Report - cred.dll

PWS Loki[b] Loki[m] PE File DLL PE32
ScreenShot
Created 2021.07.04 11:05 Machine s1_win7_x6402
Filename cred.dll
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
AI Score
7
Behavior Score
5.8
ZERO API file : clean
VT API (file) 54 detected (HearaBenRAP, malicious, high confidence, score, DeepScan, PasswordStealer, Decred, confidence, 100%, TrojanPSW, CryptInject, Eldorado, Attribute, HighConfidence, Delf, Zusy, iabzce, PWSX, CLASSIC, AGEN, AMADEY, SMYAAA, GenericRXMS, R + Troj, ASMalwS, PSWTroj, kcloud, ai score=87, TScope, Unsafe, Gencirc, Static AI, Suspicious PE, susgen, GdSda, HgkASXYA)
md5 41b6d9d1610bfd9497db3091dfc84b88
sha256 fa07c8de6db23c1be2ee8da97c5621f7fc006469f84e2835195fc943de43d544
ssdeep 3072:WeZmogDk+yTMLObNlEB+VSdQgXHOPz2XPLekO9:WeZkg9ThNlIWzk
imphash a02ab1a937fc1433a9abad7bc2badee6
impfuzzy 96:8cfpHYo3O5c/4A4RS8psUtq+yPomaDwPOQI:P31AIPom3POQI
  Network IP location

Signature (12cnts)

Level Description
danger File has been identified by 54 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client softwares
watch Harvests information related to installed instant messenger clients
notice Allocates read-write-execute memory (usually to unpack itself)
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (4cnts)

Level Name Description Collection
danger Win32_PWS_Loki_Zero Win32 PWS Loki binaries (upload)
info IsDLL (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (2cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://185.215.113.55//t5BnOoke2/index.php Unknown 185.215.113.55 clean
185.215.113.55 Unknown 185.215.113.55 clean

Suricata ids

PE API

IAT(Import Address Table) Library

kernel32.dll
 0x41e104 DeleteCriticalSection
 0x41e108 LeaveCriticalSection
 0x41e10c EnterCriticalSection
 0x41e110 InitializeCriticalSection
 0x41e114 VirtualFree
 0x41e118 VirtualAlloc
 0x41e11c LocalFree
 0x41e120 LocalAlloc
 0x41e124 GetVersion
 0x41e128 GetCurrentThreadId
 0x41e12c InterlockedDecrement
 0x41e130 InterlockedIncrement
 0x41e134 VirtualQuery
 0x41e138 WideCharToMultiByte
 0x41e13c MultiByteToWideChar
 0x41e140 lstrlenA
 0x41e144 lstrcpynA
 0x41e148 LoadLibraryExA
 0x41e14c GetThreadLocale
 0x41e150 GetStartupInfoA
 0x41e154 GetProcAddress
 0x41e158 GetModuleHandleA
 0x41e15c GetModuleFileNameA
 0x41e160 GetLocaleInfoA
 0x41e164 GetLastError
 0x41e168 GetCommandLineA
 0x41e16c FreeLibrary
 0x41e170 FindFirstFileA
 0x41e174 FindClose
 0x41e178 ExitProcess
 0x41e17c WriteFile
 0x41e180 UnhandledExceptionFilter
 0x41e184 SetFilePointer
 0x41e188 SetEndOfFile
 0x41e18c RtlUnwind
 0x41e190 ReadFile
 0x41e194 RaiseException
 0x41e198 GetStdHandle
 0x41e19c GetFileSize
 0x41e1a0 GetFileType
 0x41e1a4 CreateFileA
 0x41e1a8 CloseHandle
user32.dll
 0x41e1b0 GetKeyboardType
 0x41e1b4 LoadStringA
 0x41e1b8 MessageBoxA
 0x41e1bc CharNextA
advapi32.dll
 0x41e1c4 RegQueryValueExA
 0x41e1c8 RegOpenKeyExA
 0x41e1cc RegCloseKey
oleaut32.dll
 0x41e1d4 SysFreeString
 0x41e1d8 SysReAllocStringLen
 0x41e1dc SysAllocStringLen
kernel32.dll
 0x41e1e4 TlsSetValue
 0x41e1e8 TlsGetValue
 0x41e1ec TlsFree
 0x41e1f0 TlsAlloc
 0x41e1f4 LocalFree
 0x41e1f8 LocalAlloc
advapi32.dll
 0x41e200 RegQueryValueExA
 0x41e204 RegQueryInfoKeyA
 0x41e208 RegOpenKeyExA
 0x41e20c RegOpenKeyA
 0x41e210 RegFlushKey
 0x41e214 RegEnumValueA
 0x41e218 RegEnumKeyA
 0x41e21c RegEnumKeyExA
 0x41e220 RegCreateKeyExA
 0x41e224 RegCloseKey
 0x41e228 OpenThreadToken
 0x41e22c OpenProcessToken
 0x41e230 IsValidSid
 0x41e234 GetTokenInformation
 0x41e238 GetSidSubAuthorityCount
 0x41e23c GetSidSubAuthority
 0x41e240 GetSidIdentifierAuthority
kernel32.dll
 0x41e248 WriteFile
 0x41e24c WideCharToMultiByte
 0x41e250 WaitForSingleObject
 0x41e254 VirtualQuery
 0x41e258 SetLastError
 0x41e25c SetFilePointer
 0x41e260 SetEvent
 0x41e264 SetEndOfFile
 0x41e268 ResetEvent
 0x41e26c ReadFile
 0x41e270 OpenProcess
 0x41e274 LocalFree
 0x41e278 LoadLibraryA
 0x41e27c LeaveCriticalSection
 0x41e280 InitializeCriticalSection
 0x41e284 HeapFree
 0x41e288 HeapAlloc
 0x41e28c GetVersionExA
 0x41e290 GetThreadLocale
 0x41e294 GetStringTypeExA
 0x41e298 GetStdHandle
 0x41e29c GetProcessHeap
 0x41e2a0 GetProcAddress
 0x41e2a4 GetModuleHandleA
 0x41e2a8 GetModuleFileNameA
 0x41e2ac GetLocaleInfoA
 0x41e2b0 GetLocalTime
 0x41e2b4 GetLastError
 0x41e2b8 GetFullPathNameA
 0x41e2bc GetDiskFreeSpaceA
 0x41e2c0 GetDateFormatA
 0x41e2c4 GetCurrentThreadId
 0x41e2c8 GetCurrentThread
 0x41e2cc GetCurrentProcess
 0x41e2d0 GetCPInfo
 0x41e2d4 GetACP
 0x41e2d8 FormatMessageA
 0x41e2dc FindFirstFileA
 0x41e2e0 FindClose
 0x41e2e4 FileTimeToLocalFileTime
 0x41e2e8 FileTimeToDosDateTime
 0x41e2ec EnumCalendarInfoA
 0x41e2f0 EnterCriticalSection
 0x41e2f4 DeleteCriticalSection
 0x41e2f8 CreateMutexA
 0x41e2fc CreateFileA
 0x41e300 CreateEventA
 0x41e304 CompareStringA
 0x41e308 CloseHandle
user32.dll
 0x41e310 MessageBoxA
 0x41e314 LoadStringA
 0x41e318 GetSystemMetrics
 0x41e31c CharNextA
 0x41e320 CharUpperBuffA
 0x41e324 CharToOemA
kernel32.dll
 0x41e32c Sleep
wsock32.dll
 0x41e334 WSACleanup
 0x41e338 WSAStartup
 0x41e33c gethostname
 0x41e340 gethostbyname
 0x41e344 socket
 0x41e348 send
 0x41e34c recv
 0x41e350 inet_ntoa
 0x41e354 htons
 0x41e358 connect
 0x41e35c closesocket
oleaut32.dll
 0x41e364 SafeArrayPtrOfIndex
 0x41e368 SafeArrayGetUBound
 0x41e36c SafeArrayGetLBound
 0x41e370 SafeArrayCreate
 0x41e374 VariantChangeType
 0x41e378 VariantCopy
 0x41e37c VariantClear
 0x41e380 VariantInit
crypt32.dll
 0x41e388 CryptUnprotectData

EAT(Export Address Table) Library

0x41a1b4 Main


Similarity measure (PE file only) - Checking for service failure