Overview

overview

10

Static

static

3

Celestial.exe

windows7-x64

10

Celestial.exe

windows10-2004-x64

10

Resubmissions

10-03-2024 12:51

240310-p3s1esda29 10

10-03-2024 12:46

240310-pz2hdsch63 10

Analysis

  • max time kernel
    63s
  • max time network
    71s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-03-2024 12:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Celestial.exe

  • Size

    273KB

  • MD5

    7ca6a26751bd7ad90ffc2843f040117c

  • SHA1

    5c2be81194456480f952d674c0513959eab0ceda

  • SHA256

    c13b27db146974839ceeb088132e55627944f9a230392e4f8661749586a3626a

  • SHA512

    0f16bbf19913c4c09a13ea48325a3751311941b2d6b11a70a97737628c53bd58b8009fa9439e3b0ce66ef0e46dc420a6535b2d8803cbf6669d024c3c4ea3b896

  • SSDEEP

    6144:Of+BLtABPD7sBi/0QNE44FCpHoafTy/lI1D0NiJ:essK44FCpO61DzJ

Score
10/10
44caliberspywarestealer

Malware Config

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Celestial.exe
    "C:\Users\Admin\AppData\Local\Temp\Celestial.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4252
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1108
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:5108

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\44\Process.txt
        Filesize

        1KB

        MD5

        6156f4f7d2f8b93a06570ab0248984b5

        SHA1

        f94a7878718b1fab5e047e2bf94e08899a8a4c5b

        SHA256

        ea962c3597976991f745a51b0f7d59ed206b619710a91dc244c58de241f1908c

        SHA512

        470aaa57e601950f43fc82ad29bd5f666e215f68d899e73c16aaa3ad80c840c4afc1751f73f45fd2678bde033c0356b0269256570655323fe63e83d1334f51d7

        Download Submit

      • memory/4252-0-0x000002850E460000-0x000002850E4AA000-memory.dmp

        Filesize

        296KB

        Download

      • memory/4252-28-0x00007FFE89DA0000-0x00007FFE8A861000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4252-29-0x0000028510070000-0x0000028510080000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4252-132-0x00007FFE89DA0000-0x00007FFE8A861000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4252-135-0x00007FFE89DA0000-0x00007FFE8A861000-memory.dmp

        Filesize

        10.8MB

        Download