Analysis Report executable.4080.exe

Overview

General Information

Sample Name: executable.4080.exe
Analysis ID: 358585
MD5: 9b6886089b69bc227e48accb63231096
SHA1: 3794deb61672f08dcd4997b18780d3a0b81340fb
SHA256: f7c242fef888f7129e510c5a2c2a9a3ada69891304017e93a235cd3148d0dde4
Infos:

Most interesting Screenshot:

Detection

Citadel
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Citadel
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
May initialize a security null descriptor
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

barindex
Antivirus / Scanner detection for submitted sample
Source: executable.4080.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: executable.4080.exe Virustotal: Detection: 84% Perma Link
Source: executable.4080.exe ReversingLabs: Detection: 82%
Machine Learning detection for sample
Source: executable.4080.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.1.executable.4080.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 0.2.executable.4080.exe.400000.0.unpack Avira: Label: TR/Spy.Gen
Source: 0.0.executable.4080.exe.400000.0.unpack Avira: Label: TR/Spy.Gen

Cryptography:

barindex
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_0040B74D CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_0040B74D

Compliance:

barindex
Uses 32bit PE files
Source: executable.4080.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Spreading:

barindex
Contains functionality to enumerate network shares
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_00408C33 GetFileAttributesExW,LoadLibraryA,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,ReadProcessMemory,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW, 0_2_00408C33
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_0040B41D FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, 0_2_0040B41D
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_0040B4D8 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 0_2_0040B4D8
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_0040AC31 CreateFileW,HeapAlloc,WaitForSingleObject,InternetReadFile,WriteFile,FlushFileBuffers,CloseHandle, 0_2_0040AC31
Source: executable.4080.exe String found in binary or memory: http://www.google.com/webhp
Source: executable.4080.exe String found in binary or memory: http://www.google.com/webhpbccerts

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected Citadel
Source: Yara match File source: executable.4080.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.197550286.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: executable.4080.exe PID: 5424, type: MEMORY
Source: Yara match File source: 0.2.executable.4080.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.executable.4080.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_00412C03 GetClipboardData,GlobalLock,EnterCriticalSection,LeaveCriticalSection,GlobalUnlock, 0_2_00412C03
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_00412AC1 EnterCriticalSection,GetTickCount,LeaveCriticalSection,GetKeyboardState,ToUnicode,TranslateMessage, 0_2_00412AC1

E-Banking Fraud:

barindex
Yara detected Citadel
Source: Yara match File source: executable.4080.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000002.198011061.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.197550286.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: executable.4080.exe PID: 5424, type: MEMORY
Source: Yara match File source: 0.2.executable.4080.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.executable.4080.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: Process Memory Space: executable.4080.exe PID: 5424, type: MEMORY Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_
Contains functionality to call native functions
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_0040344C NtQueryInformationProcess,CloseHandle,NtCreateThread, 0_2_0040344C
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_00404CCE NtCreateUserProcess,NtCreateThread,LdrLoadDll,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,TranslateMessage,GetClipboardData,PFXImportCertStore, 0_2_00404CCE
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_004034F6 NtCreateUserProcess,GetProcessId,GetThreadContext,SetThreadContext,VirtualFreeEx,CloseHandle, 0_2_004034F6
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_0040F61D LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary, 0_2_0040F61D
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_00415300 InitiateSystemShutdownExW,ExitWindowsEx, 0_2_00415300
Detected potential crypto function
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_0040C570 0_2_0040C570
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_0040B65A 0_2_0040B65A
Uses 32bit PE files
Source: executable.4080.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Yara signature match
Source: Process Memory Space: executable.4080.exe PID: 5424, type: MEMORY Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0
Source: classification engine Classification label: mal80.bank.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_0041267A CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore, 0_2_0041267A
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_004127BF CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore, 0_2_004127BF
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_0040F3C3 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 0_2_0040F3C3
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_0040F36F CreateToolhelp32Snapshot,Thread32First,Thread32Next,CloseHandle, 0_2_0040F36F
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_0041000E CoCreateInstance, 0_2_0041000E
Source: executable.4080.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\executable.4080.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: executable.4080.exe Virustotal: Detection: 84%
Source: executable.4080.exe ReversingLabs: Detection: 82%

Data Obfuscation:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_00411408 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadImageW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary, 0_2_00411408
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_00408610 push ss; ret 0_2_00408798
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_00405841 HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,StrStrIW,StrStrIW,StrStrIW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW, 0_2_00405841
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_0040540A HeapAlloc,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileStringW,HeapAlloc,GetPrivateProfileStringW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileStringW, 0_2_0040540A

Hooking and other Techniques for Hiding and Protection:

barindex
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_00411408 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadImageW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary, 0_2_00411408

Malware Analysis System Evasion:

barindex
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\Desktop\executable.4080.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\executable.4080.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\executable.4080.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\executable.4080.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\executable.4080.exe API coverage: 2.1 %
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_0040B41D FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, 0_2_0040B41D
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_0040B4D8 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 0_2_0040B4D8

Anti Debugging:

barindex
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_00404CCE NtCreateUserProcess,NtCreateThread,LdrLoadDll,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,TranslateMessage,GetClipboardData,PFXImportCertStore, 0_2_00404CCE
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_00404ACF VirtualProtectEx 000000FF,0774C084,0000001E,00407798,00407798 0_2_00404ACF
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_00411408 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadImageW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary, 0_2_00411408
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_0040EBCB mov edx, dword ptr fs:[00000030h] 0_2_0040EBCB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_0040779B HeapCreate,GetProcessHeap,InitializeCriticalSection,WSAStartup,GetLengthSid,GetCurrentProcessId, 0_2_0040779B
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_0040DB47 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree, 0_2_0040DB47
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_0041280F PFXImportCertStore,GetSystemTime, 0_2_0041280F
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_00411A9D GetTickCount,GetUserDefaultUILanguage,GetModuleFileNameW,GetUserNameExW, 0_2_00411A9D
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_00409921 GetTimeZoneInformation, 0_2_00409921
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_0040F810 GetVersionExW,GetNativeSystemInfo, 0_2_0040F810

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
May initialize a security null descriptor
Source: executable.4080.exe Binary or memory string: S:(ML;;NRNWNX;;;LW)

Remote Access Functionality:

barindex
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_0040CC51 HeapAlloc,socket,bind,closesocket, 0_2_0040CC51
Source: C:\Users\user\Desktop\executable.4080.exe Code function: 0_2_0040C961 socket,bind,listen,closesocket, 0_2_0040C961
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 358585 Sample: executable.4080.exe Startdate: 25/02/2021 Architecture: WINDOWS Score: 80 8 Malicious sample detected (through community Yara rule) 2->8 10 Antivirus / Scanner detection for submitted sample 2->10 12 Multi AV Scanner detection for submitted file 2->12 14 2 other signatures 2->14 5 executable.4080.exe 2->5         started        process3 signatures4 16 Found evasive API chain (may stop execution after checking mutex) 5->16
No contacted IP infos