ScreenShot
| Created | 2024.08.07 10:00 | Machine | s1_win7_x6401 |
| Filename | cred.dll | ||
| Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | |||
| md5 | 2fb39d6664f6b415124cf2368db92fb4 | ||
| sha256 | 50704a4c96617c3ffa7b51e573df72061ca6798a19caeafbecd07dd64ef53a0c | ||
| ssdeep | 24576:0uPGDp7ea1ntX8tzz3kLYF9WHYND9PJlfEC05ar3uJK+t/1:anVoA9JKW/1 | ||
| imphash | 213cc311d974657ce4f52e13b2302f94 | ||
| impfuzzy | 96:ZZtu7Ze6BF1V5g4ufc0aR6xRCtO2Jk9vFfR00Dk:Ttu7Z3Fwa29nDk | ||
Network IP location
Signature (21cnts)
| Level | Description |
|---|---|
| watch | Attempts to access Bitcoin/ALTCoin wallets |
| watch | Harvests credentials from local email clients |
| watch | Harvests credentials from local FTP client softwares |
| watch | Harvests information related to installed instant messenger clients |
| watch | The process powershell.exe wrote an executable file to disk |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (9cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsDLL | (no description) | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (3cnts) ?
Suricata ids
ET DNS Query to a *.top domain - Likely Hostile
ET DROP Spamhaus DROP Listed Traffic Inbound group 25
ET INFO HTTP Request to a *.top domain
ET DROP Spamhaus DROP Listed Traffic Inbound group 25
ET INFO HTTP Request to a *.top domain
PE API
IAT(Import Address Table) Library
CRYPT32.dll
0x100e5038 CryptUnprotectData
KERNEL32.dll
0x100e5040 GetFullPathNameA
0x100e5044 SetEndOfFile
0x100e5048 UnlockFileEx
0x100e504c GetTempPathW
0x100e5050 CreateMutexW
0x100e5054 WaitForSingleObject
0x100e5058 CreateFileW
0x100e505c GetFileAttributesW
0x100e5060 GetCurrentThreadId
0x100e5064 UnmapViewOfFile
0x100e5068 HeapValidate
0x100e506c HeapSize
0x100e5070 MultiByteToWideChar
0x100e5074 Sleep
0x100e5078 GetTempPathA
0x100e507c FormatMessageW
0x100e5080 GetDiskFreeSpaceA
0x100e5084 GetLastError
0x100e5088 GetFileAttributesA
0x100e508c GetFileAttributesExW
0x100e5090 OutputDebugStringW
0x100e5094 CreateFileA
0x100e5098 LoadLibraryA
0x100e509c WaitForSingleObjectEx
0x100e50a0 DeleteFileA
0x100e50a4 DeleteFileW
0x100e50a8 HeapReAlloc
0x100e50ac CloseHandle
0x100e50b0 GetSystemInfo
0x100e50b4 LoadLibraryW
0x100e50b8 HeapAlloc
0x100e50bc HeapCompact
0x100e50c0 HeapDestroy
0x100e50c4 UnlockFile
0x100e50c8 GetProcAddress
0x100e50cc CreateFileMappingA
0x100e50d0 LocalFree
0x100e50d4 LockFileEx
0x100e50d8 GetFileSize
0x100e50dc DeleteCriticalSection
0x100e50e0 GetCurrentProcessId
0x100e50e4 GetProcessHeap
0x100e50e8 SystemTimeToFileTime
0x100e50ec FreeLibrary
0x100e50f0 WideCharToMultiByte
0x100e50f4 GetSystemTimeAsFileTime
0x100e50f8 GetSystemTime
0x100e50fc FormatMessageA
0x100e5100 CreateFileMappingW
0x100e5104 MapViewOfFile
0x100e5108 QueryPerformanceCounter
0x100e510c GetTickCount
0x100e5110 FlushFileBuffers
0x100e5114 SetHandleInformation
0x100e5118 FindFirstFileA
0x100e511c Wow64DisableWow64FsRedirection
0x100e5120 K32GetModuleFileNameExW
0x100e5124 FindNextFileA
0x100e5128 CreatePipe
0x100e512c PeekNamedPipe
0x100e5130 lstrlenA
0x100e5134 FindClose
0x100e5138 GetCurrentDirectoryA
0x100e513c lstrcatA
0x100e5140 OpenProcess
0x100e5144 SetCurrentDirectoryA
0x100e5148 CreateToolhelp32Snapshot
0x100e514c ProcessIdToSessionId
0x100e5150 CopyFileA
0x100e5154 Wow64RevertWow64FsRedirection
0x100e5158 Process32NextW
0x100e515c Process32FirstW
0x100e5160 CreateThread
0x100e5164 CreateProcessA
0x100e5168 CreateDirectoryA
0x100e516c ReadConsoleW
0x100e5170 InitializeCriticalSection
0x100e5174 LeaveCriticalSection
0x100e5178 LockFile
0x100e517c OutputDebugStringA
0x100e5180 GetDiskFreeSpaceW
0x100e5184 WriteFile
0x100e5188 GetFullPathNameW
0x100e518c EnterCriticalSection
0x100e5190 HeapFree
0x100e5194 HeapCreate
0x100e5198 TryEnterCriticalSection
0x100e519c ReadFile
0x100e51a0 AreFileApisANSI
0x100e51a4 SetFilePointer
0x100e51a8 SetFilePointerEx
0x100e51ac GetConsoleMode
0x100e51b0 GetConsoleCP
0x100e51b4 SetEnvironmentVariableW
0x100e51b8 FreeEnvironmentStringsW
0x100e51bc GetEnvironmentStringsW
0x100e51c0 GetCommandLineW
0x100e51c4 GetCommandLineA
0x100e51c8 GetOEMCP
0x100e51cc GetACP
0x100e51d0 IsValidCodePage
0x100e51d4 FindNextFileW
0x100e51d8 FindFirstFileExW
0x100e51dc SetStdHandle
0x100e51e0 GetCurrentDirectoryW
0x100e51e4 GetStdHandle
0x100e51e8 GetTimeZoneInformation
0x100e51ec UnhandledExceptionFilter
0x100e51f0 SetUnhandledExceptionFilter
0x100e51f4 GetCurrentProcess
0x100e51f8 TerminateProcess
0x100e51fc IsProcessorFeaturePresent
0x100e5200 IsDebuggerPresent
0x100e5204 GetStartupInfoW
0x100e5208 GetModuleHandleW
0x100e520c InitializeSListHead
0x100e5210 SetLastError
0x100e5214 InitializeCriticalSectionAndSpinCount
0x100e5218 SwitchToThread
0x100e521c TlsAlloc
0x100e5220 TlsGetValue
0x100e5224 TlsSetValue
0x100e5228 TlsFree
0x100e522c EncodePointer
0x100e5230 DecodePointer
0x100e5234 GetCPInfo
0x100e5238 CompareStringW
0x100e523c LCMapStringW
0x100e5240 GetLocaleInfoW
0x100e5244 GetStringTypeW
0x100e5248 RaiseException
0x100e524c InterlockedFlushSList
0x100e5250 RtlUnwind
0x100e5254 LoadLibraryExW
0x100e5258 ExitThread
0x100e525c FreeLibraryAndExitThread
0x100e5260 GetModuleHandleExW
0x100e5264 GetDriveTypeW
0x100e5268 GetFileInformationByHandle
0x100e526c GetFileType
0x100e5270 SystemTimeToTzSpecificLocalTime
0x100e5274 FileTimeToSystemTime
0x100e5278 ExitProcess
0x100e527c GetModuleFileNameW
0x100e5280 IsValidLocale
0x100e5284 GetUserDefaultLCID
0x100e5288 EnumSystemLocalesW
0x100e528c WriteConsoleW
ADVAPI32.dll
0x100e5000 GetUserNameA
0x100e5004 RegEnumValueW
0x100e5008 RegEnumKeyA
0x100e500c RegCloseKey
0x100e5010 RegQueryInfoKeyW
0x100e5014 RegOpenKeyA
0x100e5018 RegQueryValueExA
0x100e501c GetSidSubAuthorityCount
0x100e5020 GetSidSubAuthority
0x100e5024 RegOpenKeyExA
0x100e5028 RegEnumKeyExW
0x100e502c LookupAccountNameA
0x100e5030 GetSidIdentifierAuthority
SHELL32.dll
0x100e5294 SHFileOperationA
0x100e5298 SHGetFolderPathA
WININET.dll
0x100e52a0 HttpOpenRequestA
0x100e52a4 InternetReadFile
0x100e52a8 InternetConnectA
0x100e52ac HttpSendRequestA
0x100e52b0 InternetCloseHandle
0x100e52b4 InternetOpenA
0x100e52b8 HttpAddRequestHeadersA
0x100e52bc HttpSendRequestExW
0x100e52c0 HttpEndRequestA
0x100e52c4 InternetOpenW
0x100e52c8 InternetWriteFile
crypt.dll
0x100e52d0 BCryptOpenAlgorithmProvider
0x100e52d4 BCryptSetProperty
0x100e52d8 BCryptGenerateSymmetricKey
0x100e52dc BCryptDecrypt
EAT(Export Address Table) Library
0x100b1100 Main
0x100045c0 Save
CRYPT32.dll
0x100e5038 CryptUnprotectData
KERNEL32.dll
0x100e5040 GetFullPathNameA
0x100e5044 SetEndOfFile
0x100e5048 UnlockFileEx
0x100e504c GetTempPathW
0x100e5050 CreateMutexW
0x100e5054 WaitForSingleObject
0x100e5058 CreateFileW
0x100e505c GetFileAttributesW
0x100e5060 GetCurrentThreadId
0x100e5064 UnmapViewOfFile
0x100e5068 HeapValidate
0x100e506c HeapSize
0x100e5070 MultiByteToWideChar
0x100e5074 Sleep
0x100e5078 GetTempPathA
0x100e507c FormatMessageW
0x100e5080 GetDiskFreeSpaceA
0x100e5084 GetLastError
0x100e5088 GetFileAttributesA
0x100e508c GetFileAttributesExW
0x100e5090 OutputDebugStringW
0x100e5094 CreateFileA
0x100e5098 LoadLibraryA
0x100e509c WaitForSingleObjectEx
0x100e50a0 DeleteFileA
0x100e50a4 DeleteFileW
0x100e50a8 HeapReAlloc
0x100e50ac CloseHandle
0x100e50b0 GetSystemInfo
0x100e50b4 LoadLibraryW
0x100e50b8 HeapAlloc
0x100e50bc HeapCompact
0x100e50c0 HeapDestroy
0x100e50c4 UnlockFile
0x100e50c8 GetProcAddress
0x100e50cc CreateFileMappingA
0x100e50d0 LocalFree
0x100e50d4 LockFileEx
0x100e50d8 GetFileSize
0x100e50dc DeleteCriticalSection
0x100e50e0 GetCurrentProcessId
0x100e50e4 GetProcessHeap
0x100e50e8 SystemTimeToFileTime
0x100e50ec FreeLibrary
0x100e50f0 WideCharToMultiByte
0x100e50f4 GetSystemTimeAsFileTime
0x100e50f8 GetSystemTime
0x100e50fc FormatMessageA
0x100e5100 CreateFileMappingW
0x100e5104 MapViewOfFile
0x100e5108 QueryPerformanceCounter
0x100e510c GetTickCount
0x100e5110 FlushFileBuffers
0x100e5114 SetHandleInformation
0x100e5118 FindFirstFileA
0x100e511c Wow64DisableWow64FsRedirection
0x100e5120 K32GetModuleFileNameExW
0x100e5124 FindNextFileA
0x100e5128 CreatePipe
0x100e512c PeekNamedPipe
0x100e5130 lstrlenA
0x100e5134 FindClose
0x100e5138 GetCurrentDirectoryA
0x100e513c lstrcatA
0x100e5140 OpenProcess
0x100e5144 SetCurrentDirectoryA
0x100e5148 CreateToolhelp32Snapshot
0x100e514c ProcessIdToSessionId
0x100e5150 CopyFileA
0x100e5154 Wow64RevertWow64FsRedirection
0x100e5158 Process32NextW
0x100e515c Process32FirstW
0x100e5160 CreateThread
0x100e5164 CreateProcessA
0x100e5168 CreateDirectoryA
0x100e516c ReadConsoleW
0x100e5170 InitializeCriticalSection
0x100e5174 LeaveCriticalSection
0x100e5178 LockFile
0x100e517c OutputDebugStringA
0x100e5180 GetDiskFreeSpaceW
0x100e5184 WriteFile
0x100e5188 GetFullPathNameW
0x100e518c EnterCriticalSection
0x100e5190 HeapFree
0x100e5194 HeapCreate
0x100e5198 TryEnterCriticalSection
0x100e519c ReadFile
0x100e51a0 AreFileApisANSI
0x100e51a4 SetFilePointer
0x100e51a8 SetFilePointerEx
0x100e51ac GetConsoleMode
0x100e51b0 GetConsoleCP
0x100e51b4 SetEnvironmentVariableW
0x100e51b8 FreeEnvironmentStringsW
0x100e51bc GetEnvironmentStringsW
0x100e51c0 GetCommandLineW
0x100e51c4 GetCommandLineA
0x100e51c8 GetOEMCP
0x100e51cc GetACP
0x100e51d0 IsValidCodePage
0x100e51d4 FindNextFileW
0x100e51d8 FindFirstFileExW
0x100e51dc SetStdHandle
0x100e51e0 GetCurrentDirectoryW
0x100e51e4 GetStdHandle
0x100e51e8 GetTimeZoneInformation
0x100e51ec UnhandledExceptionFilter
0x100e51f0 SetUnhandledExceptionFilter
0x100e51f4 GetCurrentProcess
0x100e51f8 TerminateProcess
0x100e51fc IsProcessorFeaturePresent
0x100e5200 IsDebuggerPresent
0x100e5204 GetStartupInfoW
0x100e5208 GetModuleHandleW
0x100e520c InitializeSListHead
0x100e5210 SetLastError
0x100e5214 InitializeCriticalSectionAndSpinCount
0x100e5218 SwitchToThread
0x100e521c TlsAlloc
0x100e5220 TlsGetValue
0x100e5224 TlsSetValue
0x100e5228 TlsFree
0x100e522c EncodePointer
0x100e5230 DecodePointer
0x100e5234 GetCPInfo
0x100e5238 CompareStringW
0x100e523c LCMapStringW
0x100e5240 GetLocaleInfoW
0x100e5244 GetStringTypeW
0x100e5248 RaiseException
0x100e524c InterlockedFlushSList
0x100e5250 RtlUnwind
0x100e5254 LoadLibraryExW
0x100e5258 ExitThread
0x100e525c FreeLibraryAndExitThread
0x100e5260 GetModuleHandleExW
0x100e5264 GetDriveTypeW
0x100e5268 GetFileInformationByHandle
0x100e526c GetFileType
0x100e5270 SystemTimeToTzSpecificLocalTime
0x100e5274 FileTimeToSystemTime
0x100e5278 ExitProcess
0x100e527c GetModuleFileNameW
0x100e5280 IsValidLocale
0x100e5284 GetUserDefaultLCID
0x100e5288 EnumSystemLocalesW
0x100e528c WriteConsoleW
ADVAPI32.dll
0x100e5000 GetUserNameA
0x100e5004 RegEnumValueW
0x100e5008 RegEnumKeyA
0x100e500c RegCloseKey
0x100e5010 RegQueryInfoKeyW
0x100e5014 RegOpenKeyA
0x100e5018 RegQueryValueExA
0x100e501c GetSidSubAuthorityCount
0x100e5020 GetSidSubAuthority
0x100e5024 RegOpenKeyExA
0x100e5028 RegEnumKeyExW
0x100e502c LookupAccountNameA
0x100e5030 GetSidIdentifierAuthority
SHELL32.dll
0x100e5294 SHFileOperationA
0x100e5298 SHGetFolderPathA
WININET.dll
0x100e52a0 HttpOpenRequestA
0x100e52a4 InternetReadFile
0x100e52a8 InternetConnectA
0x100e52ac HttpSendRequestA
0x100e52b0 InternetCloseHandle
0x100e52b4 InternetOpenA
0x100e52b8 HttpAddRequestHeadersA
0x100e52bc HttpSendRequestExW
0x100e52c0 HttpEndRequestA
0x100e52c4 InternetOpenW
0x100e52c8 InternetWriteFile
crypt.dll
0x100e52d0 BCryptOpenAlgorithmProvider
0x100e52d4 BCryptSetProperty
0x100e52d8 BCryptGenerateSymmetricKey
0x100e52dc BCryptDecrypt
EAT(Export Address Table) Library
0x100b1100 Main
0x100045c0 Save