Summary | ZeroBOX

cred.dll

Generic Malware, Malicious Library, UPX, PE File, DLL, OS Processor Check, PE32
Category FILE
Machine s1_win7_x6401
Started March 3, 2025, 6:39 p.m.
Completed March 3, 2025, 6:44 p.m.
Size 1.0MB
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 fc52003eaa47548631ca1626dcb0ccdd
SHA256 7903ec9b85af53925ad71d67040d7eff54e30c998c958f99745a9c5068b91101
CRC32 F520107B
ssdeep 24576:cf5xDRatdGrtrQHB8/cWmGwDMlH2UaX1AIENFoeesKPnXzlnB4BtD:cf5xVa0GHbGdeD/zJotD
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsDLL - (no description)
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
file C:\Program Files\Mozilla Firefox\firefox.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
Save+0x8f320 Main-0x1e810 cred+0x93900 @ 0x73643900
Save+0x8fb52 Main-0x1dfde cred+0x94132 @ 0x73644132
Save+0xad4b1 Main-0x67f cred+0xb1a91 @ 0x73661a91
Main+0x60 cred+0xb2170 @ 0x73662170
rundll32+0x137d @ 0x78137d
rundll32+0x1326 @ 0x781326
rundll32+0x1901 @ 0x781901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8a 06 88 07 46 47 49 75 f7 8d a4 24 00 00 00 00
exception.instruction: mov al, byte ptr [esi]
exception.exception_code: 0xc0000005
exception.symbol: Main+0x104bd cred+0xc25cd
exception.address: 0x736725cd
registers.esp: 2421684
registers.edi: 0
registers.eax: 1
registers.ebp: 2421724
registers.edx: 1
registers.ebx: 0
registers.esi: 0
registers.ecx: 1
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73697000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x764b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75d41000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75e61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76161000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c11000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73540000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73451000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x733c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73384000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73452000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73bf1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73697000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x764b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75d41000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75e61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76161000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c11000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73540000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73451000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x733c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73384000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73452000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73bf1000
process_handle: 0xffffffff
1 0 0
Lionic Trojan.Win32.Amadey.4!c
Cynet Malicious (score: 100)
CTX dll.trojan.amadey
ALYac Gen:Variant.Lazy.492566
Cylance Unsafe
VIPRE Gen:Variant.Lazy.492566
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
K7GW Trojan-Downloader ( 005a0ec91 )
K7AntiVirus Trojan-Downloader ( 005a0ec91 )
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
APEX Malicious
Paloalto generic.ml
ClamAV Win.Keylogger.Zusy-10017136-0
Alibaba TrojanDownloader:Win32/Amadey.b69a8f39
MicroWorld-eScan Gen:Variant.Lazy.492566
Emsisoft Gen:Variant.Lazy.492566 (B)
F-Secure Heuristic.HEUR/AGEN.1374093
TrendMicro TROJ_GEN.R002C0DC125
McAfeeD ti!7903EC9B85AF
Sophos Troj/Steal-DCI
Avira HEUR/AGEN.1374093
Antiy-AVL Trojan[Spy]/Win32.Stealer
Kingsoft Win32.Troj.Unknown.a
Gridinsoft Trojan.Win32.Downloader.sa
Arcabit Trojan.Lazy.D78416
ViRobot Trojan.Win.Z.Lazy.1087488.E
Microsoft Trojan:Win32/Amadey.SGJP!MTB
Google Detected
AhnLab-V3 Trojan/Win.Generic.C5684584
Malwarebytes Spyware.PasswordStealer.AMD
Ikarus Trojan-PSW.Agent
TrendMicro-HouseCall TROJ_GEN.R002C0DC125
Tencent Win32.Trojan.Agen.Rqil
Fortinet W32/Amadey.G!tr.dldr
alibabacloud Software:Win/Amadey.G