Windows Analysis Report
OatAFVzm15.exe

Overview

General Information

Sample Name:	OatAFVzm15.exe
Analysis ID:	691234
MD5:	b741daeca2edb8d539be2938e5f9490f
SHA1:	4affabf1f09e55a1777fedbe83fc26905943045c
SHA256:	c688c3da0b3fe263e2441f884d47966bb74875c94564e7694aa1c462e5c9435f
Tags:	exezeus2
Infos:

Detection

Citadel

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Yara detected Citadel

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

PE file contains an invalid checksum

Checks if the current process is being debugged

Entry point lies outside standard sections

May initialize a security null descriptor

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: OatAFVzm15.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: OatAFVzm15.exe	Metadefender: Detection: 56%			Perma Link
Source: OatAFVzm15.exe	ReversingLabs: Detection: 92%

Machine Learning detection for sample

Source: OatAFVzm15.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 1.2.OatAFVzm15.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen
Source: 1.0.OatAFVzm15.exe.400000.1.unpack	Avira: Label: TR/Spy.Gen
Source: 1.0.OatAFVzm15.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen
Source: 1.0.OatAFVzm15.exe.400000.2.unpack	Avira: Label: TR/Spy.Gen

Uses 32bit PE files

Source: OatAFVzm15.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: OatAFVzm15.exe	String found in binary or memory: http://www.google.com/webhp
Source: OatAFVzm15.exe	String found in binary or memory: http://www.google.com/webhpbcU

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Citadel

Source: Yara match	File source: OatAFVzm15.exe, type: SAMPLE
Source: Yara match	File source: 1.0.OatAFVzm15.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.OatAFVzm15.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.OatAFVzm15.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.OatAFVzm15.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.249623287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.248127496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.644531481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.250108543.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OatAFVzm15.exe PID: 772, type: MEMORYSTR

E-Banking Fraud

Yara detected Citadel

Source: Yara match	File source: OatAFVzm15.exe, type: SAMPLE
Source: Yara match	File source: 1.0.OatAFVzm15.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.OatAFVzm15.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.OatAFVzm15.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.OatAFVzm15.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.249623287.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.248127496.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.644531481.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.250108543.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OatAFVzm15.exe PID: 772, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: OatAFVzm15.exe PID: 772, type: MEMORYSTR

Matched rule: Citadel 1.5.x.y trojan banker Author: Jean-Philippe Teissier / @Jipe_

Uses 32bit PE files

Source: OatAFVzm15.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Yara signature match

Source: Process Memory Space: OatAFVzm15.exe PID: 772, type: MEMORYSTR

Matched rule: citadel13xy date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Citadel 1.5.x.y trojan banker, version = 1.0

One or more processes crash

Source: C:\Users\user\Desktop\OatAFVzm15.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 212

Source: OatAFVzm15.exe	Metadefender: Detection: 56%
Source: OatAFVzm15.exe	ReversingLabs: Detection: 92%

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8AB9.tmp

Jump to behavior

Source: C:\Users\user\Desktop\OatAFVzm15.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: classification engine

Classification label: mal76.bank.winEXE@2/4@0/0

Source: unknown	Process created: C:\Users\user\Desktop\OatAFVzm15.exe "C:\Users\user\Desktop\OatAFVzm15.exe"
Source: C:\Users\user\Desktop\OatAFVzm15.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 212

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess772

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

PE file contains an invalid checksum

Source: OatAFVzm15.exe

Static PE information: real checksum: 0x2ea1b should be: 0x5069c

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .data

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\OatAFVzm15.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\OatAFVzm15.exe	Process queried: DebugPort			Jump to behavior

May initialize a security null descriptor

Source: OatAFVzm15.exe, 00000001.00000000.250108543.0000000000401000.00000020.00000001.01000000.00000003.sdmp

Binary or memory string: S:(ML;;NRNWNX;;;LW)SeSecurityPrivilegeS:(ML;CIOI;NRNWNX;;;LW)?O?I?Tcabcabinet.dllFCICreateFCIAddFileFCIFlushCabinetFCIDestroyunknownInstallDateSOFTWARE\Microsoft\Windows NT\CurrentVersionDigitalProductId%s_%08X%08Xfatal_errorbcdfghklmnpqrstvwxzaeiouyGlobal\Local\:d

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

ID:	691234
Product:	CloudBasic
Start time:	03:58:55
Start date:	27.08.2022
Sample:	OatAFVzm15.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	b741daeca2edb8d539be2938e5f9490f
SHA1:	4affabf1f09e55a1777fedbe83fc26905943045c
SHA256:	c688c3da0b3fe263e2441f884d47966bb74875c94564e7694aa1c462e5c9435f
Filetype:	Win32 Executable (generic) a (10002005/4) 99.94%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_OatAFVzm15.exe_a26318744316683b0d1fe53934c2b47109f797_532d33bc_179a95d5\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	67ED49590B71E87BC8AEF7FED35BEDA5	17943598405BF7ADEE1A6D940C728B98C7CFFEF5	FFE956B2D85E2C8FABFB8AC382C63DB6D2F283BF7366439F1CE9D7FDD58AB76D
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8AB9.tmp.dmp	Mini DuMP crash report, 14 streams, Sat Aug 27 10:59:51 2022, 0x1205a4 type	45472289EA981225005104219636EC68	28675A39F6405261955670E64A2092D0699D6B9D	038786401FD022238B42FA9231B7CF4682E150676FF567A892B3CCACF5DA4962
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8E06.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	66631305A7D025E8E6DE30003254E753	9BA48BE6C3EA2D67A691F793850901C59A5ACE21	FEA2674FE4A504EFE873738BA4433B61BE9211955148464134B824873AC01B2F
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8FCC.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	2E9D1069FB8B86985BBC56341C8458B5	46C27DD82AA8C2F31EC1BBB149B8D576EA54CA6C	1B4B6082E07DF792F627F9E3E1025B99278F6AB0842669BC1D4CB390FA1ACB96

Windows Analysis Report
OatAFVzm15.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Anti Debugging

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Behavior Graph

Network Map

Windows Analysis Report OatAFVzm15.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Anti Debugging

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
OatAFVzm15.exe