Field | Value |
---|---|
Created | 2021.07.04 11:05 |
Machine | s1_win7_x6402 |
Filename | cred.dll |
Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 54 detected (HearaBenRAP, malicious, high confidence, score, DeepScan, PasswordStealer, Decred, confidence, 100%, TrojanPSW, CryptInject, Eldorado, Attribute, HighConfidence, Delf, Zusy, iabzce, PWSX, CLASSIC, AGEN, AMADEY, SMYAAA, GenericRXMS, R + Troj, ASMalwS, PSWTroj, kcloud, ai score=87, TScope, Unsafe, Gencirc, Static AI, Suspicious PE, susgen, GdSda, HgkASXYA) |
md5 | 41b6d9d1610bfd9497db3091dfc84b88 |
sha256 | fa07c8de6db23c1be2ee8da97c5621f7fc006469f84e2835195fc943de43d544 |
ssdeep | 3072:WeZmogDk+yTMLObNlEB+VSdQgXHOPz2XPLekO9:WeZkg9ThNlIWzk |
imphash | a02ab1a937fc1433a9abad7bc2badee6 |
impfuzzy | 96:8cfpHYo3O5c/4A4RS8psUtq+yPomaDwPOQI:P31AIPom3POQI |
Signatures (12)
Level | Description |
---|---|
danger | File has been identified by 54 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local email clients |
watch | Harvests credentials from local FTP client software |
watch | Harvests information related to installed instant messenger clients |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Sends data using the HTTP POST Method |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
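The "Communicates with host for which no DNS query was performed" signature above is a behavioural check, not a static one: the sandbox pairs every outbound connection with the DNS answers it observed and flags destinations that were never resolved, which is what a hard-coded C2 address looks like. The script below is an added example (not code from this report or from the sandbox vendor) that re-implements that correlation over constructed DNS and connection records; the log layout, the process name and all addresses are assumptions made for the demonstration.

```python
"""Detect connections to hosts that were never resolved through DNS.

Added example, not code from the sandbox report. It re-implements the idea
behind the report's 'Communicates with host for which no DNS query was
performed' signature over constructed DNS and connection records: a process
that reaches an external IP without a preceding DNS answer for that IP is
usually using a hard-coded address.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample telemetry (not taken from the report). Addresses are
# from the RFC 5737 documentation ranges; times are ISO 8601, UTC.
DNS_LOG = [
    # (timestamp, queried name, answered IPv4)
    ("2021-07-04T11:05:01", "update.example.net", "203.0.113.10"),
    ("2021-07-04T11:05:02", "cdn.example.org", "198.51.100.7"),
]
CONN_LOG = [
    # (timestamp, pid, image, destination ip, destination port)
    ("2021-07-04T11:05:03", 1337, "rundll32.exe", "203.0.113.10", 443),  # resolved above
    ("2021-07-04T11:05:04", 1337, "rundll32.exe", "192.0.2.55", 80),     # never resolved
    ("2021-07-04T11:05:05", 1337, "rundll32.exe", "10.0.0.5", 445),      # internal, ignored
    ("2021-07-04T11:05:06", 1337, "rundll32.exe", "198.51.100.7", 80),   # resolved above
]

# RFC 1918, loopback and link-local. ipaddress.is_private is deliberately not
# used: it also classifies the RFC 5737 documentation ranges as private, which
# would hide the sample's 'external' destinations.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def dns_less_connections(dns_log, conn_log, window=timedelta(minutes=5)):
    """Return connections whose destination had no DNS answer in the preceding window."""
    answered_at = {}  # ip -> list of answer timestamps
    for ts, _name, ip in dns_log:
        answered_at.setdefault(ip, []).append(datetime.fromisoformat(ts))

    hits = []
    for ts, pid, image, dst, port in conn_log:
        if is_internal(dst):
            continue
        t = datetime.fromisoformat(ts)
        resolved = any(t - window <= a <= t for a in answered_at.get(dst, []))
        if not resolved:
            hits.append({"ts": ts, "pid": pid, "image": image, "dst": dst, "port": port})
    return hits


if __name__ == "__main__":
    for h in dns_less_connections(DNS_LOG, CONN_LOG):
        print(f"{h['ts']} pid={h['pid']} {h['image']} -> {h['dst']}:{h['port']} "
              "without a prior DNS answer")
```

On real telemetry this rule produces false positives from answers cached before the capture started, hosts-file entries and encrypted DNS the sensor cannot see; the sandbox has the same blind spots, so treat the result as a hunting lead, consistent with the "watch" level the report assigns, rather than a conviction on its own.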
Rules (4)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_PWS_Loki_Zero | Win32 PWS Loki | binaries (upload) |
info | IsDLL | (no description) | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table)
kernel32.dll
0x41e104 DeleteCriticalSection
0x41e108 LeaveCriticalSection
0x41e10c EnterCriticalSection
0x41e110 InitializeCriticalSection
0x41e114 VirtualFree
0x41e118 VirtualAlloc
0x41e11c LocalFree
0x41e120 LocalAlloc
0x41e124 GetVersion
0x41e128 GetCurrentThreadId
0x41e12c InterlockedDecrement
0x41e130 InterlockedIncrement
0x41e134 VirtualQuery
0x41e138 WideCharToMultiByte
0x41e13c MultiByteToWideChar
0x41e140 lstrlenA
0x41e144 lstrcpynA
0x41e148 LoadLibraryExA
0x41e14c GetThreadLocale
0x41e150 GetStartupInfoA
0x41e154 GetProcAddress
0x41e158 GetModuleHandleA
0x41e15c GetModuleFileNameA
0x41e160 GetLocaleInfoA
0x41e164 GetLastError
0x41e168 GetCommandLineA
0x41e16c FreeLibrary
0x41e170 FindFirstFileA
0x41e174 FindClose
0x41e178 ExitProcess
0x41e17c WriteFile
0x41e180 UnhandledExceptionFilter
0x41e184 SetFilePointer
0x41e188 SetEndOfFile
0x41e18c RtlUnwind
0x41e190 ReadFile
0x41e194 RaiseException
0x41e198 GetStdHandle
0x41e19c GetFileSize
0x41e1a0 GetFileType
0x41e1a4 CreateFileA
0x41e1a8 CloseHandle
user32.dll
0x41e1b0 GetKeyboardType
0x41e1b4 LoadStringA
0x41e1b8 MessageBoxA
0x41e1bc CharNextA
advapi32.dll
0x41e1c4 RegQueryValueExA
0x41e1c8 RegOpenKeyExA
0x41e1cc RegCloseKey
oleaut32.dll
0x41e1d4 SysFreeString
0x41e1d8 SysReAllocStringLen
0x41e1dc SysAllocStringLen
kernel32.dll
0x41e1e4 TlsSetValue
0x41e1e8 TlsGetValue
0x41e1ec TlsFree
0x41e1f0 TlsAlloc
0x41e1f4 LocalFree
0x41e1f8 LocalAlloc
advapi32.dll
0x41e200 RegQueryValueExA
0x41e204 RegQueryInfoKeyA
0x41e208 RegOpenKeyExA
0x41e20c RegOpenKeyA
0x41e210 RegFlushKey
0x41e214 RegEnumValueA
0x41e218 RegEnumKeyA
0x41e21c RegEnumKeyExA
0x41e220 RegCreateKeyExA
0x41e224 RegCloseKey
0x41e228 OpenThreadToken
0x41e22c OpenProcessToken
0x41e230 IsValidSid
0x41e234 GetTokenInformation
0x41e238 GetSidSubAuthorityCount
0x41e23c GetSidSubAuthority
0x41e240 GetSidIdentifierAuthority
kernel32.dll
0x41e248 WriteFile
0x41e24c WideCharToMultiByte
0x41e250 WaitForSingleObject
0x41e254 VirtualQuery
0x41e258 SetLastError
0x41e25c SetFilePointer
0x41e260 SetEvent
0x41e264 SetEndOfFile
0x41e268 ResetEvent
0x41e26c ReadFile
0x41e270 OpenProcess
0x41e274 LocalFree
0x41e278 LoadLibraryA
0x41e27c LeaveCriticalSection
0x41e280 InitializeCriticalSection
0x41e284 HeapFree
0x41e288 HeapAlloc
0x41e28c GetVersionExA
0x41e290 GetThreadLocale
0x41e294 GetStringTypeExA
0x41e298 GetStdHandle
0x41e29c GetProcessHeap
0x41e2a0 GetProcAddress
0x41e2a4 GetModuleHandleA
0x41e2a8 GetModuleFileNameA
0x41e2ac GetLocaleInfoA
0x41e2b0 GetLocalTime
0x41e2b4 GetLastError
0x41e2b8 GetFullPathNameA
0x41e2bc GetDiskFreeSpaceA
0x41e2c0 GetDateFormatA
0x41e2c4 GetCurrentThreadId
0x41e2c8 GetCurrentThread
0x41e2cc GetCurrentProcess
0x41e2d0 GetCPInfo
0x41e2d4 GetACP
0x41e2d8 FormatMessageA
0x41e2dc FindFirstFileA
0x41e2e0 FindClose
0x41e2e4 FileTimeToLocalFileTime
0x41e2e8 FileTimeToDosDateTime
0x41e2ec EnumCalendarInfoA
0x41e2f0 EnterCriticalSection
0x41e2f4 DeleteCriticalSection
0x41e2f8 CreateMutexA
0x41e2fc CreateFileA
0x41e300 CreateEventA
0x41e304 CompareStringA
0x41e308 CloseHandle
user32.dll
0x41e310 MessageBoxA
0x41e314 LoadStringA
0x41e318 GetSystemMetrics
0x41e31c CharNextA
0x41e320 CharUpperBuffA
0x41e324 CharToOemA
kernel32.dll
0x41e32c Sleep
wsock32.dll
0x41e334 WSACleanup
0x41e338 WSAStartup
0x41e33c gethostname
0x41e340 gethostbyname
0x41e344 socket
0x41e348 send
0x41e34c recv
0x41e350 inet_ntoa
0x41e354 htons
0x41e358 connect
0x41e35c closesocket
oleaut32.dll
0x41e364 SafeArrayPtrOfIndex
0x41e368 SafeArrayGetUBound
0x41e36c SafeArrayGetLBound
0x41e370 SafeArrayCreate
0x41e374 VariantChangeType
0x41e378 VariantCopy
0x41e37c VariantClear
0x41e380 VariantInit
crypt32.dll
0x41e388 CryptUnprotectData
EAT (Export Address Table)
0x41a1b4 Main
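The import table above carries most of the static evidence behind the report's verdict: `crypt32.dll!CryptUnprotectData` (decrypting DPAPI-protected blobs such as stored mail and FTP client credentials), registry enumeration and token/SID inspection from `advapi32.dll`, and a self-contained `wsock32.dll` socket set for exfiltration, with a single exported `Main` as the DLL entry point. The script below is an added example, not code from this report or from any vendor tool: it parses a listing in the report's own format into ordered (DLL, function) pairs, buckets the imports into capability hints using a heuristic map that is this example's own choice, and computes the imphash with the same algorithm the pefile library uses (lower-cased `lib.func` pairs with the DLL extension stripped, joined by commas, MD5). The embedded listing is a trimmed transcription of the report's IAT, so its imphash will not equal the report's `a02ab1a937fc1433a9abad7bc2badee6`; the full import directory in its original order is needed to reproduce that value.

```python
"""Triage a PE import listing: capability hints plus an imphash.

Added example, not code from the sandbox report. The imphash follows the
pefile algorithm (lower-cased 'lib.func' pairs, DLL extension stripped,
comma-joined, MD5). The capability buckets are this example's own heuristic,
not the sandbox's rule set.
"""
import hashlib
import re

# Trimmed transcription of the report's IAT listing. Repeated DLL headers are
# kept as they appear because import order and duplicates feed the imphash.
IAT_TEXT = """
kernel32.dll
0x41e118 VirtualAlloc
0x41e154 GetProcAddress
0x41e178 ExitProcess
advapi32.dll
0x41e214 RegEnumValueA
0x41e21c RegEnumKeyExA
0x41e22c OpenProcessToken
0x41e234 GetTokenInformation
kernel32.dll
0x41e270 OpenProcess
0x41e2f8 CreateMutexA
wsock32.dll
0x41e338 WSAStartup
0x41e340 gethostbyname
0x41e344 socket
0x41e348 send
0x41e34c recv
0x41e358 connect
crypt32.dll
0x41e388 CryptUnprotectData
"""

# Heuristic capability buckets (assumed for this example): dll -> function names.
CAPABILITIES = {
    "dpapi_decrypt": {"crypt32.dll": {"cryptunprotectdata"}},
    "registry_enum": {"advapi32.dll": {"regenumvaluea", "regenumkeya",
                                       "regenumkeyexa", "regqueryvalueexa"}},
    "token_inspect": {"advapi32.dll": {"openprocesstoken", "openthreadtoken",
                                       "gettokeninformation"}},
    "raw_socket_c2": {"wsock32.dll": {"wsastartup", "socket", "connect",
                                      "send", "recv", "gethostbyname"}},
    "process_access": {"kernel32.dll": {"openprocess"}},
    "rwx_or_unpack": {"kernel32.dll": {"virtualalloc"}},
    "mutex_marker": {"kernel32.dll": {"createmutexa"}},
}


def parse_iat(text):
    """Turn a 'dll name / 0xADDR Function' listing into ordered (dll, func) pairs."""
    pairs, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"^0x[0-9a-fA-F]+\s+(\S+)$", line)
        if m:
            if current is None:
                raise ValueError(f"import before any DLL header: {line}")
            pairs.append((current, m.group(1)))
        else:
            current = line  # a bare line is the next DLL header
    return pairs


def imphash(pairs):
    """pefile-style imphash over ordered (dll, func) pairs (named imports only)."""
    parts = []
    for dll, func in pairs:
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if ext in ("dll", "ocx", "sys"):
            lib = base
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def capabilities(pairs):
    """Map imports to the heuristic buckets above; returns bucket -> sorted 'dll!func' hits."""
    seen = {(d.lower(), f.lower()) for d, f in pairs}
    found = {}
    for cap, needles in CAPABILITIES.items():
        hits = sorted(f"{d}!{f}" for d, funcs in needles.items()
                      for f in funcs if (d, f) in seen)
        if hits:
            found[cap] = hits
    return found


def verdict(caps):
    """Collapse the buckets into a one-line call of the kind the report's signatures make."""
    if {"dpapi_decrypt", "raw_socket_c2"} <= set(caps):
        return "credential-stealer pattern: DPAPI decryption plus self-contained socket code"
    if "raw_socket_c2" in caps:
        return "network-capable: raw winsock imports"
    return "no strong capability signal from imports alone"


if __name__ == "__main__":
    pairs = parse_iat(IAT_TEXT)
    print("imports:", len(pairs), "imphash:", imphash(pairs))
    for cap, hits in capabilities(pairs).items():
        print(f"  {cap:15s} {', '.join(hits)}")
    print(verdict(capabilities(pairs)))
```

Imports alone are a weak signal for a Delphi-style binary (the `Sys*String`, `Variant*` and `SafeArray*` imports are runtime library plumbing), which is why the buckets are reported as hints and the call is only made when DPAPI decryption and raw socket code appear together; the dynamic signatures in the report are what confirm that those capabilities were actually exercised.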