DigitalSide Threat Intel

cred.dll

First submission 2024-10-16 21:00:02

File details

File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Mime type: application/x-dosexec
File size: 1059.5 KB (1084928 bytes)
Compile time: 2024-10-09 14:37:09
MD5: b3d199fd9fa4a18f08d4aa9e17181869
SHA1: 5118db1803592b227541b3ac60ca04814a9fd793
SHA256: 21a08e2c8f67a1afeaa420280086d0cfd86b7829e97f2a6a7a362546ad2b6c6d
Import Hash : 213cc311d974657ce4f52e13b2302f94
Sections 5 .text .rdata .data .rsrc .reloc
Directories 5 import export resource debug relocation

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

Virus Total: 57/77 VT report date: 2024-10-15 17:04:17
Malware Type 3 trojan downloader spyware
Threat Type 3 amadey lazy stealer

URLs, FQDN and IP indicators 1

URL Host (FQDN/IP) Date Added
hXXp://78.153.139.168/gfj38cHcw/Plugins/cred.dll VirusTotal Report 78.153.139.168 VirusTotal Report 2024-10-16 21:00:02

PE Sections 0 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0xe3ee8 933888 656977c8aeeb82adfeb6c76e4303de6455a0eb99 c9996fe87f0d33b0e0ff73a0f7200712
.rdata 0xe5000 0x1aee2 110592 2d86b9b0a4dd8f1ce2d4027bfbe320309c7d8d03 52c6ef92b1232b9246cdcc90009e2725
.data 0x100000 0x8f3c 11264 2a59530251e56b631aead7325344c79c3911ef93 57d5422df62ff375150c6f0773c343fd
.rsrc 0x109000 0xf8 512 559dd1af6be9b7f0e774e38607b61734b83898f4 ac715e79d7a1c770f83f459c3488063f
.reloc 0x10a000 0x6a64 27648 e6be663deff233613367c4a92ad781317ce6c13d d1e47439caacd2f1426cf616beafd71b

PE Resources 1

Name Language Sublanguage Offset Size Data
RT_MANIFEST LANG_ENGLISH SUBLANG_ENGLISH_US 0x109060 145

Packers detected 1

Borland Delphi 3.0 (???)

Anti debug functions 10

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
OutputDebugStringA
OutputDebugStringW
Process32FirstW
Process32NextW
RaiseException
TerminateProcess
UnhandledExceptionFilter

Anti debug functions 1

VMCheck.dll

Strings analysis - File found

XML
Psi\profiles\default\accounts.xml
FileZilla\sitemanager.xml
\.purple\accounts.xml
.purple\accounts.xml
Library
mscoree.dll
KERNEL32.dll
ADVAPI32.dll
SHELL32.dll
WININET.dll
Crypt32.dll
STEALERDLL.dll
nss3.dll
bcrypt.dll

Strings analysis - Possible IPs found 1

3.8.7.4

Import functions

Function Address Souspicious Anti Debug
BCryptOpenAlgorithmProvider 0x100e52d0
BCryptSetProperty 0x100e52d4
BCryptGenerateSymmetricKey 0x100e52d8
BCryptDecrypt 0x100e52dc
Function Address Souspicious Anti Debug
HttpOpenRequestA 0x100e52a0
InternetReadFile 0x100e52a4
InternetConnectA 0x100e52a8
HttpSendRequestA 0x100e52ac
InternetCloseHandle 0x100e52b0
InternetOpenA 0x100e52b4
HttpAddRequestHeadersA 0x100e52b8
HttpSendRequestExW 0x100e52bc
HttpEndRequestA 0x100e52c0
InternetOpenW 0x100e52c4
InternetWriteFile 0x100e52c8
Function Address Souspicious Anti Debug
CryptUnprotectData 0x100e5038
Function Address Souspicious Anti Debug
SHFileOperationA 0x100e5294
SHGetFolderPathA 0x100e5298
Function Address Souspicious Anti Debug
GetFullPathNameA 0x100e5040
SetEndOfFile 0x100e5044
UnlockFileEx 0x100e5048
GetTempPathW 0x100e504c
CreateMutexW 0x100e5050
WaitForSingleObject 0x100e5054
CreateFileW 0x100e5058
GetFileAttributesW 0x100e505c
GetCurrentThreadId 0x100e5060
UnmapViewOfFile 0x100e5064
HeapValidate 0x100e5068
HeapSize 0x100e506c
MultiByteToWideChar 0x100e5070
Sleep 0x100e5074
GetTempPathA 0x100e5078
FormatMessageW 0x100e507c
GetDiskFreeSpaceA 0x100e5080
GetLastError 0x100e5084
GetFileAttributesA 0x100e5088
GetFileAttributesExW 0x100e508c
OutputDebugStringW 0x100e5090
CreateFileA 0x100e5094
LoadLibraryA 0x100e5098
WaitForSingleObjectEx 0x100e509c
DeleteFileA 0x100e50a0
DeleteFileW 0x100e50a4
HeapReAlloc 0x100e50a8
CloseHandle 0x100e50ac
GetSystemInfo 0x100e50b0
LoadLibraryW 0x100e50b4
HeapAlloc 0x100e50b8
HeapCompact 0x100e50bc
HeapDestroy 0x100e50c0
UnlockFile 0x100e50c4
GetProcAddress 0x100e50c8
CreateFileMappingA 0x100e50cc
LocalFree 0x100e50d0
LockFileEx 0x100e50d4
GetFileSize 0x100e50d8
DeleteCriticalSection 0x100e50dc
GetCurrentProcessId 0x100e50e0
GetProcessHeap 0x100e50e4
SystemTimeToFileTime 0x100e50e8
FreeLibrary 0x100e50ec
WideCharToMultiByte 0x100e50f0
GetSystemTimeAsFileTime 0x100e50f4
GetSystemTime 0x100e50f8
FormatMessageA 0x100e50fc
CreateFileMappingW 0x100e5100
MapViewOfFile 0x100e5104
QueryPerformanceCounter 0x100e5108
GetTickCount 0x100e510c
FlushFileBuffers 0x100e5110
SetHandleInformation 0x100e5114
FindFirstFileA 0x100e5118
Wow64DisableWow64FsRedirection 0x100e511c
K32GetModuleFileNameExW 0x100e5120
FindNextFileA 0x100e5124
CreatePipe 0x100e5128
PeekNamedPipe 0x100e512c
lstrlenA 0x100e5130
FindClose 0x100e5134
GetCurrentDirectoryA 0x100e5138
lstrcatA 0x100e513c
OpenProcess 0x100e5140
SetCurrentDirectoryA 0x100e5144
CreateToolhelp32Snapshot 0x100e5148
ProcessIdToSessionId 0x100e514c
CopyFileA 0x100e5150
Wow64RevertWow64FsRedirection 0x100e5154
Process32NextW 0x100e5158
Process32FirstW 0x100e515c
CreateThread 0x100e5160
CreateProcessA 0x100e5164
CreateDirectoryA 0x100e5168
ReadConsoleW 0x100e516c
InitializeCriticalSection 0x100e5170
LeaveCriticalSection 0x100e5174
LockFile 0x100e5178
OutputDebugStringA 0x100e517c
GetDiskFreeSpaceW 0x100e5180
WriteFile 0x100e5184
GetFullPathNameW 0x100e5188
EnterCriticalSection 0x100e518c
HeapFree 0x100e5190
HeapCreate 0x100e5194
TryEnterCriticalSection 0x100e5198
ReadFile 0x100e519c
AreFileApisANSI 0x100e51a0
SetFilePointer 0x100e51a4
SetFilePointerEx 0x100e51a8
GetConsoleMode 0x100e51ac
GetConsoleCP 0x100e51b0
SetEnvironmentVariableW 0x100e51b4
FreeEnvironmentStringsW 0x100e51b8
GetEnvironmentStringsW 0x100e51bc
GetCommandLineW 0x100e51c0
GetCommandLineA 0x100e51c4
GetOEMCP 0x100e51c8
GetACP 0x100e51cc
IsValidCodePage 0x100e51d0
FindNextFileW 0x100e51d4
FindFirstFileExW 0x100e51d8
SetStdHandle 0x100e51dc
GetCurrentDirectoryW 0x100e51e0
GetStdHandle 0x100e51e4
GetTimeZoneInformation 0x100e51e8
UnhandledExceptionFilter 0x100e51ec
SetUnhandledExceptionFilter 0x100e51f0
GetCurrentProcess 0x100e51f4
TerminateProcess 0x100e51f8
IsProcessorFeaturePresent 0x100e51fc
IsDebuggerPresent 0x100e5200
GetStartupInfoW 0x100e5204
GetModuleHandleW 0x100e5208
InitializeSListHead 0x100e520c
SetLastError 0x100e5210
InitializeCriticalSectionAndSpinCount 0x100e5214
SwitchToThread 0x100e5218
TlsAlloc 0x100e521c
TlsGetValue 0x100e5220
TlsSetValue 0x100e5224
TlsFree 0x100e5228
EncodePointer 0x100e522c
DecodePointer 0x100e5230
GetCPInfo 0x100e5234
CompareStringW 0x100e5238
LCMapStringW 0x100e523c
GetLocaleInfoW 0x100e5240
GetStringTypeW 0x100e5244
RaiseException 0x100e5248
InterlockedFlushSList 0x100e524c
RtlUnwind 0x100e5250
LoadLibraryExW 0x100e5254
ExitThread 0x100e5258
FreeLibraryAndExitThread 0x100e525c
GetModuleHandleExW 0x100e5260
GetDriveTypeW 0x100e5264
GetFileInformationByHandle 0x100e5268
GetFileType 0x100e526c
SystemTimeToTzSpecificLocalTime 0x100e5270
FileTimeToSystemTime 0x100e5274
ExitProcess 0x100e5278
GetModuleFileNameW 0x100e527c
IsValidLocale 0x100e5280
GetUserDefaultLCID 0x100e5284
EnumSystemLocalesW 0x100e5288
WriteConsoleW 0x100e528c
Function Address Souspicious Anti Debug
GetUserNameA 0x100e5000
RegEnumValueW 0x100e5004
RegEnumKeyA 0x100e5008
RegCloseKey 0x100e500c
RegQueryInfoKeyW 0x100e5010
RegOpenKeyA 0x100e5014
RegQueryValueExA 0x100e5018
GetSidSubAuthorityCount 0x100e501c
GetSidSubAuthority 0x100e5020
RegOpenKeyExA 0x100e5024
RegEnumKeyExW 0x100e5028
LookupAccountNameA 0x100e502c
GetSidIdentifierAuthority 0x100e5030

PE Exports 2 suspicious

Function Address
Main 0x100b1100
Save 0x100045c0

Related files by ImpHash 6 213cc311d974657ce4f52e13b2302f94

Name Latest seen MD5
cred.dll 2024-07-21 09:03:01 765ad3b71d73ed1ae9e4fb004876837e
cred.dll 2024-07-29 00:15:02 d696e4ee5dac5d3e4b5073359224fcdc
cred.dll 2024-10-16 21:17:02 13c5fbf7e0d1ea910bf55a32a877217f
cred.dll 2024-10-16 21:18:02 16ab3210260ec2df7ffc2292e9ad4abb
cred.dll 2024-10-16 21:19:03 0961bd2ba614e84e0b9b93444179fb07
cred.dll 2024-10-16 21:20:03 7c5bea5cda7a89450f82fa18497a0191