MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79e49f532968d8b8ffa58e61e72135d2faf6e7384733f1e6386c9169d746138a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Intelligence File information Yara Comments

SHA256 hash:	79e49f532968d8b8ffa58e61e72135d2faf6e7384733f1e6386c9169d746138a
SHA3-384 hash:	4747c90bb1cca1ca9c30d7e1bcc5250e33475f4cfad287ab903c30ed19662ac98f537ab24734777f3f888f5995b944b8
SHA1 hash:	281ebe3a7201cad3de816f8479a5bb51d36874b6
MD5 hash:	86bef096503952ba633b67c711d3bbf9
humanhash:	kentucky-mountain-pizza-one
File name:	citadel_1.3.5.0.vir
Download:	download sample
Signature	ZeuS
File size:	253'952 bytes
First seen:	2020-07-19 19:23:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	82b05c0993cf8c4f58853b8bddf605b8
ssdeep	3072:OFldDkSYCdcaB2UZthZPB2dDIKAHGQE1vikKhpEJaF2gxiN1Fuexw/Pj92/K98pE:OxD00chUZtywQ9Khp7Ouex0V98psNk
TLSH	DB44F18071529A7BC8F5C2FA58BF4E498535AD090F0164CB77D41F4E6AF82D2AF3522B
Reporter	@tildedennis
Tags:	Citadel ZeuS

@tildedennis

citadel version 1.3.5.0

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Mail intelligence

No data

Vendor Threat Intelligence

Detection:

Zeus

Link:

https://www.capesandbox.com/analysis/28138/

Detection(s):

SecuriteInfo.com.Generic_r.BHP.21362.2106.18750.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Sending an HTTP GET request

Creating a file in the %temp% subdirectories

Reading critical registry keys

Creating a file

Deleting a recently created file

Reading Telegram data

Running batch commands

Creating a process with a hidden window

Launching a process

Sending a TCP request to an infection source

Stealing user critical data

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/390141

Behaviour

Behavior Graph:

Download SVG

Detection:

citadel

Link:

https://mwdb.cert.pl/sample/79e49f532968d8b8ffa58e61e72135d2faf6e7384733f1e6386c9169d746138a/

Threat name:

Win32.Trojan.Zbot

Status:

Malicious

First seen:

2012-09-24 20:16:00 UTC

AV detection:

21 of 25 (84.00%)

Threat level

5/5

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/200719-vackyqt2q2/

Behaviour

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

NTFS ADS

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Program crash

Suspicious use of SetThreadContext

Adds Run key to start application

Checks installed software on the system

Loads dropped DLL

Deletes itself

Reads user/profile data of web browsers

Executes dropped EXE

AV coverage:

87.50%

AV detections:

63 / 72

Link:

https://www.virustotal.com/gui/file/79e49f532968d8b8ffa58e61e72135d2faf6e7384733f1e6386c9169d746138a/detection/f-79e49f532968d8b8ffa58e61e72135d2faf6e7384733f1e6386c9169d746138a-1578640258

Threat name:

Unknown

Score:

1.00

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Link

https://zeusmuseum.com/citadel/

Cape

https://www.capesandbox.com/analysis/28138/

Comments

Login required

You need to login to in order to write a comment. Login with your Twitter account.

No comments found for this malware sample