MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb5f1bfcdfa6db5211196411e6b6291f284e3c2ee3404ca9608805f282f87640. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Citadel


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb5f1bfcdfa6db5211196411e6b6291f284e3c2ee3404ca9608805f282f87640
SHA3-384 hash: 8ffa040e29d8e4b9b8cbbbeb2735f5ebf679f3ac3b03a6a5c7a5ac13a981d6981203fd00fb46dea98645b242ab5ce25d
SHA1 hash: be03886a396523eb7c48197ee5bb16750f1d1c2e
MD5 hash: 552ad9935fadd8be0674b1d6b85524b2
humanhash: oklahoma-bulldog-delta-georgia
File name:eb5f1bfcdfa6db5211196411e6b6291f284e3c2ee3404ca9608805f282f87640
Download: download sample
Signature Citadel
Create hunting rule
File size:524'288 bytes
First seen:2020-11-11 11:23:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 49b6d59f9f467a2c7ab9af11438fb7e0 (4 x Citadel)
ssdeep 6144:YzAGTqj7MFVYND1Er1M4dm54h11WzlJTrRv76RYJN1tLMjOPkd9jT:YK7MLYdKJM4dC40/IKlLMkU9f
Threatray 20 similar samples on MalwareBazaar
TLSH BEB4E1EF7124ADE0DD4DE8F4A4B4477D224BACCDE6474E131960B99B91F26520CBB8B0
Reporter seifreed
Tags:Citadel

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Dropper.Remcos-7647284-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eb5f1bfcdfa6db5211196411e6b6291f284e3c2ee3404ca9608805f282f87640/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2020-11-11 11:27:12 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5nprx7g7u3nveeizmqi6nnrjd4ue4pbo4naezklarac7faxyozaa._file
Verdict:
malicious
Similar samples:
0e870ae38822a23ec2dbc955c7d749b44ffad06338feccf6b6427cc1d4ee228a
Citadel
27b86c92d6a04f4074462098e1ea9c0142816b66667effecb36ccde317458166
Citadel
2b123fa8f08714a93a01db03bdf4ecd31d268d5d279900b9c67fec861c2bc11c
Citadel
2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d
Citadel
371b9214f60a70c81ec1756d284e8028ff7603498341ecb7fa5cc09f3b10043e
Citadel
76494ca680d605eca75201ecf6c87bf1c6070c640e95bf3acfd633ac529a8487
Citadel
b1e971ba689623d9fbc5befb741a9d9e046515a0c05d0adc27a165471bc6303d
Citadel
b68844095af181c139ed272cb04e830f803770518ad9dd78cb789e8f4571b4c3
Citadel
f5a286e7a4f4fbdfa37f541dd0e7561038883a315139a4a7cf508f2490a81b76
Citadel
fcce249643f7fe240695fdbc393b54a543fa4a49942b56ad8aad6f219c4f896d
Citadel
+ 10 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201111-zlbz8bmy6n/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
eb5f1bfcdfa6db5211196411e6b6291f284e3c2ee3404ca9608805f282f87640
MD5 hash:
552ad9935fadd8be0674b1d6b85524b2
SHA1 hash:
be03886a396523eb7c48197ee5bb16750f1d1c2e
Link:
https://www.unpac.me/results/2594b57f-4486-421a-9641-08d6f10c45d4/
SH256 hash:
ddc57833c2ce8f0fdfb7535e52d25bdb350dca81241df03391f9f4d7e41d3cc7
MD5 hash:
00649e3bf27995a9fcd494bc0d0203f4
SHA1 hash:
acb044f4df9be917530758a857c399dc3564976e
Link:
https://www.unpac.me/results/2594b57f-4486-421a-9641-08d6f10c45d4/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Atmos_Malware
Create hunting rule
Author:xylitol@temari.fr
Description:Generic Spyware.Citadel.Atmos Signature
Reference:http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Rule name:Atmos_Packed_Malware
Create hunting rule
Author:xylitol@temari.fr
Description:Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer
Reference:http://www.xylibox.com/2016/02/citadel-0011-atmos.html
Rule name:citadel13xy
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:Citadel 1.5.x.y trojan banker
Rule name:win_citadel_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments