MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76494ca680d605eca75201ecf6c87bf1c6070c640e95bf3acfd633ac529a8487. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 76494ca680d605eca75201ecf6c87bf1c6070c640e95bf3acfd633ac529a8487
SHA3-384 hash: 253823905f9c4fa8810e41d28a82c22c1d2b3355b5e7973f801ff0a88d0abc69c68b5292851afb64a82b10878692131a
SHA1 hash: c73fec0e884dd8c0605257adcec1ab1153175455
MD5 hash: fb340f7a5dbb81b63198d0637b94fa13
humanhash: jig-paris-quiet-fourteen
File name: citadel_0.0.1.1.vir
Signature: ZeuS
File size: 557'568 bytes
First seen: 2020-07-19 17:30:54 UTC
Last seen: 2020-07-19 19:19:04 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep: 6144:ZxU35kJhCd4x5eDouSPwftHBMfimTW8NgDnG+VAaQHE2xebk16HYpO9h6m:3UpkJhCeYouSg4imTWkAG+CEdgA6R
TLSH: 24C49D516D1EBEC8F0047231C4B7C06254B0EE7989A6564B37A23E4EB9EB113B8B3F55
Reporter: @tildedennis
Tags: Citadel, ZeuS
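Before relying on the record above, a downloaded copy of the sample should be checked against its hashes and size. The script below is an added example for this page (not MalwareBazaar's or abuse.ch's code): it assumes the sample has already been downloaded and unpacked to a local path, copies the EXPECTED values from the table above, and uses constructed function names and a constructed minimal PE stub for the demonstration.

```python
"""Offline check of a sample downloaded from MalwareBazaar against its record.

Added example for this page; not MalwareBazaar's or abuse.ch's code. Assumes the
sample has been downloaded and extracted locally (the inner file keeps its .vir
name). EXPECTED and EXPECTED_SIZE are copied from the record above; the function
names and the minimal PE stub are constructed for illustration.
"""
import hashlib
import sys
from pathlib import Path

# Values as listed in the MalwareBazaar record for this sample.
EXPECTED = {
    "md5": "fb340f7a5dbb81b63198d0637b94fa13",
    "sha1": "c73fec0e884dd8c0605257adcec1ab1153175455",
    "sha256": "76494ca680d605eca75201ecf6c87bf1c6070c640e95bf3acfd633ac529a8487",
    "sha3_384": ("253823905f9c4fa8810e41d28a82c22c1d2b3355b5e7973f801ff0a88d0abc69"
                 "c68b5292851afb64a82b10878692131a"),
}
EXPECTED_SIZE = 557568  # "557'568 bytes" in the record


def digests(data: bytes) -> dict:
    """Compute the four digests MalwareBazaar lists, as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in EXPECTED}


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature.

    The record says application/x-dosexec but the file is stored as .vir, so the
    extension tells you nothing; look at the bytes.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def verify(data: bytes, expected: dict = EXPECTED, expected_size: int = EXPECTED_SIZE) -> dict:
    """Compare a blob with the record; returns per-field booleans and an overall 'match'.

    A size or digest mismatch normally means a different file (re-packed, truncated,
    wrong entry), so every digest and the size must agree before the blob is
    treated as this record's sample.
    """
    got = digests(data)
    result = {name: got[name] == expected[name] for name in expected}
    result["size"] = len(data) == expected_size
    result["pe"] = is_pe(data)
    result["match"] = all(result[name] for name in expected) and result["size"]
    return result


def verify_file(path) -> dict:
    """Read a file from disk and verify it against the record."""
    return verify(Path(path).read_bytes())


def minimal_pe_stub() -> bytes:
    """Constructed 68-byte blob with a valid MZ/PE signature pair, for exercising is_pe()."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\x00\x00"


if __name__ == "__main__":
    report = verify_file(sys.argv[1])
    for key, ok in report.items():
        print(f"{key:9s} {'OK' if ok else 'MISMATCH'}")
```

Run it as `python verify_sample.py citadel_0.0.1.1.vir` (script name assumed). SHA256 is the key used to look the entry up; MD5 and SHA1 are kept only because older vendor reports are indexed by them.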


Twitter
@tildedennis
citadel version 0.0.1.1

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 20
Origin country: FR
Mail intelligence: No data
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness: (not reported)
Behaviour:
- Creating a window
- Unauthorized injection to a recently created process
- Connection attempt to an infection source

Result
Threat name: Unknown
Detection: malicious
Classification: phis.spyw.evad (phishing / spyware / evasion)
Score: 100 / 100
Behaviour
Behavior Graph ID 247148 (sample: citadel_0.0.1.1.vir; start date: 19/07/2020; architecture: Windows; score: 100), rendered as a process tree:

Sample-level signatures:
- Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
- Malicious sample detected (through community Yara rule)
- Antivirus / Scanner detection for submitted sample
- 4 other signatures

citadel_0.0.1.1.exe (node 9), started
- Network: 0.0.1.1 (unknown / unknown). This address lies in the reserved 0.0.0.0/8 range and matches the version number in the file name, so it is almost certainly a string the sandbox mis-read as an IP rather than a contacted host.
- Dropped: C:\Users\user\...\citadel_0.0.1.1.exe.log (ASCII)
- Signatures: Drops batch files with force delete cmd (self deletion); Injects a PE file into a foreign processes
- Child: citadel_0.0.1.1.exe (node 14), started
  - Dropped: C:\Users\user\AppData\...\onutkoobdi.exe (PE32); C:\Users\user\AppData\...\tmpb15807ab.bat (DOS batch); C:\Users\user\AppData\Local\...\tmp4240.tmp (PE32); C:\Users\user\AppData\Local\...\tmp41A2.tmp (PE32)
  - Signatures: Overwrites Windows DLL code with PUSH RET codes; Overwrites code with function prologues
  - Child: onutkoobdi.exe (node 20), started
    - Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
    - Child: onutkoobdi.exe (node 25), started
      - Dropped: C:\Users\user\AppData\Local\...\tmp6170.tmp (PE32); C:\Users\user\AppData\Local\...\tmp5E43.tmp (PE32)
      - Signatures: Injects code into the Windows Explorer (explorer.exe); Overwrites Windows DLL code with PUSH RET codes; Overwrites code with function prologues; 4 other signatures
      - Injected: dfnfUmIkezpgoFPVkLqEOzGQF.exe (node 31)
        - Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Disables Internet Explorer cookie cleaning (a user can no longer delete cookies); 2 other signatures
      - Injected: dfnfUmIkezpgoFPVkLqEOzGQF.exe (node 34)
        - Signatures: Overwrites Windows DLL code with PUSH RET codes; Overwrites code with function prologues
      - Injected: dfnfUmIkezpgoFPVkLqEOzGQF.exe (node 36)
      - 14 other processes (node 38)
        - Network: 104.108.35.215 port 80 (from local port 49703), AKAMAI-ASUS, United States; 104.108.49.57 port 443 (from local port 49704), AKAMAI-ASUS, United States
  - Child: cmd.exe (node 23), started
    - Child: conhost.exe (node 29), started
- Child: citadel_0.0.1.1.exe (node 18), started

Both network addresses sit in Akamai CDN space shared by many legitimate services, so they are not usable as Citadel C2 indicators on their own. The self-deletion batch file, the dropped executable under AppData, the injection into explorer.exe and the PUSH/RET overwrites of DLL code (the inline API hooks ZeuS-family bankers install for form grabbing and web injection) are the better pivots for hunting.
Result
Threat name: ByteCode-MSIL.Trojan.Razy
Status: Suspicious
First seen: 2016-08-03 05:45:47 UTC
AV detection: 25 of 31 (80.65%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour:
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
- Adds Run key to start application
- Loads dropped DLL
- Deletes itself
- Executes dropped EXE

Result
Threat name: Unknown
Score: 1.00
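The vendor signatures above (WriteProcessMemory and SetThreadContext against a freshly created process, a PE image injected into foreign processes, code written into explorer.exe) together describe process hollowing followed by remote injection into an existing process. The following is an added example of turning such an API trace into findings; it is not the sandbox's, any vendor's or MalwareBazaar's code, and the trace format, process names, PIDs and log entries are all constructed for illustration.

```python
"""Detection logic for the injection chain reported above: process hollowing
(CreateProcess -> WriteProcessMemory -> SetThreadContext -> ResumeThread against
the caller's own child) and remote code injection (write plus an execution
primitive against a process the caller did not create, e.g. explorer.exe).

Added example; not sandbox, vendor or MalwareBazaar code. The trace format
(caller_pid, api, target_pid), the process table and the PIDs are constructed.
"""
from collections import defaultdict

# Constructed process table for the trace below.
PROCESSES = {
    1000: "sample.exe",     # the dropper
    1004: "sample.exe",     # child created by 1000, then hollowed
    1234: "explorer.exe",
    2000: "taskmgr.exe",
    2001: "notepad.exe",
    3000: "debugger.exe",
    3001: "target.exe",
}

# Constructed API-monitor trace: (caller_pid, api, target_pid).
SAMPLE_TRACE = [
    (1000, "CreateProcessW", 1004),        # child started (suspended)
    (1000, "NtUnmapViewOfSection", 1004),
    (1000, "VirtualAllocEx", 1004),
    (1000, "WriteProcessMemory", 1004),    # PE image written into the child
    (1000, "SetThreadContext", 1004),      # entry point redirected
    (1000, "ResumeThread", 1004),
    (1004, "OpenProcess", 1234),           # hollowed child reaches into explorer.exe
    (1004, "VirtualAllocEx", 1234),
    (1004, "WriteProcessMemory", 1234),
    (1004, "CreateRemoteThread", 1234),
    (2000, "OpenProcess", 2001),           # read-only access: no write primitive
    (2000, "ReadProcessMemory", 2001),
    (3000, "WriteProcessMemory", 3001),    # write without execution: not flagged
]

# Ordered chain that characterises process hollowing.
HOLLOWING_CHAIN = ("CreateProcess", "WriteProcessMemory", "SetThreadContext", "ResumeThread")
# Primitives that plant code, and primitives that get it executed.
WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory"}
EXEC_APIS = {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread",
             "QueueUserAPC", "SetThreadContext", "NtSetContextThread"}


def normalize(api: str) -> str:
    """Fold ANSI/Unicode variants (CreateProcessA/W) onto one name."""
    return api[:-1] if len(api) > 1 and api[-1] in "AW" else api


def in_order(apis, chain) -> bool:
    """True if every step of chain appears in apis in that order (as a subsequence)."""
    it = iter(apis)
    return all(any(api == step for api in it) for step in chain)


def detect_injection(trace, processes):
    """Return one finding per (caller, target) pair whose calls amount to injection."""
    per_pair = defaultdict(list)
    for caller, api, target in trace:
        if caller != target:
            per_pair[(caller, target)].append(normalize(api))

    findings = []
    for (caller, target), apis in per_pair.items():
        created = "CreateProcess" in apis
        wrote = any(a in WRITE_APIS for a in apis)
        executed = any(a in EXEC_APIS for a in apis)
        if not (wrote and executed):
            continue  # reading, or writing without execution, is not injection by itself
        if created and in_order(apis, HOLLOWING_CHAIN):
            technique = "process_hollowing"
        else:
            technique = "remote_code_injection"
        findings.append({
            "technique": technique,
            "caller": caller,
            "caller_name": processes.get(caller, "?"),
            "target": target,
            "target_name": processes.get(target, "?"),
            "apis": apis,
        })
    return findings


if __name__ == "__main__":
    for f in detect_injection(SAMPLE_TRACE, PROCESSES):
        print(f"{f['technique']:22s} {f['caller_name']}({f['caller']}) -> "
              f"{f['target_name']}({f['target']}): {', '.join(f['apis'])}")
```

Requiring both a write and an execution primitive on the same (caller, target) pair is what keeps debuggers and memory scanners out of the results; the hollowing rule additionally insists that the caller created the target and that the four steps occur in order, which is the pattern behind the "Unauthorized injection to a recently created process" verdict above.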

File information

No delivery method or external references are recorded for this sample.

Comments