Field | Value
---|---|
Created | 2022.12.10 15:08
Machine | s1_win7_x6403
Filename | cred64.dll
Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
AI Score |
Behavior Score |
ZERO API | file : malware
VT API (file) | 14 detected (AIDetect, malware2, Unsafe, ZedlaF, @N5@auS@bnc, malicious, high confidence, Delf, Bingoml, hodg, Generic@AI, RDML, SdemjUJ+fCrlqM02Vc7s7w, high, score, FileRepMalware, Misc)
md5 | 2b62e02b3581980ee5a1dda42fa4f3fe
sha256 | 8c46c2af1cb25bfa8fbbf9d683d72d30ddb2e5d0ecc6bba997b24714cf2b8c91
ssdeep | 196608:ZQoqS56OZEssxxpKIIue41Cf7sgZz6kmAZQ/9RWB0:dMOevKiB1CfQgplmz/9a0
imphash | b7591dfa4fbbd161e8564f9dd58a4133
impfuzzy | 12:f+pZ1ndYq1EBwDsH17PgAw8sZGMZGqAJcDW:f+pZ1Oq1mw403dNDW
Network IP location
Signatures (15 counts)
Level | Description |
---|---|
watch | Communicates with host for which no DNS query was performed |
watch | File has been identified by 14 AntiVirus engines on VirusTotal as malicious |
watch | Harvests credentials from local email clients |
watch | Harvests credentials from local FTP client software |
watch | Harvests information related to installed instant messenger clients |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Sends data using the HTTP POST Method |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (4 counts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | IsDLL | (no description) | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API

IAT (Import Address Table)

Library | Address | Function
---|---|---|
kernel32.dll | 0x860000 | GetVersion
user32.dll | 0x860008 | GetKeyboardType
advapi32.dll | 0x860010 | RegQueryValueExA
oleaut32.dll | 0x860018 | SysFreeString
kernel32.dll | 0x860020 | TlsSetValue
advapi32.dll | 0x860028 | RegQueryValueExA
kernel32.dll | 0x860030 | GetVersionExA
user32.dll | 0x860038 | MessageBoxA
kernel32.dll | 0x860040 | Sleep
wsock32.dll | 0x860048 | WSACleanup
oleaut32.dll | 0x860050 | SafeArrayPtrOfIndex
crypt32.dll | 0x860058 | CryptUnprotectData
kernel32.dll | 0x860060 | GetSystemTimeAsFileTime
user32.dll | 0x860068 | CharUpperBuffW
kernel32.dll | 0x860070 | LocalAlloc
kernel32.dll | 0x860074 | LocalFree
kernel32.dll | 0x860078 | GetModuleFileNameW
kernel32.dll | 0x86007c | ExitProcess
kernel32.dll | 0x860080 | LoadLibraryA
kernel32.dll | 0x860084 | GetModuleHandleA
kernel32.dll | 0x860088 | GetProcAddress

EAT (Export Address Table)

Address | Export
---|---|
0x41a3dc | Main
0x41a898 | Save