cred.dll

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 19, 2021, 2:57 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 19, 2021, 2:57 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, POST method with no useragent header, Connection to IP address

suspicious_request

POST http://185.215.113.54//gf4EdsW/index.php

Performs some HTTP requests (1 event)

request

POST http://185.215.113.54//gf4EdsW/index.php

Sends data using the HTTP POST Method (1 event)

request

POST http://185.215.113.54//gf4EdsW/index.php

Allocates read-write-execute memory (usually to unpack itself) (14 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 19, 2021, 2:57 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76891000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 19, 2021, 2:57 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x765b1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 19, 2021, 2:57 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d30000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 19, 2021, 2:57 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73771000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 19, 2021, 2:57 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c91000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 19, 2021, 2:57 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b94000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 19, 2021, 2:57 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 19, 2021, 2:57 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c71000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 19, 2021, 2:57 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c61000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 19, 2021, 2:57 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732d1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 19, 2021, 2:57 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b11000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 19, 2021, 2:57 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 19, 2021, 2:57 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ac1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 19, 2021, 2:57 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ab1000 process_handle: 0xffffffff	1	0	0

Yara rule detected in process memory (43 events)

description	Code injection with CreateRemoteThread in a remote process				rule	inject_thread
description	Create a windows service				rule	create_service
description	Create a COM server				rule	create_com_service
description	Communications over UDP network				rule	network_udp_sock
description	Listen for incoming communication				rule	network_tcp_listen
description	Communications over P2P network				rule	network_p2p_win
description	Communications over HTTP				rule	network_http
description	File downloader/dropper				rule	network_dropper
description	Communications over FTP				rule	network_ftp
description	Communications over RAW socket				rule	network_tcp_socket
description	Communications use DNS				rule	network_dns
description	Communication using dga				rule	network_dga
description	Escalade priviledges				rule	escalate_priv
description	Take screenshot				rule	screenshot
description	Run a keylogger				rule	keylogger
description	Steal credential				rule	cred_local
description	Record Audio				rule	sniff_audio
description	APC queue tasks migration				rule	migrate_apc
description	Malware can spread east-west file				rule	spreading_file
description	Malware can spread east-west using share drive				rule	spreading_share
description	Create or check mutex				rule	win_mutex
description	Affect system registries				rule	win_registry
description	Affect system token				rule	win_token
description	Affect private profile				rule	win_private_profile
description	Affect private profile				rule	win_files_operation
description	Match Winsock 2 API library declaration				rule	Str_Win32_Winsock2_Library
description	Match Windows Inet API library declaration				rule	Str_Win32_Wininet_Library
description	Match Windows Inet API call				rule	Str_Win32_Internet_API
description	Match Windows Http API call				rule	Str_Win32_Http_API
description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerCheck__RemoteAPI
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	DebuggerException__ConsoleCtrl
description	(no description)				rule	DebuggerException__SetConsoleCtrl
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	(no description)				rule	Check_Dlls
description	Checks if being debugged				rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert				rule	antisb_threatExpert
description	Bypass DEP				rule	disable_dep
description	Affect hook table				rule	win_hook

Communicates with host for which no DNS query was performed (1 event)

host	185.215.113.54

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
registry	HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions

Harvests information related to installed instant messenger clients (1 event)

file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml

Harvests credentials from local email clients (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	DeepScan:Generic.Malware.FPf.2B859687
FireEye	Generic.mg.808900cf5256e33b
McAfee	GenericRXAA-AA!808900CF5256
Cylance	Unsafe
Sangfor	Trojan.Win32.CryptInject.SBR
CrowdStrike	win/malicious_confidence_80% (W)
Alibaba	TrojanPSW:Win32/CryptInject.011647b5
K7GW	Password-Stealer ( 0055f59a1 )
K7AntiVirus	Password-Stealer ( 0055f59a1 )
Arcabit	DeepScan:Generic.Malware.FPf.2B859687
Cyren	W32/Trojan.CEBC-2962
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
ClamAV	Win.Malware.Zusy-9753108-0
Kaspersky	HEUR:Trojan-PSW.Win32.Decred.a
BitDefender	DeepScan:Generic.Malware.FPf.2B859687
NANO-Antivirus	Trojan.Win32.Decred.ibdkzx
Paloalto	generic.ml
Tencent	Malware.Win32.Gencirc.11bad9dd
Ad-Aware	DeepScan:Generic.Malware.FPf.2B859687
Sophos	Mal/Generic-S
DrWeb	Trojan.PWS.Stealer.29625
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TrojanSpy.Win32.AMADEY.SMYAAA-A
McAfee-GW-Edition	BehavesLike.Win32.Worm.ch
Emsisoft	Trojan-PSW.Delf (A)
ESET-NOD32	a variant of Win32/PSW.Delf.OTR
Avira	HEUR/AGEN.1137247
Microsoft	Trojan:Win32/CryptInject.SBR!MSR
ViRobot	Trojan.Win32.Z.Delf.127488.AI
GData	DeepScan:Generic.Malware.FPf.2B859687
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Delf.C4208366
ALYac	DeepScan:Generic.Malware.FPf.2B859687
MAX	malware (ai score=82)
VBA32	TScope.Trojan.Delf
Malwarebytes	Spyware.PasswordStealer
TrendMicro-HouseCall	TrojanSpy.Win32.AMADEY.SMYAAA-A
Rising	Stealer.Agent!1.C48C (CLOUD)
Ikarus	Trojan-PSW.Delf
eGambit	Unsafe.AI_Score_93%
Fortinet	W32/Delf.QYF!tr.spy
MaxSecure	Trojan.Malware.74794127.susgen
AVG	Win32:PWSX-gen [Trj]
Panda	Trj/GdSda.A
Qihoo-360	Win32/Trojan.CryptInject.HgkASQgA