Report - cred64.dll

Generic Malware Malicious Library UPX Antivirus PE File DLL PE64 OS Processor Check
Created 2024.11.13 14:24 Machine s1_win7_x6401
Filename cred64.dll
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
AI Score 5
Behavior Score 9.6
ZERO API file : clean
VT API (file) 51 detected (Malicious, score, Lazy, Unsafe, confidence, 100%, Attribute, HighConfidence, high confidence, BotX, Zusy, fkbm, TrojanPSW, Amadey, ktjhtr, AULsNMzBVWP, dxdck, Detected, ABTrojan, JZWO, R672848, Artemis, PasswordStealer, GdSda, Gencirc, susgen)
md5 6f25f0506bf49fe7f35686ed1f8fef4a
sha256 532182c6dcf52d5ce0bc271e94b13e83019fd8d09afdc5e68d985a092b250203
ssdeep 24576:Usd+7fzBMqZjh2sntUcCy8LfunZzW8IFHcDVh1QhHAO:U3BHjh2OZ80ZzHIF85L
imphash 9227c7c1cd406670b52768efa2eb5e71
impfuzzy 96:ZZtu7Ze6BF1V5g4uAc0aR6xExtnXnlBga79v8QRDTk:Ttu7Z3F5anN9jTk

Signature (22cnts)

Level Description
danger File has been identified by 51 AntiVirus engines on VirusTotal as malicious
danger Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running)
watch Attempts to access Bitcoin/ALTCoin wallets
watch Communicates with host for which no DNS query was performed
watch Harvests credentials from local FTP client software
watch Harvests information related to installed instant messenger clients
watch The process powershell.exe wrote an executable file to disk
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Searches running processes potentially to identify processes for sandbox evasion
notice Steals private information from local Internet browsers
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid)
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info This executable has a PDB path
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (9cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsDLL (no description) binaries (upload)
info IsPE64 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (1cnts)

Request CC ASN Co IP4 Rule ZERO
185.215.113.209 Unknown 185.215.113.209 clean

PE API

IAT(Import Address Table) Library

CRYPT32.dll
 0x1800fb070 CryptUnprotectData
KERNEL32.dll
 0x1800fb080 GetFullPathNameA
 0x1800fb088 SetEndOfFile
 0x1800fb090 UnlockFileEx
 0x1800fb098 GetTempPathW
 0x1800fb0a0 CreateMutexW
 0x1800fb0a8 WaitForSingleObject
 0x1800fb0b0 CreateFileW
 0x1800fb0b8 GetFileAttributesW
 0x1800fb0c0 GetCurrentThreadId
 0x1800fb0c8 UnmapViewOfFile
 0x1800fb0d0 HeapValidate
 0x1800fb0d8 HeapSize
 0x1800fb0e0 MultiByteToWideChar
 0x1800fb0e8 Sleep
 0x1800fb0f0 GetTempPathA
 0x1800fb0f8 FormatMessageW
 0x1800fb100 GetDiskFreeSpaceA
 0x1800fb108 GetLastError
 0x1800fb110 GetFileAttributesA
 0x1800fb118 GetFileAttributesExW
 0x1800fb120 OutputDebugStringW
 0x1800fb128 CreateFileA
 0x1800fb130 LoadLibraryA
 0x1800fb138 WaitForSingleObjectEx
 0x1800fb140 DeleteFileA
 0x1800fb148 DeleteFileW
 0x1800fb150 HeapReAlloc
 0x1800fb158 CloseHandle
 0x1800fb160 GetSystemInfo
 0x1800fb168 LoadLibraryW
 0x1800fb170 HeapAlloc
 0x1800fb178 HeapCompact
 0x1800fb180 HeapDestroy
 0x1800fb188 UnlockFile
 0x1800fb190 GetProcAddress
 0x1800fb198 CreateFileMappingA
 0x1800fb1a0 LocalFree
 0x1800fb1a8 LockFileEx
 0x1800fb1b0 GetFileSize
 0x1800fb1b8 DeleteCriticalSection
 0x1800fb1c0 GetCurrentProcessId
 0x1800fb1c8 GetProcessHeap
 0x1800fb1d0 SystemTimeToFileTime
 0x1800fb1d8 FreeLibrary
 0x1800fb1e0 WideCharToMultiByte
 0x1800fb1e8 GetSystemTimeAsFileTime
 0x1800fb1f0 GetSystemTime
 0x1800fb1f8 FormatMessageA
 0x1800fb200 CreateFileMappingW
 0x1800fb208 MapViewOfFile
 0x1800fb210 QueryPerformanceCounter
 0x1800fb218 GetTickCount
 0x1800fb220 FlushFileBuffers
 0x1800fb228 SetHandleInformation
 0x1800fb230 FindFirstFileA
 0x1800fb238 Wow64DisableWow64FsRedirection
 0x1800fb240 K32GetModuleFileNameExW
 0x1800fb248 FindNextFileA
 0x1800fb250 CreatePipe
 0x1800fb258 PeekNamedPipe
 0x1800fb260 lstrlenA
 0x1800fb268 FindClose
 0x1800fb270 GetCurrentDirectoryA
 0x1800fb278 lstrcatA
 0x1800fb280 OpenProcess
 0x1800fb288 SetCurrentDirectoryA
 0x1800fb290 CreateToolhelp32Snapshot
 0x1800fb298 ProcessIdToSessionId
 0x1800fb2a0 CopyFileA
 0x1800fb2a8 Wow64RevertWow64FsRedirection
 0x1800fb2b0 Process32NextW
 0x1800fb2b8 Process32FirstW
 0x1800fb2c0 CreateThread
 0x1800fb2c8 CreateProcessA
 0x1800fb2d0 CreateDirectoryA
 0x1800fb2d8 WriteConsoleW
 0x1800fb2e0 InitializeCriticalSection
 0x1800fb2e8 LeaveCriticalSection
 0x1800fb2f0 LockFile
 0x1800fb2f8 OutputDebugStringA
 0x1800fb300 GetDiskFreeSpaceW
 0x1800fb308 WriteFile
 0x1800fb310 GetFullPathNameW
 0x1800fb318 EnterCriticalSection
 0x1800fb320 HeapFree
 0x1800fb328 HeapCreate
 0x1800fb330 TryEnterCriticalSection
 0x1800fb338 ReadFile
 0x1800fb340 AreFileApisANSI
 0x1800fb348 SetFilePointer
 0x1800fb350 ReadConsoleW
 0x1800fb358 SetFilePointerEx
 0x1800fb360 GetConsoleMode
 0x1800fb368 GetConsoleOutputCP
 0x1800fb370 SetEnvironmentVariableW
 0x1800fb378 FreeEnvironmentStringsW
 0x1800fb380 GetEnvironmentStringsW
 0x1800fb388 GetCommandLineW
 0x1800fb390 GetCommandLineA
 0x1800fb398 GetOEMCP
 0x1800fb3a0 GetACP
 0x1800fb3a8 IsValidCodePage
 0x1800fb3b0 FindNextFileW
 0x1800fb3b8 FindFirstFileExW
 0x1800fb3c0 SetStdHandle
 0x1800fb3c8 GetCurrentDirectoryW
 0x1800fb3d0 RtlCaptureContext
 0x1800fb3d8 RtlLookupFunctionEntry
 0x1800fb3e0 RtlVirtualUnwind
 0x1800fb3e8 UnhandledExceptionFilter
 0x1800fb3f0 SetUnhandledExceptionFilter
 0x1800fb3f8 GetCurrentProcess
 0x1800fb400 TerminateProcess
 0x1800fb408 IsProcessorFeaturePresent
 0x1800fb410 IsDebuggerPresent
 0x1800fb418 GetStartupInfoW
 0x1800fb420 GetModuleHandleW
 0x1800fb428 InitializeSListHead
 0x1800fb430 LCMapStringEx
 0x1800fb438 InitializeCriticalSectionEx
 0x1800fb440 EncodePointer
 0x1800fb448 DecodePointer
 0x1800fb450 CompareStringEx
 0x1800fb458 GetCPInfo
 0x1800fb460 GetStringTypeW
 0x1800fb468 RtlUnwindEx
 0x1800fb470 RtlPcToFileHeader
 0x1800fb478 RaiseException
 0x1800fb480 InterlockedFlushSList
 0x1800fb488 SetLastError
 0x1800fb490 InitializeCriticalSectionAndSpinCount
 0x1800fb498 TlsAlloc
 0x1800fb4a0 TlsGetValue
 0x1800fb4a8 TlsSetValue
 0x1800fb4b0 TlsFree
 0x1800fb4b8 LoadLibraryExW
 0x1800fb4c0 ExitThread
 0x1800fb4c8 FreeLibraryAndExitThread
 0x1800fb4d0 GetModuleHandleExW
 0x1800fb4d8 GetDriveTypeW
 0x1800fb4e0 GetFileInformationByHandle
 0x1800fb4e8 GetFileType
 0x1800fb4f0 SystemTimeToTzSpecificLocalTime
 0x1800fb4f8 FileTimeToSystemTime
 0x1800fb500 ExitProcess
 0x1800fb508 GetModuleFileNameW
 0x1800fb510 CompareStringW
 0x1800fb518 LCMapStringW
 0x1800fb520 GetLocaleInfoW
 0x1800fb528 IsValidLocale
 0x1800fb530 GetUserDefaultLCID
 0x1800fb538 EnumSystemLocalesW
 0x1800fb540 GetTimeZoneInformation
 0x1800fb548 GetStdHandle
ADVAPI32.dll
 0x1800fb000 RegQueryValueExA
 0x1800fb008 RegEnumValueW
 0x1800fb010 RegEnumKeyA
 0x1800fb018 RegCloseKey
 0x1800fb020 RegQueryInfoKeyW
 0x1800fb028 RegOpenKeyA
 0x1800fb030 RegOpenKeyExA
 0x1800fb038 GetSidSubAuthorityCount
 0x1800fb040 GetSidSubAuthority
 0x1800fb048 GetUserNameA
 0x1800fb050 RegEnumKeyExW
 0x1800fb058 LookupAccountNameA
 0x1800fb060 GetSidIdentifierAuthority
SHELL32.dll
 0x1800fb558 SHGetFolderPathA
 0x1800fb560 SHFileOperationA
WININET.dll
 0x1800fb570 HttpOpenRequestA
 0x1800fb578 InternetWriteFile
 0x1800fb580 InternetReadFile
 0x1800fb588 InternetConnectA
 0x1800fb590 HttpSendRequestA
 0x1800fb598 InternetCloseHandle
 0x1800fb5a0 InternetOpenA
 0x1800fb5a8 HttpAddRequestHeadersA
 0x1800fb5b0 HttpSendRequestExW
 0x1800fb5b8 HttpEndRequestA
 0x1800fb5c0 InternetOpenW
crypt.dll
 0x1800fb5d0 BCryptOpenAlgorithmProvider
 0x1800fb5d8 BCryptSetProperty
 0x1800fb5e0 BCryptGenerateSymmetricKey
 0x1800fb5e8 BCryptDecrypt

EAT(Export Address Table) Library

0x1800bdc00 Main
0x180005690 Save