cred64.dll

First submission 2024-10-16 20:49:04

File details

File type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Mime type: application/x-dosexec
File size: 1255.0 KB (1285120 bytes)
Compile time: 2024-08-15 09:45:11
MD5: 86d2400fe6cf41987dc3d7431cbc1279
SHA1: 6a1af13d077f9632535c5d8ec5294e2c2a34cb71
SHA256: 9da058418bf15b7a1611c7009c7b5fb43f549e0e3de0eeba84322ee5ede5b734
Import Hash : 3eb70f83441fc8632e81bd6eb89f424d
Sections (7): .text, .rdata, .data, .pdata, _RDATA, .rsrc, .reloc
Directories (5): import, export, resource, debug, relocation

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

VirusTotal detections: 51/78 (VT report date: 2024-09-23 04:27:53)
Malware Type (2): trojan, spyware
Threat Type (3): zusy, stealer, convagent

URLs, FQDN and IP indicators 1

URL                                              | Host (FQDN/IP) | Date Added
hXXp://amoamoxxx.org/h9fmdW5/Plugins/cred64.dll  | amoamoxxx.org  | 2024-10-16 20:49:04

PE Sections 0 suspicious

Name   | VAddress | VSize   | Size    | SHA1                                     | MD5                              | Suspicious
.text  | 0x1000   | 0xfbaa8 | 1031168 | a840bffca3aa9d244ddad8b5a2cb1ee94224edf8 | 95b0ca45986997ca6e3d9d43ef686d83 | no
.rdata | 0xfd000  | 0x2ce02 | 184320  | b31c15b7b72a0b8dbdca09f7a67776f1b0e2970e | e3f6e8e5c5a7d6cba62cd22f7e70b4aa | no
.data  | 0x12a000 | 0xbbac  | 17408   | a78813eb452a3ea2733051f72437b458f0703625 | eab9f520f4edf8588a5524e594081081 | no
.pdata | 0x136000 | 0xad70  | 44544   | f7bf372e9d55055dfc74c6e34864c03a2e465225 | ac4b6f9dfef8e2d4f003bfdd9578f011 | no
_RDATA | 0x141000 | 0x94    | 512     | f614a0b55af015a86a724f9a265c569786aed260 | 830a5ca5b68ce0d267a64e5736f6792f | no
.rsrc  | 0x142000 | 0xf8    | 512     | 6f2aee814106277dae3a8e6b3254dde0bfde7fc7 | 193fc41b7ab2ce83170d116dba1ce3ac | no
.reloc | 0x143000 | 0x15f4  | 5632    | 8f10d79e5d1eaa682e767e31680031046bad09d3 | 467aa201641c83407780105210404d90 | no

PE Resources 1

Name        | Language     | Sublanguage        | Offset   | Size | Data
RT_MANIFEST | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0x142060 | 145  |

Anti debug functions 10

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
OutputDebugStringA
OutputDebugStringW
Process32FirstW
Process32NextW
RaiseException
TerminateProcess
UnhandledExceptionFilter

Strings analysis - File found

XML
  FileZilla\sitemanager.xml
  Psi\profiles\default\accounts.xml
  \.purple\accounts.xml
  .purple\accounts.xml
Library
  mscoree.dll
  KERNEL32.dll
  bcrypt.dll
  ADVAPI32.dll
  SHELL32.dll
  WININET.dll
  Crypt32.dll
  STEALERDLL.dll
  nss3.dll

Strings analysis - Possible IPs found 1

3.8.7.4

Import functions

PE Exports 2 suspicious

Function | Address
Main     | 0x1800c0c40
Save     | 0x180005d80

Name       | Latest seen         | MD5
cred64.dll | 2024-07-15 20:36:02 | b9bccd35addce48384491a98e1b89eb5
cred64.dll | 2024-07-29 00:14:02 | d4944b1c2a2636220b189ab9b8dbbc00
cred64.dll | 2024-08-28 07:05:02 | 4a4527a3ecf33ac8dc86e12681abf97b
cred64.dll | 2024-10-16 20:45:03 | d936bcd060924a3ea77c08a9fe550990
cred64.dll | 2024-10-16 20:46:04 | 9bafe5c5cfe47a1ed2e15f2748986d92
cred64.dll | 2024-10-16 20:47:03 | 1b32cdb682dc2b89bab7263aa4f1f08b
cred64.dll | 2024-10-16 20:48:02 | 304e7afdf32dbcbdce75b6366103abcb