MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fcce249643f7fe240695fdbc393b54a543fa4a49942b56ad8aad6f219c4f896d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZeuS


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Add tag Delete this sample Report a False Positive

SHA256 hash: fcce249643f7fe240695fdbc393b54a543fa4a49942b56ad8aad6f219c4f896d
SHA3-384 hash: 32248b1cce2cddec933fcd6c219295e12a9b6aed2631457e2f12f65aa58910c6c86293018e637374a220c0f4030d0af8
SHA1 hash: 0bc40dc4b0d380b42b2bfbd89eedfc9669be9367
MD5 hash: 5abefe1af6518c5daccbe0833b75858b
humanhash: video-carolina-zebra-hot
File name:citadel_1.1.0.0.vir
Download: download sample
Signature ZeuS
Create hunting rule
File size:410'624 bytes
First seen:2020-07-19 19:24:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4f38cd28b7f29cd01055751e8877b6e6 (1 x ZeuS)
ssdeep 6144:tjwpUMJiu6Kzm0Hd5kR8HU4yUmASecgLQs:xwpUciu6PWO8HUGTp
Threatray 109 similar samples on MalwareBazaar
TLSH AE94D047699C5193C8416930F8A8D8E7221A7C1C6BA9A77B3354FFA23339DD62474F23
Reporter @tildedennis
Tags:Citadel ZeuS


Twitter
@tildedennis
citadel version 1.1.0.0

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28150/
Detection(s):
SecuriteInfo.com.Win32.VBCrypt.21493.13385.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name:
ZeusVM
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/390177
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 247270 Sample: citadel_1.1.0.0.vir Startdate: 20/07/2020 Architecture: WINDOWS Score: 100 54 Malicious sample detected (through community Yara rule) 2->54 56 Antivirus / Scanner detection for submitted sample 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 4 other signatures 2->60 9 citadel_1.1.0.0.exe 1 2->9         started        process3 dnsIp4 40 1.1.0.0 CLOUDFLARENETUS China 9->40 70 Detected unpacking (changes PE section rights) 9->70 72 Detected unpacking (overwrites its own PE header) 9->72 74 Drops batch files with force delete cmd (self deletion) 9->74 13 citadel_1.1.0.0.exe 7 9->13         started        signatures5 process6 file7 36 C:\Users\user\AppData\Roaming\...\oqesd.exe, PE32 13->36 dropped 38 C:\Users\user\AppData\...\tmpc39e950f.bat, DOS 13->38 dropped 76 Overwrites Windows DLL code with PUSH RET codes 13->76 78 Overwrites code with function prologues 13->78 17 oqesd.exe 1 13->17         started        20 cmd.exe 1 13->20         started        signatures8 process9 signatures10 46 Antivirus detection for dropped file 17->46 48 Detected unpacking (changes PE section rights) 17->48 50 Detected unpacking (overwrites its own PE header) 17->50 52 3 other signatures 17->52 22 oqesd.exe 17->22         started        25 conhost.exe 20->25         started        process11 signatures12 62 Injects code into the Windows Explorer (explorer.exe) 22->62 64 Overwrites Windows DLL code with PUSH RET codes 22->64 66 Overwrites code with function prologues 22->66 68 4 other signatures 22->68 27 svchost.exe 22->27 injected 30 TRzQmRxxMfjhQPeCOGDnNmXv.exe 22->30 injected 32 TRzQmRxxMfjhQPeCOGDnNmXv.exe 22->32 injected 34 19 other processes 22->34 process13 dnsIp14 42 92.123.29.59, 443, 49699 AKAMAI-ASUS European Union 27->42 44 92.123.7.210, 49698, 80 AKAMAI-ASUS European Union 27->44
Detection:
n/a
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fcce249643f7fe240695fdbc393b54a543fa4a49942b56ad8aad6f219c4f896d/
Threat name:
Win32.Trojan.Zeus
Create hunting rule
Status:
Malicious
First seen:
2013-10-10 09:09:00 UTC
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1ec347934db2ded3a012479882732bfb3cdc85b0d4b2911e3402c1fa693a2235
ZeuS
27b86c92d6a04f4074462098e1ea9c0142816b66667effecb36ccde317458166
ZeuS
2b123fa8f08714a93a01db03bdf4ecd31d268d5d279900b9c67fec861c2bc11c
ZeuS
2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d
ZeuS
371b9214f60a70c81ec1756d284e8028ff7603498341ecb7fa5cc09f3b10043e
ZeuS
51bc210eb085de493839d64fb12c5dddfeb856a8f590587222e42dd6f6118bc1
ZeuS
76494ca680d605eca75201ecf6c87bf1c6070c640e95bf3acfd633ac529a8487
ZeuS
b1e971ba689623d9fbc5befb741a9d9e046515a0c05d0adc27a165471bc6303d
ZeuS
b68844095af181c139ed272cb04e830f803770518ad9dd78cb789e8f4571b4c3
ZeuS
d83e3f5b248bc0b1676bb081cd50e8df0dd600f4b9253465aa6ed63f263cfd19
ZeuS
+ 99 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence evasion
Link:
https://tria.ge/reports/200719-3rnfybhh2j/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Adds Run key to start application
Adds Run key to start application
Identifies Wine through registry keys
Loads dropped DLL
Deletes itself
Identifies Wine through registry keys
Executes dropped EXE
Executes dropped EXE
AV coverage:
87.14%
AV detections:
61 / 70
Link:
https://www.virustotal.com/gui/file/fcce249643f7fe240695fdbc393b54a543fa4a49942b56ad8aad6f219c4f896d/detection/f-fcce249643f7fe240695fdbc393b54a543fa4a49942b56ad8aad6f219c4f896d-1578640395
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fcce249643f7fe240695fdbc393b54a543fa4a49942b56ad8aad6f219c4f896d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://zeusmuseum.com/citadel/
Cape
Cape
https://www.capesandbox.com/analysis/28150/

Comments