General
Target: citadel_3.1.0.0.vir
Size: 307KB
Sample: 200719-4twkr22ebs
MD5: 3d3ef329a4d920735fbc6c56d2a15691
SHA1: 74c7c9c8470ea55c04ee3c7fe168793ee32d4686
SHA256: 1ec347934db2ded3a012479882732bfb3cdc85b0d4b2911e3402c1fa693a2235
SHA512: 0e2d88ef2f8f8d1a65f63473e89c345cb73630efa5c717e7a8f721ae8703077d651ee66ee4756c4a4d6e6e1a007c6246b007c20689be195763353bcb7654c9ed
Static task: static1
Behavioral task: behavioral1
  Sample: citadel_3.1.0.0.vir.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: citadel_3.1.0.0.vir.exe
  Resource: win10
Malware Config
Targets
Target: citadel_3.1.0.0.vir
Size: 307KB
MD5: 3d3ef329a4d920735fbc6c56d2a15691
SHA1: 74c7c9c8470ea55c04ee3c7fe168793ee32d4686
SHA256: 1ec347934db2ded3a012479882732bfb3cdc85b0d4b2911e3402c1fa693a2235
SHA512: 0e2d88ef2f8f8d1a65f63473e89c345cb73630efa5c717e7a8f721ae8703077d651ee66ee4756c4a4d6e6e1a007c6246b007c20689be195763353bcb7654c9ed
Score: 8/10
Behaviors
- Executes dropped EXE
- Deletes itself
- Identifies Wine through registry keys: Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials, etc.
- Adds Run key to start application
- Suspicious use of SetThreadContext