DigitalSide Threat Intel

cred64.dll

First submission 2024-10-16 20:48:02

File details

File type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Mime type: application/x-dosexec
File size: 1255.5 KB (1285632 bytes)
Compile time: 2024-02-19 22:01:41
MD5: 304e7afdf32dbcbdce75b6366103abcb
SHA1: 5a2fd2e2fbd458a8492d18f234a9478bb913bbdd
SHA256: b233f3010c7766641225a26b6a8e2df599310ab6595b1bc686b164ba508b568d
Import Hash : 3eb70f83441fc8632e81bd6eb89f424d
Sections 7 .text .rdata .data .pdata _RDATA .rsrc .reloc
Directories 5 import export resource debug relocation

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

Virus Total: 56/79 VT report date: 2024-07-25 18:01:05
Malware Type 1 trojan
Threat Type 3 zusy stealer amadey

URLs, FQDN and IP indicators 1

URL Host (FQDN/IP) Date Added
hXXp://185.11.61.121/h8s9k20gnb2/Plugins/cred64.dll VirusTotal Report 185.11.61.121 VirusTotal Report 2024-10-16 20:48:02

PE Sections 0 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0xfbef8 1032192 84c7150e0801b7543188893bd9095f908be4fddb b4bcd44dec35a2daca9326b5ce77cbd8
.rdata 0xfd000 0x2cde2 183808 81913c8f8ca8cb4cf04f81f6cbea045694c37901 725eea317c8a72eb17ce2bf9c99f5131
.data 0x12a000 0xbb4c 17408 47a8e09010ed26ceb5914b328a4315a37347ef35 02bd6deb3afde973ccfa6f7be4b2468d
.pdata 0x136000 0xad28 44544 9fed2f75f906a8594145647903a6b0df9c5af120 a752966eb97c2d784e038894a37a13ef
_RDATA 0x141000 0x94 512 2d5ae0778d2ca9620bb763074e3551a0ae51c087 a5995913394631ab4f6ef283137b5c9d
.rsrc 0x142000 0xf8 512 6f2aee814106277dae3a8e6b3254dde0bfde7fc7 193fc41b7ab2ce83170d116dba1ce3ac
.reloc 0x143000 0x15f4 5632 ce84cdd3862451ee4c82d22aa290a14e260840bf 6b255962cbf9942cc97cd613f7352d10

PE Resources 1

Name Language Sublanguage Offset Size Data
RT_MANIFEST LANG_ENGLISH SUBLANG_ENGLISH_US 0x142060 145

Anti debug functions 10

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
OutputDebugStringA
OutputDebugStringW
Process32FirstW
Process32NextW
RaiseException
TerminateProcess
UnhandledExceptionFilter

Strings analysis - File found

XML
FileZilla\sitemanager.xml
Psi\profiles\default\accounts.xml
\.purple\accounts.xml
.purple\accounts.xml
Library
mscoree.dll
KERNEL32.dll
bcrypt.dll
ADVAPI32.dll
SHELL32.dll
WININET.dll
Crypt32.dll
STEALERDLL.dll
nss3.dll

Strings analysis - Possible IPs found 1

3.8.7.4

Import functions

Function Address Souspicious Anti Debug
BCryptOpenAlgorithmProvider 0x1800fd5c0
BCryptSetProperty 0x1800fd5c8
BCryptGenerateSymmetricKey 0x1800fd5d0
BCryptDecrypt 0x1800fd5d8
Function Address Souspicious Anti Debug
HttpOpenRequestA 0x1800fd560
InternetWriteFile 0x1800fd568
InternetReadFile 0x1800fd570
InternetConnectA 0x1800fd578
HttpSendRequestA 0x1800fd580
InternetCloseHandle 0x1800fd588
InternetOpenA 0x1800fd590
HttpAddRequestHeadersA 0x1800fd598
HttpSendRequestExW 0x1800fd5a0
HttpEndRequestA 0x1800fd5a8
InternetOpenW 0x1800fd5b0
Function Address Souspicious Anti Debug
CryptUnprotectData 0x1800fd070
Function Address Souspicious Anti Debug
SHGetFolderPathA 0x1800fd548
SHFileOperationA 0x1800fd550
Function Address Souspicious Anti Debug
GetFullPathNameA 0x1800fd080
SetEndOfFile 0x1800fd088
UnlockFileEx 0x1800fd090
GetTempPathW 0x1800fd098
CreateMutexW 0x1800fd0a0
WaitForSingleObject 0x1800fd0a8
CreateFileW 0x1800fd0b0
GetFileAttributesW 0x1800fd0b8
GetCurrentThreadId 0x1800fd0c0
UnmapViewOfFile 0x1800fd0c8
HeapValidate 0x1800fd0d0
HeapSize 0x1800fd0d8
MultiByteToWideChar 0x1800fd0e0
Sleep 0x1800fd0e8
GetTempPathA 0x1800fd0f0
FormatMessageW 0x1800fd0f8
GetDiskFreeSpaceA 0x1800fd100
GetLastError 0x1800fd108
GetFileAttributesA 0x1800fd110
GetFileAttributesExW 0x1800fd118
OutputDebugStringW 0x1800fd120
CreateFileA 0x1800fd128
LoadLibraryA 0x1800fd130
WaitForSingleObjectEx 0x1800fd138
DeleteFileA 0x1800fd140
DeleteFileW 0x1800fd148
HeapReAlloc 0x1800fd150
CloseHandle 0x1800fd158
GetSystemInfo 0x1800fd160
LoadLibraryW 0x1800fd168
HeapAlloc 0x1800fd170
HeapCompact 0x1800fd178
HeapDestroy 0x1800fd180
UnlockFile 0x1800fd188
GetProcAddress 0x1800fd190
CreateFileMappingA 0x1800fd198
LocalFree 0x1800fd1a0
LockFileEx 0x1800fd1a8
GetFileSize 0x1800fd1b0
DeleteCriticalSection 0x1800fd1b8
GetCurrentProcessId 0x1800fd1c0
GetProcessHeap 0x1800fd1c8
SystemTimeToFileTime 0x1800fd1d0
FreeLibrary 0x1800fd1d8
WideCharToMultiByte 0x1800fd1e0
GetSystemTimeAsFileTime 0x1800fd1e8
GetSystemTime 0x1800fd1f0
FormatMessageA 0x1800fd1f8
CreateFileMappingW 0x1800fd200
MapViewOfFile 0x1800fd208
QueryPerformanceCounter 0x1800fd210
GetTickCount 0x1800fd218
FlushFileBuffers 0x1800fd220
SetHandleInformation 0x1800fd228
FindFirstFileA 0x1800fd230
Wow64DisableWow64FsRedirection 0x1800fd238
K32GetModuleFileNameExW 0x1800fd240
FindNextFileA 0x1800fd248
CreatePipe 0x1800fd250
PeekNamedPipe 0x1800fd258
lstrlenA 0x1800fd260
FindClose 0x1800fd268
GetCurrentDirectoryA 0x1800fd270
lstrcatA 0x1800fd278
OpenProcess 0x1800fd280
SetCurrentDirectoryA 0x1800fd288
CreateToolhelp32Snapshot 0x1800fd290
ProcessIdToSessionId 0x1800fd298
CopyFileA 0x1800fd2a0
Wow64RevertWow64FsRedirection 0x1800fd2a8
Process32NextW 0x1800fd2b0
Process32FirstW 0x1800fd2b8
CreateThread 0x1800fd2c0
CreateProcessA 0x1800fd2c8
CreateDirectoryA 0x1800fd2d0
WriteConsoleW 0x1800fd2d8
InitializeCriticalSection 0x1800fd2e0
LeaveCriticalSection 0x1800fd2e8
LockFile 0x1800fd2f0
OutputDebugStringA 0x1800fd2f8
GetDiskFreeSpaceW 0x1800fd300
WriteFile 0x1800fd308
GetFullPathNameW 0x1800fd310
EnterCriticalSection 0x1800fd318
HeapFree 0x1800fd320
HeapCreate 0x1800fd328
TryEnterCriticalSection 0x1800fd330
ReadFile 0x1800fd338
AreFileApisANSI 0x1800fd340
SetFilePointer 0x1800fd348
ReadConsoleW 0x1800fd350
SetFilePointerEx 0x1800fd358
GetConsoleMode 0x1800fd360
GetConsoleCP 0x1800fd368
SetEnvironmentVariableW 0x1800fd370
FreeEnvironmentStringsW 0x1800fd378
GetEnvironmentStringsW 0x1800fd380
GetCommandLineW 0x1800fd388
GetCommandLineA 0x1800fd390
GetOEMCP 0x1800fd398
GetACP 0x1800fd3a0
IsValidCodePage 0x1800fd3a8
FindNextFileW 0x1800fd3b0
FindFirstFileExW 0x1800fd3b8
SetStdHandle 0x1800fd3c0
GetCurrentDirectoryW 0x1800fd3c8
RtlCaptureContext 0x1800fd3d0
RtlLookupFunctionEntry 0x1800fd3d8
RtlVirtualUnwind 0x1800fd3e0
UnhandledExceptionFilter 0x1800fd3e8
SetUnhandledExceptionFilter 0x1800fd3f0
GetCurrentProcess 0x1800fd3f8
TerminateProcess 0x1800fd400
IsProcessorFeaturePresent 0x1800fd408
IsDebuggerPresent 0x1800fd410
GetStartupInfoW 0x1800fd418
GetModuleHandleW 0x1800fd420
InitializeSListHead 0x1800fd428
SetLastError 0x1800fd430
InitializeCriticalSectionAndSpinCount 0x1800fd438
SwitchToThread 0x1800fd440
TlsAlloc 0x1800fd448
TlsGetValue 0x1800fd450
TlsSetValue 0x1800fd458
TlsFree 0x1800fd460
EncodePointer 0x1800fd468
DecodePointer 0x1800fd470
GetCPInfo 0x1800fd478
CompareStringW 0x1800fd480
LCMapStringW 0x1800fd488
GetLocaleInfoW 0x1800fd490
GetStringTypeW 0x1800fd498
RtlUnwindEx 0x1800fd4a0
RtlPcToFileHeader 0x1800fd4a8
RaiseException 0x1800fd4b0
InterlockedFlushSList 0x1800fd4b8
LoadLibraryExW 0x1800fd4c0
ExitThread 0x1800fd4c8
FreeLibraryAndExitThread 0x1800fd4d0
GetModuleHandleExW 0x1800fd4d8
GetDriveTypeW 0x1800fd4e0
GetFileInformationByHandle 0x1800fd4e8
GetFileType 0x1800fd4f0
SystemTimeToTzSpecificLocalTime 0x1800fd4f8
FileTimeToSystemTime 0x1800fd500
ExitProcess 0x1800fd508
GetModuleFileNameW 0x1800fd510
IsValidLocale 0x1800fd518
GetUserDefaultLCID 0x1800fd520
EnumSystemLocalesW 0x1800fd528
GetTimeZoneInformation 0x1800fd530
GetStdHandle 0x1800fd538
Function Address Souspicious Anti Debug
GetSidSubAuthorityCount 0x1800fd000
RegEnumValueW 0x1800fd008
RegEnumKeyA 0x1800fd010
RegCloseKey 0x1800fd018
RegQueryInfoKeyW 0x1800fd020
RegOpenKeyA 0x1800fd028
RegQueryValueExA 0x1800fd030
GetSidIdentifierAuthority 0x1800fd038
GetSidSubAuthority 0x1800fd040
GetUserNameA 0x1800fd048
RegEnumKeyExW 0x1800fd050
LookupAccountNameA 0x1800fd058
RegOpenKeyExA 0x1800fd060

PE Exports 2 suspicious

Function Address
Main 0x1800c11f0
Save 0x180005cf0

Related files by ImpHash 7 3eb70f83441fc8632e81bd6eb89f424d

Name Latest seen MD5
cred64.dll 2024-07-15 20:36:02 b9bccd35addce48384491a98e1b89eb5
cred64.dll 2024-07-29 00:14:02 d4944b1c2a2636220b189ab9b8dbbc00
cred64.dll 2024-08-28 07:05:02 4a4527a3ecf33ac8dc86e12681abf97b
cred64.dll 2024-10-16 20:45:03 d936bcd060924a3ea77c08a9fe550990
cred64.dll 2024-10-16 20:46:04 9bafe5c5cfe47a1ed2e15f2748986d92
cred64.dll 2024-10-16 20:47:03 1b32cdb682dc2b89bab7263aa4f1f08b
cred64.dll 2024-10-16 20:49:04 86d2400fe6cf41987dc3d7431cbc1279