
Analysis Report citadel_1.3.3.3.vir

Overview

General Information

Sample Name: citadel_1.3.3.3.vir (renamed file extension from vir to exe)
Analysis ID: 247208
MD5: 50854eb699adde84c0106ac46d7859e5
SHA1: 24e47df1ca6df385e6ee7e47ae3ba3efee8713f5
SHA256: deb51e50b4628567f8690316317083aa337b10d9a23cbbf5d8a21b6d6e8e194f

Detection

ZeusVM
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected ZeusVM e-Banking Trojan
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Contains VNC / remote desktop functionality (version string found)
Machine Learning detection for sample
PE file has a writeable .text section
Antivirus or Machine Learning detection for unpacked file
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Internet Provider seen in connection with other malware
May initialize a security null descriptor
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Program does not show much activity (idle)
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara signature match

Classification

Startup

  • System is w10x64
  • citadel_1.3.3.3.exe (PID: 5148 cmdline: 'C:\Users\user\Desktop\citadel_1.3.3.3.exe' MD5: 50854EB699ADDE84C0106AC46D7859E5)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000000.00000002.771080116.0000000000400000.00000040.00020000.sdmp
Rule: citadel13xy
Description: Citadel 1.5.x.y trojan banker
Author: Jean-Philippe Teissier / @Jipe_
Strings:
  • 0x75cc:$c: %BOTID%
  • 0x75d4:$d: %BOTNET%
  • 0x6b24:$e: cit_video.module
  • 0x1898:$ggurl: http://www.google.com/webhp

Source: Process Memory Space: citadel_1.3.3.3.exe PID: 5148
Rule: citadel13xy
Description: Citadel 1.5.x.y trojan banker
Author: Jean-Philippe Teissier / @Jipe_
Strings:
  • 0x2bb2:$c: %BOTID%
  • 0x6c27:$c: %BOTID%
  • 0x93a7:$c: %BOTID%
  • 0x9580:$c: %BOTID%
  • 0x2bda:$d: %BOTNET%
  • 0x6c14:$d: %BOTNET%
  • 0x93bb:$d: %BOTNET%
  • 0x9587:$d: %BOTNET%
  • 0x1cdb:$e: cit_video.module
  • 0x8971:$e: cit_video.module
  • 0x8ba8:$e: cit_video.module
  • 0x80f:$ggurl: http://www.google.com/webhp
  • 0x5ce1:$ggurl: http://www.google.com/webhp
  • 0x7c8f:$ggurl: http://www.google.com/webhp
  • 0x7cdf:$ggurl: http://www.google.com/webhp

Unpacked PEs

Source: 0.2.citadel_1.3.3.3.exe.400000.0.raw.unpack
Rule: citadel13xy
Description: Citadel 1.5.x.y trojan banker
Author: Jean-Philippe Teissier / @Jipe_
Strings:
  • 0x75cc:$c: %BOTID%
  • 0x75d4:$d: %BOTNET%
  • 0x6b24:$e: cit_video.module
  • 0x1898:$ggurl: http://www.google.com/webhp

Source: 0.2.citadel_1.3.3.3.exe.400000.0.unpack
Rule: citadel13xy
Description: Citadel 1.5.x.y trojan banker
Author: Jean-Philippe Teissier / @Jipe_
Strings:
  • 0x69cc:$c: %BOTID%
  • 0x69d4:$d: %BOTNET%
  • 0x5f24:$e: cit_video.module
  • 0xc98:$ggurl: http://www.google.com/webhp

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: citadel_1.3.3.3.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: citadel_1.3.3.3.exe | Virustotal: Detection: 87%
Source: citadel_1.3.3.3.exe | Metadefender: Detection: 71%
Source: citadel_1.3.3.3.exe | ReversingLabs: Detection: 92%
Machine Learning detection for sample
Source: citadel_1.3.3.3.exe | Joe Sandbox ML: detected
Source: 0.2.citadel_1.3.3.3.exe.a70000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.citadel_1.3.3.3.exe.400000.0.unpack | Avira: Label: TR/Kazy.MK
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_004293CE CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_00414D8C CryptUnprotectData,LocalFree
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_0041918D GetFileAttributesExW,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_0042ECDC FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_0042ED97 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_0042A401 GetModuleHandleW,GetProcAddress,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,lstrlenW,lstrcpynW,lstrcpynW,lstrcpynW
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_00422860 EnterCriticalSection,LeaveCriticalSection,InternetReadFileExA
Source: citadel_1.3.3.3.exe | String found in binary or memory: http://www.google.com/webhp
Source: citadel_1.3.3.3.exe, 00000000.00000002.771080116.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: http://www.google.com/webhpbcS:(ML;;NW;;;LW)
Source: citadel_1.3.3.3.exe, 00000000.00000002.771080116.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: https://-%BOTID%%BOTNET%HTTP/1.0HostContent-Lengthhttp://User-AgentRefererContent-TypeAuthorization
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_0041CA06 ExitProcess,GetFileAttributesExW,CreateProcessAsUserA,CreateProcessAsUserW,PlaySoundA,PlaySoundW,HttpOpenRequestW,HttpOpenRequestA,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,HttpEndRequestA,HttpEndRequestW,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetSetFilePointer,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,TranslateMessage,GetClipboardData,PFXImportCertStore
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_0041E51B EnterCriticalSection,GetTickCount,LeaveCriticalSection,GetKeyboardState,ToUnicode,TranslateMessage

E-Banking Fraud:

Detected ZeusVM e-Banking Trojan
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_0041F94F lstrcmpiA,lstrcmpiA,lstrcmpiA,CloseHandle
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_0040A1CC OpenDesktopW,CreateDesktopW,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityInfo,LocalFree

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.771080116.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Citadel 1.5.x.y trojan banker, Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: citadel_1.3.3.3.exe PID: 5148, type: MEMORY | Matched rule: Citadel 1.5.x.y trojan banker, Author: Jean-Philippe Teissier / @Jipe_
Source: 0.2.citadel_1.3.3.3.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Citadel 1.5.x.y trojan banker, Author: Jean-Philippe Teissier / @Jipe_
Source: 0.2.citadel_1.3.3.3.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Citadel 1.5.x.y trojan banker, Author: Jean-Philippe Teissier / @Jipe_
PE file has a writeable .text section
Source: citadel_1.3.3.3.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_0041C818 CreateProcessAsUserA
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_004110F9 CreateMutexW,ExitWindowsEx,OpenEventW,CloseHandle,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,Sleep,GetFileAttributesExW,IsWellKnownSid,GetFileAttributesExW,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_0041B317 InitiateSystemShutdownExW,ExitWindowsEx
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_00410F1B ExitWindowsEx
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_004298E9
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_0040EC6F
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_00405C93
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_0042BD71
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_00407694
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_00A018AF
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_00A0416A
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_00A03957
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_00A013C4
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_00A02DA8
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_00A045B4
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_00A0205D
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_00A04A70
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_00A023A7
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_00A02361
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_00A05438
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_00A0444D
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_00A02DA4
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_00A01DB0
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_00A02DE0
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_00A05566
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_00A02698
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_00A05710
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Section loaded: uyduhkjhdkjhkwwdfgg.dll
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Section loaded: uyduhkjhdkjhkwwdfgg.dll
Source: 00000000.00000002.771080116.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: Process Memory Space: citadel_1.3.3.3.exe PID: 5148, type: MEMORY | Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 0.2.citadel_1.3.3.3.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: 0.2.citadel_1.3.3.3.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: classification engine | Classification label: mal100.bank.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_0040C946 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_0040CABB CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_0042A652 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_0041832A CreateToolhelp32Snapshot,Process32FirstW,GetLengthSid,CloseHandle,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_004148AC CoCreateInstance,CoCreateInstance,CoCreateInstance
Source: citadel_1.3.3.3.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: citadel_1.3.3.3.exe | Virustotal: Detection: 87%
Source: citadel_1.3.3.3.exe | Metadefender: Detection: 71%
Source: citadel_1.3.3.3.exe | ReversingLabs: Detection: 92%
Source: citadel_1.3.3.3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: L:\mqxfVPScw\bgfuSool\IhxwxpevtvKgD\AQQOdsnkpNr\nCbowEsgdado.pdbG24_KKWNMYD4_IP0_OMRU_O4Y4W_HBWU2_Z9J4WPG_1ITV_DZBRGW9_EZ5Q53OYJ2_QM0VPJDV2_W73M_P24YX5691_FI1BE7Z_4ICZCPP79_7XYTPIWA6_CR1_Z88KQV1I_7H121900IQT_SQ8_ZU16XIDW_0IPAQ_UN3ABB5_DTLB_N17XFB_MV3R_XFWLV_ADC945S | source: citadel_1.3.3.3.exe
Source: Binary string: L:\mqxfVPScw\bgfuSool\IhxwxpevtvKgD\AQQOdsnkpNr\nCbowEsgdado.pdb | source: citadel_1.3.3.3.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Unpacked PE file: 0.2.citadel_1.3.3.3.exe.400000.0.unpack .text:EW;.itab:W;.etab:R;.input:W;.data:W;.rsrc:W;.reloc:R; vs .text:ER;.data:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Unpacked PE file: 0.2.citadel_1.3.3.3.exe.400000.0.unpack
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_0042B063 LoadLibraryA,GetProcAddress,FreeLibrary
Source: citadel_1.3.3.3.exe | Static PE information: section name: .itab
Source: citadel_1.3.3.3.exe | Static PE information: section name: .etab
Source: citadel_1.3.3.3.exe | Static PE information: section name: .input
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_004065E9 push cs; iretd
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_004065B3 push cs; ret
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_00405F1D push es; iretd
Source: initial sample | Static PE information: section name: .text entropy: 6.86742796425
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_0040A327 LoadLibraryA,LoadLibraryA,GetProcAddress,OutputDebugStringA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadImageW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe TID: 2444 | Thread sleep count: 80 > 30
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_00410341 GetKeyboardLayoutList followed by cmp: cmp ecx, 08h and CTI: jc 0041037Dh country: Greek (el)
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_00410341 GetKeyboardLayoutList followed by cmp: cmp edx, eax and CTI: jl 00410377h
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_0042ECDC FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_0042ED97 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_0042A401 GetModuleHandleW,GetProcAddress,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,lstrlenW,lstrcpynW,lstrcpynW,lstrcpynW
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_0042B063 LoadLibraryA,GetProcAddress,FreeLibrary
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_0041002B mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_004103AB CreateThread,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,GetProcessHeap,InitializeCriticalSection,WSAStartup,CreateEventW,GetLengthSid,GetCurrentProcessId
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_0042C63B InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_0042087A GetLocalTime
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_0040C8EA GetUserNameExW
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_004281AF GetTimeZoneInformation
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_0040D81D GetVersionExW,GetNativeSystemInfo
Source: citadel_1.3.3.3.exe | Binary or memory string: S:(ML;;NRNWNX;;;LW)

Remote Access Functionality:

Contains VNC / remote desktop functionality (version string found)
Source: citadel_1.3.3.3.exe | String found in binary or memory: RFB 003.003
Source: citadel_1.3.3.3.exe | String found in binary or memory: RFB 003.003
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_0042C160 socket,bind,listen,closesocket
Source: C:\Users\user\Desktop\citadel_1.3.3.3.exe | Code function: 0_2_0042C46C socket,bind,closesocket

MITRE ATT&CK Matrix

Techniques are listed per tactic column of the matrix; a trailing number is the match count shown next to that technique in the report.

Initial Access
  • Valid Accounts 1
  • Replication Through Removable Media
  • External Remote Services
  • Drive-by Compromise
  • Exploit Public-Facing Application
  • Spearphishing Link
  • Spearphishing Attachment
  • Spearphishing via Service
  • Supply Chain Compromise

Execution
  • Execution through API 1
  • Graphical User Interface 1
  • Windows Management Instrumentation
  • Scheduled Task
  • Command-Line Interface
  • Graphical User Interface
  • Scripting
  • Third-party Software
  • Rundll32

Persistence
  • Create Account 1
  • Valid Accounts 1
  • Application Shimming 1
  • System Firmware
  • Shortcut Modification
  • Modify Existing Service
  • Path Interception
  • Logon Scripts
  • DLL Search Order Hijacking

Privilege Escalation
  • Valid Accounts 1
  • Access Token Manipulation 11
  • Application Shimming 1
  • DLL Search Order Hijacking
  • File System Permissions Weakness
  • New Service
  • Scheduled Task
  • Process Injection
  • Service Registry Permissions Weakness

Defense Evasion
  • Software Packing 22
  • Obfuscated Files or Information 2
  • Valid Accounts 1
  • Virtualization/Sandbox Evasion 1
  • Access Token Manipulation 11
  • Install Root Certificate 1
  • DLL Side-Loading 1
  • Indicator Blocking
  • Process Injection

Credential Access
  • Input Capture 11
  • Network Sniffing
  • Input Capture
  • Credentials in Files
  • Account Manipulation
  • Brute Force
  • Two-Factor Authentication Interception
  • Bash History
  • Input Prompt

Discovery
  • System Time Discovery 2
  • Account Discovery 1
  • Security Software Discovery 1
  • File and Directory Discovery 2
  • System Information Discovery 13
  • Network Share Discovery 1
  • Virtualization/Sandbox Evasion 1
  • Process Discovery 1
  • System Owner/User Discovery 1

Lateral Movement
  • Remote File Copy 1
  • Remote Desktop Protocol 1
  • Windows Remote Management
  • Logon Scripts
  • Shared Webroot
  • Third-party Software
  • Pass the Hash
  • Remote Desktop Protocol
  • Windows Admin Shares

Collection
  • Input Capture 11
  • Clipboard Data 1
  • Data from Network Shared Drive
  • Input Capture
  • Data Staged
  • Screen Capture
  • Email Collection
  • Clipboard Data
  • Automated Collection

Exfiltration
  • Data Encrypted 1
  • Exfiltration Over Other Network Medium
  • Automated Exfiltration
  • Data Encrypted
  • Scheduled Transfer
  • Data Transfer Size Limits
  • Exfiltration Over Command and Control Channel
  • Exfiltration Over Alternative Protocol
  • Exfiltration Over Physical Medium

Command and Control
  • Commonly Used Port 1
  • Remote File Copy 1
  • Standard Cryptographic Protocol 2
  • Remote Access Tools 1
  • Standard Cryptographic Protocol
  • Commonly Used Port
  • Uncommonly Used Port
  • Standard Application Layer Protocol
  • Multilayer Encryption

Network Effects
  • Eavesdrop on Insecure Network Communication
  • Exploit SS7 to Redirect Phone Calls/SMS
  • Exploit SS7 to Track Device Location
  • SIM Card Swap
  • Manipulate Device Communication
  • Jamming or Denial of Service
  • Rogue Wi-Fi Access Points
  • Downgrade to Insecure Protocols
  • Rogue Cellular Base Station

Remote Service Effects
  • Remotely Track Device Without Authorization
  • Remotely Wipe Data Without Authorization
  • Obtain Device Cloud Backups

Impact
  • System Shutdown/Reboot 1
  • Device Lockout
  • Delete Device Data
  • Premium SMS Toll Fraud
  • Manipulate App Store Rankings or Ratings
  • Abuse Accessibility Features
  • Data Encrypted for Impact
  • Generate Fraudulent Advertising Revenue
  • Data Destruction

Behavior Graph


Screenshots
