MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa84cc4fd2150d0dd0986943e8567dca381c47c69b29673e8ba120d922fcced3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Citadel
Vendor detections: 13

SHA256 hash: aa84cc4fd2150d0dd0986943e8567dca381c47c69b29673e8ba120d922fcced3
SHA3-384 hash: 5f42226876f08d25272aa884c1ac36fd0568fe1257ca13a62ca377585fb4c028f57a52c7cbf717e5bd0dc233c8071adf
SHA1 hash: d74ed2840f0fc67d632890ff471a71dcfb859726
MD5 hash: 85d23cbcf8d86be8a0d0e4633e24b94a
humanhash: jig-johnny-foxtrot-bacon
File name: aa84cc4fd2150d0dd0986943e8567dca381c47c69b29673e8ba120d922fcced3.bin
Download: download sample
Signature: Citadel
File size: 912'172 bytes
First seen: 2023-12-13 02:16:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 45e32db5371a83c22f83161834883d6e (1 x Citadel)
ssdeep: 24576:wfna/BVJITZ+9zlmSzFpIS+1Ao4T1oUwaCDnbbXTy2:wfud0KzlmSzFWS+1Y6UPCTbbu2
Threatray: 10 similar samples on MalwareBazaar
TLSH: T1D1150173BBD000B6CAB21134972A6735AAFEAD305775E747E3D00E446E76DA28A35313
TrID:
  26.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  21.0% (.SCR) Windows screen saver (13097/50/3)
  16.8% (.EXE) Win64 Executable (generic) (10523/12/4)
  10.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  8.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: e096b22b2baa8ef0 (1 x Citadel)
Reporter: tildedennis
Tags: Citadel exe


tildedennis
citadel version 1.3.5.1

Intelligence


File Origin
# of uploads: 1
# of downloads: 440
Origin country: US
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Moving a file to the %temp% directory
Launching a process
Creating synchronization primitives
Unauthorized injection to a system process
Gathering data
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control greyware keylogger lolbin masquerade overlay packed shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: malicious
Classification: spyw.evad
Score: 72 / 100
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to inject code into remote processes
Contains functionality to modify clipboard data
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Writes to foreign memory regions
Behaviour
Behavior Graph (ID 1361156; sample TjfD2jS95W.exe; start date 13/12/2023; architecture WINDOWS; score 72):
TjfD2jS95W.exe started
    Antivirus / Scanner detection for submitted sample
    Multi AV Scanner detection for submitted file
    Contains functionality to modify clipboard data
    dropped C:\Users\user\AppData\Local\Temp\dXCKeJ.exe (PE32)
    cmd.exe started
        dXCKeJ.exe started
            Contains functionality to inject code into remote processes
            Writes to foreign memory regions
            Contains functionality to modify clipboard data
            Sample uses process hollowing technique
            svchost.exe started
                WerFault.exe started
        conhost.exe started
Threat name: Win32.Trojan.Beeldeb
Status: Malicious
First seen: 2015-02-12 00:15:00 UTC
File Type: PE (Exe)
Extracted files: 36
AV detection: 24 of 37 (64.86%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: discovery persistence upx
Behaviour
Modifies Internet Explorer settings
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
UPX packed file
Unpacked files
SHA256 hash: 1f798b2bc8cd2fef6c10b20342668be4379a92102cf8b4190054e6cbf3494337
MD5 hash: c682eece384f7d9164de4403367ffd91
SHA1 hash: 9b1d13a996a15a6585a55447b8776490bba9b00e
Detections: win_citadel_auto win_citadel_g0

SHA256 hash: 9ee2b0f67f2b0b1f41c902085caad30c478269d9bce600001bfc80dd727c4bed
MD5 hash: 035082c035ae66697bb3f1b55563e59d
SHA1 hash: c642a08bf629ff1426b99feb2a98b65e617d4157

SHA256 hash: 75192813e1fcefed89502f8863527a0382cd91f4f672503c30799a5ccf8d2492
MD5 hash: cd6a7843526f7343fd46d0913f206aeb
SHA1 hash: 59a12a0d40e65faa68eff6f2e06a0d2b687b7560

SHA256 hash: 0e0f129ec15e88e209352d1cb7819d45a0dbba87a1d2912ccfcdc84b83e759b7
MD5 hash: 09c88ab873a7b8ddb34fa7492f9b0668
SHA1 hash: 6bf8602dd0c123c653aaf1ee4dbb09371fedce70

SHA256 hash: aa84cc4fd2150d0dd0986943e8567dca381c47c69b29673e8ba120d922fcced3
MD5 hash: 85d23cbcf8d86be8a0d0e4633e24b94a
SHA1 hash: d74ed2840f0fc67d632890ff471a71dcfb859726
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.