Field | Value |
---|---|
Created | 2023.10.27 18:04 |
Machine | s1_win7_x6401 |
Filename | cred64.dll |
Type | PE32+ executable (DLL) (GUI) x86-64, for MS Windows |
ZERO API | file : clean |
VT API (file) | 49 detected (malicious, high confidence, Zusy, unsafe, Amadey, Save, confidence, 100%, Attribute, HighConfidence, exhd, CLOUD, npwfq, R002C0DJL23, ai score=86, Detected, ABRisk, KRAQ, score, Artemis, GdSda, Gencirc, Static AI, Suspicious PE, susgen, PWSX) |
md5 | 1c27631e70908879e1a5a8f3686e0d46 |
sha256 | 478aa272d465eaa49c2f12fc141af2c0581f569ccf67f628747d90cc03a1e6a9 |
ssdeep | 24576:OGKcuUK9Jyi+Uj+TGHWTZNyMuB/J/TO/pYmea+Xo45qG:o9Jyi+UjyGGZNyMur/TO/qb4Uq |
imphash | 0633f68a2d02b7a4575eabf00b4ef4e8 |
impfuzzy | 96:gZtu7Ze6BF1V5g4uL0aR6x50DtQ8Bg99tFQRNTk:Gtu7Z3F/aH+7+Tk |
Signature (18cnts)
Level | Description |
---|---|
danger | File has been identified by 49 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local FTP client softwares |
watch | Harvests information related to installed instant messenger clients |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks whether any human activity is being performed by constantly checking whether the foreground window changed |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | This executable has a PDB path |
info | Tries to locate where the browsers are installed |
Rules (7cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | infoStealer_browser_b_Zero | browser info stealer | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsDLL | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) Library
CRYPT32.dll
0x1800e9068 CryptUnprotectData
KERNEL32.dll
0x1800e9078 SetFilePointer
0x1800e9080 GetFullPathNameA
0x1800e9088 SetEndOfFile
0x1800e9090 UnlockFileEx
0x1800e9098 GetTempPathW
0x1800e90a0 CreateMutexW
0x1800e90a8 WaitForSingleObject
0x1800e90b0 CreateFileW
0x1800e90b8 GetFileAttributesW
0x1800e90c0 GetCurrentThreadId
0x1800e90c8 UnmapViewOfFile
0x1800e90d0 HeapValidate
0x1800e90d8 HeapSize
0x1800e90e0 MultiByteToWideChar
0x1800e90e8 Sleep
0x1800e90f0 GetTempPathA
0x1800e90f8 FormatMessageW
0x1800e9100 GetDiskFreeSpaceA
0x1800e9108 GetLastError
0x1800e9110 GetFileAttributesA
0x1800e9118 GetFileAttributesExW
0x1800e9120 OutputDebugStringW
0x1800e9128 CreateFileA
0x1800e9130 LoadLibraryA
0x1800e9138 WaitForSingleObjectEx
0x1800e9140 DeleteFileA
0x1800e9148 DeleteFileW
0x1800e9150 HeapReAlloc
0x1800e9158 CloseHandle
0x1800e9160 GetSystemInfo
0x1800e9168 LoadLibraryW
0x1800e9170 HeapAlloc
0x1800e9178 HeapCompact
0x1800e9180 HeapDestroy
0x1800e9188 UnlockFile
0x1800e9190 GetProcAddress
0x1800e9198 CreateFileMappingA
0x1800e91a0 LocalFree
0x1800e91a8 LockFileEx
0x1800e91b0 GetFileSize
0x1800e91b8 DeleteCriticalSection
0x1800e91c0 GetCurrentProcessId
0x1800e91c8 GetProcessHeap
0x1800e91d0 SystemTimeToFileTime
0x1800e91d8 FreeLibrary
0x1800e91e0 WideCharToMultiByte
0x1800e91e8 GetSystemTimeAsFileTime
0x1800e91f0 GetSystemTime
0x1800e91f8 FormatMessageA
0x1800e9200 CreateFileMappingW
0x1800e9208 MapViewOfFile
0x1800e9210 QueryPerformanceCounter
0x1800e9218 GetTickCount
0x1800e9220 FlushFileBuffers
0x1800e9228 SetHandleInformation
0x1800e9230 FindFirstFileA
0x1800e9238 Wow64DisableWow64FsRedirection
0x1800e9240 K32GetModuleFileNameExW
0x1800e9248 FindNextFileA
0x1800e9250 CreatePipe
0x1800e9258 PeekNamedPipe
0x1800e9260 lstrlenA
0x1800e9268 FindClose
0x1800e9270 GetCurrentDirectoryA
0x1800e9278 lstrcatA
0x1800e9280 OpenProcess
0x1800e9288 SetCurrentDirectoryA
0x1800e9290 CreateToolhelp32Snapshot
0x1800e9298 ProcessIdToSessionId
0x1800e92a0 CopyFileA
0x1800e92a8 Wow64RevertWow64FsRedirection
0x1800e92b0 Process32NextW
0x1800e92b8 Process32FirstW
0x1800e92c0 CreateThread
0x1800e92c8 CreateProcessA
0x1800e92d0 CreateDirectoryA
0x1800e92d8 WriteConsoleW
0x1800e92e0 LeaveCriticalSection
0x1800e92e8 LockFile
0x1800e92f0 OutputDebugStringA
0x1800e92f8 GetDiskFreeSpaceW
0x1800e9300 WriteFile
0x1800e9308 GetFullPathNameW
0x1800e9310 EnterCriticalSection
0x1800e9318 HeapFree
0x1800e9320 HeapCreate
0x1800e9328 TryEnterCriticalSection
0x1800e9330 ReadFile
0x1800e9338 AreFileApisANSI
0x1800e9340 InitializeCriticalSection
0x1800e9348 ReadConsoleW
0x1800e9350 SetFilePointerEx
0x1800e9358 GetConsoleMode
0x1800e9360 GetConsoleCP
0x1800e9368 SetEnvironmentVariableW
0x1800e9370 FreeEnvironmentStringsW
0x1800e9378 GetEnvironmentStringsW
0x1800e9380 GetCommandLineW
0x1800e9388 GetCommandLineA
0x1800e9390 GetOEMCP
0x1800e9398 GetACP
0x1800e93a0 IsValidCodePage
0x1800e93a8 FindNextFileW
0x1800e93b0 FindFirstFileExW
0x1800e93b8 SetStdHandle
0x1800e93c0 GetCurrentDirectoryW
0x1800e93c8 RtlCaptureContext
0x1800e93d0 RtlLookupFunctionEntry
0x1800e93d8 RtlVirtualUnwind
0x1800e93e0 IsDebuggerPresent
0x1800e93e8 UnhandledExceptionFilter
0x1800e93f0 SetUnhandledExceptionFilter
0x1800e93f8 GetStartupInfoW
0x1800e9400 IsProcessorFeaturePresent
0x1800e9408 GetModuleHandleW
0x1800e9410 InitializeSListHead
0x1800e9418 SetLastError
0x1800e9420 InitializeCriticalSectionAndSpinCount
0x1800e9428 SwitchToThread
0x1800e9430 TlsAlloc
0x1800e9438 TlsGetValue
0x1800e9440 TlsSetValue
0x1800e9448 TlsFree
0x1800e9450 EncodePointer
0x1800e9458 DecodePointer
0x1800e9460 GetCPInfo
0x1800e9468 CompareStringW
0x1800e9470 LCMapStringW
0x1800e9478 GetLocaleInfoW
0x1800e9480 GetStringTypeW
0x1800e9488 RtlUnwindEx
0x1800e9490 RtlPcToFileHeader
0x1800e9498 RaiseException
0x1800e94a0 InterlockedFlushSList
0x1800e94a8 LoadLibraryExW
0x1800e94b0 ExitThread
0x1800e94b8 FreeLibraryAndExitThread
0x1800e94c0 GetModuleHandleExW
0x1800e94c8 GetDriveTypeW
0x1800e94d0 GetFileInformationByHandle
0x1800e94d8 GetFileType
0x1800e94e0 SystemTimeToTzSpecificLocalTime
0x1800e94e8 FileTimeToSystemTime
0x1800e94f0 GetCurrentProcess
0x1800e94f8 TerminateProcess
0x1800e9500 ExitProcess
0x1800e9508 GetModuleFileNameW
0x1800e9510 IsValidLocale
0x1800e9518 GetUserDefaultLCID
0x1800e9520 EnumSystemLocalesW
0x1800e9528 GetTimeZoneInformation
0x1800e9530 GetStdHandle
ADVAPI32.dll
0x1800e9000 RegQueryValueExA
0x1800e9008 RegEnumValueW
0x1800e9010 RegEnumKeyA
0x1800e9018 RegCloseKey
0x1800e9020 RegQueryInfoKeyW
0x1800e9028 RegOpenKeyA
0x1800e9030 RegOpenKeyExA
0x1800e9038 GetSidSubAuthorityCount
0x1800e9040 GetSidSubAuthority
0x1800e9048 GetUserNameA
0x1800e9050 LookupAccountNameA
0x1800e9058 GetSidIdentifierAuthority
SHELL32.dll
0x1800e9540 SHGetFolderPathA
0x1800e9548 SHFileOperationA
WININET.dll
0x1800e9558 HttpOpenRequestA
0x1800e9560 InternetWriteFile
0x1800e9568 InternetReadFile
0x1800e9570 InternetConnectA
0x1800e9578 HttpSendRequestA
0x1800e9580 InternetCloseHandle
0x1800e9588 InternetOpenA
0x1800e9590 HttpAddRequestHeadersA
0x1800e9598 HttpSendRequestExW
0x1800e95a0 HttpEndRequestA
0x1800e95a8 InternetOpenW
crypt.dll
0x1800e95b8 BCryptOpenAlgorithmProvider
0x1800e95c0 BCryptSetProperty
0x1800e95c8 BCryptGenerateSymmetricKey
0x1800e95d0 BCryptDecrypt
EAT (Export Address Table) Library
0x1800b7620 Main
0x180004660 Save