Field | Value |
---|---|
Created | 2025.03.10 10:11 |
Machine | s1_win7_x6401 |
Filename | cred64.dll |
Type | PE32+ executable (DLL) (GUI) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 50 detected (Malicious, score, TrojanPWS, Zusy, Unsafe, Save, confidence, 100%, GenusT, EPRA, Attribute, HighConfidence, high confidence, BotX, flka, TrojanPSW, 79I7EMKuNSC, tdlvq, Detected, Etset, Kryptik, Eldorado, R684665, Artemis, PasswordStealer, Chgt, R002H0CC825, Szfl) |
md5 | 3f6c5625fc83f2db9559554f6d1ce3f2 |
sha256 | 080ea1d225c77364abb02fbb1b65e9693654242ecc5c91f34c531ecf363a2f4c |
ssdeep | 24576:CrR0NaOy0mK9yCksn6JCc2YkxfUyamitsDw+mLRaSOnW:CkHmiyCkhh2Bamituw+U86 |
imphash | 3f175edea93fa7a76a78004d12de2235 |
impfuzzy | 96:ZZtu7Ze6BF1V5g4uAc0aR6x0xtnXnlBga79v8QRDTk:Ttu7Z3F5a1N9jTk |
Signature (24 counts)
Level | Description |
---|---|
danger | File has been identified by 50 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local FTP client software |
watch | Harvests information related to installed instant messenger clients |
watch | The process powershell.exe wrote an executable file to disk |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | This executable has a PDB path |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (9 counts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsDLL | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) Library
CRYPT32.dll
0x1800fe070 CryptUnprotectData
KERNEL32.dll
0x1800fe080 GetFullPathNameA
0x1800fe088 SetEndOfFile
0x1800fe090 UnlockFileEx
0x1800fe098 GetTempPathW
0x1800fe0a0 CreateMutexW
0x1800fe0a8 WaitForSingleObject
0x1800fe0b0 CreateFileW
0x1800fe0b8 GetFileAttributesW
0x1800fe0c0 GetCurrentThreadId
0x1800fe0c8 UnmapViewOfFile
0x1800fe0d0 HeapValidate
0x1800fe0d8 HeapSize
0x1800fe0e0 MultiByteToWideChar
0x1800fe0e8 Sleep
0x1800fe0f0 GetTempPathA
0x1800fe0f8 FormatMessageW
0x1800fe100 GetDiskFreeSpaceA
0x1800fe108 GetLastError
0x1800fe110 GetFileAttributesA
0x1800fe118 GetFileAttributesExW
0x1800fe120 OutputDebugStringW
0x1800fe128 CreateFileA
0x1800fe130 LoadLibraryA
0x1800fe138 WaitForSingleObjectEx
0x1800fe140 DeleteFileA
0x1800fe148 DeleteFileW
0x1800fe150 HeapReAlloc
0x1800fe158 CloseHandle
0x1800fe160 GetSystemInfo
0x1800fe168 LoadLibraryW
0x1800fe170 HeapAlloc
0x1800fe178 HeapCompact
0x1800fe180 HeapDestroy
0x1800fe188 UnlockFile
0x1800fe190 GetProcAddress
0x1800fe198 CreateFileMappingA
0x1800fe1a0 LocalFree
0x1800fe1a8 LockFileEx
0x1800fe1b0 GetFileSize
0x1800fe1b8 DeleteCriticalSection
0x1800fe1c0 GetCurrentProcessId
0x1800fe1c8 GetProcessHeap
0x1800fe1d0 SystemTimeToFileTime
0x1800fe1d8 FreeLibrary
0x1800fe1e0 WideCharToMultiByte
0x1800fe1e8 GetSystemTimeAsFileTime
0x1800fe1f0 GetSystemTime
0x1800fe1f8 FormatMessageA
0x1800fe200 CreateFileMappingW
0x1800fe208 MapViewOfFile
0x1800fe210 QueryPerformanceCounter
0x1800fe218 GetTickCount
0x1800fe220 FlushFileBuffers
0x1800fe228 SetHandleInformation
0x1800fe230 FindFirstFileA
0x1800fe238 Wow64DisableWow64FsRedirection
0x1800fe240 K32GetModuleFileNameExW
0x1800fe248 FindNextFileA
0x1800fe250 CreatePipe
0x1800fe258 PeekNamedPipe
0x1800fe260 lstrlenA
0x1800fe268 FindClose
0x1800fe270 GetCurrentDirectoryA
0x1800fe278 lstrcatA
0x1800fe280 OpenProcess
0x1800fe288 SetCurrentDirectoryA
0x1800fe290 CreateToolhelp32Snapshot
0x1800fe298 ProcessIdToSessionId
0x1800fe2a0 CopyFileA
0x1800fe2a8 Wow64RevertWow64FsRedirection
0x1800fe2b0 Process32NextW
0x1800fe2b8 Process32FirstW
0x1800fe2c0 CreateThread
0x1800fe2c8 CreateProcessA
0x1800fe2d0 CreateDirectoryA
0x1800fe2d8 WriteConsoleW
0x1800fe2e0 InitializeCriticalSection
0x1800fe2e8 LeaveCriticalSection
0x1800fe2f0 LockFile
0x1800fe2f8 OutputDebugStringA
0x1800fe300 GetDiskFreeSpaceW
0x1800fe308 WriteFile
0x1800fe310 GetFullPathNameW
0x1800fe318 EnterCriticalSection
0x1800fe320 HeapFree
0x1800fe328 HeapCreate
0x1800fe330 TryEnterCriticalSection
0x1800fe338 ReadFile
0x1800fe340 AreFileApisANSI
0x1800fe348 SetFilePointer
0x1800fe350 ReadConsoleW
0x1800fe358 SetFilePointerEx
0x1800fe360 GetFileSizeEx
0x1800fe368 GetConsoleMode
0x1800fe370 GetConsoleOutputCP
0x1800fe378 SetEnvironmentVariableW
0x1800fe380 FreeEnvironmentStringsW
0x1800fe388 GetEnvironmentStringsW
0x1800fe390 GetCommandLineW
0x1800fe398 GetCommandLineA
0x1800fe3a0 GetOEMCP
0x1800fe3a8 GetACP
0x1800fe3b0 IsValidCodePage
0x1800fe3b8 FindNextFileW
0x1800fe3c0 FindFirstFileExW
0x1800fe3c8 SetStdHandle
0x1800fe3d0 GetCurrentDirectoryW
0x1800fe3d8 RtlCaptureContext
0x1800fe3e0 RtlLookupFunctionEntry
0x1800fe3e8 RtlVirtualUnwind
0x1800fe3f0 UnhandledExceptionFilter
0x1800fe3f8 SetUnhandledExceptionFilter
0x1800fe400 GetCurrentProcess
0x1800fe408 TerminateProcess
0x1800fe410 IsProcessorFeaturePresent
0x1800fe418 IsDebuggerPresent
0x1800fe420 GetStartupInfoW
0x1800fe428 GetModuleHandleW
0x1800fe430 InitializeSListHead
0x1800fe438 LCMapStringEx
0x1800fe440 InitializeCriticalSectionEx
0x1800fe448 EncodePointer
0x1800fe450 DecodePointer
0x1800fe458 CompareStringEx
0x1800fe460 GetCPInfo
0x1800fe468 GetStringTypeW
0x1800fe470 RtlUnwindEx
0x1800fe478 RtlPcToFileHeader
0x1800fe480 RaiseException
0x1800fe488 InterlockedFlushSList
0x1800fe490 SetLastError
0x1800fe498 InitializeCriticalSectionAndSpinCount
0x1800fe4a0 TlsAlloc
0x1800fe4a8 TlsGetValue
0x1800fe4b0 TlsSetValue
0x1800fe4b8 TlsFree
0x1800fe4c0 LoadLibraryExW
0x1800fe4c8 ExitThread
0x1800fe4d0 FreeLibraryAndExitThread
0x1800fe4d8 GetModuleHandleExW
0x1800fe4e0 GetDriveTypeW
0x1800fe4e8 GetFileInformationByHandle
0x1800fe4f0 GetFileType
0x1800fe4f8 SystemTimeToTzSpecificLocalTime
0x1800fe500 FileTimeToSystemTime
0x1800fe508 ExitProcess
0x1800fe510 GetModuleFileNameW
0x1800fe518 CompareStringW
0x1800fe520 LCMapStringW
0x1800fe528 GetLocaleInfoW
0x1800fe530 IsValidLocale
0x1800fe538 GetUserDefaultLCID
0x1800fe540 EnumSystemLocalesW
0x1800fe548 GetTimeZoneInformation
0x1800fe550 GetStdHandle
ADVAPI32.dll
0x1800fe000 RegQueryValueExA
0x1800fe008 RegEnumValueW
0x1800fe010 RegEnumKeyA
0x1800fe018 RegCloseKey
0x1800fe020 RegQueryInfoKeyW
0x1800fe028 RegOpenKeyA
0x1800fe030 RegOpenKeyExA
0x1800fe038 GetSidSubAuthorityCount
0x1800fe040 GetSidSubAuthority
0x1800fe048 GetUserNameA
0x1800fe050 RegEnumKeyExW
0x1800fe058 LookupAccountNameA
0x1800fe060 GetSidIdentifierAuthority
SHELL32.dll
0x1800fe560 SHGetFolderPathA
0x1800fe568 SHFileOperationA
WININET.dll
0x1800fe578 HttpOpenRequestA
0x1800fe580 InternetWriteFile
0x1800fe588 InternetReadFile
0x1800fe590 InternetConnectA
0x1800fe598 HttpSendRequestA
0x1800fe5a0 InternetCloseHandle
0x1800fe5a8 InternetOpenA
0x1800fe5b0 HttpAddRequestHeadersA
0x1800fe5b8 HttpSendRequestExW
0x1800fe5c0 HttpEndRequestA
0x1800fe5c8 InternetOpenW
crypt.dll
0x1800fe5d8 BCryptOpenAlgorithmProvider
0x1800fe5e0 BCryptSetProperty
0x1800fe5e8 BCryptGenerateSymmetricKey
0x1800fe5f0 BCryptDecrypt
EAT (Export Address Table) Library
0x1800bfda0 Main
0x1800056d0 Save