MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 371b9214f60a70c81ec1756d284e8028ff7603498341ecb7fa5cc09f3b10043e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara Comments

SHA256 hash: 371b9214f60a70c81ec1756d284e8028ff7603498341ecb7fa5cc09f3b10043e
SHA3-384 hash: efc8cfc00f538ad7df81ed531ff092d8c72ad83890b8e8ddd263131cd52889821b7e21a3276f8b6a19d91c78320430ed
SHA1 hash: 6a31f670e6b91d246ff88d073d6c0b0cde9e9300
MD5 hash: b7f755dc5616bbf10f6d11a276c88c98
humanhash: video-arkansas-harry-uranus
File name:citadel_1.2.0.0b.vir
Download: download sample
Signature ZeuS
File size:218'112 bytes
First seen:2020-07-19 16:49:17 UTC
Last seen:2020-07-19 19:12:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5d8129e568e0c072279cf2d88392e5bc
ssdeep 3072:8VflxS0aSESBwG0dmhZ8A3YVt+AYJcLoAvyPWjtxrrSYEbHeDOk5BcNlqH+:8V/SXSjBwbdmhsUA8cQwrwbHxkcq
TLSH 9F2401B9DE4A9523CB4D17349A24A4D57F2C72ED0B2245BF1E008DFCA253A844DE939F
Reporter @tildedennis
Tags:Citadel ZeuS


Twitter
@tildedennis
citadel version 1.2.0.0b

Intelligence


File Origin
# of uploads :
3
# of downloads :
20
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Threat name:
Win32.Spyware.Zbot
Status:
Malicious
First seen:
2013-10-20 20:57:00 UTC
AV detection:
21 of 25 (84.00%)
Threat level
  2/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
NTFS ADS
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Checks installed software on the system
Adds Run key to start application
Checks installed software on the system
Adds Run key to start application
Deletes itself
Loads dropped DLL
Executes dropped EXE
Executes dropped EXE
Threat name:
Unknown
Score:
1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments