Report - cred.dll

Generic Malware Malicious Library UPX Antivirus PE File DLL PE32 OS Processor Check
ScreenShot
Created 2024.11.08 16:56 Machine s1_win7_x6401
Filename cred.dll
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
AI Score
4
Behavior Score
9.8
ZERO API
VT API (file) 54 detected (AIDetectMalware, Amadey, Malicious, score, Lazy, Unsafe, confidence, 100%, GenusT, DXAG, Attribute, HighConfidence, high confidence, BotX, Zusy, SpyBot, kqbyea, 1tQNmVJHBpU, AGEN, Steal, ajwj, Detected, Malware@#1qggb0zzlbcny, RDAB, ABTrojan, KEOB, R642802, Artemis, Deyma, Floxif, FileInfector, GdSda, Gencirc)
md5 6bbe66ecb21007341bd878d0c7bdcbe6
sha256 efcdc07eb7a174d31c5162903d790704fbdcd4ae0f7703799da005bb6a77f72a
ssdeep 24576:LuPGDp7e6tvtX8VDz3kLYF9+HYVDdvhFva105T7nuxKeFqk:Z3lQAtxK+qk
imphash 213cc311d974657ce4f52e13b2302f94
impfuzzy 96:ZZtu7Ze6BF1V5g4ufc0aR6xRCtO2Jk9vFfR00Dk:Ttu7Z3Fwa29nDk
  Network IP location

Signature (21cnts)

Level Description
danger File has been identified by 54 AntiVirus engines on VirusTotal as malicious
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
watch Attempts to access Bitcoin/ALTCoin wallets
watch Communicates with host for which no DNS query was performed
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client softwares
watch Harvests information related to installed instant messenger clients
watch The process powershell.exe wrote an executable file to disk
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Searches running processes potentially to identify processes for sandbox evasion
notice Steals private information from local Internet browsers
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Queries for the computername
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (9cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsDLL (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (1cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
93.123.109.4 BG Sarnica-Net LTD 93.123.109.4

Suricata ids

PE API

IAT(Import Address Table) Library

CRYPT32.dll
 0x100e5038 CryptUnprotectData
KERNEL32.dll
 0x100e5040 GetFullPathNameA
 0x100e5044 SetEndOfFile
 0x100e5048 UnlockFileEx
 0x100e504c GetTempPathW
 0x100e5050 CreateMutexW
 0x100e5054 WaitForSingleObject
 0x100e5058 CreateFileW
 0x100e505c GetFileAttributesW
 0x100e5060 GetCurrentThreadId
 0x100e5064 UnmapViewOfFile
 0x100e5068 HeapValidate
 0x100e506c HeapSize
 0x100e5070 MultiByteToWideChar
 0x100e5074 Sleep
 0x100e5078 GetTempPathA
 0x100e507c FormatMessageW
 0x100e5080 GetDiskFreeSpaceA
 0x100e5084 GetLastError
 0x100e5088 GetFileAttributesA
 0x100e508c GetFileAttributesExW
 0x100e5090 OutputDebugStringW
 0x100e5094 CreateFileA
 0x100e5098 LoadLibraryA
 0x100e509c WaitForSingleObjectEx
 0x100e50a0 DeleteFileA
 0x100e50a4 DeleteFileW
 0x100e50a8 HeapReAlloc
 0x100e50ac CloseHandle
 0x100e50b0 GetSystemInfo
 0x100e50b4 LoadLibraryW
 0x100e50b8 HeapAlloc
 0x100e50bc HeapCompact
 0x100e50c0 HeapDestroy
 0x100e50c4 UnlockFile
 0x100e50c8 GetProcAddress
 0x100e50cc CreateFileMappingA
 0x100e50d0 LocalFree
 0x100e50d4 LockFileEx
 0x100e50d8 GetFileSize
 0x100e50dc DeleteCriticalSection
 0x100e50e0 GetCurrentProcessId
 0x100e50e4 GetProcessHeap
 0x100e50e8 SystemTimeToFileTime
 0x100e50ec FreeLibrary
 0x100e50f0 WideCharToMultiByte
 0x100e50f4 GetSystemTimeAsFileTime
 0x100e50f8 GetSystemTime
 0x100e50fc FormatMessageA
 0x100e5100 CreateFileMappingW
 0x100e5104 MapViewOfFile
 0x100e5108 QueryPerformanceCounter
 0x100e510c GetTickCount
 0x100e5110 FlushFileBuffers
 0x100e5114 SetHandleInformation
 0x100e5118 FindFirstFileA
 0x100e511c Wow64DisableWow64FsRedirection
 0x100e5120 K32GetModuleFileNameExW
 0x100e5124 FindNextFileA
 0x100e5128 CreatePipe
 0x100e512c PeekNamedPipe
 0x100e5130 lstrlenA
 0x100e5134 FindClose
 0x100e5138 GetCurrentDirectoryA
 0x100e513c lstrcatA
 0x100e5140 OpenProcess
 0x100e5144 SetCurrentDirectoryA
 0x100e5148 CreateToolhelp32Snapshot
 0x100e514c ProcessIdToSessionId
 0x100e5150 CopyFileA
 0x100e5154 Wow64RevertWow64FsRedirection
 0x100e5158 Process32NextW
 0x100e515c Process32FirstW
 0x100e5160 CreateThread
 0x100e5164 CreateProcessA
 0x100e5168 CreateDirectoryA
 0x100e516c ReadConsoleW
 0x100e5170 InitializeCriticalSection
 0x100e5174 LeaveCriticalSection
 0x100e5178 LockFile
 0x100e517c OutputDebugStringA
 0x100e5180 GetDiskFreeSpaceW
 0x100e5184 WriteFile
 0x100e5188 GetFullPathNameW
 0x100e518c EnterCriticalSection
 0x100e5190 HeapFree
 0x100e5194 HeapCreate
 0x100e5198 TryEnterCriticalSection
 0x100e519c ReadFile
 0x100e51a0 AreFileApisANSI
 0x100e51a4 SetFilePointer
 0x100e51a8 SetFilePointerEx
 0x100e51ac GetConsoleMode
 0x100e51b0 GetConsoleCP
 0x100e51b4 SetEnvironmentVariableW
 0x100e51b8 FreeEnvironmentStringsW
 0x100e51bc GetEnvironmentStringsW
 0x100e51c0 GetCommandLineW
 0x100e51c4 GetCommandLineA
 0x100e51c8 GetOEMCP
 0x100e51cc GetACP
 0x100e51d0 IsValidCodePage
 0x100e51d4 FindNextFileW
 0x100e51d8 FindFirstFileExW
 0x100e51dc SetStdHandle
 0x100e51e0 GetCurrentDirectoryW
 0x100e51e4 GetStdHandle
 0x100e51e8 GetTimeZoneInformation
 0x100e51ec UnhandledExceptionFilter
 0x100e51f0 SetUnhandledExceptionFilter
 0x100e51f4 GetCurrentProcess
 0x100e51f8 TerminateProcess
 0x100e51fc IsProcessorFeaturePresent
 0x100e5200 IsDebuggerPresent
 0x100e5204 GetStartupInfoW
 0x100e5208 GetModuleHandleW
 0x100e520c InitializeSListHead
 0x100e5210 SetLastError
 0x100e5214 InitializeCriticalSectionAndSpinCount
 0x100e5218 SwitchToThread
 0x100e521c TlsAlloc
 0x100e5220 TlsGetValue
 0x100e5224 TlsSetValue
 0x100e5228 TlsFree
 0x100e522c EncodePointer
 0x100e5230 DecodePointer
 0x100e5234 GetCPInfo
 0x100e5238 CompareStringW
 0x100e523c LCMapStringW
 0x100e5240 GetLocaleInfoW
 0x100e5244 GetStringTypeW
 0x100e5248 RaiseException
 0x100e524c InterlockedFlushSList
 0x100e5250 RtlUnwind
 0x100e5254 LoadLibraryExW
 0x100e5258 ExitThread
 0x100e525c FreeLibraryAndExitThread
 0x100e5260 GetModuleHandleExW
 0x100e5264 GetDriveTypeW
 0x100e5268 GetFileInformationByHandle
 0x100e526c GetFileType
 0x100e5270 SystemTimeToTzSpecificLocalTime
 0x100e5274 FileTimeToSystemTime
 0x100e5278 ExitProcess
 0x100e527c GetModuleFileNameW
 0x100e5280 IsValidLocale
 0x100e5284 GetUserDefaultLCID
 0x100e5288 EnumSystemLocalesW
 0x100e528c WriteConsoleW
ADVAPI32.dll
 0x100e5000 GetUserNameA
 0x100e5004 RegEnumValueW
 0x100e5008 RegEnumKeyA
 0x100e500c RegCloseKey
 0x100e5010 RegQueryInfoKeyW
 0x100e5014 RegOpenKeyA
 0x100e5018 RegQueryValueExA
 0x100e501c GetSidSubAuthorityCount
 0x100e5020 GetSidSubAuthority
 0x100e5024 RegOpenKeyExA
 0x100e5028 RegEnumKeyExW
 0x100e502c LookupAccountNameA
 0x100e5030 GetSidIdentifierAuthority
SHELL32.dll
 0x100e5294 SHFileOperationA
 0x100e5298 SHGetFolderPathA
WININET.dll
 0x100e52a0 HttpOpenRequestA
 0x100e52a4 InternetReadFile
 0x100e52a8 InternetConnectA
 0x100e52ac HttpSendRequestA
 0x100e52b0 InternetCloseHandle
 0x100e52b4 InternetOpenA
 0x100e52b8 HttpAddRequestHeadersA
 0x100e52bc HttpSendRequestExW
 0x100e52c0 HttpEndRequestA
 0x100e52c4 InternetOpenW
 0x100e52c8 InternetWriteFile
crypt.dll
 0x100e52d0 BCryptOpenAlgorithmProvider
 0x100e52d4 BCryptSetProperty
 0x100e52d8 BCryptGenerateSymmetricKey
 0x100e52dc BCryptDecrypt

EAT(Export Address Table) Library

0x100b1100 Main
0x100045c0 Save


Similarity measure (PE file only) - Checking for service failure