ScreenShot
Created | 2024.11.13 14:24 | Machine | s1_win7_x6401 |
Filename | cred64.dll | ||
Type | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | ||
AI Score |
|
Behavior Score |
|
ZERO API | file : clean | ||
VT API (file) | 51 detected (Malicious, score, Lazy, Unsafe, confidence, 100%, Attribute, HighConfidence, high confidence, BotX, Zusy, fkbm, TrojanPSW, Amadey, ktjhtr, AULsNMzBVWP, dxdck, Detected, ABTrojan, JZWO, R672848, Artemis, PasswordStealer, GdSda, Gencirc, susgen) | ||
md5 | 6f25f0506bf49fe7f35686ed1f8fef4a | ||
sha256 | 532182c6dcf52d5ce0bc271e94b13e83019fd8d09afdc5e68d985a092b250203 | ||
ssdeep | 24576:Usd+7fzBMqZjh2sntUcCy8LfunZzW8IFHcDVh1QhHAO:U3BHjh2OZ80ZzHIF85L | ||
imphash | 9227c7c1cd406670b52768efa2eb5e71 | ||
impfuzzy | 96:ZZtu7Ze6BF1V5g4uAc0aR6xExtnXnlBga79v8QRDTk:Ttu7Z3F5anN9jTk |
Network IP location
Signature (22cnts)
Level | Description |
---|---|
danger | File has been identified by 51 AntiVirus engines on VirusTotal as malicious |
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local FTP client softwares |
watch | Harvests information related to installed instant messenger clients |
watch | The process powershell.exe wrote an executable file to disk |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Steals private information from local Internet browsers |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | This executable has a PDB path |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (9cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsDLL | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
CRYPT32.dll
0x1800fb070 CryptUnprotectData
KERNEL32.dll
0x1800fb080 GetFullPathNameA
0x1800fb088 SetEndOfFile
0x1800fb090 UnlockFileEx
0x1800fb098 GetTempPathW
0x1800fb0a0 CreateMutexW
0x1800fb0a8 WaitForSingleObject
0x1800fb0b0 CreateFileW
0x1800fb0b8 GetFileAttributesW
0x1800fb0c0 GetCurrentThreadId
0x1800fb0c8 UnmapViewOfFile
0x1800fb0d0 HeapValidate
0x1800fb0d8 HeapSize
0x1800fb0e0 MultiByteToWideChar
0x1800fb0e8 Sleep
0x1800fb0f0 GetTempPathA
0x1800fb0f8 FormatMessageW
0x1800fb100 GetDiskFreeSpaceA
0x1800fb108 GetLastError
0x1800fb110 GetFileAttributesA
0x1800fb118 GetFileAttributesExW
0x1800fb120 OutputDebugStringW
0x1800fb128 CreateFileA
0x1800fb130 LoadLibraryA
0x1800fb138 WaitForSingleObjectEx
0x1800fb140 DeleteFileA
0x1800fb148 DeleteFileW
0x1800fb150 HeapReAlloc
0x1800fb158 CloseHandle
0x1800fb160 GetSystemInfo
0x1800fb168 LoadLibraryW
0x1800fb170 HeapAlloc
0x1800fb178 HeapCompact
0x1800fb180 HeapDestroy
0x1800fb188 UnlockFile
0x1800fb190 GetProcAddress
0x1800fb198 CreateFileMappingA
0x1800fb1a0 LocalFree
0x1800fb1a8 LockFileEx
0x1800fb1b0 GetFileSize
0x1800fb1b8 DeleteCriticalSection
0x1800fb1c0 GetCurrentProcessId
0x1800fb1c8 GetProcessHeap
0x1800fb1d0 SystemTimeToFileTime
0x1800fb1d8 FreeLibrary
0x1800fb1e0 WideCharToMultiByte
0x1800fb1e8 GetSystemTimeAsFileTime
0x1800fb1f0 GetSystemTime
0x1800fb1f8 FormatMessageA
0x1800fb200 CreateFileMappingW
0x1800fb208 MapViewOfFile
0x1800fb210 QueryPerformanceCounter
0x1800fb218 GetTickCount
0x1800fb220 FlushFileBuffers
0x1800fb228 SetHandleInformation
0x1800fb230 FindFirstFileA
0x1800fb238 Wow64DisableWow64FsRedirection
0x1800fb240 K32GetModuleFileNameExW
0x1800fb248 FindNextFileA
0x1800fb250 CreatePipe
0x1800fb258 PeekNamedPipe
0x1800fb260 lstrlenA
0x1800fb268 FindClose
0x1800fb270 GetCurrentDirectoryA
0x1800fb278 lstrcatA
0x1800fb280 OpenProcess
0x1800fb288 SetCurrentDirectoryA
0x1800fb290 CreateToolhelp32Snapshot
0x1800fb298 ProcessIdToSessionId
0x1800fb2a0 CopyFileA
0x1800fb2a8 Wow64RevertWow64FsRedirection
0x1800fb2b0 Process32NextW
0x1800fb2b8 Process32FirstW
0x1800fb2c0 CreateThread
0x1800fb2c8 CreateProcessA
0x1800fb2d0 CreateDirectoryA
0x1800fb2d8 WriteConsoleW
0x1800fb2e0 InitializeCriticalSection
0x1800fb2e8 LeaveCriticalSection
0x1800fb2f0 LockFile
0x1800fb2f8 OutputDebugStringA
0x1800fb300 GetDiskFreeSpaceW
0x1800fb308 WriteFile
0x1800fb310 GetFullPathNameW
0x1800fb318 EnterCriticalSection
0x1800fb320 HeapFree
0x1800fb328 HeapCreate
0x1800fb330 TryEnterCriticalSection
0x1800fb338 ReadFile
0x1800fb340 AreFileApisANSI
0x1800fb348 SetFilePointer
0x1800fb350 ReadConsoleW
0x1800fb358 SetFilePointerEx
0x1800fb360 GetConsoleMode
0x1800fb368 GetConsoleOutputCP
0x1800fb370 SetEnvironmentVariableW
0x1800fb378 FreeEnvironmentStringsW
0x1800fb380 GetEnvironmentStringsW
0x1800fb388 GetCommandLineW
0x1800fb390 GetCommandLineA
0x1800fb398 GetOEMCP
0x1800fb3a0 GetACP
0x1800fb3a8 IsValidCodePage
0x1800fb3b0 FindNextFileW
0x1800fb3b8 FindFirstFileExW
0x1800fb3c0 SetStdHandle
0x1800fb3c8 GetCurrentDirectoryW
0x1800fb3d0 RtlCaptureContext
0x1800fb3d8 RtlLookupFunctionEntry
0x1800fb3e0 RtlVirtualUnwind
0x1800fb3e8 UnhandledExceptionFilter
0x1800fb3f0 SetUnhandledExceptionFilter
0x1800fb3f8 GetCurrentProcess
0x1800fb400 TerminateProcess
0x1800fb408 IsProcessorFeaturePresent
0x1800fb410 IsDebuggerPresent
0x1800fb418 GetStartupInfoW
0x1800fb420 GetModuleHandleW
0x1800fb428 InitializeSListHead
0x1800fb430 LCMapStringEx
0x1800fb438 InitializeCriticalSectionEx
0x1800fb440 EncodePointer
0x1800fb448 DecodePointer
0x1800fb450 CompareStringEx
0x1800fb458 GetCPInfo
0x1800fb460 GetStringTypeW
0x1800fb468 RtlUnwindEx
0x1800fb470 RtlPcToFileHeader
0x1800fb478 RaiseException
0x1800fb480 InterlockedFlushSList
0x1800fb488 SetLastError
0x1800fb490 InitializeCriticalSectionAndSpinCount
0x1800fb498 TlsAlloc
0x1800fb4a0 TlsGetValue
0x1800fb4a8 TlsSetValue
0x1800fb4b0 TlsFree
0x1800fb4b8 LoadLibraryExW
0x1800fb4c0 ExitThread
0x1800fb4c8 FreeLibraryAndExitThread
0x1800fb4d0 GetModuleHandleExW
0x1800fb4d8 GetDriveTypeW
0x1800fb4e0 GetFileInformationByHandle
0x1800fb4e8 GetFileType
0x1800fb4f0 SystemTimeToTzSpecificLocalTime
0x1800fb4f8 FileTimeToSystemTime
0x1800fb500 ExitProcess
0x1800fb508 GetModuleFileNameW
0x1800fb510 CompareStringW
0x1800fb518 LCMapStringW
0x1800fb520 GetLocaleInfoW
0x1800fb528 IsValidLocale
0x1800fb530 GetUserDefaultLCID
0x1800fb538 EnumSystemLocalesW
0x1800fb540 GetTimeZoneInformation
0x1800fb548 GetStdHandle
ADVAPI32.dll
0x1800fb000 RegQueryValueExA
0x1800fb008 RegEnumValueW
0x1800fb010 RegEnumKeyA
0x1800fb018 RegCloseKey
0x1800fb020 RegQueryInfoKeyW
0x1800fb028 RegOpenKeyA
0x1800fb030 RegOpenKeyExA
0x1800fb038 GetSidSubAuthorityCount
0x1800fb040 GetSidSubAuthority
0x1800fb048 GetUserNameA
0x1800fb050 RegEnumKeyExW
0x1800fb058 LookupAccountNameA
0x1800fb060 GetSidIdentifierAuthority
SHELL32.dll
0x1800fb558 SHGetFolderPathA
0x1800fb560 SHFileOperationA
WININET.dll
0x1800fb570 HttpOpenRequestA
0x1800fb578 InternetWriteFile
0x1800fb580 InternetReadFile
0x1800fb588 InternetConnectA
0x1800fb590 HttpSendRequestA
0x1800fb598 InternetCloseHandle
0x1800fb5a0 InternetOpenA
0x1800fb5a8 HttpAddRequestHeadersA
0x1800fb5b0 HttpSendRequestExW
0x1800fb5b8 HttpEndRequestA
0x1800fb5c0 InternetOpenW
crypt.dll
0x1800fb5d0 BCryptOpenAlgorithmProvider
0x1800fb5d8 BCryptSetProperty
0x1800fb5e0 BCryptGenerateSymmetricKey
0x1800fb5e8 BCryptDecrypt
EAT(Export Address Table) Library
0x1800bdc00 Main
0x180005690 Save
CRYPT32.dll
0x1800fb070 CryptUnprotectData
KERNEL32.dll
0x1800fb080 GetFullPathNameA
0x1800fb088 SetEndOfFile
0x1800fb090 UnlockFileEx
0x1800fb098 GetTempPathW
0x1800fb0a0 CreateMutexW
0x1800fb0a8 WaitForSingleObject
0x1800fb0b0 CreateFileW
0x1800fb0b8 GetFileAttributesW
0x1800fb0c0 GetCurrentThreadId
0x1800fb0c8 UnmapViewOfFile
0x1800fb0d0 HeapValidate
0x1800fb0d8 HeapSize
0x1800fb0e0 MultiByteToWideChar
0x1800fb0e8 Sleep
0x1800fb0f0 GetTempPathA
0x1800fb0f8 FormatMessageW
0x1800fb100 GetDiskFreeSpaceA
0x1800fb108 GetLastError
0x1800fb110 GetFileAttributesA
0x1800fb118 GetFileAttributesExW
0x1800fb120 OutputDebugStringW
0x1800fb128 CreateFileA
0x1800fb130 LoadLibraryA
0x1800fb138 WaitForSingleObjectEx
0x1800fb140 DeleteFileA
0x1800fb148 DeleteFileW
0x1800fb150 HeapReAlloc
0x1800fb158 CloseHandle
0x1800fb160 GetSystemInfo
0x1800fb168 LoadLibraryW
0x1800fb170 HeapAlloc
0x1800fb178 HeapCompact
0x1800fb180 HeapDestroy
0x1800fb188 UnlockFile
0x1800fb190 GetProcAddress
0x1800fb198 CreateFileMappingA
0x1800fb1a0 LocalFree
0x1800fb1a8 LockFileEx
0x1800fb1b0 GetFileSize
0x1800fb1b8 DeleteCriticalSection
0x1800fb1c0 GetCurrentProcessId
0x1800fb1c8 GetProcessHeap
0x1800fb1d0 SystemTimeToFileTime
0x1800fb1d8 FreeLibrary
0x1800fb1e0 WideCharToMultiByte
0x1800fb1e8 GetSystemTimeAsFileTime
0x1800fb1f0 GetSystemTime
0x1800fb1f8 FormatMessageA
0x1800fb200 CreateFileMappingW
0x1800fb208 MapViewOfFile
0x1800fb210 QueryPerformanceCounter
0x1800fb218 GetTickCount
0x1800fb220 FlushFileBuffers
0x1800fb228 SetHandleInformation
0x1800fb230 FindFirstFileA
0x1800fb238 Wow64DisableWow64FsRedirection
0x1800fb240 K32GetModuleFileNameExW
0x1800fb248 FindNextFileA
0x1800fb250 CreatePipe
0x1800fb258 PeekNamedPipe
0x1800fb260 lstrlenA
0x1800fb268 FindClose
0x1800fb270 GetCurrentDirectoryA
0x1800fb278 lstrcatA
0x1800fb280 OpenProcess
0x1800fb288 SetCurrentDirectoryA
0x1800fb290 CreateToolhelp32Snapshot
0x1800fb298 ProcessIdToSessionId
0x1800fb2a0 CopyFileA
0x1800fb2a8 Wow64RevertWow64FsRedirection
0x1800fb2b0 Process32NextW
0x1800fb2b8 Process32FirstW
0x1800fb2c0 CreateThread
0x1800fb2c8 CreateProcessA
0x1800fb2d0 CreateDirectoryA
0x1800fb2d8 WriteConsoleW
0x1800fb2e0 InitializeCriticalSection
0x1800fb2e8 LeaveCriticalSection
0x1800fb2f0 LockFile
0x1800fb2f8 OutputDebugStringA
0x1800fb300 GetDiskFreeSpaceW
0x1800fb308 WriteFile
0x1800fb310 GetFullPathNameW
0x1800fb318 EnterCriticalSection
0x1800fb320 HeapFree
0x1800fb328 HeapCreate
0x1800fb330 TryEnterCriticalSection
0x1800fb338 ReadFile
0x1800fb340 AreFileApisANSI
0x1800fb348 SetFilePointer
0x1800fb350 ReadConsoleW
0x1800fb358 SetFilePointerEx
0x1800fb360 GetConsoleMode
0x1800fb368 GetConsoleOutputCP
0x1800fb370 SetEnvironmentVariableW
0x1800fb378 FreeEnvironmentStringsW
0x1800fb380 GetEnvironmentStringsW
0x1800fb388 GetCommandLineW
0x1800fb390 GetCommandLineA
0x1800fb398 GetOEMCP
0x1800fb3a0 GetACP
0x1800fb3a8 IsValidCodePage
0x1800fb3b0 FindNextFileW
0x1800fb3b8 FindFirstFileExW
0x1800fb3c0 SetStdHandle
0x1800fb3c8 GetCurrentDirectoryW
0x1800fb3d0 RtlCaptureContext
0x1800fb3d8 RtlLookupFunctionEntry
0x1800fb3e0 RtlVirtualUnwind
0x1800fb3e8 UnhandledExceptionFilter
0x1800fb3f0 SetUnhandledExceptionFilter
0x1800fb3f8 GetCurrentProcess
0x1800fb400 TerminateProcess
0x1800fb408 IsProcessorFeaturePresent
0x1800fb410 IsDebuggerPresent
0x1800fb418 GetStartupInfoW
0x1800fb420 GetModuleHandleW
0x1800fb428 InitializeSListHead
0x1800fb430 LCMapStringEx
0x1800fb438 InitializeCriticalSectionEx
0x1800fb440 EncodePointer
0x1800fb448 DecodePointer
0x1800fb450 CompareStringEx
0x1800fb458 GetCPInfo
0x1800fb460 GetStringTypeW
0x1800fb468 RtlUnwindEx
0x1800fb470 RtlPcToFileHeader
0x1800fb478 RaiseException
0x1800fb480 InterlockedFlushSList
0x1800fb488 SetLastError
0x1800fb490 InitializeCriticalSectionAndSpinCount
0x1800fb498 TlsAlloc
0x1800fb4a0 TlsGetValue
0x1800fb4a8 TlsSetValue
0x1800fb4b0 TlsFree
0x1800fb4b8 LoadLibraryExW
0x1800fb4c0 ExitThread
0x1800fb4c8 FreeLibraryAndExitThread
0x1800fb4d0 GetModuleHandleExW
0x1800fb4d8 GetDriveTypeW
0x1800fb4e0 GetFileInformationByHandle
0x1800fb4e8 GetFileType
0x1800fb4f0 SystemTimeToTzSpecificLocalTime
0x1800fb4f8 FileTimeToSystemTime
0x1800fb500 ExitProcess
0x1800fb508 GetModuleFileNameW
0x1800fb510 CompareStringW
0x1800fb518 LCMapStringW
0x1800fb520 GetLocaleInfoW
0x1800fb528 IsValidLocale
0x1800fb530 GetUserDefaultLCID
0x1800fb538 EnumSystemLocalesW
0x1800fb540 GetTimeZoneInformation
0x1800fb548 GetStdHandle
ADVAPI32.dll
0x1800fb000 RegQueryValueExA
0x1800fb008 RegEnumValueW
0x1800fb010 RegEnumKeyA
0x1800fb018 RegCloseKey
0x1800fb020 RegQueryInfoKeyW
0x1800fb028 RegOpenKeyA
0x1800fb030 RegOpenKeyExA
0x1800fb038 GetSidSubAuthorityCount
0x1800fb040 GetSidSubAuthority
0x1800fb048 GetUserNameA
0x1800fb050 RegEnumKeyExW
0x1800fb058 LookupAccountNameA
0x1800fb060 GetSidIdentifierAuthority
SHELL32.dll
0x1800fb558 SHGetFolderPathA
0x1800fb560 SHFileOperationA
WININET.dll
0x1800fb570 HttpOpenRequestA
0x1800fb578 InternetWriteFile
0x1800fb580 InternetReadFile
0x1800fb588 InternetConnectA
0x1800fb590 HttpSendRequestA
0x1800fb598 InternetCloseHandle
0x1800fb5a0 InternetOpenA
0x1800fb5a8 HttpAddRequestHeadersA
0x1800fb5b0 HttpSendRequestExW
0x1800fb5b8 HttpEndRequestA
0x1800fb5c0 InternetOpenW
crypt.dll
0x1800fb5d0 BCryptOpenAlgorithmProvider
0x1800fb5d8 BCryptSetProperty
0x1800fb5e0 BCryptGenerateSymmetricKey
0x1800fb5e8 BCryptDecrypt
EAT(Export Address Table) Library
0x1800bdc00 Main
0x180005690 Save