MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bebdaba9f180c6a34000e35386d3c7a7d31e280089b797adf6df0ca5a770be8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Citadel

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	bebdaba9f180c6a34000e35386d3c7a7d31e280089b797adf6df0ca5a770be8f
SHA3-384 hash:	30cc03eabb6181f0cf94629a31df33a9958c8e6309e42714842e77394c82f809e6fa881c0e6446935ecec55a239b6f76
SHA1 hash:	71cbf8fd11733cda4e4b44ece5c7c3bda68c022b
MD5 hash:	4c4a0f6eaa5cd3ba365fa8fceb3f17c6
humanhash:	beryllium-sierra-triple-iowa
File name:	VGM + ISF + invoice+packing list.scr
Download:	download sample
Signature	Citadel Create hunting rule
File size:	944'640 bytes
First seen:	2021-01-12 07:23:41 UTC
Last seen:	2021-01-12 08:54:49 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:yG4KuRgAnD1HdrFT6t1DDOiDEdBk+iNN2Oi9jP56r:yG4KuRLnD5zY1DCdBkJNN2Vi
Threatray	24 similar samples on MalwareBazaar
TLSH	06158C618B929751D7AC27FE2411006127E5CF75F3E8EB68ED8970B26F76A2801FD1C2
Reporter	abuse_ch
Tags:	Citadel scr

abuse_ch

Malspam distributing unidentified malware:

HELO: mail.jetmails.xyz
Sending IP: 5.189.220.165
From: "Jennifer Chen <Jennifer.Chen@chrobinson.com>" <admin@jetmails.xyz>
Subject: S/O# 0822 cut off; 01/18 <AMEND> s/o# N085 Cut off:01/22 聯船期詢問
Attachment: VGM + ISF + invoice+packing list.zip (contains "VGM + ISF + invoice+packing list.scr")

Intelligence

File Origin

# of uploads :

# of downloads :

204

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

VGM + ISF + invoice+packing list.scr

Verdict:

Suspicious activity

Analysis date:

2021-01-12 08:10:11 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8723f4ea-3f72-453c-b7cc-758abcd6aaf2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/111426/

Detection(s):

SecuriteInfo.com.Generic.HEUR.QVM03.0.8D7D.Malware.Gen.6298.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Launching the default Windows debugger (dwwin.exe)

Result

Threat name:

Atmos Citadel

Detection:

malicious

Classification:

bank.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/578746

Signature

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Overwrites code with function prologues

Overwrites Windows DLL code with PUSH RET codes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM_3

Yara detected Atmos Banker

Yara detected Citadel

Behaviour

Behavior Graph:

Download SVG

Detection:

citadel

Link:

https://mwdb.cert.pl/sample/bebdaba9f180c6a34000e35386d3c7a7d31e280089b797adf6df0ca5a770be8f/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=x262xkprqddkgqaa4njynu6hu7jr4kaarg3zplpw34gklj3qx2hq._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/210112-kn564f16a2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

d5b8af91cb95d4b7a74f97fce805767bcadc3e201b3d7195569aa67d4ed92940

MD5 hash:

4f20f3a2fe09f185a0163e8a84adf4d9

SHA1 hash:

3c7efb0499411c313e1f7fd191daa7a48bdcd64c

Detections:

win_citadel_auto

Link:

https://www.unpac.me/results/b0952c02-30fe-4bce-b873-2c4be46ec99a/

SH256 hash:

296620e9308a1069ca98d27c426f25f5c1f87d9240bb371c657571034b0261b5

MD5 hash:

4cf24d41a7882216740280e3294cb853

SHA1 hash:

6bcb31d3dc0a7d71da1067a628168664202769a4

Link:

https://www.unpac.me/results/b0952c02-30fe-4bce-b873-2c4be46ec99a/

SH256 hash:

0397e0fb50b10f0a3a85c22a58d1fa22dfe9b2f3a4ecd343328b4815b5924c9e

MD5 hash:

a4dbb9f96cd20ac1f1119f37982bb92e

SHA1 hash:

083ca93b90eb07e63d9902ab4e3d5fd18dba8750

Link:

https://www.unpac.me/results/b0952c02-30fe-4bce-b873-2c4be46ec99a/

SH256 hash:

73875e35cca8aaf3cb36f49101d98b2da45a7391e5fddb696c362d621fb084da

MD5 hash:

a74b823117228d01b339b6556cefaf68

SHA1 hash:

a8302ef12cf2b82c921297f12d9784292165a5f9

Detections:

win_citadel_auto

Link:

https://www.unpac.me/results/b0952c02-30fe-4bce-b873-2c4be46ec99a/

SH256 hash:

bebdaba9f180c6a34000e35386d3c7a7d31e280089b797adf6df0ca5a770be8f

MD5 hash:

4c4a0f6eaa5cd3ba365fa8fceb3f17c6

SHA1 hash:

71cbf8fd11733cda4e4b44ece5c7c3bda68c022b

Link:

https://www.unpac.me/results/b0952c02-30fe-4bce-b873-2c4be46ec99a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.85

Link:

https://yomi.yoroi.company/submissions/bebdaba9f180c6a34000e35386d3c7a7d31e280089b797adf6df0ca5a770be8f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Citadel

zip 4c776a5373d0ef3f69ce8c73a4a3e1175b1cc492eadebd03dd05efef35c4f093

Citadel

exe bebdaba9f180c6a34000e35386d3c7a7d31e280089b797adf6df0ca5a770be8f

(this sample)

Dropped by

MD5 68f02e714aee5ef4a7d59edd0b8fce4a

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 4c776a5373d0ef3f69ce8c73a4a3e1175b1cc492eadebd03dd05efef35c4f093

Cape

https://www.capesandbox.com/analysis/111426/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample