ScreenShot
| Created | 2024.10.21 14:12 | Machine | s1_win7_x6401 |
| Filename | cred.dll | ||
| Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 49 detected (AIDetectMalware, Amadey, Lazy, Unsafe, Vkni, malicious, confidence, Attribute, HighConfidence, high confidence, BotX, score, fjoi, AGEN, YXEJSZ, Steal, Detected, Wacatac, ABTrojan, SKTQ, Artemis, Genetic, Gencirc) | ||
| md5 | 4e1394044881a2fcd0574aa58f848537 | ||
| sha256 | ae7bc75204474a7f4818a6215ad67727c0377200ca1b1b0b2312e581bb60cb6e | ||
| ssdeep | 24576:LNFxrUgNQWcXbTmjXGW71cwBlTd0DyzzdiM8ldbzHhoqdR:LNFxog2vmLcGMbzJdR | ||
| imphash | 7e8b0331b68a47254f7000efd39b30a8 | ||
| impfuzzy | 96:ZZtu7Ze6BF1V5g4ufc0aR6xsCtnXnzJ779v8sEw0Dk:Ttu7Z3FwaC9uDk | ||
Network IP location
Signature (21cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 49 AntiVirus engines on VirusTotal as malicious |
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| watch | Attempts to access Bitcoin/ALTCoin wallets |
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local email clients |
| watch | Harvests credentials from local FTP client softwares |
| watch | Harvests information related to installed instant messenger clients |
| watch | The process powershell.exe wrote an executable file to disk |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Steals private information from local Internet browsers |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (9cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsDLL | (no description) | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
CRYPT32.dll
0x100e4038 CryptUnprotectData
KERNEL32.dll
0x100e4040 GetFullPathNameA
0x100e4044 SetEndOfFile
0x100e4048 UnlockFileEx
0x100e404c GetTempPathW
0x100e4050 CreateMutexW
0x100e4054 WaitForSingleObject
0x100e4058 CreateFileW
0x100e405c GetFileAttributesW
0x100e4060 GetCurrentThreadId
0x100e4064 UnmapViewOfFile
0x100e4068 HeapValidate
0x100e406c HeapSize
0x100e4070 MultiByteToWideChar
0x100e4074 Sleep
0x100e4078 GetTempPathA
0x100e407c FormatMessageW
0x100e4080 GetDiskFreeSpaceA
0x100e4084 GetLastError
0x100e4088 GetFileAttributesA
0x100e408c GetFileAttributesExW
0x100e4090 OutputDebugStringW
0x100e4094 CreateFileA
0x100e4098 LoadLibraryA
0x100e409c WaitForSingleObjectEx
0x100e40a0 DeleteFileA
0x100e40a4 DeleteFileW
0x100e40a8 HeapReAlloc
0x100e40ac CloseHandle
0x100e40b0 GetSystemInfo
0x100e40b4 LoadLibraryW
0x100e40b8 HeapAlloc
0x100e40bc HeapCompact
0x100e40c0 HeapDestroy
0x100e40c4 UnlockFile
0x100e40c8 GetProcAddress
0x100e40cc CreateFileMappingA
0x100e40d0 LocalFree
0x100e40d4 LockFileEx
0x100e40d8 GetFileSize
0x100e40dc DeleteCriticalSection
0x100e40e0 GetCurrentProcessId
0x100e40e4 GetProcessHeap
0x100e40e8 SystemTimeToFileTime
0x100e40ec FreeLibrary
0x100e40f0 WideCharToMultiByte
0x100e40f4 GetSystemTimeAsFileTime
0x100e40f8 GetSystemTime
0x100e40fc FormatMessageA
0x100e4100 CreateFileMappingW
0x100e4104 MapViewOfFile
0x100e4108 QueryPerformanceCounter
0x100e410c GetTickCount
0x100e4110 FlushFileBuffers
0x100e4114 SetHandleInformation
0x100e4118 FindFirstFileA
0x100e411c Wow64DisableWow64FsRedirection
0x100e4120 K32GetModuleFileNameExW
0x100e4124 FindNextFileA
0x100e4128 CreatePipe
0x100e412c PeekNamedPipe
0x100e4130 lstrlenA
0x100e4134 FindClose
0x100e4138 GetCurrentDirectoryA
0x100e413c lstrcatA
0x100e4140 OpenProcess
0x100e4144 SetCurrentDirectoryA
0x100e4148 CreateToolhelp32Snapshot
0x100e414c ProcessIdToSessionId
0x100e4150 CopyFileA
0x100e4154 Wow64RevertWow64FsRedirection
0x100e4158 Process32NextW
0x100e415c Process32FirstW
0x100e4160 CreateThread
0x100e4164 CreateProcessA
0x100e4168 CreateDirectoryA
0x100e416c ReadConsoleW
0x100e4170 InitializeCriticalSection
0x100e4174 LeaveCriticalSection
0x100e4178 LockFile
0x100e417c OutputDebugStringA
0x100e4180 GetDiskFreeSpaceW
0x100e4184 WriteFile
0x100e4188 GetFullPathNameW
0x100e418c EnterCriticalSection
0x100e4190 HeapFree
0x100e4194 HeapCreate
0x100e4198 TryEnterCriticalSection
0x100e419c ReadFile
0x100e41a0 AreFileApisANSI
0x100e41a4 SetFilePointer
0x100e41a8 SetFilePointerEx
0x100e41ac GetConsoleMode
0x100e41b0 GetConsoleOutputCP
0x100e41b4 SetEnvironmentVariableW
0x100e41b8 FreeEnvironmentStringsW
0x100e41bc GetEnvironmentStringsW
0x100e41c0 GetCommandLineW
0x100e41c4 GetCommandLineA
0x100e41c8 GetOEMCP
0x100e41cc GetACP
0x100e41d0 IsValidCodePage
0x100e41d4 FindNextFileW
0x100e41d8 FindFirstFileExW
0x100e41dc SetStdHandle
0x100e41e0 GetCurrentDirectoryW
0x100e41e4 GetStdHandle
0x100e41e8 GetTimeZoneInformation
0x100e41ec UnhandledExceptionFilter
0x100e41f0 SetUnhandledExceptionFilter
0x100e41f4 GetCurrentProcess
0x100e41f8 TerminateProcess
0x100e41fc IsProcessorFeaturePresent
0x100e4200 IsDebuggerPresent
0x100e4204 GetStartupInfoW
0x100e4208 GetModuleHandleW
0x100e420c InitializeSListHead
0x100e4210 LCMapStringEx
0x100e4214 InitializeCriticalSectionEx
0x100e4218 EncodePointer
0x100e421c DecodePointer
0x100e4220 CompareStringEx
0x100e4224 GetCPInfo
0x100e4228 GetStringTypeW
0x100e422c RaiseException
0x100e4230 InterlockedFlushSList
0x100e4234 RtlUnwind
0x100e4238 SetLastError
0x100e423c InitializeCriticalSectionAndSpinCount
0x100e4240 TlsAlloc
0x100e4244 TlsGetValue
0x100e4248 TlsSetValue
0x100e424c TlsFree
0x100e4250 LoadLibraryExW
0x100e4254 ExitThread
0x100e4258 FreeLibraryAndExitThread
0x100e425c GetModuleHandleExW
0x100e4260 GetDriveTypeW
0x100e4264 GetFileInformationByHandle
0x100e4268 GetFileType
0x100e426c SystemTimeToTzSpecificLocalTime
0x100e4270 FileTimeToSystemTime
0x100e4274 ExitProcess
0x100e4278 GetModuleFileNameW
0x100e427c CompareStringW
0x100e4280 LCMapStringW
0x100e4284 GetLocaleInfoW
0x100e4288 IsValidLocale
0x100e428c GetUserDefaultLCID
0x100e4290 EnumSystemLocalesW
0x100e4294 WriteConsoleW
ADVAPI32.dll
0x100e4000 GetSidSubAuthority
0x100e4004 RegEnumValueW
0x100e4008 RegEnumKeyA
0x100e400c RegCloseKey
0x100e4010 RegQueryInfoKeyW
0x100e4014 RegOpenKeyA
0x100e4018 RegQueryValueExA
0x100e401c GetSidSubAuthorityCount
0x100e4020 RegOpenKeyExA
0x100e4024 GetUserNameA
0x100e4028 RegEnumKeyExW
0x100e402c LookupAccountNameA
0x100e4030 GetSidIdentifierAuthority
SHELL32.dll
0x100e429c SHFileOperationA
0x100e42a0 SHGetFolderPathA
WININET.dll
0x100e42a8 HttpOpenRequestA
0x100e42ac InternetReadFile
0x100e42b0 InternetConnectA
0x100e42b4 HttpSendRequestA
0x100e42b8 InternetCloseHandle
0x100e42bc InternetOpenA
0x100e42c0 HttpAddRequestHeadersA
0x100e42c4 HttpSendRequestExW
0x100e42c8 HttpEndRequestA
0x100e42cc InternetOpenW
0x100e42d0 InternetWriteFile
crypt.dll
0x100e42d8 BCryptOpenAlgorithmProvider
0x100e42dc BCryptSetProperty
0x100e42e0 BCryptGenerateSymmetricKey
0x100e42e4 BCryptDecrypt
EAT(Export Address Table) Library
0x100afc10 Main
0x100045b0 Save
CRYPT32.dll
0x100e4038 CryptUnprotectData
KERNEL32.dll
0x100e4040 GetFullPathNameA
0x100e4044 SetEndOfFile
0x100e4048 UnlockFileEx
0x100e404c GetTempPathW
0x100e4050 CreateMutexW
0x100e4054 WaitForSingleObject
0x100e4058 CreateFileW
0x100e405c GetFileAttributesW
0x100e4060 GetCurrentThreadId
0x100e4064 UnmapViewOfFile
0x100e4068 HeapValidate
0x100e406c HeapSize
0x100e4070 MultiByteToWideChar
0x100e4074 Sleep
0x100e4078 GetTempPathA
0x100e407c FormatMessageW
0x100e4080 GetDiskFreeSpaceA
0x100e4084 GetLastError
0x100e4088 GetFileAttributesA
0x100e408c GetFileAttributesExW
0x100e4090 OutputDebugStringW
0x100e4094 CreateFileA
0x100e4098 LoadLibraryA
0x100e409c WaitForSingleObjectEx
0x100e40a0 DeleteFileA
0x100e40a4 DeleteFileW
0x100e40a8 HeapReAlloc
0x100e40ac CloseHandle
0x100e40b0 GetSystemInfo
0x100e40b4 LoadLibraryW
0x100e40b8 HeapAlloc
0x100e40bc HeapCompact
0x100e40c0 HeapDestroy
0x100e40c4 UnlockFile
0x100e40c8 GetProcAddress
0x100e40cc CreateFileMappingA
0x100e40d0 LocalFree
0x100e40d4 LockFileEx
0x100e40d8 GetFileSize
0x100e40dc DeleteCriticalSection
0x100e40e0 GetCurrentProcessId
0x100e40e4 GetProcessHeap
0x100e40e8 SystemTimeToFileTime
0x100e40ec FreeLibrary
0x100e40f0 WideCharToMultiByte
0x100e40f4 GetSystemTimeAsFileTime
0x100e40f8 GetSystemTime
0x100e40fc FormatMessageA
0x100e4100 CreateFileMappingW
0x100e4104 MapViewOfFile
0x100e4108 QueryPerformanceCounter
0x100e410c GetTickCount
0x100e4110 FlushFileBuffers
0x100e4114 SetHandleInformation
0x100e4118 FindFirstFileA
0x100e411c Wow64DisableWow64FsRedirection
0x100e4120 K32GetModuleFileNameExW
0x100e4124 FindNextFileA
0x100e4128 CreatePipe
0x100e412c PeekNamedPipe
0x100e4130 lstrlenA
0x100e4134 FindClose
0x100e4138 GetCurrentDirectoryA
0x100e413c lstrcatA
0x100e4140 OpenProcess
0x100e4144 SetCurrentDirectoryA
0x100e4148 CreateToolhelp32Snapshot
0x100e414c ProcessIdToSessionId
0x100e4150 CopyFileA
0x100e4154 Wow64RevertWow64FsRedirection
0x100e4158 Process32NextW
0x100e415c Process32FirstW
0x100e4160 CreateThread
0x100e4164 CreateProcessA
0x100e4168 CreateDirectoryA
0x100e416c ReadConsoleW
0x100e4170 InitializeCriticalSection
0x100e4174 LeaveCriticalSection
0x100e4178 LockFile
0x100e417c OutputDebugStringA
0x100e4180 GetDiskFreeSpaceW
0x100e4184 WriteFile
0x100e4188 GetFullPathNameW
0x100e418c EnterCriticalSection
0x100e4190 HeapFree
0x100e4194 HeapCreate
0x100e4198 TryEnterCriticalSection
0x100e419c ReadFile
0x100e41a0 AreFileApisANSI
0x100e41a4 SetFilePointer
0x100e41a8 SetFilePointerEx
0x100e41ac GetConsoleMode
0x100e41b0 GetConsoleOutputCP
0x100e41b4 SetEnvironmentVariableW
0x100e41b8 FreeEnvironmentStringsW
0x100e41bc GetEnvironmentStringsW
0x100e41c0 GetCommandLineW
0x100e41c4 GetCommandLineA
0x100e41c8 GetOEMCP
0x100e41cc GetACP
0x100e41d0 IsValidCodePage
0x100e41d4 FindNextFileW
0x100e41d8 FindFirstFileExW
0x100e41dc SetStdHandle
0x100e41e0 GetCurrentDirectoryW
0x100e41e4 GetStdHandle
0x100e41e8 GetTimeZoneInformation
0x100e41ec UnhandledExceptionFilter
0x100e41f0 SetUnhandledExceptionFilter
0x100e41f4 GetCurrentProcess
0x100e41f8 TerminateProcess
0x100e41fc IsProcessorFeaturePresent
0x100e4200 IsDebuggerPresent
0x100e4204 GetStartupInfoW
0x100e4208 GetModuleHandleW
0x100e420c InitializeSListHead
0x100e4210 LCMapStringEx
0x100e4214 InitializeCriticalSectionEx
0x100e4218 EncodePointer
0x100e421c DecodePointer
0x100e4220 CompareStringEx
0x100e4224 GetCPInfo
0x100e4228 GetStringTypeW
0x100e422c RaiseException
0x100e4230 InterlockedFlushSList
0x100e4234 RtlUnwind
0x100e4238 SetLastError
0x100e423c InitializeCriticalSectionAndSpinCount
0x100e4240 TlsAlloc
0x100e4244 TlsGetValue
0x100e4248 TlsSetValue
0x100e424c TlsFree
0x100e4250 LoadLibraryExW
0x100e4254 ExitThread
0x100e4258 FreeLibraryAndExitThread
0x100e425c GetModuleHandleExW
0x100e4260 GetDriveTypeW
0x100e4264 GetFileInformationByHandle
0x100e4268 GetFileType
0x100e426c SystemTimeToTzSpecificLocalTime
0x100e4270 FileTimeToSystemTime
0x100e4274 ExitProcess
0x100e4278 GetModuleFileNameW
0x100e427c CompareStringW
0x100e4280 LCMapStringW
0x100e4284 GetLocaleInfoW
0x100e4288 IsValidLocale
0x100e428c GetUserDefaultLCID
0x100e4290 EnumSystemLocalesW
0x100e4294 WriteConsoleW
ADVAPI32.dll
0x100e4000 GetSidSubAuthority
0x100e4004 RegEnumValueW
0x100e4008 RegEnumKeyA
0x100e400c RegCloseKey
0x100e4010 RegQueryInfoKeyW
0x100e4014 RegOpenKeyA
0x100e4018 RegQueryValueExA
0x100e401c GetSidSubAuthorityCount
0x100e4020 RegOpenKeyExA
0x100e4024 GetUserNameA
0x100e4028 RegEnumKeyExW
0x100e402c LookupAccountNameA
0x100e4030 GetSidIdentifierAuthority
SHELL32.dll
0x100e429c SHFileOperationA
0x100e42a0 SHGetFolderPathA
WININET.dll
0x100e42a8 HttpOpenRequestA
0x100e42ac InternetReadFile
0x100e42b0 InternetConnectA
0x100e42b4 HttpSendRequestA
0x100e42b8 InternetCloseHandle
0x100e42bc InternetOpenA
0x100e42c0 HttpAddRequestHeadersA
0x100e42c4 HttpSendRequestExW
0x100e42c8 HttpEndRequestA
0x100e42cc InternetOpenW
0x100e42d0 InternetWriteFile
crypt.dll
0x100e42d8 BCryptOpenAlgorithmProvider
0x100e42dc BCryptSetProperty
0x100e42e0 BCryptGenerateSymmetricKey
0x100e42e4 BCryptDecrypt
EAT(Export Address Table) Library
0x100afc10 Main
0x100045b0 Save