ScreenShot
| Created | 2023.12.06 12:26 | Machine | s1_win7_x6403 |
| Filename | cred64.dll | ||
| Type | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 43 detected (AIDetectMalware, Nymaim, Zusy, Vnvt, malicious, confidence, 100%, TrojanPSW, Amadey, Attribute, HighConfidence, high confidence, ccav, PWSX, Bnhl, sbcuh, R002C0DL423, Detected, score, ai score=83, unsafe, GdSda, PmswK9jgQcH, susgen) | ||
| md5 | 1afaa1fcda6635e17dce5b5bf27f3c79 | ||
| sha256 | 47285ebb39fa6bad4510a3a4a768edf8e9d440f29e8ed1bc9bfe5ebe8a329db9 | ||
| ssdeep | 24576:XxY0oT6nngQZvBH0rInUFh8f1cF616zXpaIm:nnngQ7UrIUFhzEAA | ||
| imphash | 3eb70f83441fc8632e81bd6eb89f424d | ||
| impfuzzy | 96:ZZtu7Ze6BF1V5g4uAc0aR6x5xtO8Bg99vFzOoQTk:Ttu7Z3F5am+9gTk | ||
Network IP location
Signature (18cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 43 AntiVirus engines on VirusTotal as malicious |
| watch | Attempts to access Bitcoin/ALTCoin wallets |
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local email clients |
| watch | Harvests credentials from local FTP client softwares |
| watch | Harvests information related to installed instant messenger clients |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | This executable has a PDB path |
| info | Tries to locate where the browsers are installed |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsDLL | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (6cnts) ?
Suricata ids
PE API
IAT(Import Address Table) Library
CRYPT32.dll
0x1800f7070 CryptUnprotectData
KERNEL32.dll
0x1800f7080 GetFullPathNameA
0x1800f7088 SetEndOfFile
0x1800f7090 UnlockFileEx
0x1800f7098 GetTempPathW
0x1800f70a0 CreateMutexW
0x1800f70a8 WaitForSingleObject
0x1800f70b0 CreateFileW
0x1800f70b8 GetFileAttributesW
0x1800f70c0 GetCurrentThreadId
0x1800f70c8 UnmapViewOfFile
0x1800f70d0 HeapValidate
0x1800f70d8 HeapSize
0x1800f70e0 MultiByteToWideChar
0x1800f70e8 Sleep
0x1800f70f0 GetTempPathA
0x1800f70f8 FormatMessageW
0x1800f7100 GetDiskFreeSpaceA
0x1800f7108 GetLastError
0x1800f7110 GetFileAttributesA
0x1800f7118 GetFileAttributesExW
0x1800f7120 OutputDebugStringW
0x1800f7128 CreateFileA
0x1800f7130 LoadLibraryA
0x1800f7138 WaitForSingleObjectEx
0x1800f7140 DeleteFileA
0x1800f7148 DeleteFileW
0x1800f7150 HeapReAlloc
0x1800f7158 CloseHandle
0x1800f7160 GetSystemInfo
0x1800f7168 LoadLibraryW
0x1800f7170 HeapAlloc
0x1800f7178 HeapCompact
0x1800f7180 HeapDestroy
0x1800f7188 UnlockFile
0x1800f7190 GetProcAddress
0x1800f7198 CreateFileMappingA
0x1800f71a0 LocalFree
0x1800f71a8 LockFileEx
0x1800f71b0 GetFileSize
0x1800f71b8 DeleteCriticalSection
0x1800f71c0 GetCurrentProcessId
0x1800f71c8 GetProcessHeap
0x1800f71d0 SystemTimeToFileTime
0x1800f71d8 FreeLibrary
0x1800f71e0 WideCharToMultiByte
0x1800f71e8 GetSystemTimeAsFileTime
0x1800f71f0 GetSystemTime
0x1800f71f8 FormatMessageA
0x1800f7200 CreateFileMappingW
0x1800f7208 MapViewOfFile
0x1800f7210 QueryPerformanceCounter
0x1800f7218 GetTickCount
0x1800f7220 FlushFileBuffers
0x1800f7228 SetHandleInformation
0x1800f7230 FindFirstFileA
0x1800f7238 Wow64DisableWow64FsRedirection
0x1800f7240 K32GetModuleFileNameExW
0x1800f7248 FindNextFileA
0x1800f7250 CreatePipe
0x1800f7258 PeekNamedPipe
0x1800f7260 lstrlenA
0x1800f7268 FindClose
0x1800f7270 GetCurrentDirectoryA
0x1800f7278 lstrcatA
0x1800f7280 OpenProcess
0x1800f7288 SetCurrentDirectoryA
0x1800f7290 CreateToolhelp32Snapshot
0x1800f7298 ProcessIdToSessionId
0x1800f72a0 CopyFileA
0x1800f72a8 Wow64RevertWow64FsRedirection
0x1800f72b0 Process32NextW
0x1800f72b8 Process32FirstW
0x1800f72c0 CreateThread
0x1800f72c8 CreateProcessA
0x1800f72d0 CreateDirectoryA
0x1800f72d8 WriteConsoleW
0x1800f72e0 InitializeCriticalSection
0x1800f72e8 LeaveCriticalSection
0x1800f72f0 LockFile
0x1800f72f8 OutputDebugStringA
0x1800f7300 GetDiskFreeSpaceW
0x1800f7308 WriteFile
0x1800f7310 GetFullPathNameW
0x1800f7318 EnterCriticalSection
0x1800f7320 HeapFree
0x1800f7328 HeapCreate
0x1800f7330 TryEnterCriticalSection
0x1800f7338 ReadFile
0x1800f7340 AreFileApisANSI
0x1800f7348 SetFilePointer
0x1800f7350 ReadConsoleW
0x1800f7358 SetFilePointerEx
0x1800f7360 GetConsoleMode
0x1800f7368 GetConsoleCP
0x1800f7370 SetEnvironmentVariableW
0x1800f7378 FreeEnvironmentStringsW
0x1800f7380 GetEnvironmentStringsW
0x1800f7388 GetCommandLineW
0x1800f7390 GetCommandLineA
0x1800f7398 GetOEMCP
0x1800f73a0 GetACP
0x1800f73a8 IsValidCodePage
0x1800f73b0 FindNextFileW
0x1800f73b8 FindFirstFileExW
0x1800f73c0 SetStdHandle
0x1800f73c8 GetCurrentDirectoryW
0x1800f73d0 RtlCaptureContext
0x1800f73d8 RtlLookupFunctionEntry
0x1800f73e0 RtlVirtualUnwind
0x1800f73e8 UnhandledExceptionFilter
0x1800f73f0 SetUnhandledExceptionFilter
0x1800f73f8 GetCurrentProcess
0x1800f7400 TerminateProcess
0x1800f7408 IsProcessorFeaturePresent
0x1800f7410 IsDebuggerPresent
0x1800f7418 GetStartupInfoW
0x1800f7420 GetModuleHandleW
0x1800f7428 InitializeSListHead
0x1800f7430 SetLastError
0x1800f7438 InitializeCriticalSectionAndSpinCount
0x1800f7440 SwitchToThread
0x1800f7448 TlsAlloc
0x1800f7450 TlsGetValue
0x1800f7458 TlsSetValue
0x1800f7460 TlsFree
0x1800f7468 EncodePointer
0x1800f7470 DecodePointer
0x1800f7478 GetCPInfo
0x1800f7480 CompareStringW
0x1800f7488 LCMapStringW
0x1800f7490 GetLocaleInfoW
0x1800f7498 GetStringTypeW
0x1800f74a0 RtlUnwindEx
0x1800f74a8 RtlPcToFileHeader
0x1800f74b0 RaiseException
0x1800f74b8 InterlockedFlushSList
0x1800f74c0 LoadLibraryExW
0x1800f74c8 ExitThread
0x1800f74d0 FreeLibraryAndExitThread
0x1800f74d8 GetModuleHandleExW
0x1800f74e0 GetDriveTypeW
0x1800f74e8 GetFileInformationByHandle
0x1800f74f0 GetFileType
0x1800f74f8 SystemTimeToTzSpecificLocalTime
0x1800f7500 FileTimeToSystemTime
0x1800f7508 ExitProcess
0x1800f7510 GetModuleFileNameW
0x1800f7518 IsValidLocale
0x1800f7520 GetUserDefaultLCID
0x1800f7528 EnumSystemLocalesW
0x1800f7530 GetTimeZoneInformation
0x1800f7538 GetStdHandle
ADVAPI32.dll
0x1800f7000 GetSidSubAuthorityCount
0x1800f7008 RegEnumValueW
0x1800f7010 RegEnumKeyA
0x1800f7018 RegCloseKey
0x1800f7020 RegQueryInfoKeyW
0x1800f7028 RegOpenKeyA
0x1800f7030 RegQueryValueExA
0x1800f7038 GetSidIdentifierAuthority
0x1800f7040 GetSidSubAuthority
0x1800f7048 GetUserNameA
0x1800f7050 RegEnumKeyExW
0x1800f7058 LookupAccountNameA
0x1800f7060 RegOpenKeyExA
SHELL32.dll
0x1800f7548 SHGetFolderPathA
0x1800f7550 SHFileOperationA
WININET.dll
0x1800f7560 HttpOpenRequestA
0x1800f7568 InternetWriteFile
0x1800f7570 InternetReadFile
0x1800f7578 InternetConnectA
0x1800f7580 HttpSendRequestA
0x1800f7588 InternetCloseHandle
0x1800f7590 InternetOpenA
0x1800f7598 HttpAddRequestHeadersA
0x1800f75a0 HttpSendRequestExW
0x1800f75a8 HttpEndRequestA
0x1800f75b0 InternetOpenW
crypt.dll
0x1800f75c0 BCryptOpenAlgorithmProvider
0x1800f75c8 BCryptSetProperty
0x1800f75d0 BCryptGenerateSymmetricKey
0x1800f75d8 BCryptDecrypt
EAT(Export Address Table) Library
0x1800bbf50 Main
0x180004e40 Save
CRYPT32.dll
0x1800f7070 CryptUnprotectData
KERNEL32.dll
0x1800f7080 GetFullPathNameA
0x1800f7088 SetEndOfFile
0x1800f7090 UnlockFileEx
0x1800f7098 GetTempPathW
0x1800f70a0 CreateMutexW
0x1800f70a8 WaitForSingleObject
0x1800f70b0 CreateFileW
0x1800f70b8 GetFileAttributesW
0x1800f70c0 GetCurrentThreadId
0x1800f70c8 UnmapViewOfFile
0x1800f70d0 HeapValidate
0x1800f70d8 HeapSize
0x1800f70e0 MultiByteToWideChar
0x1800f70e8 Sleep
0x1800f70f0 GetTempPathA
0x1800f70f8 FormatMessageW
0x1800f7100 GetDiskFreeSpaceA
0x1800f7108 GetLastError
0x1800f7110 GetFileAttributesA
0x1800f7118 GetFileAttributesExW
0x1800f7120 OutputDebugStringW
0x1800f7128 CreateFileA
0x1800f7130 LoadLibraryA
0x1800f7138 WaitForSingleObjectEx
0x1800f7140 DeleteFileA
0x1800f7148 DeleteFileW
0x1800f7150 HeapReAlloc
0x1800f7158 CloseHandle
0x1800f7160 GetSystemInfo
0x1800f7168 LoadLibraryW
0x1800f7170 HeapAlloc
0x1800f7178 HeapCompact
0x1800f7180 HeapDestroy
0x1800f7188 UnlockFile
0x1800f7190 GetProcAddress
0x1800f7198 CreateFileMappingA
0x1800f71a0 LocalFree
0x1800f71a8 LockFileEx
0x1800f71b0 GetFileSize
0x1800f71b8 DeleteCriticalSection
0x1800f71c0 GetCurrentProcessId
0x1800f71c8 GetProcessHeap
0x1800f71d0 SystemTimeToFileTime
0x1800f71d8 FreeLibrary
0x1800f71e0 WideCharToMultiByte
0x1800f71e8 GetSystemTimeAsFileTime
0x1800f71f0 GetSystemTime
0x1800f71f8 FormatMessageA
0x1800f7200 CreateFileMappingW
0x1800f7208 MapViewOfFile
0x1800f7210 QueryPerformanceCounter
0x1800f7218 GetTickCount
0x1800f7220 FlushFileBuffers
0x1800f7228 SetHandleInformation
0x1800f7230 FindFirstFileA
0x1800f7238 Wow64DisableWow64FsRedirection
0x1800f7240 K32GetModuleFileNameExW
0x1800f7248 FindNextFileA
0x1800f7250 CreatePipe
0x1800f7258 PeekNamedPipe
0x1800f7260 lstrlenA
0x1800f7268 FindClose
0x1800f7270 GetCurrentDirectoryA
0x1800f7278 lstrcatA
0x1800f7280 OpenProcess
0x1800f7288 SetCurrentDirectoryA
0x1800f7290 CreateToolhelp32Snapshot
0x1800f7298 ProcessIdToSessionId
0x1800f72a0 CopyFileA
0x1800f72a8 Wow64RevertWow64FsRedirection
0x1800f72b0 Process32NextW
0x1800f72b8 Process32FirstW
0x1800f72c0 CreateThread
0x1800f72c8 CreateProcessA
0x1800f72d0 CreateDirectoryA
0x1800f72d8 WriteConsoleW
0x1800f72e0 InitializeCriticalSection
0x1800f72e8 LeaveCriticalSection
0x1800f72f0 LockFile
0x1800f72f8 OutputDebugStringA
0x1800f7300 GetDiskFreeSpaceW
0x1800f7308 WriteFile
0x1800f7310 GetFullPathNameW
0x1800f7318 EnterCriticalSection
0x1800f7320 HeapFree
0x1800f7328 HeapCreate
0x1800f7330 TryEnterCriticalSection
0x1800f7338 ReadFile
0x1800f7340 AreFileApisANSI
0x1800f7348 SetFilePointer
0x1800f7350 ReadConsoleW
0x1800f7358 SetFilePointerEx
0x1800f7360 GetConsoleMode
0x1800f7368 GetConsoleCP
0x1800f7370 SetEnvironmentVariableW
0x1800f7378 FreeEnvironmentStringsW
0x1800f7380 GetEnvironmentStringsW
0x1800f7388 GetCommandLineW
0x1800f7390 GetCommandLineA
0x1800f7398 GetOEMCP
0x1800f73a0 GetACP
0x1800f73a8 IsValidCodePage
0x1800f73b0 FindNextFileW
0x1800f73b8 FindFirstFileExW
0x1800f73c0 SetStdHandle
0x1800f73c8 GetCurrentDirectoryW
0x1800f73d0 RtlCaptureContext
0x1800f73d8 RtlLookupFunctionEntry
0x1800f73e0 RtlVirtualUnwind
0x1800f73e8 UnhandledExceptionFilter
0x1800f73f0 SetUnhandledExceptionFilter
0x1800f73f8 GetCurrentProcess
0x1800f7400 TerminateProcess
0x1800f7408 IsProcessorFeaturePresent
0x1800f7410 IsDebuggerPresent
0x1800f7418 GetStartupInfoW
0x1800f7420 GetModuleHandleW
0x1800f7428 InitializeSListHead
0x1800f7430 SetLastError
0x1800f7438 InitializeCriticalSectionAndSpinCount
0x1800f7440 SwitchToThread
0x1800f7448 TlsAlloc
0x1800f7450 TlsGetValue
0x1800f7458 TlsSetValue
0x1800f7460 TlsFree
0x1800f7468 EncodePointer
0x1800f7470 DecodePointer
0x1800f7478 GetCPInfo
0x1800f7480 CompareStringW
0x1800f7488 LCMapStringW
0x1800f7490 GetLocaleInfoW
0x1800f7498 GetStringTypeW
0x1800f74a0 RtlUnwindEx
0x1800f74a8 RtlPcToFileHeader
0x1800f74b0 RaiseException
0x1800f74b8 InterlockedFlushSList
0x1800f74c0 LoadLibraryExW
0x1800f74c8 ExitThread
0x1800f74d0 FreeLibraryAndExitThread
0x1800f74d8 GetModuleHandleExW
0x1800f74e0 GetDriveTypeW
0x1800f74e8 GetFileInformationByHandle
0x1800f74f0 GetFileType
0x1800f74f8 SystemTimeToTzSpecificLocalTime
0x1800f7500 FileTimeToSystemTime
0x1800f7508 ExitProcess
0x1800f7510 GetModuleFileNameW
0x1800f7518 IsValidLocale
0x1800f7520 GetUserDefaultLCID
0x1800f7528 EnumSystemLocalesW
0x1800f7530 GetTimeZoneInformation
0x1800f7538 GetStdHandle
ADVAPI32.dll
0x1800f7000 GetSidSubAuthorityCount
0x1800f7008 RegEnumValueW
0x1800f7010 RegEnumKeyA
0x1800f7018 RegCloseKey
0x1800f7020 RegQueryInfoKeyW
0x1800f7028 RegOpenKeyA
0x1800f7030 RegQueryValueExA
0x1800f7038 GetSidIdentifierAuthority
0x1800f7040 GetSidSubAuthority
0x1800f7048 GetUserNameA
0x1800f7050 RegEnumKeyExW
0x1800f7058 LookupAccountNameA
0x1800f7060 RegOpenKeyExA
SHELL32.dll
0x1800f7548 SHGetFolderPathA
0x1800f7550 SHFileOperationA
WININET.dll
0x1800f7560 HttpOpenRequestA
0x1800f7568 InternetWriteFile
0x1800f7570 InternetReadFile
0x1800f7578 InternetConnectA
0x1800f7580 HttpSendRequestA
0x1800f7588 InternetCloseHandle
0x1800f7590 InternetOpenA
0x1800f7598 HttpAddRequestHeadersA
0x1800f75a0 HttpSendRequestExW
0x1800f75a8 HttpEndRequestA
0x1800f75b0 InternetOpenW
crypt.dll
0x1800f75c0 BCryptOpenAlgorithmProvider
0x1800f75c8 BCryptSetProperty
0x1800f75d0 BCryptGenerateSymmetricKey
0x1800f75d8 BCryptDecrypt
EAT(Export Address Table) Library
0x1800bbf50 Main
0x180004e40 Save