Report - cred64.dll

Ave Maria WARZONE RAT UPX Malicious Library OS Processor Check DLL PE File PE64
Created 2023.03.09 09:59 Machine s1_win7_x6401
Filename cred64.dll
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
AI Score
5
Behavior Score
2.8
ZERO API file : malware
VT API (file) 42 detected (Convagent, malicious, high confidence, Mikey, Artemis, Vrji, confidence, 100%, TrojanPSW, Genus, Attribute, HighConfidence, Amadey, score, Zusy, jvbgiv, TrojanX, QQPass, QQRob, Ltgl, Steal, BadFile, xkuqx, Sabsik, Wacatac, Detected, ai score=86, PasswordStealer, R002H0CC623, 8Idbp2vqW9I, Chgt)
md5 d0bf0d14fe6110f185c8b98423c7b152
sha256 29d6627890f7bc1f2ad490bcf08f16f57c14f6ac6015633beb6e5079d3360e64
ssdeep 24576:AMq/RX0hoa8wrC+azFbtZhUYFauTZyRMEB:Aioa8wrCHz3ZhUYRADB
imphash 7440c982ea49d693b3f3d5cb31294fdf
impfuzzy 96:YtpvZtu7Ze6BF1V5g4uP6xQhDtQ8Bg99tFMTk:Yhtu7Z3FIB+7yTk
Signature (8cnts)

Level Description
danger File has been identified by 42 AntiVirus engines on VirusTotal as malicious
notice Allocates read-write-execute memory (usually to unpack itself)
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info This executable has a PDB path
info Tries to locate where the browsers are installed

Rules (7cnts)

Level Name Description Collection
danger Ave_Maria_Zero Remote Access Trojan that is also called WARZONE RAT binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsDLL (no description) binaries (upload)
info IsPE64 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (0cnts)


PE API

IAT(Import Address Table) Library

CRYPT32.dll
 0x1800d3048 CryptUnprotectData
KERNEL32.dll
 0x1800d3058 OutputDebugStringA
 0x1800d3060 LockFile
 0x1800d3068 LeaveCriticalSection
 0x1800d3070 InitializeCriticalSection
 0x1800d3078 SetFilePointer
 0x1800d3080 GetFullPathNameA
 0x1800d3088 SetEndOfFile
 0x1800d3090 UnlockFileEx
 0x1800d3098 GetTempPathW
 0x1800d30a0 CreateMutexW
 0x1800d30a8 WaitForSingleObject
 0x1800d30b0 CreateFileW
 0x1800d30b8 GetFileAttributesW
 0x1800d30c0 GetCurrentThreadId
 0x1800d30c8 UnmapViewOfFile
 0x1800d30d0 HeapValidate
 0x1800d30d8 HeapSize
 0x1800d30e0 MultiByteToWideChar
 0x1800d30e8 Sleep
 0x1800d30f0 GetTempPathA
 0x1800d30f8 FormatMessageW
 0x1800d3100 GetDiskFreeSpaceA
 0x1800d3108 GetLastError
 0x1800d3110 GetFileAttributesA
 0x1800d3118 GetFileAttributesExW
 0x1800d3120 OutputDebugStringW
 0x1800d3128 CreateFileA
 0x1800d3130 LoadLibraryA
 0x1800d3138 WaitForSingleObjectEx
 0x1800d3140 DeleteFileA
 0x1800d3148 DeleteFileW
 0x1800d3150 HeapReAlloc
 0x1800d3158 CloseHandle
 0x1800d3160 GetSystemInfo
 0x1800d3168 LoadLibraryW
 0x1800d3170 HeapAlloc
 0x1800d3178 HeapCompact
 0x1800d3180 HeapDestroy
 0x1800d3188 UnlockFile
 0x1800d3190 GetProcAddress
 0x1800d3198 CreateFileMappingA
 0x1800d31a0 LocalFree
 0x1800d31a8 LockFileEx
 0x1800d31b0 GetFileSize
 0x1800d31b8 DeleteCriticalSection
 0x1800d31c0 GetCurrentProcessId
 0x1800d31c8 GetProcessHeap
 0x1800d31d0 SystemTimeToFileTime
 0x1800d31d8 FreeLibrary
 0x1800d31e0 WideCharToMultiByte
 0x1800d31e8 GetSystemTimeAsFileTime
 0x1800d31f0 GetSystemTime
 0x1800d31f8 FormatMessageA
 0x1800d3200 CreateFileMappingW
 0x1800d3208 MapViewOfFile
 0x1800d3210 QueryPerformanceCounter
 0x1800d3218 GetTickCount
 0x1800d3220 FlushFileBuffers
 0x1800d3228 SetHandleInformation
 0x1800d3230 FindFirstFileA
 0x1800d3238 Wow64DisableWow64FsRedirection
 0x1800d3240 K32GetModuleFileNameExW
 0x1800d3248 FindNextFileA
 0x1800d3250 CreatePipe
 0x1800d3258 PeekNamedPipe
 0x1800d3260 lstrlenA
 0x1800d3268 FindClose
 0x1800d3270 GetCurrentDirectoryA
 0x1800d3278 lstrcatA
 0x1800d3280 OpenProcess
 0x1800d3288 SetCurrentDirectoryA
 0x1800d3290 CreateToolhelp32Snapshot
 0x1800d3298 ProcessIdToSessionId
 0x1800d32a0 CopyFileA
 0x1800d32a8 Wow64RevertWow64FsRedirection
 0x1800d32b0 Process32NextW
 0x1800d32b8 Process32FirstW
 0x1800d32c0 CreateThread
 0x1800d32c8 CreateProcessA
 0x1800d32d0 CreateDirectoryA
 0x1800d32d8 WriteConsoleW
 0x1800d32e0 WriteFile
 0x1800d32e8 GetFullPathNameW
 0x1800d32f0 EnterCriticalSection
 0x1800d32f8 HeapFree
 0x1800d3300 HeapCreate
 0x1800d3308 TryEnterCriticalSection
 0x1800d3310 ReadFile
 0x1800d3318 AreFileApisANSI
 0x1800d3320 GetDiskFreeSpaceW
 0x1800d3328 ReadConsoleW
 0x1800d3330 SetFilePointerEx
 0x1800d3338 GetConsoleMode
 0x1800d3340 GetConsoleCP
 0x1800d3348 SetEnvironmentVariableW
 0x1800d3350 FreeEnvironmentStringsW
 0x1800d3358 GetEnvironmentStringsW
 0x1800d3360 GetCommandLineW
 0x1800d3368 GetCommandLineA
 0x1800d3370 GetOEMCP
 0x1800d3378 GetACP
 0x1800d3380 IsValidCodePage
 0x1800d3388 FindNextFileW
 0x1800d3390 FindFirstFileExW
 0x1800d3398 SetStdHandle
 0x1800d33a0 GetCurrentDirectoryW
 0x1800d33a8 RtlCaptureContext
 0x1800d33b0 RtlLookupFunctionEntry
 0x1800d33b8 RtlVirtualUnwind
 0x1800d33c0 IsDebuggerPresent
 0x1800d33c8 UnhandledExceptionFilter
 0x1800d33d0 SetUnhandledExceptionFilter
 0x1800d33d8 GetStartupInfoW
 0x1800d33e0 IsProcessorFeaturePresent
 0x1800d33e8 GetModuleHandleW
 0x1800d33f0 InitializeSListHead
 0x1800d33f8 SetLastError
 0x1800d3400 InitializeCriticalSectionAndSpinCount
 0x1800d3408 SwitchToThread
 0x1800d3410 TlsAlloc
 0x1800d3418 TlsGetValue
 0x1800d3420 TlsSetValue
 0x1800d3428 TlsFree
 0x1800d3430 EncodePointer
 0x1800d3438 DecodePointer
 0x1800d3440 GetCPInfo
 0x1800d3448 CompareStringW
 0x1800d3450 LCMapStringW
 0x1800d3458 GetLocaleInfoW
 0x1800d3460 GetStringTypeW
 0x1800d3468 RtlUnwindEx
 0x1800d3470 RtlPcToFileHeader
 0x1800d3478 RaiseException
 0x1800d3480 InterlockedFlushSList
 0x1800d3488 LoadLibraryExW
 0x1800d3490 ExitThread
 0x1800d3498 FreeLibraryAndExitThread
 0x1800d34a0 GetModuleHandleExW
 0x1800d34a8 GetDriveTypeW
 0x1800d34b0 GetFileInformationByHandle
 0x1800d34b8 GetFileType
 0x1800d34c0 SystemTimeToTzSpecificLocalTime
 0x1800d34c8 FileTimeToSystemTime
 0x1800d34d0 GetCurrentProcess
 0x1800d34d8 TerminateProcess
 0x1800d34e0 ExitProcess
 0x1800d34e8 GetModuleFileNameW
 0x1800d34f0 IsValidLocale
 0x1800d34f8 GetUserDefaultLCID
 0x1800d3500 EnumSystemLocalesW
 0x1800d3508 GetTimeZoneInformation
 0x1800d3510 GetStdHandle
ADVAPI32.dll
 0x1800d3000 RegQueryValueExA
 0x1800d3008 RegEnumValueW
 0x1800d3010 RegCloseKey
 0x1800d3018 RegQueryInfoKeyW
 0x1800d3020 GetUserNameW
 0x1800d3028 RegOpenKeyExA
 0x1800d3030 ConvertSidToStringSidW
 0x1800d3038 LookupAccountNameW
SHELL32.dll
 0x1800d3520 SHGetFolderPathA
 0x1800d3528 SHFileOperationA
WININET.dll
 0x1800d3538 HttpOpenRequestA
 0x1800d3540 InternetWriteFile
 0x1800d3548 InternetReadFile
 0x1800d3550 InternetConnectA
 0x1800d3558 HttpSendRequestA
 0x1800d3560 InternetCloseHandle
 0x1800d3568 InternetOpenA
 0x1800d3570 HttpAddRequestHeadersA
 0x1800d3578 HttpSendRequestExW
 0x1800d3580 HttpEndRequestA
 0x1800d3588 InternetOpenW
crypt.dll
 0x1800d3598 BCryptOpenAlgorithmProvider
 0x1800d35a0 BCryptSetProperty
 0x1800d35a8 BCryptGenerateSymmetricKey
 0x1800d35b0 BCryptDecrypt

EAT(Export Address Table) Library

0x1800a6300 Main
0x180004440 Save
