Field | Value |
---|---|
Created | 2023.01.27 10:15 |
Machine | s1_win7_x6401 |
Filename | cred.dll |
Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 38 detected (Zusy, Unsafe, Save, ZedlaF, 1u4@aGov3cgi, Attribute, HighConfidence, malicious, high confidence, score, juilzu, PWSX, Gencirc, S + Troj, Steal, Amadey, Detected, Artemis, ai score=84, PasswordStealer, U9P1qqwbTJD, jIftDANpk2E, GdSda) |
md5 | e2ee20e2f0a8853cae1772d095543799 |
sha256 | 18f33da5db9ab9b2339158aaef6663ff97fa2994395211cf23626ffa7c1db9ae |
ssdeep | 24576:fMxb+U4AFWNkTbWgp6d461tnfpgOH+Rwj5u:fYtaNbhZ+aj5u |
imphash | bb5ecce76cda9939b2d9969f610cfd03 |
impfuzzy | 96:YtpvZtu7Ze6BF1V5g4uI6xQpNtB2Jk9vFs0Dk:Yhtu7Z3F559hDk |
Signatures (14 counts)
Level | Description |
---|---|
danger | File has been identified by 38 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local FTP client software |
watch | Harvests information related to installed instant messenger clients |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
info | Checks if process is being debugged by a debugger |
info | This executable has a PDB path |
info | Tries to locate where the browsers are installed |
Rules (7 counts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Ave_Maria_Zero | Remote Access Trojan that is also called WARZONE RAT | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsDLL | (no description) | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) Library
CRYPT32.dll
0x100b8024 CryptUnprotectData
KERNEL32.dll
0x100b802c OutputDebugStringA
0x100b8030 LockFile
0x100b8034 LeaveCriticalSection
0x100b8038 InitializeCriticalSection
0x100b803c SetFilePointer
0x100b8040 GetFullPathNameA
0x100b8044 SetEndOfFile
0x100b8048 UnlockFileEx
0x100b804c GetTempPathW
0x100b8050 CreateMutexW
0x100b8054 WaitForSingleObject
0x100b8058 CreateFileW
0x100b805c GetFileAttributesW
0x100b8060 GetCurrentThreadId
0x100b8064 UnmapViewOfFile
0x100b8068 HeapValidate
0x100b806c HeapSize
0x100b8070 MultiByteToWideChar
0x100b8074 Sleep
0x100b8078 GetTempPathA
0x100b807c FormatMessageW
0x100b8080 GetDiskFreeSpaceA
0x100b8084 GetLastError
0x100b8088 GetFileAttributesA
0x100b808c GetFileAttributesExW
0x100b8090 OutputDebugStringW
0x100b8094 CreateFileA
0x100b8098 LoadLibraryA
0x100b809c WaitForSingleObjectEx
0x100b80a0 DeleteFileA
0x100b80a4 DeleteFileW
0x100b80a8 HeapReAlloc
0x100b80ac CloseHandle
0x100b80b0 GetSystemInfo
0x100b80b4 LoadLibraryW
0x100b80b8 HeapAlloc
0x100b80bc HeapCompact
0x100b80c0 HeapDestroy
0x100b80c4 UnlockFile
0x100b80c8 GetProcAddress
0x100b80cc CreateFileMappingA
0x100b80d0 LocalFree
0x100b80d4 LockFileEx
0x100b80d8 GetFileSize
0x100b80dc DeleteCriticalSection
0x100b80e0 GetCurrentProcessId
0x100b80e4 GetProcessHeap
0x100b80e8 SystemTimeToFileTime
0x100b80ec FreeLibrary
0x100b80f0 WideCharToMultiByte
0x100b80f4 GetSystemTimeAsFileTime
0x100b80f8 GetSystemTime
0x100b80fc FormatMessageA
0x100b8100 CreateFileMappingW
0x100b8104 MapViewOfFile
0x100b8108 QueryPerformanceCounter
0x100b810c GetTickCount
0x100b8110 FlushFileBuffers
0x100b8114 SetHandleInformation
0x100b8118 FindFirstFileA
0x100b811c Wow64DisableWow64FsRedirection
0x100b8120 K32GetModuleFileNameExW
0x100b8124 FindNextFileA
0x100b8128 CreatePipe
0x100b812c PeekNamedPipe
0x100b8130 lstrlenA
0x100b8134 FindClose
0x100b8138 GetCurrentDirectoryA
0x100b813c lstrcatA
0x100b8140 OpenProcess
0x100b8144 SetCurrentDirectoryA
0x100b8148 CreateToolhelp32Snapshot
0x100b814c ProcessIdToSessionId
0x100b8150 CopyFileA
0x100b8154 Wow64RevertWow64FsRedirection
0x100b8158 Process32NextW
0x100b815c Process32FirstW
0x100b8160 CreateThread
0x100b8164 CreateProcessA
0x100b8168 CreateDirectoryA
0x100b816c ReadConsoleW
0x100b8170 WriteFile
0x100b8174 GetFullPathNameW
0x100b8178 EnterCriticalSection
0x100b817c HeapFree
0x100b8180 HeapCreate
0x100b8184 TryEnterCriticalSection
0x100b8188 ReadFile
0x100b818c AreFileApisANSI
0x100b8190 GetDiskFreeSpaceW
0x100b8194 SetFilePointerEx
0x100b8198 GetConsoleMode
0x100b819c GetConsoleCP
0x100b81a0 SetEnvironmentVariableW
0x100b81a4 FreeEnvironmentStringsW
0x100b81a8 GetEnvironmentStringsW
0x100b81ac GetCommandLineW
0x100b81b0 GetCommandLineA
0x100b81b4 GetOEMCP
0x100b81b8 GetACP
0x100b81bc IsValidCodePage
0x100b81c0 FindNextFileW
0x100b81c4 FindFirstFileExW
0x100b81c8 SetStdHandle
0x100b81cc GetCurrentDirectoryW
0x100b81d0 GetStdHandle
0x100b81d4 GetTimeZoneInformation
0x100b81d8 IsProcessorFeaturePresent
0x100b81dc IsDebuggerPresent
0x100b81e0 UnhandledExceptionFilter
0x100b81e4 SetUnhandledExceptionFilter
0x100b81e8 GetStartupInfoW
0x100b81ec GetModuleHandleW
0x100b81f0 InitializeSListHead
0x100b81f4 GetCurrentProcess
0x100b81f8 TerminateProcess
0x100b81fc SetLastError
0x100b8200 InitializeCriticalSectionAndSpinCount
0x100b8204 SwitchToThread
0x100b8208 TlsAlloc
0x100b820c TlsGetValue
0x100b8210 TlsSetValue
0x100b8214 TlsFree
0x100b8218 EncodePointer
0x100b821c DecodePointer
0x100b8220 GetCPInfo
0x100b8224 CompareStringW
0x100b8228 LCMapStringW
0x100b822c GetLocaleInfoW
0x100b8230 GetStringTypeW
0x100b8234 RaiseException
0x100b8238 InterlockedFlushSList
0x100b823c RtlUnwind
0x100b8240 LoadLibraryExW
0x100b8244 ExitThread
0x100b8248 FreeLibraryAndExitThread
0x100b824c GetModuleHandleExW
0x100b8250 GetDriveTypeW
0x100b8254 GetFileInformationByHandle
0x100b8258 GetFileType
0x100b825c SystemTimeToTzSpecificLocalTime
0x100b8260 FileTimeToSystemTime
0x100b8264 ExitProcess
0x100b8268 GetModuleFileNameW
0x100b826c IsValidLocale
0x100b8270 GetUserDefaultLCID
0x100b8274 EnumSystemLocalesW
0x100b8278 WriteConsoleW
ADVAPI32.dll
0x100b8000 GetUserNameW
0x100b8004 RegEnumValueW
0x100b8008 RegCloseKey
0x100b800c RegQueryInfoKeyW
0x100b8010 RegQueryValueExA
0x100b8014 RegOpenKeyExA
0x100b8018 ConvertSidToStringSidW
0x100b801c LookupAccountNameW
SHELL32.dll
0x100b8280 SHFileOperationA
0x100b8284 SHGetFolderPathA
WININET.dll
0x100b828c HttpOpenRequestA
0x100b8290 InternetReadFile
0x100b8294 InternetConnectA
0x100b8298 HttpSendRequestA
0x100b829c InternetCloseHandle
0x100b82a0 InternetOpenA
0x100b82a4 HttpAddRequestHeadersA
0x100b82a8 HttpSendRequestExW
0x100b82ac HttpEndRequestA
0x100b82b0 InternetOpenW
0x100b82b4 InternetWriteFile
crypt.dll
0x100b82bc BCryptOpenAlgorithmProvider
0x100b82c0 BCryptSetProperty
0x100b82c4 BCryptGenerateSymmetricKey
0x100b82c8 BCryptDecrypt
EAT (Export Address Table) Library
0x10093780 Main
0x10003700 Save