win_citadel_auto
YARA-2024-0178
Medium
general
Active
Detects win.citadel.
win_citadel_auto.yar
Valid Syntax
rule win_citadel_auto {
meta:
author = "Felix Bilstein - yara-signator at cocacoding dot com"
date = "2024-10-31"
version = "1"
description = "Detects win.citadel."
info = "autogenerated rule brought to you by yara-signator"
tool = "yara-signator v0.6.0"
signator_config = "callsandjumps;datarefs;binvalue"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.citadel"
malpedia_rule_date = "20241030"
malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
malpedia_version = "20241030"
malpedia_license = "CC BY-SA 4.0"
malpedia_sharing = "TLP:WHITE"
/* DISCLAIMER
* The strings used in this rule have been automatically selected from the
* disassembly of memory dumps and unpacked files, using YARA-Signator.
* The code and documentation is published here:
* https://github.com/fxb-cocacoding/yara-signator
* As Malpedia is used as data source, please note that for a given
* number of families, only single samples are documented.
* This likely impacts the degree of generalization these rules will offer.
* Take the described generation method also into consideration when you
* apply the rules in your use cases and assign them confidence levels.
*/
strings:
$sequence_0 = { eb0e 6800800000 53 57 }
// n = 4, score = 5100
// eb0e | jmp 0x10
// 6800800000 | push 0x8000
// 53 | push ebx
// 57 | push edi
$sequence_1 = { 03f7 6a0d 5f e8???????? }
// n = 4, score = 5000
// 03f7 | add esi, edi
// 6a0d | push 0xd
// 5f | pop edi
// e8???????? |
$sequence_2 = { 3d00002003 7715 8b4d08 890e 895604 895e0c }
// n = 6, score = 5000
// 3d00002003 | cmp eax, 0x3200000
// 7715 | ja 0x17
// 8b4d08 | mov ecx, dword ptr [ebp + 8]
// 890e | mov dword ptr [esi], ecx
// 895604 | mov dword ptr [esi + 4], edx
// 895e0c | mov dword ptr [esi + 0xc], ebx
$sequence_3 = { ff15???????? 85c0 0f8566010000 57 57 57 57 }
// n = 7, score = 5000
// ff15???????? |
// 85c0 | test eax, eax
// 0f8566010000 | jne 0x16c
// 57 | push edi
// 57 | push edi
// 57 | push edi
// 57 | push edi
$sequence_4 = { 41 66395802 7405 83c002 }
// n = 4, score = 5000
// 41 | inc ecx
// 66395802 | cmp word ptr [eax + 2], bx
// 7405 | je 7
// 83c002 | add eax, 2
$sequence_5 = { 33c9 663918 7507 41 }
// n = 4, score = 5000
// 33c9 | xor ecx, ecx
// 663918 | cmp word ptr [eax], bx
// 7507 | jne 9
// 41 | inc ecx
$sequence_6 = { 50 57 e8???????? 33db 3c01 }
// n = 5, score = 5000
// 50 | push eax
// 57 | push edi
// e8???????? |
// 33db | xor ebx, ebx
// 3c01 | cmp al, 1
$sequence_7 = { a1???????? 57 e8???????? 8945fc 3bc3 }
// n = 5, score = 5000
// a1???????? |
// 57 | push edi
// e8???????? |
// 8945fc | mov dword ptr [ebp - 4], eax
// 3bc3 | cmp eax, ebx
$sequence_8 = { 3ac3 73fa 0fb6c0 8b44c104 e9???????? d0e9 }
// n = 6, score = 3900
// 3ac3 | cmp al, bl
// 73fa | jae 0xfffffffc
// 0fb6c0 | movzx eax, al
// 8b44c104 | mov eax, dword ptr [ecx + eax*8 + 4]
// e9???????? |
// d0e9 | shr cl, 1
$sequence_9 = { 0f85a0000000 33c0 85c0 7409 }
// n = 4, score = 3900
// 0f85a0000000 | jne 0xa6
// 33c0 | xor eax, eax
// 85c0 | test eax, eax
// 7409 | je 0xb
$sequence_10 = { 8a4e01 ffd0 884601 33c0 6689460c }
// n = 5, score = 3900
// 8a4e01 | mov cl, byte ptr [esi + 1]
// ffd0 | call eax
// 884601 | mov byte ptr [esi + 1], al
// 33c0 | xor eax, eax
// 6689460c | mov word ptr [esi + 0xc], ax
$sequence_11 = { fec8 32d0 8ac2 3245fe 85c9 7408 84db }
// n = 7, score = 3900
// fec8 | dec al
// 32d0 | xor dl, al
// 8ac2 | mov al, dl
// 3245fe | xor al, byte ptr [ebp - 2]
// 85c9 | test ecx, ecx
// 7408 | je 0xa
// 84db | test bl, bl
$sequence_12 = { 85c0 740b 8a5608 8a4e02 }
// n = 4, score = 3900
// 85c0 | test eax, eax
// 740b | je 0xd
// 8a5608 | mov dl, byte ptr [esi + 8]
// 8a4e02 | mov cl, byte ptr [esi + 2]
$sequence_13 = { 763c 8a06 2a45ff 8a5602 }
// n = 4, score = 3900
// 763c | jbe 0x3e
// 8a06 | mov al, byte ptr [esi]
// 2a45ff | sub al, byte ptr [ebp - 1]
// 8a5602 | mov dl, byte ptr [esi + 2]
$sequence_14 = { 0fb6c9 8b04c8 eb81 d0e9 }
// n = 4, score = 3900
// 0fb6c9 | movzx ecx, cl
// 8b04c8 | mov eax, dword ptr [eax + ecx*8]
// eb81 | jmp 0xffffff83
// d0e9 | shr cl, 1
$sequence_15 = { e9???????? d0e9 3aca 73fa 0fb6c9 8b04c8 }
// n = 6, score = 3900
// e9???????? |
// d0e9 | shr cl, 1
// 3aca | cmp cl, dl
// 73fa | jae 0xfffffffc
// 0fb6c9 | movzx ecx, cl
// 8b04c8 | mov eax, dword ptr [eax + ecx*8]
condition:
7 of them and filesize < 1236992
}
Threat Analysis
This YARA rule detects win.citadel; it is filed under the general category.
Severity Level: Medium
The rule uses pattern matching to identify specific byte sequences, strings, or behavioral patterns associated with malicious activity.
Detection Capabilities
- File-based detection for executables and documents
- Memory scanning for running processes
- Network traffic analysis support
Command Line Usage
# Scan a single file
yara win_citadel_auto.yar /path/to/suspicious/file
# Scan a directory recursively
yara -r win_citadel_auto.yar /path/to/directory/
# Scan with metadata output (-m prints the rule's meta fields with each match)
yara -m win_citadel_auto.yar target_file
# Scan process memory (Linux): pass the PID; /proc/[pid]/exe is only the on-disk image, not the live memory
yara win_citadel_auto.yar [pid]
Integration Examples
Python (yara-python)
import yara
# Compile the rule file once, then match it against a path on disk
rules = yara.compile(filepath='win_citadel_auto.yar')
matches = rules.match('/path/to/file')
for m in matches:
    # each Match carries the rule name and its meta dictionary
    print(m.rule, m.meta.get('description'))
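The following is an added example (not from the rule's author or this catalogue) that re-implements the rule's condition, 7 of them and filesize < 1236992, in pure Python, so a defender can see which of the 16 sequences a buffer hits without installing yara-python. It handles only the full-byte ?? wildcard this rule uses; the sample buffers are constructed from the rule's own hex strings.

```python
import re

# Hex strings copied from the win_citadel_auto rule above; ?? is YARA's any-byte wildcard.
SEQUENCES = {
    "$sequence_0": "eb0e 6800800000 53 57",
    "$sequence_1": "03f7 6a0d 5f e8????????",
    "$sequence_2": "3d00002003 7715 8b4d08 890e 895604 895e0c",
    "$sequence_3": "ff15???????? 85c0 0f8566010000 57 57 57 57",
    "$sequence_4": "41 66395802 7405 83c002",
    "$sequence_5": "33c9 663918 7507 41",
    "$sequence_6": "50 57 e8???????? 33db 3c01",
    "$sequence_7": "a1???????? 57 e8???????? 8945fc 3bc3",
    "$sequence_8": "3ac3 73fa 0fb6c0 8b44c104 e9???????? d0e9",
    "$sequence_9": "0f85a0000000 33c0 85c0 7409",
    "$sequence_10": "8a4e01 ffd0 884601 33c0 6689460c",
    "$sequence_11": "fec8 32d0 8ac2 3245fe 85c9 7408 84db",
    "$sequence_12": "85c0 740b 8a5608 8a4e02",
    "$sequence_13": "763c 8a06 2a45ff 8a5602",
    "$sequence_14": "0fb6c9 8b04c8 eb81 d0e9",
    "$sequence_15": "e9???????? d0e9 3aca 73fa 0fb6c9 8b04c8",
}
MIN_MATCHES, MAX_FILESIZE = 7, 1236992  # condition: 7 of them and filesize < 1236992

def hex_string_to_regex(hexstr):
    """Compile a YARA hex string with full-byte ?? wildcards into a bytes regex."""
    parts = []
    for token in hexstr.split():
        for i in range(0, len(token), 2):
            pair = token[i:i + 2]
            # re.DOTALL below makes '.' match a 0x0a byte as well
            parts.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
    return re.compile(b"".join(parts), re.DOTALL)

def evaluate_rule(data):
    """Return (names of matched strings, whether the rule fires) for one buffer."""
    matched = [n for n, h in SEQUENCES.items() if hex_string_to_regex(h).search(data)]
    fires = len(matched) >= MIN_MATCHES and len(data) < MAX_FILESIZE
    return matched, fires

def build_sample(names, wildcard_byte="cc"):
    """Constructed test buffer: the named sequences, wildcards filled, nop padding between."""
    chunks = [bytes.fromhex(SEQUENCES[n].replace("??", wildcard_byte).replace(" ", "")) for n in names]
    return b"\x90\x90".join(chunks)

if __name__ == "__main__":
    seven = ["$sequence_0", "$sequence_1", "$sequence_2", "$sequence_4",
             "$sequence_5", "$sequence_9", "$sequence_11"]
    print(evaluate_rule(build_sample(seven)))      # 7 matched, rule fires
    print(evaluate_rule(build_sample(seven[1:])))  # 6 matched, rule does not fire
```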
ClamAV Integration
# ClamAV loads a .yar file like any other signature database, via -d / --database
clamscan -d win_citadel_auto.yar /path/to/scan
Rule Information
YARA ID: YARA-2024-0178
Repository:
Created: August 19, 2025
Last Updated: August 19, 2025
Last Imported: Never
Threat Intelligence
Risk Level: Medium
Category: general
Detection Confidence: Analysis Pending
False Positive Rate: Not Available
Last Seen in Wild: No Data
Similar Rules in general
- YARA-2023-0001 (CRI): Detect_Mimic_Ransomware
- YARA-2023-0002 (MED): SystemBC_malware / Detect_SystemBC
- YARA-2023-0003 (MED): detect_catB / detect_CatB_ransomware
- YARA-2022-0001 (MED): detect_Typhon_Stealer
- YARA-2023-0004 (MED): Nosu_stealer / Detect_Nosu_stealer
- YARA-2022-0002 (MED): detect_Lumma_stealer
- YARA-2022-0003 (MED): detect_StrelaStealer
- YARA-2022-0004 (MED): detect_silence_Downloader