MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fcce249643f7fe240695fdbc393b54a543fa4a49942b56ad8aad6f219c4f896d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Intelligence File information Yara Comments
Add tag Delete this sample Report a False Positive

SHA256 hash: fcce249643f7fe240695fdbc393b54a543fa4a49942b56ad8aad6f219c4f896d
SHA3-384 hash: 32248b1cce2cddec933fcd6c219295e12a9b6aed2631457e2f12f65aa58910c6c86293018e637374a220c0f4030d0af8
SHA1 hash: 0bc40dc4b0d380b42b2bfbd89eedfc9669be9367
MD5 hash: 5abefe1af6518c5daccbe0833b75858b
humanhash: video-carolina-zebra-hot
File name:citadel_1.1.0.0.vir
Download: download sample
Signature ZeuS
File size:410'624 bytes
First seen:2020-07-19 19:24:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4f38cd28b7f29cd01055751e8877b6e6
ssdeep 6144:tjwpUMJiu6Kzm0Hd5kR8HU4yUmASecgLQs:xwpUciu6PWO8HUGTp
TLSH AE94D047699C5193C8416930F8A8D8E7221A7C1C6BA9A77B3354FFA23339DD62474F23
Reporter @tildedennis
Tags:Citadel ZeuS


Twitter
@tildedennis
citadel version 1.1.0.0

Intelligence

File Origin
# of uploads :
1
# of downloads :
18
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28150/
Detection(s):
SecuriteInfo.com.Win32.VBCrypt.21493.13385.UNOFFICIAL
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name:
ZeusVM
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/390177
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 247270 Sample: citadel_1.1.0.0.vir Startdate: 20/07/2020 Architecture: WINDOWS Score: 100 54 Malicious sample detected (through community Yara rule) 2->54 56 Antivirus / Scanner detection for submitted sample 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 4 other signatures 2->60 9 citadel_1.1.0.0.exe 1 2->9         started        process3 dnsIp4 40 1.1.0.0 CLOUDFLARENETUS China 9->40 70 Detected unpacking (changes PE section rights) 9->70 72 Detected unpacking (overwrites its own PE header) 9->72 74 Drops batch files with force delete cmd (self deletion) 9->74 13 citadel_1.1.0.0.exe 7 9->13         started        signatures5 process6 file7 36 C:\Users\user\AppData\Roaming\...\oqesd.exe, PE32 13->36 dropped 38 C:\Users\user\AppData\...\tmpc39e950f.bat, DOS 13->38 dropped 76 Overwrites Windows DLL code with PUSH RET codes 13->76 78 Overwrites code with function prologues 13->78 17 oqesd.exe 1 13->17         started        20 cmd.exe 1 13->20         started        signatures8 process9 signatures10 46 Antivirus detection for dropped file 17->46 48 Detected unpacking (changes PE section rights) 17->48 50 Detected unpacking (overwrites its own PE header) 17->50 52 3 other signatures 17->52 22 oqesd.exe 17->22         started        25 conhost.exe 20->25         started        process11 signatures12 62 Injects code into the Windows Explorer (explorer.exe) 22->62 64 Overwrites Windows DLL code with PUSH RET codes 22->64 66 Overwrites code with function prologues 22->66 68 4 other signatures 22->68 27 svchost.exe 22->27 injected 30 TRzQmRxxMfjhQPeCOGDnNmXv.exe 22->30 injected 32 TRzQmRxxMfjhQPeCOGDnNmXv.exe 22->32 injected 34 19 other processes 22->34 process13 dnsIp14 42 92.123.29.59, 443, 49699 AKAMAI-ASUS European Union 27->42 44 92.123.7.210, 49698, 80 AKAMAI-ASUS European Union 27->44
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fcce249643f7fe240695fdbc393b54a543fa4a49942b56ad8aad6f219c4f896d/
Threat name:
Win32.Trojan.Zbot
Status:
Malicious
First seen:
2013-10-10 09:09:00 UTC
AV detection:
22 of 25 (88.00%)
Threat level
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence evasion
Link:
https://tria.ge/reports/200719-3rnfybhh2j/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Adds Run key to start application
Adds Run key to start application
Identifies Wine through registry keys
Loads dropped DLL
Deletes itself
Identifies Wine through registry keys
Executes dropped EXE
Executes dropped EXE
AV coverage:
87.14%
AV detections:
61 / 70
Link:
https://www.virustotal.com/gui/file/fcce249643f7fe240695fdbc393b54a543fa4a49942b56ad8aad6f219c4f896d/detection/f-fcce249643f7fe240695fdbc393b54a543fa4a49942b56ad8aad6f219c4f896d-1578640395
Threat name:
Unknown
Score:
1.00

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://zeusmuseum.com/citadel/
Cape
Cape
https://www.capesandbox.com/analysis/28150/

Comments