Overview
overview
7Static
static
7Celestial ...al.exe
windows10-2004-x64
7Celestial ...er.exe
windows10-2004-x64
7Celestial ...or.dll
windows10-2004-x64
1Celestial ...pf.dll
windows10-2004-x64
1Celestial ...ib.dll
windows10-2004-x64
1Celestial ...et.dll
windows10-2004-x64
1Celestial ...6c.dll
windows10-2004-x64
1Celestial ...8c.dll
windows10-2004-x64
1Celestial ...sm.exe
windows10-2004-x64
1Celestial .../d.exe
windows10-2004-x64
Celestial ...ow.dll
windows10-2004-x64
1Celestial ...eo.dll
windows10-2004-x64
1Celestial ...ip.dll
windows10-2004-x64
1Celestial ...GI.dll
windows10-2004-x64
1Celestial ...11.dll
windows10-2004-x64
1Celestial ...D9.dll
windows10-2004-x64
1Celestial ...DX.dll
windows10-2004-x64
1Celestial .../m.exe
windows10-2004-x64
1Celestial ...sig.py
windows10-2004-x64
3Celestial ...ib.dll
windows10-2004-x64
1Celestial ...ib.dll
windows10-2004-x64
1Celestial ...er.exe
windows10-2004-x64
1Celestial ...rt.bat
windows10-2004-x64
1Celestial ...art.sh
windows10-2004-x64
3Analysis
-
max time kernel
35s -
max time network
37s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
04-07-2024 14:57
Behavioral task
behavioral1
Sample
Celestial Rat/Celestial.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral2
Sample
Celestial Rat/CelestialPatcher.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Celestial Rat/IconExtractor.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral4
Sample
Celestial Rat/Notifications.Wpf.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Celestial Rat/Vestris.ResourceLib.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral6
Sample
Celestial Rat/WinMM.Net.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Celestial Rat/data/6c.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral8
Sample
Celestial Rat/data/8c.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Celestial Rat/data/asm.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral10
Sample
Celestial Rat/data/d.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
Celestial Rat/data/libs/AForge.Video.DirectShow.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
Celestial Rat/data/libs/AForge.Video.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
Celestial Rat/data/libs/DotNetZip.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
Celestial Rat/data/libs/SharpDX.DXGI.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
Celestial Rat/data/libs/SharpDX.Direct3D11.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
Celestial Rat/data/libs/SharpDX.Direct3D9.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
Celestial Rat/data/libs/SharpDX.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
Celestial Rat/data/payload/m.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
Celestial Rat/data/payload/sig.py
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
Celestial Rat/dnlib.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
Celestial Rat/scripts/ClipperLib.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
Celestial Rat/server/Server.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
Celestial Rat/server/start.bat
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
Celestial Rat/server/start.sh
Resource
win10v2004-20240611-en
windows10-2004-x64
General
-
Target
Celestial Rat/Celestial.exe
-
Size
9.4MB
-
MD5
86cae458b120a8c8f336d30590cc3c4f
-
SHA1
68f0a11a37c01f79db978ef19c03ee9c3457a6db
-
SHA256
4a9d64583260db1c1e4ff7d763341a1ab2bdf1d6e840dd622efad07da12a1d32
-
SHA512
489eb0bc1d465c713e4670a2743499ed256bd535332e211fd37f900f3d4a707c35d9dbee391e33d07eb4a9421f4312f74ecaf924f0b86ddecfe4190186093dbb
-
SSDEEP
196608:8o/0CasEDPZ2lB54SY3KTBRYIzH7IXB0wnlnmELgaJitOsFo:8o/TTAPcf5Bqa3zzH7IB00nn4OsFo
Malware Config
Signatures
-
resource yara_rule behavioral1/memory/4680-1-0x000001C4B86C0000-0x000001C4B9C00000-memory.dmp themida -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 4680 Celestial.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 27 IoCs
pid Process 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1724 taskmgr.exe Token: SeSystemProfilePrivilege 1724 taskmgr.exe Token: SeCreateGlobalPrivilege 1724 taskmgr.exe -
Suspicious use of FindShellTrayWindow 39 IoCs
pid Process 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe -
Suspicious use of SendNotifyMessage 38 IoCs
pid Process 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe 1724 taskmgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Celestial Rat\Celestial.exe"C:\Users\Admin\AppData\Local\Temp\Celestial Rat\Celestial.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4680
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1724