ScreenShot
Created | 2024.11.01 09:22 | Machine | s1_win7_x6401 |
Filename | cred64.dll | ||
Type | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | ||
AI Score |
|
Behavior Score |
|
ZERO API | file : clean | ||
VT API (file) | 54 detected (Convagent, Malicious, score, Emotet, Zusy, Unsafe, confidence, 100%, Attribute, HighConfidence, high confidence, BotX, TrojanPSW, PmswK9jgQcH, nwhwy, SpyBot, Detected, Kryptik, Eldorado, R672848, Artemis, Chgt, R002H0CIA24, Gencirc, pDc8R8bXD6g, Multiverze) | ||
md5 | 609b797441d054c5b5585b6464ad31b6 | ||
sha256 | c8d58a19af87f3b4cb46e229407db645c972d4213e30d0bb1853d5f585db044f | ||
ssdeep | 24576:Vjm1sk9lP6nWZJaIOo/QHtH9YZ0yNJW+6J7Vb:m96nWerAQHB9yjWz1 | ||
imphash | 3eb70f83441fc8632e81bd6eb89f424d | ||
impfuzzy | 96:ZZtu7Ze6BF1V5g4uAc0aR6x5xtO8Bg99vFzOoQTk:Ttu7Z3F5am+9gTk |
Network IP location
Signature (22cnts)
Level | Description |
---|---|
danger | File has been identified by 54 AntiVirus engines on VirusTotal as malicious |
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local FTP client softwares |
watch | Harvests information related to installed instant messenger clients |
watch | The process powershell.exe wrote an executable file to disk |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Steals private information from local Internet browsers |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | This executable has a PDB path |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (9cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsDLL | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
CRYPT32.dll
0x1800fd070 CryptUnprotectData
KERNEL32.dll
0x1800fd080 GetFullPathNameA
0x1800fd088 SetEndOfFile
0x1800fd090 UnlockFileEx
0x1800fd098 GetTempPathW
0x1800fd0a0 CreateMutexW
0x1800fd0a8 WaitForSingleObject
0x1800fd0b0 CreateFileW
0x1800fd0b8 GetFileAttributesW
0x1800fd0c0 GetCurrentThreadId
0x1800fd0c8 UnmapViewOfFile
0x1800fd0d0 HeapValidate
0x1800fd0d8 HeapSize
0x1800fd0e0 MultiByteToWideChar
0x1800fd0e8 Sleep
0x1800fd0f0 GetTempPathA
0x1800fd0f8 FormatMessageW
0x1800fd100 GetDiskFreeSpaceA
0x1800fd108 GetLastError
0x1800fd110 GetFileAttributesA
0x1800fd118 GetFileAttributesExW
0x1800fd120 OutputDebugStringW
0x1800fd128 CreateFileA
0x1800fd130 LoadLibraryA
0x1800fd138 WaitForSingleObjectEx
0x1800fd140 DeleteFileA
0x1800fd148 DeleteFileW
0x1800fd150 HeapReAlloc
0x1800fd158 CloseHandle
0x1800fd160 GetSystemInfo
0x1800fd168 LoadLibraryW
0x1800fd170 HeapAlloc
0x1800fd178 HeapCompact
0x1800fd180 HeapDestroy
0x1800fd188 UnlockFile
0x1800fd190 GetProcAddress
0x1800fd198 CreateFileMappingA
0x1800fd1a0 LocalFree
0x1800fd1a8 LockFileEx
0x1800fd1b0 GetFileSize
0x1800fd1b8 DeleteCriticalSection
0x1800fd1c0 GetCurrentProcessId
0x1800fd1c8 GetProcessHeap
0x1800fd1d0 SystemTimeToFileTime
0x1800fd1d8 FreeLibrary
0x1800fd1e0 WideCharToMultiByte
0x1800fd1e8 GetSystemTimeAsFileTime
0x1800fd1f0 GetSystemTime
0x1800fd1f8 FormatMessageA
0x1800fd200 CreateFileMappingW
0x1800fd208 MapViewOfFile
0x1800fd210 QueryPerformanceCounter
0x1800fd218 GetTickCount
0x1800fd220 FlushFileBuffers
0x1800fd228 SetHandleInformation
0x1800fd230 FindFirstFileA
0x1800fd238 Wow64DisableWow64FsRedirection
0x1800fd240 K32GetModuleFileNameExW
0x1800fd248 FindNextFileA
0x1800fd250 CreatePipe
0x1800fd258 PeekNamedPipe
0x1800fd260 lstrlenA
0x1800fd268 FindClose
0x1800fd270 GetCurrentDirectoryA
0x1800fd278 lstrcatA
0x1800fd280 OpenProcess
0x1800fd288 SetCurrentDirectoryA
0x1800fd290 CreateToolhelp32Snapshot
0x1800fd298 ProcessIdToSessionId
0x1800fd2a0 CopyFileA
0x1800fd2a8 Wow64RevertWow64FsRedirection
0x1800fd2b0 Process32NextW
0x1800fd2b8 Process32FirstW
0x1800fd2c0 CreateThread
0x1800fd2c8 CreateProcessA
0x1800fd2d0 CreateDirectoryA
0x1800fd2d8 WriteConsoleW
0x1800fd2e0 InitializeCriticalSection
0x1800fd2e8 LeaveCriticalSection
0x1800fd2f0 LockFile
0x1800fd2f8 OutputDebugStringA
0x1800fd300 GetDiskFreeSpaceW
0x1800fd308 WriteFile
0x1800fd310 GetFullPathNameW
0x1800fd318 EnterCriticalSection
0x1800fd320 HeapFree
0x1800fd328 HeapCreate
0x1800fd330 TryEnterCriticalSection
0x1800fd338 ReadFile
0x1800fd340 AreFileApisANSI
0x1800fd348 SetFilePointer
0x1800fd350 ReadConsoleW
0x1800fd358 SetFilePointerEx
0x1800fd360 GetConsoleMode
0x1800fd368 GetConsoleCP
0x1800fd370 SetEnvironmentVariableW
0x1800fd378 FreeEnvironmentStringsW
0x1800fd380 GetEnvironmentStringsW
0x1800fd388 GetCommandLineW
0x1800fd390 GetCommandLineA
0x1800fd398 GetOEMCP
0x1800fd3a0 GetACP
0x1800fd3a8 IsValidCodePage
0x1800fd3b0 FindNextFileW
0x1800fd3b8 FindFirstFileExW
0x1800fd3c0 SetStdHandle
0x1800fd3c8 GetCurrentDirectoryW
0x1800fd3d0 RtlCaptureContext
0x1800fd3d8 RtlLookupFunctionEntry
0x1800fd3e0 RtlVirtualUnwind
0x1800fd3e8 UnhandledExceptionFilter
0x1800fd3f0 SetUnhandledExceptionFilter
0x1800fd3f8 GetCurrentProcess
0x1800fd400 TerminateProcess
0x1800fd408 IsProcessorFeaturePresent
0x1800fd410 IsDebuggerPresent
0x1800fd418 GetStartupInfoW
0x1800fd420 GetModuleHandleW
0x1800fd428 InitializeSListHead
0x1800fd430 SetLastError
0x1800fd438 InitializeCriticalSectionAndSpinCount
0x1800fd440 SwitchToThread
0x1800fd448 TlsAlloc
0x1800fd450 TlsGetValue
0x1800fd458 TlsSetValue
0x1800fd460 TlsFree
0x1800fd468 EncodePointer
0x1800fd470 DecodePointer
0x1800fd478 GetCPInfo
0x1800fd480 CompareStringW
0x1800fd488 LCMapStringW
0x1800fd490 GetLocaleInfoW
0x1800fd498 GetStringTypeW
0x1800fd4a0 RtlUnwindEx
0x1800fd4a8 RtlPcToFileHeader
0x1800fd4b0 RaiseException
0x1800fd4b8 InterlockedFlushSList
0x1800fd4c0 LoadLibraryExW
0x1800fd4c8 ExitThread
0x1800fd4d0 FreeLibraryAndExitThread
0x1800fd4d8 GetModuleHandleExW
0x1800fd4e0 GetDriveTypeW
0x1800fd4e8 GetFileInformationByHandle
0x1800fd4f0 GetFileType
0x1800fd4f8 SystemTimeToTzSpecificLocalTime
0x1800fd500 FileTimeToSystemTime
0x1800fd508 ExitProcess
0x1800fd510 GetModuleFileNameW
0x1800fd518 IsValidLocale
0x1800fd520 GetUserDefaultLCID
0x1800fd528 EnumSystemLocalesW
0x1800fd530 GetTimeZoneInformation
0x1800fd538 GetStdHandle
ADVAPI32.dll
0x1800fd000 GetSidSubAuthorityCount
0x1800fd008 RegEnumValueW
0x1800fd010 RegEnumKeyA
0x1800fd018 RegCloseKey
0x1800fd020 RegQueryInfoKeyW
0x1800fd028 RegOpenKeyA
0x1800fd030 RegQueryValueExA
0x1800fd038 GetSidIdentifierAuthority
0x1800fd040 GetSidSubAuthority
0x1800fd048 GetUserNameA
0x1800fd050 RegEnumKeyExW
0x1800fd058 LookupAccountNameA
0x1800fd060 RegOpenKeyExA
SHELL32.dll
0x1800fd548 SHGetFolderPathA
0x1800fd550 SHFileOperationA
WININET.dll
0x1800fd560 HttpOpenRequestA
0x1800fd568 InternetWriteFile
0x1800fd570 InternetReadFile
0x1800fd578 InternetConnectA
0x1800fd580 HttpSendRequestA
0x1800fd588 InternetCloseHandle
0x1800fd590 InternetOpenA
0x1800fd598 HttpAddRequestHeadersA
0x1800fd5a0 HttpSendRequestExW
0x1800fd5a8 HttpEndRequestA
0x1800fd5b0 InternetOpenW
crypt.dll
0x1800fd5c0 BCryptOpenAlgorithmProvider
0x1800fd5c8 BCryptSetProperty
0x1800fd5d0 BCryptGenerateSymmetricKey
0x1800fd5d8 BCryptDecrypt
EAT(Export Address Table) Library
0x1800c0c40 Main
0x180005d80 Save
CRYPT32.dll
0x1800fd070 CryptUnprotectData
KERNEL32.dll
0x1800fd080 GetFullPathNameA
0x1800fd088 SetEndOfFile
0x1800fd090 UnlockFileEx
0x1800fd098 GetTempPathW
0x1800fd0a0 CreateMutexW
0x1800fd0a8 WaitForSingleObject
0x1800fd0b0 CreateFileW
0x1800fd0b8 GetFileAttributesW
0x1800fd0c0 GetCurrentThreadId
0x1800fd0c8 UnmapViewOfFile
0x1800fd0d0 HeapValidate
0x1800fd0d8 HeapSize
0x1800fd0e0 MultiByteToWideChar
0x1800fd0e8 Sleep
0x1800fd0f0 GetTempPathA
0x1800fd0f8 FormatMessageW
0x1800fd100 GetDiskFreeSpaceA
0x1800fd108 GetLastError
0x1800fd110 GetFileAttributesA
0x1800fd118 GetFileAttributesExW
0x1800fd120 OutputDebugStringW
0x1800fd128 CreateFileA
0x1800fd130 LoadLibraryA
0x1800fd138 WaitForSingleObjectEx
0x1800fd140 DeleteFileA
0x1800fd148 DeleteFileW
0x1800fd150 HeapReAlloc
0x1800fd158 CloseHandle
0x1800fd160 GetSystemInfo
0x1800fd168 LoadLibraryW
0x1800fd170 HeapAlloc
0x1800fd178 HeapCompact
0x1800fd180 HeapDestroy
0x1800fd188 UnlockFile
0x1800fd190 GetProcAddress
0x1800fd198 CreateFileMappingA
0x1800fd1a0 LocalFree
0x1800fd1a8 LockFileEx
0x1800fd1b0 GetFileSize
0x1800fd1b8 DeleteCriticalSection
0x1800fd1c0 GetCurrentProcessId
0x1800fd1c8 GetProcessHeap
0x1800fd1d0 SystemTimeToFileTime
0x1800fd1d8 FreeLibrary
0x1800fd1e0 WideCharToMultiByte
0x1800fd1e8 GetSystemTimeAsFileTime
0x1800fd1f0 GetSystemTime
0x1800fd1f8 FormatMessageA
0x1800fd200 CreateFileMappingW
0x1800fd208 MapViewOfFile
0x1800fd210 QueryPerformanceCounter
0x1800fd218 GetTickCount
0x1800fd220 FlushFileBuffers
0x1800fd228 SetHandleInformation
0x1800fd230 FindFirstFileA
0x1800fd238 Wow64DisableWow64FsRedirection
0x1800fd240 K32GetModuleFileNameExW
0x1800fd248 FindNextFileA
0x1800fd250 CreatePipe
0x1800fd258 PeekNamedPipe
0x1800fd260 lstrlenA
0x1800fd268 FindClose
0x1800fd270 GetCurrentDirectoryA
0x1800fd278 lstrcatA
0x1800fd280 OpenProcess
0x1800fd288 SetCurrentDirectoryA
0x1800fd290 CreateToolhelp32Snapshot
0x1800fd298 ProcessIdToSessionId
0x1800fd2a0 CopyFileA
0x1800fd2a8 Wow64RevertWow64FsRedirection
0x1800fd2b0 Process32NextW
0x1800fd2b8 Process32FirstW
0x1800fd2c0 CreateThread
0x1800fd2c8 CreateProcessA
0x1800fd2d0 CreateDirectoryA
0x1800fd2d8 WriteConsoleW
0x1800fd2e0 InitializeCriticalSection
0x1800fd2e8 LeaveCriticalSection
0x1800fd2f0 LockFile
0x1800fd2f8 OutputDebugStringA
0x1800fd300 GetDiskFreeSpaceW
0x1800fd308 WriteFile
0x1800fd310 GetFullPathNameW
0x1800fd318 EnterCriticalSection
0x1800fd320 HeapFree
0x1800fd328 HeapCreate
0x1800fd330 TryEnterCriticalSection
0x1800fd338 ReadFile
0x1800fd340 AreFileApisANSI
0x1800fd348 SetFilePointer
0x1800fd350 ReadConsoleW
0x1800fd358 SetFilePointerEx
0x1800fd360 GetConsoleMode
0x1800fd368 GetConsoleCP
0x1800fd370 SetEnvironmentVariableW
0x1800fd378 FreeEnvironmentStringsW
0x1800fd380 GetEnvironmentStringsW
0x1800fd388 GetCommandLineW
0x1800fd390 GetCommandLineA
0x1800fd398 GetOEMCP
0x1800fd3a0 GetACP
0x1800fd3a8 IsValidCodePage
0x1800fd3b0 FindNextFileW
0x1800fd3b8 FindFirstFileExW
0x1800fd3c0 SetStdHandle
0x1800fd3c8 GetCurrentDirectoryW
0x1800fd3d0 RtlCaptureContext
0x1800fd3d8 RtlLookupFunctionEntry
0x1800fd3e0 RtlVirtualUnwind
0x1800fd3e8 UnhandledExceptionFilter
0x1800fd3f0 SetUnhandledExceptionFilter
0x1800fd3f8 GetCurrentProcess
0x1800fd400 TerminateProcess
0x1800fd408 IsProcessorFeaturePresent
0x1800fd410 IsDebuggerPresent
0x1800fd418 GetStartupInfoW
0x1800fd420 GetModuleHandleW
0x1800fd428 InitializeSListHead
0x1800fd430 SetLastError
0x1800fd438 InitializeCriticalSectionAndSpinCount
0x1800fd440 SwitchToThread
0x1800fd448 TlsAlloc
0x1800fd450 TlsGetValue
0x1800fd458 TlsSetValue
0x1800fd460 TlsFree
0x1800fd468 EncodePointer
0x1800fd470 DecodePointer
0x1800fd478 GetCPInfo
0x1800fd480 CompareStringW
0x1800fd488 LCMapStringW
0x1800fd490 GetLocaleInfoW
0x1800fd498 GetStringTypeW
0x1800fd4a0 RtlUnwindEx
0x1800fd4a8 RtlPcToFileHeader
0x1800fd4b0 RaiseException
0x1800fd4b8 InterlockedFlushSList
0x1800fd4c0 LoadLibraryExW
0x1800fd4c8 ExitThread
0x1800fd4d0 FreeLibraryAndExitThread
0x1800fd4d8 GetModuleHandleExW
0x1800fd4e0 GetDriveTypeW
0x1800fd4e8 GetFileInformationByHandle
0x1800fd4f0 GetFileType
0x1800fd4f8 SystemTimeToTzSpecificLocalTime
0x1800fd500 FileTimeToSystemTime
0x1800fd508 ExitProcess
0x1800fd510 GetModuleFileNameW
0x1800fd518 IsValidLocale
0x1800fd520 GetUserDefaultLCID
0x1800fd528 EnumSystemLocalesW
0x1800fd530 GetTimeZoneInformation
0x1800fd538 GetStdHandle
ADVAPI32.dll
0x1800fd000 GetSidSubAuthorityCount
0x1800fd008 RegEnumValueW
0x1800fd010 RegEnumKeyA
0x1800fd018 RegCloseKey
0x1800fd020 RegQueryInfoKeyW
0x1800fd028 RegOpenKeyA
0x1800fd030 RegQueryValueExA
0x1800fd038 GetSidIdentifierAuthority
0x1800fd040 GetSidSubAuthority
0x1800fd048 GetUserNameA
0x1800fd050 RegEnumKeyExW
0x1800fd058 LookupAccountNameA
0x1800fd060 RegOpenKeyExA
SHELL32.dll
0x1800fd548 SHGetFolderPathA
0x1800fd550 SHFileOperationA
WININET.dll
0x1800fd560 HttpOpenRequestA
0x1800fd568 InternetWriteFile
0x1800fd570 InternetReadFile
0x1800fd578 InternetConnectA
0x1800fd580 HttpSendRequestA
0x1800fd588 InternetCloseHandle
0x1800fd590 InternetOpenA
0x1800fd598 HttpAddRequestHeadersA
0x1800fd5a0 HttpSendRequestExW
0x1800fd5a8 HttpEndRequestA
0x1800fd5b0 InternetOpenW
crypt.dll
0x1800fd5c0 BCryptOpenAlgorithmProvider
0x1800fd5c8 BCryptSetProperty
0x1800fd5d0 BCryptGenerateSymmetricKey
0x1800fd5d8 BCryptDecrypt
EAT(Export Address Table) Library
0x1800c0c40 Main
0x180005d80 Save