ScreenShot
| Created | 2024.08.11 14:30 | Machine | s1_win7_x6401 |
| Filename | cred.dll | ||
| Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 60 detected (AIDetectMalware, Amadey, malicious, high confidence, score, Zusy, Unsafe, Vvh6, GenusT, DXAH, Attribute, HighConfidence, Artemis, BotX, SpyBot, keolwc, 1tQNmVJHBpU, AGEN, R002C0DH724, Steal, ajjd, Detected, ai score=83, RDAB, R642802, ZedlaF, av4@a0TKKNli, Floxif, FileInfector, GdSda, Gencirc, H1DlmMuxAtE, susgen, confidence, 100%) | ||
| md5 | e4b1979dd4d6f2bf3d6668506ffe80e6 | ||
| sha256 | 61c9087a7bd89e6c7b25399f7dcaa95c27f1ede854a79aa47729b4f777d8bb8c | ||
| ssdeep | 24576:mmHdWn/tHJ6V/b+nygNPoPOzmyt0z8n+C3gl6dy/nJQ+bO3q3C:UobUKtbOa3C | ||
| imphash | 213cc311d974657ce4f52e13b2302f94 | ||
| impfuzzy | 96:ZZtu7Ze6BF1V5g4ufc0aR6xRCtO2Jk9vFfR00Dk:Ttu7Z3Fwa29nDk | ||
Network IP location
Signature (15cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 60 AntiVirus engines on VirusTotal as malicious |
| watch | Attempts to access Bitcoin/ALTCoin wallets |
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local email clients |
| watch | Harvests credentials from local FTP client softwares |
| watch | Harvests information related to installed instant messenger clients |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks if process is being debugged by a debugger |
| info | Tries to locate where the browsers are installed |
Rules (7cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsDLL | (no description) | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
CRYPT32.dll
0x100e1038 CryptUnprotectData
KERNEL32.dll
0x100e1040 GetFullPathNameA
0x100e1044 SetEndOfFile
0x100e1048 UnlockFileEx
0x100e104c GetTempPathW
0x100e1050 CreateMutexW
0x100e1054 WaitForSingleObject
0x100e1058 CreateFileW
0x100e105c GetFileAttributesW
0x100e1060 GetCurrentThreadId
0x100e1064 UnmapViewOfFile
0x100e1068 HeapValidate
0x100e106c HeapSize
0x100e1070 MultiByteToWideChar
0x100e1074 Sleep
0x100e1078 GetTempPathA
0x100e107c FormatMessageW
0x100e1080 GetDiskFreeSpaceA
0x100e1084 GetLastError
0x100e1088 GetFileAttributesA
0x100e108c GetFileAttributesExW
0x100e1090 OutputDebugStringW
0x100e1094 CreateFileA
0x100e1098 LoadLibraryA
0x100e109c WaitForSingleObjectEx
0x100e10a0 DeleteFileA
0x100e10a4 DeleteFileW
0x100e10a8 HeapReAlloc
0x100e10ac CloseHandle
0x100e10b0 GetSystemInfo
0x100e10b4 LoadLibraryW
0x100e10b8 HeapAlloc
0x100e10bc HeapCompact
0x100e10c0 HeapDestroy
0x100e10c4 UnlockFile
0x100e10c8 GetProcAddress
0x100e10cc CreateFileMappingA
0x100e10d0 LocalFree
0x100e10d4 LockFileEx
0x100e10d8 GetFileSize
0x100e10dc DeleteCriticalSection
0x100e10e0 GetCurrentProcessId
0x100e10e4 GetProcessHeap
0x100e10e8 SystemTimeToFileTime
0x100e10ec FreeLibrary
0x100e10f0 WideCharToMultiByte
0x100e10f4 GetSystemTimeAsFileTime
0x100e10f8 GetSystemTime
0x100e10fc FormatMessageA
0x100e1100 CreateFileMappingW
0x100e1104 MapViewOfFile
0x100e1108 QueryPerformanceCounter
0x100e110c GetTickCount
0x100e1110 FlushFileBuffers
0x100e1114 SetHandleInformation
0x100e1118 FindFirstFileA
0x100e111c Wow64DisableWow64FsRedirection
0x100e1120 K32GetModuleFileNameExW
0x100e1124 FindNextFileA
0x100e1128 CreatePipe
0x100e112c PeekNamedPipe
0x100e1130 lstrlenA
0x100e1134 FindClose
0x100e1138 GetCurrentDirectoryA
0x100e113c lstrcatA
0x100e1140 OpenProcess
0x100e1144 SetCurrentDirectoryA
0x100e1148 CreateToolhelp32Snapshot
0x100e114c ProcessIdToSessionId
0x100e1150 CopyFileA
0x100e1154 Wow64RevertWow64FsRedirection
0x100e1158 Process32NextW
0x100e115c Process32FirstW
0x100e1160 CreateThread
0x100e1164 CreateProcessA
0x100e1168 CreateDirectoryA
0x100e116c ReadConsoleW
0x100e1170 InitializeCriticalSection
0x100e1174 LeaveCriticalSection
0x100e1178 LockFile
0x100e117c OutputDebugStringA
0x100e1180 GetDiskFreeSpaceW
0x100e1184 WriteFile
0x100e1188 GetFullPathNameW
0x100e118c EnterCriticalSection
0x100e1190 HeapFree
0x100e1194 HeapCreate
0x100e1198 TryEnterCriticalSection
0x100e119c ReadFile
0x100e11a0 AreFileApisANSI
0x100e11a4 SetFilePointer
0x100e11a8 SetFilePointerEx
0x100e11ac GetConsoleMode
0x100e11b0 GetConsoleCP
0x100e11b4 SetEnvironmentVariableW
0x100e11b8 FreeEnvironmentStringsW
0x100e11bc GetEnvironmentStringsW
0x100e11c0 GetCommandLineW
0x100e11c4 GetCommandLineA
0x100e11c8 GetOEMCP
0x100e11cc GetACP
0x100e11d0 IsValidCodePage
0x100e11d4 FindNextFileW
0x100e11d8 FindFirstFileExW
0x100e11dc SetStdHandle
0x100e11e0 GetCurrentDirectoryW
0x100e11e4 GetStdHandle
0x100e11e8 GetTimeZoneInformation
0x100e11ec UnhandledExceptionFilter
0x100e11f0 SetUnhandledExceptionFilter
0x100e11f4 GetCurrentProcess
0x100e11f8 TerminateProcess
0x100e11fc IsProcessorFeaturePresent
0x100e1200 IsDebuggerPresent
0x100e1204 GetStartupInfoW
0x100e1208 GetModuleHandleW
0x100e120c InitializeSListHead
0x100e1210 SetLastError
0x100e1214 InitializeCriticalSectionAndSpinCount
0x100e1218 SwitchToThread
0x100e121c TlsAlloc
0x100e1220 TlsGetValue
0x100e1224 TlsSetValue
0x100e1228 TlsFree
0x100e122c EncodePointer
0x100e1230 DecodePointer
0x100e1234 GetCPInfo
0x100e1238 CompareStringW
0x100e123c LCMapStringW
0x100e1240 GetLocaleInfoW
0x100e1244 GetStringTypeW
0x100e1248 RaiseException
0x100e124c InterlockedFlushSList
0x100e1250 RtlUnwind
0x100e1254 LoadLibraryExW
0x100e1258 ExitThread
0x100e125c FreeLibraryAndExitThread
0x100e1260 GetModuleHandleExW
0x100e1264 GetDriveTypeW
0x100e1268 GetFileInformationByHandle
0x100e126c GetFileType
0x100e1270 SystemTimeToTzSpecificLocalTime
0x100e1274 FileTimeToSystemTime
0x100e1278 ExitProcess
0x100e127c GetModuleFileNameW
0x100e1280 IsValidLocale
0x100e1284 GetUserDefaultLCID
0x100e1288 EnumSystemLocalesW
0x100e128c WriteConsoleW
ADVAPI32.dll
0x100e1000 GetUserNameA
0x100e1004 RegEnumValueW
0x100e1008 RegEnumKeyA
0x100e100c RegCloseKey
0x100e1010 RegQueryInfoKeyW
0x100e1014 RegOpenKeyA
0x100e1018 RegQueryValueExA
0x100e101c GetSidSubAuthorityCount
0x100e1020 GetSidSubAuthority
0x100e1024 RegOpenKeyExA
0x100e1028 RegEnumKeyExW
0x100e102c LookupAccountNameA
0x100e1030 GetSidIdentifierAuthority
SHELL32.dll
0x100e1294 SHFileOperationA
0x100e1298 SHGetFolderPathA
WININET.dll
0x100e12a0 HttpOpenRequestA
0x100e12a4 InternetReadFile
0x100e12a8 InternetConnectA
0x100e12ac HttpSendRequestA
0x100e12b0 InternetCloseHandle
0x100e12b4 InternetOpenA
0x100e12b8 HttpAddRequestHeadersA
0x100e12bc HttpSendRequestExW
0x100e12c0 HttpEndRequestA
0x100e12c4 InternetOpenW
0x100e12c8 InternetWriteFile
crypt.dll
0x100e12d0 BCryptOpenAlgorithmProvider
0x100e12d4 BCryptSetProperty
0x100e12d8 BCryptGenerateSymmetricKey
0x100e12dc BCryptDecrypt
EAT(Export Address Table) Library
0x100ad5f0 Main
0x10004450 Save
CRYPT32.dll
0x100e1038 CryptUnprotectData
KERNEL32.dll
0x100e1040 GetFullPathNameA
0x100e1044 SetEndOfFile
0x100e1048 UnlockFileEx
0x100e104c GetTempPathW
0x100e1050 CreateMutexW
0x100e1054 WaitForSingleObject
0x100e1058 CreateFileW
0x100e105c GetFileAttributesW
0x100e1060 GetCurrentThreadId
0x100e1064 UnmapViewOfFile
0x100e1068 HeapValidate
0x100e106c HeapSize
0x100e1070 MultiByteToWideChar
0x100e1074 Sleep
0x100e1078 GetTempPathA
0x100e107c FormatMessageW
0x100e1080 GetDiskFreeSpaceA
0x100e1084 GetLastError
0x100e1088 GetFileAttributesA
0x100e108c GetFileAttributesExW
0x100e1090 OutputDebugStringW
0x100e1094 CreateFileA
0x100e1098 LoadLibraryA
0x100e109c WaitForSingleObjectEx
0x100e10a0 DeleteFileA
0x100e10a4 DeleteFileW
0x100e10a8 HeapReAlloc
0x100e10ac CloseHandle
0x100e10b0 GetSystemInfo
0x100e10b4 LoadLibraryW
0x100e10b8 HeapAlloc
0x100e10bc HeapCompact
0x100e10c0 HeapDestroy
0x100e10c4 UnlockFile
0x100e10c8 GetProcAddress
0x100e10cc CreateFileMappingA
0x100e10d0 LocalFree
0x100e10d4 LockFileEx
0x100e10d8 GetFileSize
0x100e10dc DeleteCriticalSection
0x100e10e0 GetCurrentProcessId
0x100e10e4 GetProcessHeap
0x100e10e8 SystemTimeToFileTime
0x100e10ec FreeLibrary
0x100e10f0 WideCharToMultiByte
0x100e10f4 GetSystemTimeAsFileTime
0x100e10f8 GetSystemTime
0x100e10fc FormatMessageA
0x100e1100 CreateFileMappingW
0x100e1104 MapViewOfFile
0x100e1108 QueryPerformanceCounter
0x100e110c GetTickCount
0x100e1110 FlushFileBuffers
0x100e1114 SetHandleInformation
0x100e1118 FindFirstFileA
0x100e111c Wow64DisableWow64FsRedirection
0x100e1120 K32GetModuleFileNameExW
0x100e1124 FindNextFileA
0x100e1128 CreatePipe
0x100e112c PeekNamedPipe
0x100e1130 lstrlenA
0x100e1134 FindClose
0x100e1138 GetCurrentDirectoryA
0x100e113c lstrcatA
0x100e1140 OpenProcess
0x100e1144 SetCurrentDirectoryA
0x100e1148 CreateToolhelp32Snapshot
0x100e114c ProcessIdToSessionId
0x100e1150 CopyFileA
0x100e1154 Wow64RevertWow64FsRedirection
0x100e1158 Process32NextW
0x100e115c Process32FirstW
0x100e1160 CreateThread
0x100e1164 CreateProcessA
0x100e1168 CreateDirectoryA
0x100e116c ReadConsoleW
0x100e1170 InitializeCriticalSection
0x100e1174 LeaveCriticalSection
0x100e1178 LockFile
0x100e117c OutputDebugStringA
0x100e1180 GetDiskFreeSpaceW
0x100e1184 WriteFile
0x100e1188 GetFullPathNameW
0x100e118c EnterCriticalSection
0x100e1190 HeapFree
0x100e1194 HeapCreate
0x100e1198 TryEnterCriticalSection
0x100e119c ReadFile
0x100e11a0 AreFileApisANSI
0x100e11a4 SetFilePointer
0x100e11a8 SetFilePointerEx
0x100e11ac GetConsoleMode
0x100e11b0 GetConsoleCP
0x100e11b4 SetEnvironmentVariableW
0x100e11b8 FreeEnvironmentStringsW
0x100e11bc GetEnvironmentStringsW
0x100e11c0 GetCommandLineW
0x100e11c4 GetCommandLineA
0x100e11c8 GetOEMCP
0x100e11cc GetACP
0x100e11d0 IsValidCodePage
0x100e11d4 FindNextFileW
0x100e11d8 FindFirstFileExW
0x100e11dc SetStdHandle
0x100e11e0 GetCurrentDirectoryW
0x100e11e4 GetStdHandle
0x100e11e8 GetTimeZoneInformation
0x100e11ec UnhandledExceptionFilter
0x100e11f0 SetUnhandledExceptionFilter
0x100e11f4 GetCurrentProcess
0x100e11f8 TerminateProcess
0x100e11fc IsProcessorFeaturePresent
0x100e1200 IsDebuggerPresent
0x100e1204 GetStartupInfoW
0x100e1208 GetModuleHandleW
0x100e120c InitializeSListHead
0x100e1210 SetLastError
0x100e1214 InitializeCriticalSectionAndSpinCount
0x100e1218 SwitchToThread
0x100e121c TlsAlloc
0x100e1220 TlsGetValue
0x100e1224 TlsSetValue
0x100e1228 TlsFree
0x100e122c EncodePointer
0x100e1230 DecodePointer
0x100e1234 GetCPInfo
0x100e1238 CompareStringW
0x100e123c LCMapStringW
0x100e1240 GetLocaleInfoW
0x100e1244 GetStringTypeW
0x100e1248 RaiseException
0x100e124c InterlockedFlushSList
0x100e1250 RtlUnwind
0x100e1254 LoadLibraryExW
0x100e1258 ExitThread
0x100e125c FreeLibraryAndExitThread
0x100e1260 GetModuleHandleExW
0x100e1264 GetDriveTypeW
0x100e1268 GetFileInformationByHandle
0x100e126c GetFileType
0x100e1270 SystemTimeToTzSpecificLocalTime
0x100e1274 FileTimeToSystemTime
0x100e1278 ExitProcess
0x100e127c GetModuleFileNameW
0x100e1280 IsValidLocale
0x100e1284 GetUserDefaultLCID
0x100e1288 EnumSystemLocalesW
0x100e128c WriteConsoleW
ADVAPI32.dll
0x100e1000 GetUserNameA
0x100e1004 RegEnumValueW
0x100e1008 RegEnumKeyA
0x100e100c RegCloseKey
0x100e1010 RegQueryInfoKeyW
0x100e1014 RegOpenKeyA
0x100e1018 RegQueryValueExA
0x100e101c GetSidSubAuthorityCount
0x100e1020 GetSidSubAuthority
0x100e1024 RegOpenKeyExA
0x100e1028 RegEnumKeyExW
0x100e102c LookupAccountNameA
0x100e1030 GetSidIdentifierAuthority
SHELL32.dll
0x100e1294 SHFileOperationA
0x100e1298 SHGetFolderPathA
WININET.dll
0x100e12a0 HttpOpenRequestA
0x100e12a4 InternetReadFile
0x100e12a8 InternetConnectA
0x100e12ac HttpSendRequestA
0x100e12b0 InternetCloseHandle
0x100e12b4 InternetOpenA
0x100e12b8 HttpAddRequestHeadersA
0x100e12bc HttpSendRequestExW
0x100e12c0 HttpEndRequestA
0x100e12c4 InternetOpenW
0x100e12c8 InternetWriteFile
crypt.dll
0x100e12d0 BCryptOpenAlgorithmProvider
0x100e12d4 BCryptSetProperty
0x100e12d8 BCryptGenerateSymmetricKey
0x100e12dc BCryptDecrypt
EAT(Export Address Table) Library
0x100ad5f0 Main
0x10004450 Save