Report - cred.dll

Generic Malware Malicious Library UPX Antivirus PE File DLL PE32 OS Processor Check
ScreenShot
Created 2024.10.28 10:19 Machine s1_win7_x6403
Filename cred.dll
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
AI Score
4
Behavior Score
9.0
ZERO API file : clean
VT API (file) 33 detected (AIDetectMalware, Malicious, score, Lazy, Unsafe, confidence, Attribute, HighConfidence, high confidence, Amadey, BotX, Zusy, Convagent, AGEN, Steal, Detected, Genetic)
md5 921b0badeaffee860310e6755769337e
sha256 c9914b4ab252e782b73ab0a3efad386444ba8a8059167adcb0675968da2df36f
ssdeep 24576:KNFxrUgNQWcPb72kXGWjVcwBlTd8DKT/VSMsCdTzHpgaym9:KNFxogmf2scG1Tzcm9
imphash 7e8b0331b68a47254f7000efd39b30a8
impfuzzy 96:ZZtu7Ze6BF1V5g4ufc0aR6xsCtnXnzJ779v8sEw0Dk:Ttu7Z3FwaC9uDk
  Network IP location

Signature (20cnts)

Level Description
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
danger File has been identified by 33 AntiVirus engines on VirusTotal as malicious
watch Attempts to access Bitcoin/ALTCoin wallets
watch Communicates with host for which no DNS query was performed
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client softwares
watch Harvests information related to installed instant messenger clients
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Searches running processes potentially to identify processes for sandbox evasion
notice Steals private information from local Internet browsers
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Queries for the computername
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (9cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsDLL (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (1cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
185.215.113.217 Unknown 185.215.113.217 clean

Suricata ids

PE API

IAT(Import Address Table) Library

CRYPT32.dll
 0x100e4038 CryptUnprotectData
KERNEL32.dll
 0x100e4040 GetFullPathNameA
 0x100e4044 SetEndOfFile
 0x100e4048 UnlockFileEx
 0x100e404c GetTempPathW
 0x100e4050 CreateMutexW
 0x100e4054 WaitForSingleObject
 0x100e4058 CreateFileW
 0x100e405c GetFileAttributesW
 0x100e4060 GetCurrentThreadId
 0x100e4064 UnmapViewOfFile
 0x100e4068 HeapValidate
 0x100e406c HeapSize
 0x100e4070 MultiByteToWideChar
 0x100e4074 Sleep
 0x100e4078 GetTempPathA
 0x100e407c FormatMessageW
 0x100e4080 GetDiskFreeSpaceA
 0x100e4084 GetLastError
 0x100e4088 GetFileAttributesA
 0x100e408c GetFileAttributesExW
 0x100e4090 OutputDebugStringW
 0x100e4094 CreateFileA
 0x100e4098 LoadLibraryA
 0x100e409c WaitForSingleObjectEx
 0x100e40a0 DeleteFileA
 0x100e40a4 DeleteFileW
 0x100e40a8 HeapReAlloc
 0x100e40ac CloseHandle
 0x100e40b0 GetSystemInfo
 0x100e40b4 LoadLibraryW
 0x100e40b8 HeapAlloc
 0x100e40bc HeapCompact
 0x100e40c0 HeapDestroy
 0x100e40c4 UnlockFile
 0x100e40c8 GetProcAddress
 0x100e40cc CreateFileMappingA
 0x100e40d0 LocalFree
 0x100e40d4 LockFileEx
 0x100e40d8 GetFileSize
 0x100e40dc DeleteCriticalSection
 0x100e40e0 GetCurrentProcessId
 0x100e40e4 GetProcessHeap
 0x100e40e8 SystemTimeToFileTime
 0x100e40ec FreeLibrary
 0x100e40f0 WideCharToMultiByte
 0x100e40f4 GetSystemTimeAsFileTime
 0x100e40f8 GetSystemTime
 0x100e40fc FormatMessageA
 0x100e4100 CreateFileMappingW
 0x100e4104 MapViewOfFile
 0x100e4108 QueryPerformanceCounter
 0x100e410c GetTickCount
 0x100e4110 FlushFileBuffers
 0x100e4114 SetHandleInformation
 0x100e4118 FindFirstFileA
 0x100e411c Wow64DisableWow64FsRedirection
 0x100e4120 K32GetModuleFileNameExW
 0x100e4124 FindNextFileA
 0x100e4128 CreatePipe
 0x100e412c PeekNamedPipe
 0x100e4130 lstrlenA
 0x100e4134 FindClose
 0x100e4138 GetCurrentDirectoryA
 0x100e413c lstrcatA
 0x100e4140 OpenProcess
 0x100e4144 SetCurrentDirectoryA
 0x100e4148 CreateToolhelp32Snapshot
 0x100e414c ProcessIdToSessionId
 0x100e4150 CopyFileA
 0x100e4154 Wow64RevertWow64FsRedirection
 0x100e4158 Process32NextW
 0x100e415c Process32FirstW
 0x100e4160 CreateThread
 0x100e4164 CreateProcessA
 0x100e4168 CreateDirectoryA
 0x100e416c ReadConsoleW
 0x100e4170 InitializeCriticalSection
 0x100e4174 LeaveCriticalSection
 0x100e4178 LockFile
 0x100e417c OutputDebugStringA
 0x100e4180 GetDiskFreeSpaceW
 0x100e4184 WriteFile
 0x100e4188 GetFullPathNameW
 0x100e418c EnterCriticalSection
 0x100e4190 HeapFree
 0x100e4194 HeapCreate
 0x100e4198 TryEnterCriticalSection
 0x100e419c ReadFile
 0x100e41a0 AreFileApisANSI
 0x100e41a4 SetFilePointer
 0x100e41a8 SetFilePointerEx
 0x100e41ac GetConsoleMode
 0x100e41b0 GetConsoleOutputCP
 0x100e41b4 SetEnvironmentVariableW
 0x100e41b8 FreeEnvironmentStringsW
 0x100e41bc GetEnvironmentStringsW
 0x100e41c0 GetCommandLineW
 0x100e41c4 GetCommandLineA
 0x100e41c8 GetOEMCP
 0x100e41cc GetACP
 0x100e41d0 IsValidCodePage
 0x100e41d4 FindNextFileW
 0x100e41d8 FindFirstFileExW
 0x100e41dc SetStdHandle
 0x100e41e0 GetCurrentDirectoryW
 0x100e41e4 GetStdHandle
 0x100e41e8 GetTimeZoneInformation
 0x100e41ec UnhandledExceptionFilter
 0x100e41f0 SetUnhandledExceptionFilter
 0x100e41f4 GetCurrentProcess
 0x100e41f8 TerminateProcess
 0x100e41fc IsProcessorFeaturePresent
 0x100e4200 IsDebuggerPresent
 0x100e4204 GetStartupInfoW
 0x100e4208 GetModuleHandleW
 0x100e420c InitializeSListHead
 0x100e4210 LCMapStringEx
 0x100e4214 InitializeCriticalSectionEx
 0x100e4218 EncodePointer
 0x100e421c DecodePointer
 0x100e4220 CompareStringEx
 0x100e4224 GetCPInfo
 0x100e4228 GetStringTypeW
 0x100e422c RaiseException
 0x100e4230 InterlockedFlushSList
 0x100e4234 RtlUnwind
 0x100e4238 SetLastError
 0x100e423c InitializeCriticalSectionAndSpinCount
 0x100e4240 TlsAlloc
 0x100e4244 TlsGetValue
 0x100e4248 TlsSetValue
 0x100e424c TlsFree
 0x100e4250 LoadLibraryExW
 0x100e4254 ExitThread
 0x100e4258 FreeLibraryAndExitThread
 0x100e425c GetModuleHandleExW
 0x100e4260 GetDriveTypeW
 0x100e4264 GetFileInformationByHandle
 0x100e4268 GetFileType
 0x100e426c SystemTimeToTzSpecificLocalTime
 0x100e4270 FileTimeToSystemTime
 0x100e4274 ExitProcess
 0x100e4278 GetModuleFileNameW
 0x100e427c CompareStringW
 0x100e4280 LCMapStringW
 0x100e4284 GetLocaleInfoW
 0x100e4288 IsValidLocale
 0x100e428c GetUserDefaultLCID
 0x100e4290 EnumSystemLocalesW
 0x100e4294 WriteConsoleW
ADVAPI32.dll
 0x100e4000 GetSidSubAuthority
 0x100e4004 RegEnumValueW
 0x100e4008 RegEnumKeyA
 0x100e400c RegCloseKey
 0x100e4010 RegQueryInfoKeyW
 0x100e4014 RegOpenKeyA
 0x100e4018 RegQueryValueExA
 0x100e401c GetSidSubAuthorityCount
 0x100e4020 RegOpenKeyExA
 0x100e4024 GetUserNameA
 0x100e4028 RegEnumKeyExW
 0x100e402c LookupAccountNameA
 0x100e4030 GetSidIdentifierAuthority
SHELL32.dll
 0x100e429c SHFileOperationA
 0x100e42a0 SHGetFolderPathA
WININET.dll
 0x100e42a8 HttpOpenRequestA
 0x100e42ac InternetReadFile
 0x100e42b0 InternetConnectA
 0x100e42b4 HttpSendRequestA
 0x100e42b8 InternetCloseHandle
 0x100e42bc InternetOpenA
 0x100e42c0 HttpAddRequestHeadersA
 0x100e42c4 HttpSendRequestExW
 0x100e42c8 HttpEndRequestA
 0x100e42cc InternetOpenW
 0x100e42d0 InternetWriteFile
crypt.dll
 0x100e42d8 BCryptOpenAlgorithmProvider
 0x100e42dc BCryptSetProperty
 0x100e42e0 BCryptGenerateSymmetricKey
 0x100e42e4 BCryptDecrypt

EAT(Export Address Table) Library

0x100afc10 Main
0x100045b0 Save


Similarity measure (PE file only) - Checking for service failure