Field | Value |
---|---|
Created | 2023.11.02 10:08 |
Machine | s1_win7_x6401 |
Filename | cred64.dll |
Type | PE32+ executable (DLL) (GUI) x86-64, for MS Windows |
ZERO API | file : malware |
VT API (file) | 27 detected (malicious, high confidence, Zusy, Artemis, Save, confidence, Attribute, HighConfidence, Amadey, score, Detected, Wacatac, ai score=87, susgen, PWSX) |
md5 | 0111e5a2a49918b9c34cbfbf6380f3f3 |
sha256 | 4643d18bb8be79c2e3178bc3978d201c596ab70a347e8cf1e8fdbe3028d69d7c |
ssdeep | 24576:RAwtSMdHL4+3MQL+RoZk9LZ/zedfjMTUmXbc5Pf8Vd3rsx:Nc+3MQLQoZyZ/zEfc6P0D |
imphash | 8f6370a79dbfb20620081d91ded2b029 |
impfuzzy | 96:ZZtu7Ze6BF1V5g4uAc0aR6x5DtQ8Bg99tFzOoQTk:Ttu7Z3F5a8+7gTk |
Signature (17cnts)
Level | Description |
---|---|
warning | File has been identified by 27 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local FTP client softwares |
watch | Harvests information related to installed instant messenger clients |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | This executable has a PDB path |
info | Tries to locate where the browsers are installed |
Rules (7cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (upload) |
info | IsDLL | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) Library
CRYPT32.dll
0x1800f8070 CryptUnprotectData
KERNEL32.dll
0x1800f8080 GetFullPathNameA
0x1800f8088 SetEndOfFile
0x1800f8090 UnlockFileEx
0x1800f8098 GetTempPathW
0x1800f80a0 CreateMutexW
0x1800f80a8 WaitForSingleObject
0x1800f80b0 CreateFileW
0x1800f80b8 GetFileAttributesW
0x1800f80c0 GetCurrentThreadId
0x1800f80c8 UnmapViewOfFile
0x1800f80d0 HeapValidate
0x1800f80d8 HeapSize
0x1800f80e0 MultiByteToWideChar
0x1800f80e8 Sleep
0x1800f80f0 GetTempPathA
0x1800f80f8 FormatMessageW
0x1800f8100 GetDiskFreeSpaceA
0x1800f8108 GetLastError
0x1800f8110 GetFileAttributesA
0x1800f8118 GetFileAttributesExW
0x1800f8120 OutputDebugStringW
0x1800f8128 CreateFileA
0x1800f8130 LoadLibraryA
0x1800f8138 WaitForSingleObjectEx
0x1800f8140 DeleteFileA
0x1800f8148 DeleteFileW
0x1800f8150 HeapReAlloc
0x1800f8158 CloseHandle
0x1800f8160 GetSystemInfo
0x1800f8168 LoadLibraryW
0x1800f8170 HeapAlloc
0x1800f8178 HeapCompact
0x1800f8180 HeapDestroy
0x1800f8188 UnlockFile
0x1800f8190 GetProcAddress
0x1800f8198 CreateFileMappingA
0x1800f81a0 LocalFree
0x1800f81a8 LockFileEx
0x1800f81b0 GetFileSize
0x1800f81b8 DeleteCriticalSection
0x1800f81c0 GetCurrentProcessId
0x1800f81c8 GetProcessHeap
0x1800f81d0 SystemTimeToFileTime
0x1800f81d8 FreeLibrary
0x1800f81e0 WideCharToMultiByte
0x1800f81e8 GetSystemTimeAsFileTime
0x1800f81f0 GetSystemTime
0x1800f81f8 FormatMessageA
0x1800f8200 CreateFileMappingW
0x1800f8208 MapViewOfFile
0x1800f8210 QueryPerformanceCounter
0x1800f8218 GetTickCount
0x1800f8220 FlushFileBuffers
0x1800f8228 SetHandleInformation
0x1800f8230 FindFirstFileA
0x1800f8238 Wow64DisableWow64FsRedirection
0x1800f8240 K32GetModuleFileNameExW
0x1800f8248 FindNextFileA
0x1800f8250 CreatePipe
0x1800f8258 PeekNamedPipe
0x1800f8260 lstrlenA
0x1800f8268 FindClose
0x1800f8270 GetCurrentDirectoryA
0x1800f8278 lstrcatA
0x1800f8280 OpenProcess
0x1800f8288 SetCurrentDirectoryA
0x1800f8290 CreateToolhelp32Snapshot
0x1800f8298 ProcessIdToSessionId
0x1800f82a0 CopyFileA
0x1800f82a8 Wow64RevertWow64FsRedirection
0x1800f82b0 Process32NextW
0x1800f82b8 Process32FirstW
0x1800f82c0 CreateThread
0x1800f82c8 CreateProcessA
0x1800f82d0 CreateDirectoryA
0x1800f82d8 WriteConsoleW
0x1800f82e0 InitializeCriticalSection
0x1800f82e8 LeaveCriticalSection
0x1800f82f0 LockFile
0x1800f82f8 OutputDebugStringA
0x1800f8300 GetDiskFreeSpaceW
0x1800f8308 WriteFile
0x1800f8310 GetFullPathNameW
0x1800f8318 EnterCriticalSection
0x1800f8320 HeapFree
0x1800f8328 HeapCreate
0x1800f8330 TryEnterCriticalSection
0x1800f8338 ReadFile
0x1800f8340 AreFileApisANSI
0x1800f8348 SetFilePointer
0x1800f8350 ReadConsoleW
0x1800f8358 SetFilePointerEx
0x1800f8360 GetConsoleMode
0x1800f8368 GetConsoleCP
0x1800f8370 SetEnvironmentVariableW
0x1800f8378 FreeEnvironmentStringsW
0x1800f8380 GetEnvironmentStringsW
0x1800f8388 GetCommandLineW
0x1800f8390 GetCommandLineA
0x1800f8398 GetOEMCP
0x1800f83a0 GetACP
0x1800f83a8 IsValidCodePage
0x1800f83b0 FindNextFileW
0x1800f83b8 FindFirstFileExW
0x1800f83c0 SetStdHandle
0x1800f83c8 GetCurrentDirectoryW
0x1800f83d0 RtlCaptureContext
0x1800f83d8 RtlLookupFunctionEntry
0x1800f83e0 RtlVirtualUnwind
0x1800f83e8 IsDebuggerPresent
0x1800f83f0 UnhandledExceptionFilter
0x1800f83f8 SetUnhandledExceptionFilter
0x1800f8400 GetStartupInfoW
0x1800f8408 IsProcessorFeaturePresent
0x1800f8410 GetModuleHandleW
0x1800f8418 InitializeSListHead
0x1800f8420 SetLastError
0x1800f8428 InitializeCriticalSectionAndSpinCount
0x1800f8430 SwitchToThread
0x1800f8438 TlsAlloc
0x1800f8440 TlsGetValue
0x1800f8448 TlsSetValue
0x1800f8450 TlsFree
0x1800f8458 EncodePointer
0x1800f8460 DecodePointer
0x1800f8468 GetCPInfo
0x1800f8470 CompareStringW
0x1800f8478 LCMapStringW
0x1800f8480 GetLocaleInfoW
0x1800f8488 GetStringTypeW
0x1800f8490 RtlUnwindEx
0x1800f8498 RtlPcToFileHeader
0x1800f84a0 RaiseException
0x1800f84a8 InterlockedFlushSList
0x1800f84b0 LoadLibraryExW
0x1800f84b8 ExitThread
0x1800f84c0 FreeLibraryAndExitThread
0x1800f84c8 GetModuleHandleExW
0x1800f84d0 GetDriveTypeW
0x1800f84d8 GetFileInformationByHandle
0x1800f84e0 GetFileType
0x1800f84e8 SystemTimeToTzSpecificLocalTime
0x1800f84f0 FileTimeToSystemTime
0x1800f84f8 GetCurrentProcess
0x1800f8500 TerminateProcess
0x1800f8508 ExitProcess
0x1800f8510 GetModuleFileNameW
0x1800f8518 IsValidLocale
0x1800f8520 GetUserDefaultLCID
0x1800f8528 EnumSystemLocalesW
0x1800f8530 GetTimeZoneInformation
0x1800f8538 GetStdHandle
ADVAPI32.dll
0x1800f8000 GetSidSubAuthorityCount
0x1800f8008 RegEnumValueW
0x1800f8010 RegEnumKeyA
0x1800f8018 RegCloseKey
0x1800f8020 RegQueryInfoKeyW
0x1800f8028 RegOpenKeyA
0x1800f8030 RegQueryValueExA
0x1800f8038 GetSidIdentifierAuthority
0x1800f8040 GetSidSubAuthority
0x1800f8048 GetUserNameA
0x1800f8050 RegEnumKeyExW
0x1800f8058 LookupAccountNameA
0x1800f8060 RegOpenKeyExA
SHELL32.dll
0x1800f8548 SHGetFolderPathA
0x1800f8550 SHFileOperationA
WININET.dll
0x1800f8560 HttpOpenRequestA
0x1800f8568 InternetWriteFile
0x1800f8570 InternetReadFile
0x1800f8578 InternetConnectA
0x1800f8580 HttpSendRequestA
0x1800f8588 InternetCloseHandle
0x1800f8590 InternetOpenA
0x1800f8598 HttpAddRequestHeadersA
0x1800f85a0 HttpSendRequestExW
0x1800f85a8 HttpEndRequestA
0x1800f85b0 InternetOpenW
crypt.dll
0x1800f85c0 BCryptOpenAlgorithmProvider
0x1800f85c8 BCryptSetProperty
0x1800f85d0 BCryptGenerateSymmetricKey
0x1800f85d8 BCryptDecrypt
EAT (Export Address Table) Library
0x1800bd600 Main
0x180004d30 Save