General

  • Target

    citadel_1.1.0.0.vir

  • Size

    401KB

  • Sample

    200719-3rnfybhh2j

  • MD5

    5abefe1af6518c5daccbe0833b75858b

  • SHA1

    0bc40dc4b0d380b42b2bfbd89eedfc9669be9367

  • SHA256

    fcce249643f7fe240695fdbc393b54a543fa4a49942b56ad8aad6f219c4f896d

  • SHA512

    e4cb2d745533dc2dd4efd360d7bebf8f5cbebe4572130d0e874e021629b2d58d43fd05f7b146d60e6b87bc16b7be7e86b69bf6dcb1c984fcb9251c6f1613f28f

Score
8/10

Malware Config

Targets

    • Executes dropped EXE

    • Deletes itself

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder: T1060 (1)

  • Defense Evasion

    Virtualization/Sandbox Evasion: T1497 (1)

    Modify Registry: T1112 (1)

  • Discovery

    Query Registry: T1012 (1)

    Virtualization/Sandbox Evasion: T1497 (1)

Tasks