ScreenShot
Created | 2023.03.09 10:01 | Machine | s1_win7_x6403 |
Filename | cred64.dll | ||
Type | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | ||
AI Score |
|
Behavior Score |
|
ZERO API | file : malware | ||
VT API (file) | 47 detected (Convagent, malicious, high confidence, Mikey, Trojanpws, Artemis, Vdyf, TrojanPSW, confidence, 100%, Genus, Attribute, HighConfidence, Amadey, score, Zusy, TrojanX, Gencirc, Steal, fvghl, Sabsik, Detected, ai score=89, PasswordStealer, R002H0CC423, 8Idbp2vqW9I, susgen, Chgt) | ||
md5 | 7b4ebf09cf37a88ab510a9fc4657f15e | ||
sha256 | 1819b02e5de2331b27a7d8d58acb27d26fa35b85fc9ce6fcbb742705f712d3a2 | ||
ssdeep | 24576:iMq/RX0hoa8wrC+azFbtZhUYFauTZyRMX3:iioa8wrCHz3ZhUYRAE3 | ||
imphash | 7440c982ea49d693b3f3d5cb31294fdf | ||
impfuzzy | 96:YtpvZtu7Ze6BF1V5g4uP6xQhDtQ8Bg99tFMTk:Yhtu7Z3FIB+7yTk |
Network IP location
Signature (7cnts)
Level | Description |
---|---|
danger | File has been identified by 47 AntiVirus engines on VirusTotal as malicious |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | This executable has a PDB path |
info | Tries to locate where the browsers are installed |
Rules (7cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Ave_Maria_Zero | Remote Access Trojan that is also called WARZONE RAT | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsDLL | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
---|
Suricata ids
PE API
IAT(Import Address Table) Library
CRYPT32.dll
0x1800d3048 CryptUnprotectData
KERNEL32.dll
0x1800d3058 OutputDebugStringA
0x1800d3060 LockFile
0x1800d3068 LeaveCriticalSection
0x1800d3070 InitializeCriticalSection
0x1800d3078 SetFilePointer
0x1800d3080 GetFullPathNameA
0x1800d3088 SetEndOfFile
0x1800d3090 UnlockFileEx
0x1800d3098 GetTempPathW
0x1800d30a0 CreateMutexW
0x1800d30a8 WaitForSingleObject
0x1800d30b0 CreateFileW
0x1800d30b8 GetFileAttributesW
0x1800d30c0 GetCurrentThreadId
0x1800d30c8 UnmapViewOfFile
0x1800d30d0 HeapValidate
0x1800d30d8 HeapSize
0x1800d30e0 MultiByteToWideChar
0x1800d30e8 Sleep
0x1800d30f0 GetTempPathA
0x1800d30f8 FormatMessageW
0x1800d3100 GetDiskFreeSpaceA
0x1800d3108 GetLastError
0x1800d3110 GetFileAttributesA
0x1800d3118 GetFileAttributesExW
0x1800d3120 OutputDebugStringW
0x1800d3128 CreateFileA
0x1800d3130 LoadLibraryA
0x1800d3138 WaitForSingleObjectEx
0x1800d3140 DeleteFileA
0x1800d3148 DeleteFileW
0x1800d3150 HeapReAlloc
0x1800d3158 CloseHandle
0x1800d3160 GetSystemInfo
0x1800d3168 LoadLibraryW
0x1800d3170 HeapAlloc
0x1800d3178 HeapCompact
0x1800d3180 HeapDestroy
0x1800d3188 UnlockFile
0x1800d3190 GetProcAddress
0x1800d3198 CreateFileMappingA
0x1800d31a0 LocalFree
0x1800d31a8 LockFileEx
0x1800d31b0 GetFileSize
0x1800d31b8 DeleteCriticalSection
0x1800d31c0 GetCurrentProcessId
0x1800d31c8 GetProcessHeap
0x1800d31d0 SystemTimeToFileTime
0x1800d31d8 FreeLibrary
0x1800d31e0 WideCharToMultiByte
0x1800d31e8 GetSystemTimeAsFileTime
0x1800d31f0 GetSystemTime
0x1800d31f8 FormatMessageA
0x1800d3200 CreateFileMappingW
0x1800d3208 MapViewOfFile
0x1800d3210 QueryPerformanceCounter
0x1800d3218 GetTickCount
0x1800d3220 FlushFileBuffers
0x1800d3228 SetHandleInformation
0x1800d3230 FindFirstFileA
0x1800d3238 Wow64DisableWow64FsRedirection
0x1800d3240 K32GetModuleFileNameExW
0x1800d3248 FindNextFileA
0x1800d3250 CreatePipe
0x1800d3258 PeekNamedPipe
0x1800d3260 lstrlenA
0x1800d3268 FindClose
0x1800d3270 GetCurrentDirectoryA
0x1800d3278 lstrcatA
0x1800d3280 OpenProcess
0x1800d3288 SetCurrentDirectoryA
0x1800d3290 CreateToolhelp32Snapshot
0x1800d3298 ProcessIdToSessionId
0x1800d32a0 CopyFileA
0x1800d32a8 Wow64RevertWow64FsRedirection
0x1800d32b0 Process32NextW
0x1800d32b8 Process32FirstW
0x1800d32c0 CreateThread
0x1800d32c8 CreateProcessA
0x1800d32d0 CreateDirectoryA
0x1800d32d8 WriteConsoleW
0x1800d32e0 WriteFile
0x1800d32e8 GetFullPathNameW
0x1800d32f0 EnterCriticalSection
0x1800d32f8 HeapFree
0x1800d3300 HeapCreate
0x1800d3308 TryEnterCriticalSection
0x1800d3310 ReadFile
0x1800d3318 AreFileApisANSI
0x1800d3320 GetDiskFreeSpaceW
0x1800d3328 ReadConsoleW
0x1800d3330 SetFilePointerEx
0x1800d3338 GetConsoleMode
0x1800d3340 GetConsoleCP
0x1800d3348 SetEnvironmentVariableW
0x1800d3350 FreeEnvironmentStringsW
0x1800d3358 GetEnvironmentStringsW
0x1800d3360 GetCommandLineW
0x1800d3368 GetCommandLineA
0x1800d3370 GetOEMCP
0x1800d3378 GetACP
0x1800d3380 IsValidCodePage
0x1800d3388 FindNextFileW
0x1800d3390 FindFirstFileExW
0x1800d3398 SetStdHandle
0x1800d33a0 GetCurrentDirectoryW
0x1800d33a8 RtlCaptureContext
0x1800d33b0 RtlLookupFunctionEntry
0x1800d33b8 RtlVirtualUnwind
0x1800d33c0 IsDebuggerPresent
0x1800d33c8 UnhandledExceptionFilter
0x1800d33d0 SetUnhandledExceptionFilter
0x1800d33d8 GetStartupInfoW
0x1800d33e0 IsProcessorFeaturePresent
0x1800d33e8 GetModuleHandleW
0x1800d33f0 InitializeSListHead
0x1800d33f8 SetLastError
0x1800d3400 InitializeCriticalSectionAndSpinCount
0x1800d3408 SwitchToThread
0x1800d3410 TlsAlloc
0x1800d3418 TlsGetValue
0x1800d3420 TlsSetValue
0x1800d3428 TlsFree
0x1800d3430 EncodePointer
0x1800d3438 DecodePointer
0x1800d3440 GetCPInfo
0x1800d3448 CompareStringW
0x1800d3450 LCMapStringW
0x1800d3458 GetLocaleInfoW
0x1800d3460 GetStringTypeW
0x1800d3468 RtlUnwindEx
0x1800d3470 RtlPcToFileHeader
0x1800d3478 RaiseException
0x1800d3480 InterlockedFlushSList
0x1800d3488 LoadLibraryExW
0x1800d3490 ExitThread
0x1800d3498 FreeLibraryAndExitThread
0x1800d34a0 GetModuleHandleExW
0x1800d34a8 GetDriveTypeW
0x1800d34b0 GetFileInformationByHandle
0x1800d34b8 GetFileType
0x1800d34c0 SystemTimeToTzSpecificLocalTime
0x1800d34c8 FileTimeToSystemTime
0x1800d34d0 GetCurrentProcess
0x1800d34d8 TerminateProcess
0x1800d34e0 ExitProcess
0x1800d34e8 GetModuleFileNameW
0x1800d34f0 IsValidLocale
0x1800d34f8 GetUserDefaultLCID
0x1800d3500 EnumSystemLocalesW
0x1800d3508 GetTimeZoneInformation
0x1800d3510 GetStdHandle
ADVAPI32.dll
0x1800d3000 RegQueryValueExA
0x1800d3008 RegEnumValueW
0x1800d3010 RegCloseKey
0x1800d3018 RegQueryInfoKeyW
0x1800d3020 GetUserNameW
0x1800d3028 RegOpenKeyExA
0x1800d3030 ConvertSidToStringSidW
0x1800d3038 LookupAccountNameW
SHELL32.dll
0x1800d3520 SHGetFolderPathA
0x1800d3528 SHFileOperationA
WININET.dll
0x1800d3538 HttpOpenRequestA
0x1800d3540 InternetWriteFile
0x1800d3548 InternetReadFile
0x1800d3550 InternetConnectA
0x1800d3558 HttpSendRequestA
0x1800d3560 InternetCloseHandle
0x1800d3568 InternetOpenA
0x1800d3570 HttpAddRequestHeadersA
0x1800d3578 HttpSendRequestExW
0x1800d3580 HttpEndRequestA
0x1800d3588 InternetOpenW
crypt.dll
0x1800d3598 BCryptOpenAlgorithmProvider
0x1800d35a0 BCryptSetProperty
0x1800d35a8 BCryptGenerateSymmetricKey
0x1800d35b0 BCryptDecrypt
EAT(Export Address Table) Library
0x1800a6300 Main
0x180004440 Save
CRYPT32.dll
0x1800d3048 CryptUnprotectData
KERNEL32.dll
0x1800d3058 OutputDebugStringA
0x1800d3060 LockFile
0x1800d3068 LeaveCriticalSection
0x1800d3070 InitializeCriticalSection
0x1800d3078 SetFilePointer
0x1800d3080 GetFullPathNameA
0x1800d3088 SetEndOfFile
0x1800d3090 UnlockFileEx
0x1800d3098 GetTempPathW
0x1800d30a0 CreateMutexW
0x1800d30a8 WaitForSingleObject
0x1800d30b0 CreateFileW
0x1800d30b8 GetFileAttributesW
0x1800d30c0 GetCurrentThreadId
0x1800d30c8 UnmapViewOfFile
0x1800d30d0 HeapValidate
0x1800d30d8 HeapSize
0x1800d30e0 MultiByteToWideChar
0x1800d30e8 Sleep
0x1800d30f0 GetTempPathA
0x1800d30f8 FormatMessageW
0x1800d3100 GetDiskFreeSpaceA
0x1800d3108 GetLastError
0x1800d3110 GetFileAttributesA
0x1800d3118 GetFileAttributesExW
0x1800d3120 OutputDebugStringW
0x1800d3128 CreateFileA
0x1800d3130 LoadLibraryA
0x1800d3138 WaitForSingleObjectEx
0x1800d3140 DeleteFileA
0x1800d3148 DeleteFileW
0x1800d3150 HeapReAlloc
0x1800d3158 CloseHandle
0x1800d3160 GetSystemInfo
0x1800d3168 LoadLibraryW
0x1800d3170 HeapAlloc
0x1800d3178 HeapCompact
0x1800d3180 HeapDestroy
0x1800d3188 UnlockFile
0x1800d3190 GetProcAddress
0x1800d3198 CreateFileMappingA
0x1800d31a0 LocalFree
0x1800d31a8 LockFileEx
0x1800d31b0 GetFileSize
0x1800d31b8 DeleteCriticalSection
0x1800d31c0 GetCurrentProcessId
0x1800d31c8 GetProcessHeap
0x1800d31d0 SystemTimeToFileTime
0x1800d31d8 FreeLibrary
0x1800d31e0 WideCharToMultiByte
0x1800d31e8 GetSystemTimeAsFileTime
0x1800d31f0 GetSystemTime
0x1800d31f8 FormatMessageA
0x1800d3200 CreateFileMappingW
0x1800d3208 MapViewOfFile
0x1800d3210 QueryPerformanceCounter
0x1800d3218 GetTickCount
0x1800d3220 FlushFileBuffers
0x1800d3228 SetHandleInformation
0x1800d3230 FindFirstFileA
0x1800d3238 Wow64DisableWow64FsRedirection
0x1800d3240 K32GetModuleFileNameExW
0x1800d3248 FindNextFileA
0x1800d3250 CreatePipe
0x1800d3258 PeekNamedPipe
0x1800d3260 lstrlenA
0x1800d3268 FindClose
0x1800d3270 GetCurrentDirectoryA
0x1800d3278 lstrcatA
0x1800d3280 OpenProcess
0x1800d3288 SetCurrentDirectoryA
0x1800d3290 CreateToolhelp32Snapshot
0x1800d3298 ProcessIdToSessionId
0x1800d32a0 CopyFileA
0x1800d32a8 Wow64RevertWow64FsRedirection
0x1800d32b0 Process32NextW
0x1800d32b8 Process32FirstW
0x1800d32c0 CreateThread
0x1800d32c8 CreateProcessA
0x1800d32d0 CreateDirectoryA
0x1800d32d8 WriteConsoleW
0x1800d32e0 WriteFile
0x1800d32e8 GetFullPathNameW
0x1800d32f0 EnterCriticalSection
0x1800d32f8 HeapFree
0x1800d3300 HeapCreate
0x1800d3308 TryEnterCriticalSection
0x1800d3310 ReadFile
0x1800d3318 AreFileApisANSI
0x1800d3320 GetDiskFreeSpaceW
0x1800d3328 ReadConsoleW
0x1800d3330 SetFilePointerEx
0x1800d3338 GetConsoleMode
0x1800d3340 GetConsoleCP
0x1800d3348 SetEnvironmentVariableW
0x1800d3350 FreeEnvironmentStringsW
0x1800d3358 GetEnvironmentStringsW
0x1800d3360 GetCommandLineW
0x1800d3368 GetCommandLineA
0x1800d3370 GetOEMCP
0x1800d3378 GetACP
0x1800d3380 IsValidCodePage
0x1800d3388 FindNextFileW
0x1800d3390 FindFirstFileExW
0x1800d3398 SetStdHandle
0x1800d33a0 GetCurrentDirectoryW
0x1800d33a8 RtlCaptureContext
0x1800d33b0 RtlLookupFunctionEntry
0x1800d33b8 RtlVirtualUnwind
0x1800d33c0 IsDebuggerPresent
0x1800d33c8 UnhandledExceptionFilter
0x1800d33d0 SetUnhandledExceptionFilter
0x1800d33d8 GetStartupInfoW
0x1800d33e0 IsProcessorFeaturePresent
0x1800d33e8 GetModuleHandleW
0x1800d33f0 InitializeSListHead
0x1800d33f8 SetLastError
0x1800d3400 InitializeCriticalSectionAndSpinCount
0x1800d3408 SwitchToThread
0x1800d3410 TlsAlloc
0x1800d3418 TlsGetValue
0x1800d3420 TlsSetValue
0x1800d3428 TlsFree
0x1800d3430 EncodePointer
0x1800d3438 DecodePointer
0x1800d3440 GetCPInfo
0x1800d3448 CompareStringW
0x1800d3450 LCMapStringW
0x1800d3458 GetLocaleInfoW
0x1800d3460 GetStringTypeW
0x1800d3468 RtlUnwindEx
0x1800d3470 RtlPcToFileHeader
0x1800d3478 RaiseException
0x1800d3480 InterlockedFlushSList
0x1800d3488 LoadLibraryExW
0x1800d3490 ExitThread
0x1800d3498 FreeLibraryAndExitThread
0x1800d34a0 GetModuleHandleExW
0x1800d34a8 GetDriveTypeW
0x1800d34b0 GetFileInformationByHandle
0x1800d34b8 GetFileType
0x1800d34c0 SystemTimeToTzSpecificLocalTime
0x1800d34c8 FileTimeToSystemTime
0x1800d34d0 GetCurrentProcess
0x1800d34d8 TerminateProcess
0x1800d34e0 ExitProcess
0x1800d34e8 GetModuleFileNameW
0x1800d34f0 IsValidLocale
0x1800d34f8 GetUserDefaultLCID
0x1800d3500 EnumSystemLocalesW
0x1800d3508 GetTimeZoneInformation
0x1800d3510 GetStdHandle
ADVAPI32.dll
0x1800d3000 RegQueryValueExA
0x1800d3008 RegEnumValueW
0x1800d3010 RegCloseKey
0x1800d3018 RegQueryInfoKeyW
0x1800d3020 GetUserNameW
0x1800d3028 RegOpenKeyExA
0x1800d3030 ConvertSidToStringSidW
0x1800d3038 LookupAccountNameW
SHELL32.dll
0x1800d3520 SHGetFolderPathA
0x1800d3528 SHFileOperationA
WININET.dll
0x1800d3538 HttpOpenRequestA
0x1800d3540 InternetWriteFile
0x1800d3548 InternetReadFile
0x1800d3550 InternetConnectA
0x1800d3558 HttpSendRequestA
0x1800d3560 InternetCloseHandle
0x1800d3568 InternetOpenA
0x1800d3570 HttpAddRequestHeadersA
0x1800d3578 HttpSendRequestExW
0x1800d3580 HttpEndRequestA
0x1800d3588 InternetOpenW
crypt.dll
0x1800d3598 BCryptOpenAlgorithmProvider
0x1800d35a0 BCryptSetProperty
0x1800d35a8 BCryptGenerateSymmetricKey
0x1800d35b0 BCryptDecrypt
EAT(Export Address Table) Library
0x1800a6300 Main
0x180004440 Save