| Field | Value |
|---|---|
| Architecture | IMAGE_FILE_MACHINE_I386 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date | 2020-Jul-09 01:05:28 |
| Detected languages | English - United States |
| FileDescription | Windows Credential Manager |
| FileVersion | 6.1.7600.16385 |
| LegalCopyright | © Microsoft Corporation. All rights reserved. |
| OriginalFilename | Credential.dll |
| ProductName | Microsoft® Windows® Operating System |
| ProductVersion | 6.1.7600.16385 |
| Info | Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0 |
| Info | Interesting strings found in the binary: Contains domain names: |
| Suspicious | The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports: |
| Malicious | VirusTotal score: 48/71 (Scanned on 2020-11-19 05:58:23) |

| Engine | Detection |
|---|---|
| Elastic | malicious (high confidence) |
| MicroWorld-eScan | Trojan.GenericKD.43597666 |
| FireEye | Trojan.GenericKD.43597666 |
| McAfee | RDN/Generic PWS.y |
| Cylance | Unsafe |
| VIPRE | Trojan.Win32.Generic!BT |
| Sangfor | Malware |
| K7AntiVirus | Password-Stealer ( 0056c0851 ) |
| BitDefender | Trojan.GenericKD.43597666 |
| K7GW | Password-Stealer ( 0056c0851 ) |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Arcabit | Trojan.Generic.D2993F62 |
| TrendMicro | TROJ_GEN.R002C0PH920 |
| Cyren | W32/Trojan.JXSX-1977 |
| Symantec | Trojan Horse |
| Avast | Win32:Trojan-gen |
| Kaspersky | HEUR:Trojan.Win32.APosT.gen |
| Alibaba | TrojanPSW:Win32/Generic.1f535b62 |
| NANO-Antivirus | Trojan.Win32.Generic.hvsquv |
| ViRobot | Trojan.Win32.S.Agent.118784.DMF |
| AegisLab | Trojan.Multi.Generic.4!c |
| Tencent | Win32.Trojan.Generic.Hxqd |
| Ad-Aware | Trojan.GenericKD.43597666 |
| Sophos | Troj/Agent-BFNL |
| Comodo | Malware@#3i3wuv5vhw1nu |
| F-Secure | Trojan.TR/PSW.Agent.wpzys |
| Zillya | Trojan.Agent.Win32.1358709 |
| Invincea | Mal/Generic-R + Troj/Agent-BFNL |
| McAfee-GW-Edition | Generic trojan.ku |
| Emsisoft | Trojan.GenericKD.43597666 (B) |
| Webroot | W32.Trojan.Gen |
| Avira | TR/PSW.Agent.wpzys |
| MAX | malware (ai score=100) |
| Microsoft | Trojan:Win32/CryptInject.SBR!MSR |
| ZoneAlarm | HEUR:Trojan.Win32.APosT.gen |
| GData | Trojan.GenericKD.43597666 |
| Cynet | Malicious (score: 85) |
| AhnLab-V3 | Trojan/Win32.Stealer.C4191896 |
| BitDefenderTheta | Gen:NN.ZedlaF.34634.hy8@auMSP7ni |
| ALYac | Trojan.Agent.Sepulcher |
| VBA32 | Trojan.Ymacco |
| ESET-NOD32 | a variant of Win32/PSW.Agent.OKI |
| TrendMicro-HouseCall | TROJ_GEN.R002C0PH920 |
| Ikarus | Trojan.Crypt |
| Fortinet | W32/Agent.OKI!tr.pws |
| AVG | Win32:Trojan-gen |
| Paloalto | generic.ml |
| Qihoo-360 | Generic/HEUR/QVM30.2.1F83.Malware.Gen |

| DOS header field | Value |
|---|---|
| e_magic | MZ |
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0x110 |

| File header field | Value |
|---|---|
| Signature | PE |
| Machine | IMAGE_FILE_MACHINE_I386 |
| NumberofSections | 6 |
| TimeDateStamp | 2020-Jul-09 01:05:28 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xe0 |
| Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_DLL, IMAGE_FILE_EXECUTABLE_IMAGE |

| Optional header field | Value |
|---|---|
| Magic | PE32 |
| LinkerVersion | 14.0 |
| SizeOfCode | 0x13800 |
| SizeOfInitializedData | 0x9e00 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x00004A39 (Section: .text) |
| BaseOfCode | 0x1000 |
| BaseOfData | 0x15000 |
| ImageBase | 0x10000000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 6.0 |
| ImageVersion | 0.0 |
| SubsystemVersion | 6.0 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x23000 |
| SizeOfHeaders | 0x400 |
| Checksum | 0 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT |
| SizeofStackReserve | 0x100000 |
| SizeofStackCommit | 0x1000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |

| DLL | Imported functions |
|---|---|
| KERNEL32.dll | lstrcpyW GetTickCount CreateEventW CloseHandle WaitForSingleObject ResetEvent SetEvent GetSystemInfo GlobalMemoryStatusEx GetComputerNameW GetComputerNameExW GetACP GetOEMCP GetPriorityClass GetCurrentProcess GetThreadPriority GetCurrentThread SetPriorityClass SetThreadPriority QueryPerformanceFrequency QueryPerformanceCounter LoadLibraryW GetProcAddress FreeLibrary GetModuleHandleW GetNativeSystemInfo CreateFileW DeleteCriticalSection SetFilePointerEx ReadFile WriteFile DeleteFileW GetTempPathW GetCurrentThreadId GetDiskFreeSpaceExW GetVolumeInformationW GetDriveTypeW GetLogicalDriveStringsW GetFileAttributesExW FindFirstFileW FindNextFileW FindClose GetFileSize TerminateProcess GetStdHandle CreatePipe SetStdHandle DuplicateHandle CreateProcessW WriteConsoleW FlushFileBuffers GetConsoleMode GetConsoleCP DecodePointer RaiseException GetLastError Sleep InitializeCriticalSectionEx GetModuleFileNameW OutputDebugStringA GetFileSizeEx lstrlenW GetProcessHeap FreeEnvironmentStringsW GetEnvironmentStringsW GetCommandLineW GetCommandLineA GetCPInfo IsValidCodePage FindNextFileA FindFirstFileExA HeapReAlloc HeapSize IsDebuggerPresent OutputDebugStringW EnterCriticalSection LeaveCriticalSection UnhandledExceptionFilter SetUnhandledExceptionFilter IsProcessorFeaturePresent GetStartupInfoW GetCurrentProcessId GetSystemTimeAsFileTime InitializeSListHead InterlockedFlushSList SetLastError InitializeCriticalSectionAndSpinCount TlsAlloc TlsGetValue TlsSetValue TlsFree LoadLibraryExW RtlUnwind CreateThread ExitThread ResumeThread FreeLibraryAndExitThread GetModuleHandleExW ExitProcess GetModuleFileNameA MultiByteToWideChar WideCharToMultiByte HeapFree HeapAlloc GetFileType GetStringTypeW LCMapStringW |
| USER32.dll | CharLowerW CharUpperW wsprintfW |
| ADVAPI32.dll | RegCloseKey RegSetValueExW RegCreateKeyW RegOpenKeyW RegQueryValueExW |
| ole32.dll | CoCreateGuid |
| SHLWAPI.dll | StrStrW StrCmpW StrCpyW |
| WS2_32.dll | #115 GetAddrInfoW FreeAddrInfoW #116 #19 #4 #21 #16 #3 #9 #23 |

| Ordinal | Address |
|---|---|
| 1 | 0x185e |

| Version info field | Value |
|---|---|
| Signature | 0xfeef04bd |
| StructVersion | 0x10000 |
| FileVersion | 6.1.7600.16385 |
| ProductVersion | 6.1.7600.16385 |
| FileFlags | (EMPTY) |
| FileOs | VOS_DOS_WINDOWS32, VOS_NT, VOS_NT_WINDOWS32, VOS_WINCE, VOS__WINDOWS32 |
| FileType | VFT_APP |
| Language | English - United States |
| FileDescription | Windows Credential Manager |
| FileVersion (#2) | 6.1.7600.16385 |
| LegalCopyright | © Microsoft Corporation. All rights reserved. |
| OriginalFilename | Credential.dll |
| ProductName | Microsoft® Windows® Operating System |
| ProductVersion (#2) | 6.1.7600.16385 |
| Resource LangID | English - United States |

| Debug directory field | Entry 1 | Entry 2 |
|---|---|---|
| Characteristics | 0 | 0 |
| TimeDateStamp | 2020-Jul-09 01:05:28 | 2020-Jul-09 01:05:28 |
| Version | 0.0 | 0.0 |
| SizeofData | 748 | 0 |
| AddressOfRawData | 0x1ad9c | 0 |
| PointerToRawData | 0x1999c | 0 |

| Load configuration field | Value |
|---|---|
| Size | 0x5c |
| TimeDateStamp | 1970-Jan-01 00:00:00 |
| Version | 0.0 |
| GlobalFlagsClear | (EMPTY) |
| GlobalFlagsSet | (EMPTY) |
| CriticalSectionDefaultTimeout | 0 |
| DeCommitFreeBlockThreshold | 0 |
| DeCommitTotalFreeThreshold | 0 |
| LockPrefixTable | 0 |
| MaximumAllocationSize | 0 |
| VirtualMemoryThreshold | 0 |
| ProcessAffinityMask | 0 |
| ProcessHeapFlags | (EMPTY) |
| CSDVersion | 0 |
| Reserved1 | 0 |
| EditList | 0 |
| SecurityCookie | 0x1001d008 |
| SEHandlerTable | 0x1001ad90 |
| SEHandlerCount | 3 |

| Rich header entry | Value |
|---|---|
| XOR Key | 0x9f7efff7 |
| Unmarked objects | 0 |
| 241 (40116) | 9 |
| 243 (40116) | 120 |
| 242 (40116) | 24 |
| ASM objects (VS2015 UPD3 build 24123) | 18 |
| C++ objects (VS2015 UPD3 build 24123) | 27 |
| C objects (VS2015 UPD3 build 24123) | 16 |
| C++ objects (23013) | 2 |
| Imports (65501) | 15 |
| Total imports | 149 |
| 265 (VS2015 UPD3.1 build 24215) | 9 |
| Exports (VS2015 UPD3.1 build 24215) | 1 |
| Resource objects (VS2015 UPD3 build 24210) | 1 |
| Linker (VS2015 UPD3.1 build 24215) | 1 |