9f9723c5ff4ec1b7f08eb2005632b8b1

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2020-Jul-09 01:05:28
Detected languages English - United States
FileDescription Windows Credential Manager
FileVersion 6.1.7600.16385
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename Credential.dll
ProductName Microsoft® Windows® Operating System
ProductVersion 6.1.7600.16385

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Info Interesting strings found in the binary: Contains domain names:
  • dalailamatrustindia.ddns.net
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • LoadLibraryW
  • GetProcAddress
  • LoadLibraryExW
Can access the registry:
  • RegCloseKey
  • RegSetValueExW
  • RegCreateKeyW
  • RegOpenKeyW
  • RegQueryValueExW
Possibly launches other programs:
  • CreateProcessW
Can create temporary files:
  • CreateFileW
  • GetTempPathW
Leverages the raw socket API to access the Internet:
  • #115
  • GetAddrInfoW
  • FreeAddrInfoW
  • #116
  • #19
  • #4
  • #21
  • #16
  • #3
  • #9
  • #23
Enumerates local disk drives:
  • GetVolumeInformationW
  • GetDriveTypeW
  • GetLogicalDriveStringsW
Malicious VirusTotal score: 48/71 (Scanned on 2020-11-19 05:58:23)
Elastic: malicious (high confidence)
MicroWorld-eScan: Trojan.GenericKD.43597666
FireEye: Trojan.GenericKD.43597666
McAfee: RDN/Generic PWS.y
Cylance: Unsafe
VIPRE: Trojan.Win32.Generic!BT
Sangfor: Malware
K7AntiVirus: Password-Stealer ( 0056c0851 )
BitDefender: Trojan.GenericKD.43597666
K7GW: Password-Stealer ( 0056c0851 )
CrowdStrike: win/malicious_confidence_100% (W)
Arcabit: Trojan.Generic.D2993F62
TrendMicro: TROJ_GEN.R002C0PH920
Cyren: W32/Trojan.JXSX-1977
Symantec: Trojan Horse
Avast: Win32:Trojan-gen
Kaspersky: HEUR:Trojan.Win32.APosT.gen
Alibaba: TrojanPSW:Win32/Generic.1f535b62
NANO-Antivirus: Trojan.Win32.Generic.hvsquv
ViRobot: Trojan.Win32.S.Agent.118784.DMF
AegisLab: Trojan.Multi.Generic.4!c
Tencent: Win32.Trojan.Generic.Hxqd
Ad-Aware: Trojan.GenericKD.43597666
Sophos: Troj/Agent-BFNL
Comodo: Malware@#3i3wuv5vhw1nu
F-Secure: Trojan.TR/PSW.Agent.wpzys
Zillya: Trojan.Agent.Win32.1358709
Invincea: Mal/Generic-R + Troj/Agent-BFNL
McAfee-GW-Edition: Generic trojan.ku
Emsisoft: Trojan.GenericKD.43597666 (B)
Webroot: W32.Trojan.Gen
Avira: TR/PSW.Agent.wpzys
MAX: malware (ai score=100)
Microsoft: Trojan:Win32/CryptInject.SBR!MSR
ZoneAlarm: HEUR:Trojan.Win32.APosT.gen
GData: Trojan.GenericKD.43597666
Cynet: Malicious (score: 85)
AhnLab-V3: Trojan/Win32.Stealer.C4191896
BitDefenderTheta: Gen:NN.ZedlaF.34634.hy8@auMSP7ni
ALYac: Trojan.Agent.Sepulcher
VBA32: Trojan.Ymacco
ESET-NOD32: a variant of Win32/PSW.Agent.OKI
TrendMicro-HouseCall: TROJ_GEN.R002C0PH920
Ikarus: Trojan.Crypt
Fortinet: W32/Agent.OKI!tr.pws
AVG: Win32:Trojan-gen
Paloalto: generic.ml
Qihoo-360: Generic/HEUR/QVM30.2.1F83.Malware.Gen

Hashes

MD5 9f9723c5ff4ec1b7f08eb2005632b8b1
SHA1 e47a821ef85d722f01f10adff227f45552e4ec73
SHA256 e89614e3b0430d706bef2d1f13b30b43e5c53db9a477e2ff60ef5464e1e9add4
SHA3 b8d44b51ffb002032666bd8e864a77451fe9f45ecaec8c2b4b3ccc6e8e1bc396
SSDeep 3072:Z3EKsekGvHowEu//WfW0JTtLVbZDe6n7KSNM:REKsekco0/2WEgCu/
Imports Hash e1d6ba3c39f15ec6f83afb0fc539bfd7

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x110

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 6
TimeDateStamp 2020-Jul-09 01:05:28
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0x13800
SizeOfInitializedData 0x9e00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00004A39 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x15000
ImageBase 0x10000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x23000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 ae212276396f2655a5900aee57dad2ef
SHA1 146642e03720f7635271171b8eed49c0f2a747ab
SHA256 4d4676c3af301ad0e0b035d2d4d0ba6940f30a38f0d596ba3654a99239b5b211
SHA3 e0a03a8a01f6ab56cbb46e8b051edb3117d83374b869da92cb34e09eae67f299
VirtualSize 0x136e4
VirtualAddress 0x1000
SizeOfRawData 0x13800
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.66453

.rdata

MD5 f9dd7c13cc63c85fab409cb219b75f1d
SHA1 c978cf74cb0ff62f2275d83df33dcca948265e0f
SHA256 3acaf6a2791ddd2cb946cdf4609c875cb73fc3e2c72efa19baebbb1b8c327baa
SHA3 523dd46ccc01548b5600e92a95cdc762dc3bd5bf7ff82774fb9a4c27b73e6ce3
VirtualSize 0x70ac
VirtualAddress 0x15000
SizeOfRawData 0x7200
PointerToRawData 0x13c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.33822

.data

MD5 77566daa8f961d08ad2d2859eacbc276
SHA1 453e9a724aa6fa7c969fecc65df7391f85ec310b
SHA256 24e6cee046419bffc19373e36cd4cb4e33d0a4d2b1768cf1e72e93f751d70734
SHA3 ad5a58ebecdc2de99b85a98397fcb331aa315484826fcb0b43bbe22664609f50
VirtualSize 0x12fc
VirtualAddress 0x1d000
SizeOfRawData 0xa00
PointerToRawData 0x1ae00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.43418

.gfids

MD5 d265f877930e9bf626ad63a63f6c1c06
SHA1 e8112eff03204731488618850e7e941f45dda8b7
SHA256 c7d82fb079accffea6263a3eb0ae8eac8f7d2fd57f4ba9eef83088bbb66e544b
SHA3 c5089faaf1b37caaa2acb89e1948868df4128412f787b432b32619ec94ae5228
VirtualSize 0xd4
VirtualAddress 0x1f000
SizeOfRawData 0x200
PointerToRawData 0x1b800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 1.69352

.rsrc

MD5 e9e06f4ec16414c4d5d97fa1132702ac
SHA1 3a2f785e5ab3761fc08e82685a7353d823cc2ed1
SHA256 38786628ad8521e19e95b1fa360b385629e7436a583f2e3d90db1054cccecca8
SHA3 6696c4bc82609c744f03b3d5a3882c0a1afc4746fa39c7dcfa70525bbc2bf911
VirtualSize 0x358
VirtualAddress 0x20000
SizeOfRawData 0x400
PointerToRawData 0x1ba00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 2.88952

.reloc

MD5 c8e0319fb9dfd0d8a9259552b016e564
SHA1 813811998a696812336879772ceb3f7747c36082
SHA256 acb513c6a570b84b7a46ef69dbe292cb7e812d55005945481861df5fe64cc196
SHA3 3a260bbb876a8eaa34ea870f05ddcde6aba8b1c3ced8c5c3db5e1bb0ef580288
VirtualSize 0x1188
VirtualAddress 0x21000
SizeOfRawData 0x1200
PointerToRawData 0x1be00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.50209

Imports

KERNEL32.dll lstrcpyW
GetTickCount
CreateEventW
CloseHandle
WaitForSingleObject
ResetEvent
SetEvent
GetSystemInfo
GlobalMemoryStatusEx
GetComputerNameW
GetComputerNameExW
GetACP
GetOEMCP
GetPriorityClass
GetCurrentProcess
GetThreadPriority
GetCurrentThread
SetPriorityClass
SetThreadPriority
QueryPerformanceFrequency
QueryPerformanceCounter
LoadLibraryW
GetProcAddress
FreeLibrary
GetModuleHandleW
GetNativeSystemInfo
CreateFileW
DeleteCriticalSection
SetFilePointerEx
ReadFile
WriteFile
DeleteFileW
GetTempPathW
GetCurrentThreadId
GetDiskFreeSpaceExW
GetVolumeInformationW
GetDriveTypeW
GetLogicalDriveStringsW
GetFileAttributesExW
FindFirstFileW
FindNextFileW
FindClose
GetFileSize
TerminateProcess
GetStdHandle
CreatePipe
SetStdHandle
DuplicateHandle
CreateProcessW
WriteConsoleW
FlushFileBuffers
GetConsoleMode
GetConsoleCP
DecodePointer
RaiseException
GetLastError
Sleep
InitializeCriticalSectionEx
GetModuleFileNameW
OutputDebugStringA
GetFileSizeEx
lstrlenW
GetProcessHeap
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetCPInfo
IsValidCodePage
FindNextFileA
FindFirstFileExA
HeapReAlloc
HeapSize
IsDebuggerPresent
OutputDebugStringW
EnterCriticalSection
LeaveCriticalSection
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
GetStartupInfoW
GetCurrentProcessId
GetSystemTimeAsFileTime
InitializeSListHead
InterlockedFlushSList
SetLastError
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
RtlUnwind
CreateThread
ExitThread
ResumeThread
FreeLibraryAndExitThread
GetModuleHandleExW
ExitProcess
GetModuleFileNameA
MultiByteToWideChar
WideCharToMultiByte
HeapFree
HeapAlloc
GetFileType
GetStringTypeW
LCMapStringW
USER32.dll CharLowerW
CharUpperW
wsprintfW
ADVAPI32.dll RegCloseKey
RegSetValueExW
RegCreateKeyW
RegOpenKeyW
RegQueryValueExW
ole32.dll CoCreateGuid
SHLWAPI.dll StrStrW
StrCmpW
StrCpyW
WS2_32.dll #115
GetAddrInfoW
FreeAddrInfoW
#116
#19
#4
#21
#16
#3
#9
#23

Delayed Imports

GetObjectCount

Ordinal 1
Address 0x185e

1

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x2f4
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.49181
MD5 3a9536e1e6130cd1b4eae4361684419e
SHA1 d3c4cc8d24b519b0da942cfbeccb116dfaec0e4d
SHA256 bc12a166ca54b29e54e11a70a2af9758a6e6416172fa2efaa7dd32b80930939e
SHA3 d932fb5270cb7f2b4772ac4dd4f4c0a0ab69d2f321f5481a4aeac35004f7bce4

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 6.1.7600.16385
ProductVersion 6.1.7600.16385
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
FileDescription Windows Credential Manager
FileVersion (#2) 6.1.7600.16385
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename Credential.dll
ProductName Microsoft® Windows® Operating System
ProductVersion (#2) 6.1.7600.16385
Resource LangID English - United States

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2020-Jul-09 01:05:28
Version 0.0
SizeofData 748
AddressOfRawData 0x1ad9c
PointerToRawData 0x1999c

IMAGE_DEBUG_TYPE_ILTCG

Characteristics 0
TimeDateStamp 2020-Jul-09 01:05:28
Version 0.0
SizeofData 0
AddressOfRawData 0
PointerToRawData 0

TLS Callbacks

Load Configuration

Size 0x5c
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x1001d008
SEHandlerTable 0x1001ad90
SEHandlerCount 3

RICH Header

XOR Key 0x9f7efff7
Unmarked objects 0
241 (40116) 9
243 (40116) 120
242 (40116) 24
ASM objects (VS2015 UPD3 build 24123) 18
C++ objects (VS2015 UPD3 build 24123) 27
C objects (VS2015 UPD3 build 24123) 16
C++ objects (23013) 2
Imports (65501) 15
Total imports 149
265 (VS2015 UPD3.1 build 24215) 9
Exports (VS2015 UPD3.1 build 24215) 1
Resource objects (VS2015 UPD3 build 24210) 1
Linker (VS2015 UPD3.1 build 24215) 1

Errors
