsm.exe
process_identifier: 460
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: svchost.exe
process_identifier: 560
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: svchost.exe
process_identifier: 636
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: svchost.exe
process_identifier: 716
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: svchost.exe
process_identifier: 780
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: svchost.exe
process_identifier: 824
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: audiodg.exe
process_identifier: 896
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: svchost.exe
process_identifier: 984
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: svchost.exe
process_identifier: 340
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: spoolsv.exe
process_identifier: 1060
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: taskhost.exe
process_identifier: 1112
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: svchost.exe
process_identifier: 1120
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: dwm.exe
process_identifier: 1192
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: explorer.exe
process_identifier: 1236
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: svchost.exe
process_identifier: 1744
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: pw.exe
process_identifier: 1888
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: SearchIndexer.exe
process_identifier: 1652
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: mobsync.exe
process_identifier: 536
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: pw.exe
process_identifier: 1448
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: taskhost.exe
process_identifier: 912
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: wsqmcons.exe
process_identifier: 2004
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: sdclt.exe
process_identifier: 1540
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: cmd.exe
process_identifier: 1476
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: SearchProtocolHost.exe
process_identifier: 632
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: conhost.exe
process_identifier: 1572
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: SearchFilterHost.exe
process_identifier: 1960
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: rundll32.exe
process_identifier: 884
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: pw.exe
process_identifier: 1532
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000128
process_name: rundll32.exe
process_identifier: 2252
1 1 0
cmdline netsh wlan show profiles
host 185.196.8.195
file C:\Users\test22\AppData\Roaming\Electrum\wallets
file C:\Users\test22\AppData\Roaming\Litecoin\wallets
file C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
registry HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
file C:\Windows\.purple\accounts.xml
file C:\Python27\.purple\accounts.xml
file C:\Windows\System32\.purple\accounts.xml
file C:\.purple\accounts.xml
file C:\SystemRoot\System32\.purple\accounts.xml
file C:\Program Files (x86)\Internet Explorer\.purple\accounts.xml
file C:\Program Files (x86)\Microsoft Office\Office15\.purple\accounts.xml
file C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\.purple\accounts.xml
file C:\Users\test22\AppData\Roaming\.purple\accounts.xml
file C:\Windows\SysWOW64\.purple\accounts.xml
file C:\Program Files (x86)\EditPlus\.purple\accounts.xml
file C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\.purple\accounts.xml
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Server
registry HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\SMTP Server
Bkav W64.AIDetectMalware
Lionic Trojan.Win32.Nymaim.4!c
MicroWorld-eScan Gen:Variant.Zusy.477261
ALYac Gen:Variant.Zusy.477261
Malwarebytes Spyware.Stealer
VIPRE Gen:Variant.Zusy.477261
Sangfor Infostealer.Win64.Zusy.Vnvt
CrowdStrike win/malicious_confidence_100% (W)
Alibaba TrojanPSW:Win64/Amadey.bbc9fb02
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win64/PSW.Agent.CW
Kaspersky Trojan.Win32.Nymaim.ccav
BitDefender Gen:Variant.Zusy.477261
Avast Win64:PWSX-gen [Trj]
Tencent Win32.Trojan.Nymaim.Bnhl
Emsisoft Gen:Variant.Zusy.477261 (B)
F-Secure Trojan.TR/PSW.Agent.sbcuh
TrendMicro TROJ_GEN.R002C0DL423
FireEye Gen:Variant.Zusy.477261
Sophos Mal/Generic-S
Ikarus Trojan-PSW.Agent
Google Detected
Avira TR/PSW.Agent.sbcuh
Antiy-AVL Trojan/Win32.Nymaim
Kingsoft Win32.Trojan.Nymaim.ccav
Microsoft Trojan:Win64/Amadey.RDL!MTB
Gridinsoft Malware.Win64.Agent.cc
Arcabit Trojan.Zusy.D7484D
ViRobot Trojan.Win.Z.Zusy.1257984.G
ZoneAlarm Trojan.Win32.Nymaim.ccav
GData Gen:Variant.Zusy.477261
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.Generic.C5288456
MAX malware (ai score=83)
Cylance unsafe
Panda Trj/GdSda.A
TrendMicro-HouseCall TROJ_GEN.R002C0DL423
Rising Stealer.Agent!8.C2 (TFE:5:PmswK9jgQcH)
MaxSecure Trojan.Malware.300983.susgen
Fortinet W64/Agent.CW!tr.pws
AVG Win64:PWSX-gen [Trj]
DeepInstinct MALICIOUS