citadel | Triage

Sharing

Copy URL Twitter E-mail

General

Target

citadel
Size

210KB
MD5

b6c0133a9793e452b73cb88dcdd75103
SHA1

9308bb5f86373930064589e3c854c9c79025065f
SHA256

920cbc4aa3c3170fc5888768dcfd36d38a11c586a6275de718698aa4016f80a5
SHA512

862e55953797d95f540fa4283bbd981d58cff7717467fceb6c6a32a91fd0be89e58bfb45bb7f7a64dabc0788a2d5dc3bbe51badaa2702db4a971af71026f659f
SSDEEP

6144:QAatWqqDLlC0jCpy1oy9VoL1oGGPxKQ8B1ljw+VId:QAaxqnlC0jCsoy9VobmKrU+Vy

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
citadel

Files

citadel
.exe windows x86

2dcca74d8785109ab6c911e976994e3b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetLogicalDriveStringsW
HeapFree
CreateDirectoryW
GetProcessHeap
SetFileTime
VirtualQueryEx
WriteFile
Thread32First
WideCharToMultiByte
ReadProcessMemory
HeapDestroy
HeapCreate
lstrcpynW
Thread32Next
ReadFile
GetTimeZoneInformation
CreateFileW
MultiByteToWideChar
lstrlenW
FlushFileBuffers
GetTempPathW
GetFileSizeEx
OpenMutexW
VirtualProtectEx
VirtualAllocEx
GetCurrentProcessId
RemoveDirectoryW
QueryDosDeviceW
FindNextFileW
VirtualProtect
SetFilePointerEx
FileTimeToLocalFileTime
GetVolumeNameForVolumeMountPointW
DeleteFileW
GetFileInformationByHandle
SetFileAttributesW
GetNativeSystemInfo
MoveFileExW
GetUserDefaultUILanguage
GlobalLock
GlobalUnlock
lstrcmpiA
GetThreadContext
SetThreadContext
GetProcessId
SetHandleInformation
CreatePipe
WTSGetActiveConsoleSessionId
TlsGetValue
TlsSetValue
TerminateProcess
GetLocalTime
DuplicateHandle
OpenEventW
GetFileAttributesExW
WaitForMultipleObjects
GetModuleFileNameW
GetVersionExW
GetModuleHandleW
GetComputerNameW
SetErrorMode
GetCommandLineW
SystemTimeToFileTime
HeapAlloc
CreateProcessW
SetEndOfFile
FindFirstFileW
HeapReAlloc
GetTempFileNameW
FileTimeToDosDateTime
GetEnvironmentVariableW
CreateThread
GetCurrentProcess
GetSystemTime
ExitThread
GetTickCount
GetFileTime
WriteProcessMemory
ExitProcess
GetModuleHandleA
LoadLibraryA
VirtualAlloc
GetFileAttributesW
IsBadReadPtr
VirtualFree
Sleep
ResetEvent
EnterCriticalSection
SetLastError
GetLastError
LeaveCriticalSection
InitializeCriticalSection
LocalFree
GetProcAddress
GetPrivateProfileIntW
LoadLibraryW
GetPrivateProfileStringW
FreeLibrary
CreateMutexW
ExpandEnvironmentStringsW
lstrcmpiW
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
VirtualFreeEx
OpenProcess
CreateRemoteThread
ReleaseMutex
TlsFree
CloseHandle
TlsAlloc
GetCurrentThreadId
CreateEventW
CreateFileMappingW
SetThreadPriority
GetCurrentThread
SetEvent
WaitForSingleObject
UnmapViewOfFile
MapViewOfFile
FindClose

user32

IsRectEmpty
GetTopWindow
LoadImageW
MsgWaitForMultipleObjects
WindowFromPoint
CharToOemW
TranslateMessage
GetWindowLongW
CharLowerA
PeekMessageW
CharUpperW
SetWindowLongW
SendMessageTimeoutW
GetWindow
GetMessagePos
MapVirtualKeyW
PostMessageW
GetKeyboardLayoutList
MessageBoxA
ExitWindowsEx
GetSystemMetrics
RegisterClassExA
RegisterWindowMessageW
GetThreadDesktop
GetMessageW
SetKeyboardState
GetSubMenu
DefDlgProcW
DefFrameProcA
OpenInputDesktop
OpenDesktopW
MapWindowPoints
ReleaseCapture
IsWindow
GetCursorPos
SetWindowPos
CreateDesktopW
SetProcessWindowStation
CloseWindowStation
CreateWindowStationW
GetProcessWindowStation
CloseDesktop
SetThreadDesktop
OpenWindowStationW
FillRect
DrawEdge
IntersectRect
EqualRect
PrintWindow
EndPaint
GetUpdateRgn
GetWindowDC
BeginPaint
GetUpdateRect
GetDCEx
DrawIcon
GetIconInfo
CharLowerBuffA
GetClipboardData
GetKeyboardState
ToUnicode
GetMessageA
CharLowerW
GetWindowRect
MenuItemFromPoint
GetDC
GetMenu
SetCapture
GetParent
GetWindowInfo
GetClassLongW
GetCapture
SetCursorPos
RegisterClassExW
GetMenuItemRect
TrackPopupMenuEx
SystemParametersInfoW
GetClassNameW
ReleaseDC
GetMenuState
DefWindowProcA
DefMDIChildProcW
SwitchDesktop
GetMenuItemCount
DefDlgProcA
PostThreadMessageW
DefMDIChildProcA
HiliteMenuItem
RegisterClassW
GetUserObjectInformationW
SendMessageW
GetAncestor
GetMenuItemID
PeekMessageA
CallWindowProcA
EndMenu
CallWindowProcW
DefWindowProcW
DefFrameProcW
GetWindowThreadProcessId
RegisterClassA
GetShellWindow
DispatchMessageW

advapi32

GetLengthSid
InitiateSystemShutdownExW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
IsWellKnownSid
CryptGetHashParam
OpenProcessToken
GetSidSubAuthority
CryptAcquireContextW
OpenThreadToken
GetSidSubAuthorityCount
GetTokenInformation
RegCreateKeyExW
CryptReleaseContext
RegQueryValueExW
CreateProcessAsUserW
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
SetNamedSecurityInfoW
LookupPrivilegeValueW
CryptCreateHash
ConvertStringSecurityDescriptorToSecurityDescriptorW
GetSecurityDescriptorSacl
SetSecurityDescriptorSacl
CryptDestroyHash
AdjustTokenPrivileges
RegSetValueExW
CryptHashData
ConvertSidToStringSidW
CreateProcessAsUserA
RegCreateKeyW
RegEnumKeyW
RegQueryInfoKeyW
EqualSid
SetSecurityInfo
RegDeleteValueW
RegEnumValueW

shlwapi

PathSkipRootW
StrCmpNIW
wvnsprintfA
StrCmpNIA
PathMatchSpecW
PathUnquoteSpacesW
PathAddExtensionW
PathCombineW
SHDeleteKeyW
PathIsURLW
SHDeleteValueW
PathAddBackslashW
PathFindFileNameW
PathIsDirectoryW
wvnsprintfW
UrlUnescapeA
PathRemoveBackslashW
PathRenameExtensionW
PathQuoteSpacesW
StrStrIW
PathRemoveFileSpecW
StrStrIA

shell32

CommandLineToArgvW
ShellExecuteW
SHGetFolderPathW

secur32

GetUserNameExW

ole32

CoSetProxyBlanket
CoUninitialize
CLSIDFromString
StringFromGUID2
CoInitializeSecurity
CoInitialize
CoInitializeEx
CoCreateInstance

gdi32

CreateCompatibleBitmap
SelectObject
DeleteObject
GetDeviceCaps
DeleteDC
GetDIBits
CreateDIBSection
RestoreDC
SaveDC
SetRectRgn
GdiFlush
SetViewportOrgEx
CreateCompatibleDC

ws2_32

listen
send
closesocket
WSASetLastError
freeaddrinfo
socket
bind
recv
inet_addr
getpeername
recvfrom
WSAEventSelect
WSASend
gethostbyname
WSAIoctl
accept
WSAGetLastError
setsockopt
shutdown
getsockname
select
getaddrinfo
WSAStartup
WSAAddressToStringW
connect
sendto

crypt32

PFXExportCertStoreEx
CertDuplicateCertificateContext
CertEnumCertificatesInStore
PFXImportCertStore
CertCloseStore
CertOpenSystemStoreW
CertDeleteCertificateFromStore
CryptUnprotectData

wininet

InternetReadFileExA
InternetReadFile
HttpSendRequestW
GetUrlCacheEntryInfoW
HttpOpenRequestA
InternetSetStatusCallbackA
InternetOpenA
InternetSetOptionA
InternetCrackUrlA
InternetQueryOptionW
InternetConnectA
InternetQueryOptionA
InternetCloseHandle
HttpEndRequestW
HttpSendRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetSetFilePointer
HttpOpenRequestW
InternetQueryDataAvailable
HttpAddRequestHeadersW
HttpSendRequestExA
HttpQueryInfoA
HttpSendRequestExW
InternetSetStatusCallbackW

oleaut32

SysFreeString
VariantInit
SysAllocString
VariantClear

netapi32

NetUserEnum
NetApiBufferFree
NetUserGetInfo

version

VerQueryValueW
GetFileVersionInfoSizeW
GetFileVersionInfoW

winmm

waveOutGetVolume
PlaySoundA
PlaySoundW
waveOutSetVolume

Sections

.text
Size: 196KB - Virtual size: 196KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

2dcca74d8785109ab6c911e976994e3b

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

shlwapi

shell32

secur32

ole32

gdi32

ws2_32

crypt32

wininet

oleaut32

netapi32

version

winmm

Sections

.text Size: 196KB - Virtual size: 196KB

.data Size: 2KB - Virtual size: 10KB

.reloc Size: 8KB - Virtual size: 8KB

.text
Size: 196KB - Virtual size: 196KB

.data
Size: 2KB - Virtual size: 10KB

.reloc
Size: 8KB - Virtual size: 8KB