DigitalSide Threat Intel

cred.dll

First submission 2024-10-16 21:17:02

File details

File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Mime type: application/x-dosexec
File size: 1059.5 KB (1084928 bytes)
Compile time: 2024-02-19 22:01:37
MD5: 13c5fbf7e0d1ea910bf55a32a877217f
SHA1: 94c4ead19fe2a1460991a93ef0cb68f8af6affab
SHA256: 3d0614fc19ceaa2d1deb3c1a58b12a60d104815d16dcb1c1859d82bff56fa09d
Import Hash : 213cc311d974657ce4f52e13b2302f94
Sections 5 .text .rdata .data .rsrc .reloc
Directories 5 import export resource debug relocation

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

Virus Total: 48/77 VT report date: 2024-05-06 08:31:15
Malware Type 3 trojan downloader virus
Threat Type 3 amadey stealer lazy

URLs, FQDN and IP indicators 1

URL Host (FQDN/IP) Date Added
hXXp://185.11.61.121/h8s9k20gnb2/Plugins/cred.dll VirusTotal Report 185.11.61.121 VirusTotal Report 2024-10-16 21:17:02

PE Sections 0 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0xe3ee8 933888 49f5391dbe25c7c177b19ccea1ea04d96eca2806 f0286f699c61b6f05877940ec4dc4129
.rdata 0xe5000 0x1aeb2 110592 516f869b7ae8e825e24d6e9f837a28b2e066a4b1 90974e9e5a65eaaf53464e79006932d6
.data 0x100000 0x8eec 11264 60d8ea6c8ef177b41e631f8a7834e3209526a4d3 af0a6469ec938920e5a33ed8a8cbfd8d
.rsrc 0x109000 0xf8 512 559dd1af6be9b7f0e774e38607b61734b83898f4 ac715e79d7a1c770f83f459c3488063f
.reloc 0x10a000 0x6a38 27648 f14ddf5fb51a8c4dad87aa3ca06b87eca6478876 c7aa27898786c5fd08f520932c8c037b

PE Resources 1

Name Language Sublanguage Offset Size Data
RT_MANIFEST LANG_ENGLISH SUBLANG_ENGLISH_US 0x109060 145

Packers detected 1

Borland Delphi 3.0 (???)

Anti debug functions 10

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
OutputDebugStringA
OutputDebugStringW
Process32FirstW
Process32NextW
RaiseException
TerminateProcess
UnhandledExceptionFilter

Anti debug functions 1

VMCheck.dll

Strings analysis - File found

XML
Psi\profiles\default\accounts.xml
FileZilla\sitemanager.xml
\.purple\accounts.xml
.purple\accounts.xml
Library
mscoree.dll
KERNEL32.dll
ADVAPI32.dll
SHELL32.dll
WININET.dll
Crypt32.dll
STEALERDLL.dll
nss3.dll
bcrypt.dll

Strings analysis - Possible IPs found 1

3.8.7.4

Import functions

Function Address Souspicious Anti Debug
BCryptOpenAlgorithmProvider 0x100e52d0
BCryptSetProperty 0x100e52d4
BCryptGenerateSymmetricKey 0x100e52d8
BCryptDecrypt 0x100e52dc
Function Address Souspicious Anti Debug
HttpOpenRequestA 0x100e52a0
InternetReadFile 0x100e52a4
InternetConnectA 0x100e52a8
HttpSendRequestA 0x100e52ac
InternetCloseHandle 0x100e52b0
InternetOpenA 0x100e52b4
HttpAddRequestHeadersA 0x100e52b8
HttpSendRequestExW 0x100e52bc
HttpEndRequestA 0x100e52c0
InternetOpenW 0x100e52c4
InternetWriteFile 0x100e52c8
Function Address Souspicious Anti Debug
CryptUnprotectData 0x100e5038
Function Address Souspicious Anti Debug
SHFileOperationA 0x100e5294
SHGetFolderPathA 0x100e5298
Function Address Souspicious Anti Debug
GetFullPathNameA 0x100e5040
SetEndOfFile 0x100e5044
UnlockFileEx 0x100e5048
GetTempPathW 0x100e504c
CreateMutexW 0x100e5050
WaitForSingleObject 0x100e5054
CreateFileW 0x100e5058
GetFileAttributesW 0x100e505c
GetCurrentThreadId 0x100e5060
UnmapViewOfFile 0x100e5064
HeapValidate 0x100e5068
HeapSize 0x100e506c
MultiByteToWideChar 0x100e5070
Sleep 0x100e5074
GetTempPathA 0x100e5078
FormatMessageW 0x100e507c
GetDiskFreeSpaceA 0x100e5080
GetLastError 0x100e5084
GetFileAttributesA 0x100e5088
GetFileAttributesExW 0x100e508c
OutputDebugStringW 0x100e5090
CreateFileA 0x100e5094
LoadLibraryA 0x100e5098
WaitForSingleObjectEx 0x100e509c
DeleteFileA 0x100e50a0
DeleteFileW 0x100e50a4
HeapReAlloc 0x100e50a8
CloseHandle 0x100e50ac
GetSystemInfo 0x100e50b0
LoadLibraryW 0x100e50b4
HeapAlloc 0x100e50b8
HeapCompact 0x100e50bc
HeapDestroy 0x100e50c0
UnlockFile 0x100e50c4
GetProcAddress 0x100e50c8
CreateFileMappingA 0x100e50cc
LocalFree 0x100e50d0
LockFileEx 0x100e50d4
GetFileSize 0x100e50d8
DeleteCriticalSection 0x100e50dc
GetCurrentProcessId 0x100e50e0
GetProcessHeap 0x100e50e4
SystemTimeToFileTime 0x100e50e8
FreeLibrary 0x100e50ec
WideCharToMultiByte 0x100e50f0
GetSystemTimeAsFileTime 0x100e50f4
GetSystemTime 0x100e50f8
FormatMessageA 0x100e50fc
CreateFileMappingW 0x100e5100
MapViewOfFile 0x100e5104
QueryPerformanceCounter 0x100e5108
GetTickCount 0x100e510c
FlushFileBuffers 0x100e5110
SetHandleInformation 0x100e5114
FindFirstFileA 0x100e5118
Wow64DisableWow64FsRedirection 0x100e511c
K32GetModuleFileNameExW 0x100e5120
FindNextFileA 0x100e5124
CreatePipe 0x100e5128
PeekNamedPipe 0x100e512c
lstrlenA 0x100e5130
FindClose 0x100e5134
GetCurrentDirectoryA 0x100e5138
lstrcatA 0x100e513c
OpenProcess 0x100e5140
SetCurrentDirectoryA 0x100e5144
CreateToolhelp32Snapshot 0x100e5148
ProcessIdToSessionId 0x100e514c
CopyFileA 0x100e5150
Wow64RevertWow64FsRedirection 0x100e5154
Process32NextW 0x100e5158
Process32FirstW 0x100e515c
CreateThread 0x100e5160
CreateProcessA 0x100e5164
CreateDirectoryA 0x100e5168
ReadConsoleW 0x100e516c
InitializeCriticalSection 0x100e5170
LeaveCriticalSection 0x100e5174
LockFile 0x100e5178
OutputDebugStringA 0x100e517c
GetDiskFreeSpaceW 0x100e5180
WriteFile 0x100e5184
GetFullPathNameW 0x100e5188
EnterCriticalSection 0x100e518c
HeapFree 0x100e5190
HeapCreate 0x100e5194
TryEnterCriticalSection 0x100e5198
ReadFile 0x100e519c
AreFileApisANSI 0x100e51a0
SetFilePointer 0x100e51a4
SetFilePointerEx 0x100e51a8
GetConsoleMode 0x100e51ac
GetConsoleCP 0x100e51b0
SetEnvironmentVariableW 0x100e51b4
FreeEnvironmentStringsW 0x100e51b8
GetEnvironmentStringsW 0x100e51bc
GetCommandLineW 0x100e51c0
GetCommandLineA 0x100e51c4
GetOEMCP 0x100e51c8
GetACP 0x100e51cc
IsValidCodePage 0x100e51d0
FindNextFileW 0x100e51d4
FindFirstFileExW 0x100e51d8
SetStdHandle 0x100e51dc
GetCurrentDirectoryW 0x100e51e0
GetStdHandle 0x100e51e4
GetTimeZoneInformation 0x100e51e8
UnhandledExceptionFilter 0x100e51ec
SetUnhandledExceptionFilter 0x100e51f0
GetCurrentProcess 0x100e51f4
TerminateProcess 0x100e51f8
IsProcessorFeaturePresent 0x100e51fc
IsDebuggerPresent 0x100e5200
GetStartupInfoW 0x100e5204
GetModuleHandleW 0x100e5208
InitializeSListHead 0x100e520c
SetLastError 0x100e5210
InitializeCriticalSectionAndSpinCount 0x100e5214
SwitchToThread 0x100e5218
TlsAlloc 0x100e521c
TlsGetValue 0x100e5220
TlsSetValue 0x100e5224
TlsFree 0x100e5228
EncodePointer 0x100e522c
DecodePointer 0x100e5230
GetCPInfo 0x100e5234
CompareStringW 0x100e5238
LCMapStringW 0x100e523c
GetLocaleInfoW 0x100e5240
GetStringTypeW 0x100e5244
RaiseException 0x100e5248
InterlockedFlushSList 0x100e524c
RtlUnwind 0x100e5250
LoadLibraryExW 0x100e5254
ExitThread 0x100e5258
FreeLibraryAndExitThread 0x100e525c
GetModuleHandleExW 0x100e5260
GetDriveTypeW 0x100e5264
GetFileInformationByHandle 0x100e5268
GetFileType 0x100e526c
SystemTimeToTzSpecificLocalTime 0x100e5270
FileTimeToSystemTime 0x100e5274
ExitProcess 0x100e5278
GetModuleFileNameW 0x100e527c
IsValidLocale 0x100e5280
GetUserDefaultLCID 0x100e5284
EnumSystemLocalesW 0x100e5288
WriteConsoleW 0x100e528c
Function Address Souspicious Anti Debug
GetUserNameA 0x100e5000
RegEnumValueW 0x100e5004
RegEnumKeyA 0x100e5008
RegCloseKey 0x100e500c
RegQueryInfoKeyW 0x100e5010
RegOpenKeyA 0x100e5014
RegQueryValueExA 0x100e5018
GetSidSubAuthorityCount 0x100e501c
GetSidSubAuthority 0x100e5020
RegOpenKeyExA 0x100e5024
RegEnumKeyExW 0x100e5028
LookupAccountNameA 0x100e502c
GetSidIdentifierAuthority 0x100e5030

PE Exports 2 suspicious

Function Address
Main 0x100b1240
Save 0x10004570

Related files by ImpHash 6 213cc311d974657ce4f52e13b2302f94

Name Latest seen MD5
cred.dll 2024-07-21 09:03:01 765ad3b71d73ed1ae9e4fb004876837e
cred.dll 2024-07-29 00:15:02 d696e4ee5dac5d3e4b5073359224fcdc
cred.dll 2024-10-16 21:00:02 b3d199fd9fa4a18f08d4aa9e17181869
cred.dll 2024-10-16 21:18:02 16ab3210260ec2df7ffc2292e9ad4abb
cred.dll 2024-10-16 21:19:03 0961bd2ba614e84e0b9b93444179fb07
cred.dll 2024-10-16 21:20:03 7c5bea5cda7a89450f82fa18497a0191