Field | Value |
---|---|
Created | 2025.01.22 17:06 |
Machine | s1_win7_x6401 |
Filename | cred.dll |
Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 57 detected (Common, Amadey, Malicious, score, Ghanarava, Lazy, Unsafe, Save, confidence, 100%, GenusT, EECW, Attribute, HighConfidence, high confidence, BotX, Zusy, fkkb, ktyzru, CLASSIC, AGEN, Nymaim, R002C0DAK25, Steal, Detected, Multiverze, ABTrojan, OLWD, Artemis, PasswordStealer, GdSda, Gencirc, susgen) |
md5 | fd8df0fc2168cb8c7959afaffa4d8031 |
sha256 | 50f6ef79d5f5ba167a875bbf1438b8ff42a46ac5537127bb5a51f87bdc611620 |
ssdeep | 24576:QWBhVxYlZdJCTgmP/xEcCJnDOEl5woFNEa1mXu5iPajrVT1jH:QWBhPYrpoCpmX2pjXjH |
imphash | aca6f08ee5befa37be16bac4bc315573 |
impfuzzy | 96:ZZtu7Ze6BF1V5g4ufc0aR6xsCtnXnzJ779v8sEw0Dk:Ttu7Z3FwaQ9uDk |
Network IP location
Signature (23cnts)
Level | Description |
---|---|
danger | File has been identified by 57 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local email clients |
watch | Harvests credentials from local FTP client software |
watch | Harvests information related to installed instant messenger clients |
watch | The process powershell.exe wrote an executable file to disk |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (9cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsDLL | (no description) | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
CRYPT32.dll
0x100e7038 CryptUnprotectData
KERNEL32.dll
0x100e7040 GetFullPathNameA
0x100e7044 SetEndOfFile
0x100e7048 UnlockFileEx
0x100e704c GetTempPathW
0x100e7050 CreateMutexW
0x100e7054 WaitForSingleObject
0x100e7058 CreateFileW
0x100e705c GetFileAttributesW
0x100e7060 GetCurrentThreadId
0x100e7064 UnmapViewOfFile
0x100e7068 HeapValidate
0x100e706c HeapSize
0x100e7070 MultiByteToWideChar
0x100e7074 Sleep
0x100e7078 GetTempPathA
0x100e707c FormatMessageW
0x100e7080 GetDiskFreeSpaceA
0x100e7084 GetLastError
0x100e7088 GetFileAttributesA
0x100e708c GetFileAttributesExW
0x100e7090 OutputDebugStringW
0x100e7094 CreateFileA
0x100e7098 LoadLibraryA
0x100e709c WaitForSingleObjectEx
0x100e70a0 DeleteFileA
0x100e70a4 DeleteFileW
0x100e70a8 HeapReAlloc
0x100e70ac CloseHandle
0x100e70b0 GetSystemInfo
0x100e70b4 LoadLibraryW
0x100e70b8 HeapAlloc
0x100e70bc HeapCompact
0x100e70c0 HeapDestroy
0x100e70c4 UnlockFile
0x100e70c8 GetProcAddress
0x100e70cc CreateFileMappingA
0x100e70d0 LocalFree
0x100e70d4 LockFileEx
0x100e70d8 GetFileSize
0x100e70dc DeleteCriticalSection
0x100e70e0 GetCurrentProcessId
0x100e70e4 GetProcessHeap
0x100e70e8 SystemTimeToFileTime
0x100e70ec FreeLibrary
0x100e70f0 WideCharToMultiByte
0x100e70f4 GetSystemTimeAsFileTime
0x100e70f8 GetSystemTime
0x100e70fc FormatMessageA
0x100e7100 CreateFileMappingW
0x100e7104 MapViewOfFile
0x100e7108 QueryPerformanceCounter
0x100e710c GetTickCount
0x100e7110 FlushFileBuffers
0x100e7114 SetHandleInformation
0x100e7118 FindFirstFileA
0x100e711c Wow64DisableWow64FsRedirection
0x100e7120 K32GetModuleFileNameExW
0x100e7124 FindNextFileA
0x100e7128 CreatePipe
0x100e712c PeekNamedPipe
0x100e7130 lstrlenA
0x100e7134 FindClose
0x100e7138 GetCurrentDirectoryA
0x100e713c lstrcatA
0x100e7140 OpenProcess
0x100e7144 SetCurrentDirectoryA
0x100e7148 CreateToolhelp32Snapshot
0x100e714c ProcessIdToSessionId
0x100e7150 CopyFileA
0x100e7154 Wow64RevertWow64FsRedirection
0x100e7158 Process32NextW
0x100e715c Process32FirstW
0x100e7160 CreateThread
0x100e7164 CreateProcessA
0x100e7168 CreateDirectoryA
0x100e716c ReadConsoleW
0x100e7170 InitializeCriticalSection
0x100e7174 LeaveCriticalSection
0x100e7178 LockFile
0x100e717c OutputDebugStringA
0x100e7180 GetDiskFreeSpaceW
0x100e7184 WriteFile
0x100e7188 GetFullPathNameW
0x100e718c EnterCriticalSection
0x100e7190 HeapFree
0x100e7194 HeapCreate
0x100e7198 TryEnterCriticalSection
0x100e719c ReadFile
0x100e71a0 AreFileApisANSI
0x100e71a4 SetFilePointer
0x100e71a8 SetFilePointerEx
0x100e71ac GetFileSizeEx
0x100e71b0 GetConsoleMode
0x100e71b4 GetConsoleOutputCP
0x100e71b8 SetEnvironmentVariableW
0x100e71bc FreeEnvironmentStringsW
0x100e71c0 GetEnvironmentStringsW
0x100e71c4 GetCommandLineW
0x100e71c8 GetCommandLineA
0x100e71cc GetOEMCP
0x100e71d0 GetACP
0x100e71d4 IsValidCodePage
0x100e71d8 FindNextFileW
0x100e71dc FindFirstFileExW
0x100e71e0 SetStdHandle
0x100e71e4 GetCurrentDirectoryW
0x100e71e8 GetStdHandle
0x100e71ec GetTimeZoneInformation
0x100e71f0 UnhandledExceptionFilter
0x100e71f4 SetUnhandledExceptionFilter
0x100e71f8 GetCurrentProcess
0x100e71fc TerminateProcess
0x100e7200 IsProcessorFeaturePresent
0x100e7204 IsDebuggerPresent
0x100e7208 GetStartupInfoW
0x100e720c GetModuleHandleW
0x100e7210 InitializeSListHead
0x100e7214 LCMapStringEx
0x100e7218 InitializeCriticalSectionEx
0x100e721c EncodePointer
0x100e7220 DecodePointer
0x100e7224 CompareStringEx
0x100e7228 GetCPInfo
0x100e722c GetStringTypeW
0x100e7230 RaiseException
0x100e7234 InterlockedFlushSList
0x100e7238 RtlUnwind
0x100e723c SetLastError
0x100e7240 InitializeCriticalSectionAndSpinCount
0x100e7244 TlsAlloc
0x100e7248 TlsGetValue
0x100e724c TlsSetValue
0x100e7250 TlsFree
0x100e7254 LoadLibraryExW
0x100e7258 ExitThread
0x100e725c FreeLibraryAndExitThread
0x100e7260 GetModuleHandleExW
0x100e7264 GetDriveTypeW
0x100e7268 GetFileInformationByHandle
0x100e726c GetFileType
0x100e7270 SystemTimeToTzSpecificLocalTime
0x100e7274 FileTimeToSystemTime
0x100e7278 ExitProcess
0x100e727c GetModuleFileNameW
0x100e7280 CompareStringW
0x100e7284 LCMapStringW
0x100e7288 GetLocaleInfoW
0x100e728c IsValidLocale
0x100e7290 GetUserDefaultLCID
0x100e7294 EnumSystemLocalesW
0x100e7298 WriteConsoleW
ADVAPI32.dll
0x100e7000 GetSidSubAuthority
0x100e7004 RegEnumValueW
0x100e7008 RegEnumKeyA
0x100e700c RegCloseKey
0x100e7010 RegQueryInfoKeyW
0x100e7014 RegOpenKeyA
0x100e7018 RegQueryValueExA
0x100e701c GetSidSubAuthorityCount
0x100e7020 RegOpenKeyExA
0x100e7024 GetUserNameA
0x100e7028 RegEnumKeyExW
0x100e702c LookupAccountNameA
0x100e7030 GetSidIdentifierAuthority
SHELL32.dll
0x100e72a0 SHFileOperationA
0x100e72a4 SHGetFolderPathA
WININET.dll
0x100e72ac HttpOpenRequestA
0x100e72b0 InternetReadFile
0x100e72b4 InternetConnectA
0x100e72b8 HttpSendRequestA
0x100e72bc InternetCloseHandle
0x100e72c0 InternetOpenA
0x100e72c4 HttpAddRequestHeadersA
0x100e72c8 HttpSendRequestExW
0x100e72cc HttpEndRequestA
0x100e72d0 InternetOpenW
0x100e72d4 InternetWriteFile
crypt.dll
0x100e72dc BCryptOpenAlgorithmProvider
0x100e72e0 BCryptSetProperty
0x100e72e4 BCryptGenerateSymmetricKey
0x100e72e8 BCryptDecrypt
EAT(Export Address Table) Library
0x100b2050 Main
0x100045c0 Save