popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

cred64.dll

Malicious Library UPX PE64 PE File DLL OS Processor Check
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Dec. 11, 2023, 7:16 p.m. Dec. 11, 2023, 7:20 p.m.
Size 1.2MB
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 b5cdfc4ca11aa7705c605fd93538a310
SHA256 92342e62a3f51b7e205863f58b6a0e0145c4fecc31d40049b91e97ed0bb710ca
CRC32 3B58739B
ssdeep 24576:sxYTyT6AMgQZvBHa726ZwccIIF1cV6n6zyYkEFzd6:BAMgQ7672swJIR06yF
PDB Path D:\Mktmp\StealerDLL\x64\Release\STEALERDLL.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsDLL - (no description)
  • IsPE64 - (no description)
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
185.172.128.5 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
pdb_path D:\Mktmp\StealerDLL\x64\Release\STEALERDLL.pdb
file C:\Program Files (x86)\Google\Chrome\Application\Psi\profiles\default\accounts.xml
file C:\Program Files\Mozilla Firefox\firefox.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe\Path
section _RDATA
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://185.172.128.5/v8sjh3hs8/index.php
request POST http://185.172.128.5/v8sjh3hs8/index.php
request POST http://185.172.128.5/v8sjh3hs8/index.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2788
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007304c000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007304c000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1452
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002a90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal
file C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data
Time & API Arguments Status Return Repeated

Process32FirstW

 snapshot_handle: 0x0000000000000130
process_name: [System Process]
process_identifier: 0
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: System
process_identifier: 4
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: smss.exe
process_identifier: 224
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: csrss.exe
process_identifier: 304
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: wininit.exe
process_identifier: 352
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: csrss.exe
process_identifier: 360
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: winlogon.exe
process_identifier: 400
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: services.exe
process_identifier: 444
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: lsass.exe
process_identifier: 460
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: lsm.exe
process_identifier: 468
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: svchost.exe
process_identifier: 572
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: svchost.exe
process_identifier: 652
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: svchost.exe
process_identifier: 724
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: svchost.exe
process_identifier: 784
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: svchost.exe
process_identifier: 832
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: audiodg.exe
process_identifier: 900
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: svchost.exe
process_identifier: 992
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: svchost.exe
process_identifier: 292
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: spoolsv.exe
process_identifier: 324
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: svchost.exe
process_identifier: 1048
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: srvany.exe
process_identifier: 1284
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: KMService.exe
process_identifier: 1436
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: conhost.exe
process_identifier: 1448
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: taskhost.exe
process_identifier: 1600
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: sppsvc.exe
process_identifier: 1820
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: svchost.exe
process_identifier: 1896
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: dwm.exe
process_identifier: 1260
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: explorer.exe
process_identifier: 1452
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: pw.exe
process_identifier: 988
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: SearchIndexer.exe
process_identifier: 1160
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: SearchProtocolHost.exe
process_identifier: 936
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: SearchFilterHost.exe
process_identifier: 2000
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: mobsync.exe
process_identifier: 2280
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: pw.exe
process_identifier: 2324
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: taskhost.exe
process_identifier: 2372
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: rundll32.exe
process_identifier: 2548
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: rundll32.exe
process_identifier: 2788
1 1 0
cmdline netsh wlan show profiles
host 185.172.128.5
file C:\Users\test22\AppData\Roaming\Electrum\wallets
file C:\Users\test22\AppData\Roaming\Litecoin\wallets
file C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
registry HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
file C:\Windows\.purple\accounts.xml
file C:\util\Office.2010.Toolkit.and.EZ-Activator.v2.1.5.Final\.purple\accounts.xml
file C:\Windows\System32\.purple\accounts.xml
file C:\Program Files\Windows Photo Viewer\.purple\accounts.xml
file C:\.purple\accounts.xml
file C:\SystemRoot\System32\.purple\accounts.xml
file C:\Program Files\_Sandboxie\.purple\accounts.xml
file C:\Program Files (x86)\Internet Explorer\.purple\accounts.xml
file C:\Program Files\Windows NT\Accessories\.purple\accounts.xml
file C:\util\.purple\accounts.xml
file C:\Python27\.purple\accounts.xml
file C:\Program Files (x86)\Microsoft Office\Office12\.purple\accounts.xml
file C:\Users\test22\Downloads\.purple\accounts.xml
file C:\Program Files (x86)\Google\Chrome\Application\.purple\accounts.xml
file C:\Program Files (x86)\Hnc\Hwp80\.purple\accounts.xml
file C:\Program Files\_Wireshark\.purple\accounts.xml
file C:\Windows\SysWOW64\.purple\accounts.xml
file C:\Program Files (x86)\EditPlus\.purple\accounts.xml
file C:\Users\test22\AppData\Roaming\.purple\accounts.xml
Bkav W64.AIDetectMalware
Lionic Trojan.Win32.Nymaim.4!c
MicroWorld-eScan Gen:Variant.Zusy.477261
FireEye Gen:Variant.Zusy.477261
Malwarebytes Spyware.PasswordStealer
Zillya Trojan.Stealer.Win32.165165
Sangfor Infostealer.Win64.Nymaim.Vkix
CrowdStrike win/malicious_confidence_100% (W)
Alibaba TrojanPSW:Win64/Nymaim.e7f13c13
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win64/PSW.Agent.CW
Cynet Malicious (score: 100)
Kaspersky Trojan.Win32.Nymaim.ccba
BitDefender Gen:Variant.Zusy.477261
Avast Win64:PWSX-gen [Trj]
Tencent Malware.Win32.Gencirc.11b921ee
TACHYON Trojan-Spy/W64.InfoStealer.1257472
Sophos Mal/Generic-S
F-Secure Trojan.TR/PSW.Agent.uwaig
VIPRE Gen:Variant.Zusy.477261
TrendMicro TROJ_GEN.R002C0DL723
Emsisoft Gen:Variant.Zusy.477261 (B)
Ikarus Trojan-PSW.Agent
Webroot W32.Trojan.Gen
Varist W64/ABRisk.GWXI-0554
Avira TR/PSW.Agent.uwaig
Antiy-AVL Trojan/Win64.Amadey
Kingsoft Win32.Troj.Unknown.a
Microsoft Trojan:Win64/Amadey.RDL!MTB
Gridinsoft Trojan.Win64.Agent.ns
Xcitium Malware@#2wrdlca76s6ty
Arcabit Trojan.Zusy.D7484D
ViRobot Trojan.Win.Z.Zusy.1257472.AB
ZoneAlarm Trojan.Win32.Nymaim.ccba
GData Gen:Variant.Zusy.477261
Google Detected
AhnLab-V3 Trojan/Win.Generic.C5288456
ALYac Gen:Variant.Zusy.477261
MAX malware (ai score=83)
Cylance unsafe
Panda Trj/GdSda.A
TrendMicro-HouseCall TROJ_GEN.R002C0DL723
Rising Stealer.Agent!8.C2 (TFE:5:PmswK9jgQcH)
Fortinet W64/Agent.CW!tr.pws
AVG Win64:PWSX-gen [Trj]
DeepInstinct MALICIOUS