MAR-10322463.r1.v1
Malware Characterization
This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.
US-CERT
2021-02-11T11:25:05-05:00
BMachine
134
7.1.0
celastradepro_win_installer_1.00.00.msi
9827840
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {A3B40756-2C9C-4167-9296-5DD2DAF7973E}, Number of Words: 2, Subject: CelasTradePro, Author: CELAS LLC, Name of Creating Application: Advanced Installer 14.5.2 build 83143, Template: ;1033, Comments: This installer database contains the logic and data required to install CelasTradePro., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
MD5
9e740241ca2acdc79f30ad2c3f50990a
SHA1
0c5e4cec03d2eea2b1dd5356fe05de64a0278cd6
SHA256
6ee19085ad5c17f989616d17ef68041910b3d0cbcf7e08cc7d7c1a1cb09e6b69
SHA512
dd02c1e717c2556b64d261f04c5a8add7dcc2f3ad267507d883ba68c7e4cf827136edce517aab055dfa02d8569a5779eb1fc24fb0b7c6bb3447d45e2802726e5
SSDEEP
196608:s80YaAWH7ICcfRLdq81w920W+ZP6g2DsjW1TIZfxgNu1DZNJQfIYizTrh50:sPUWHECcfBdR1w9NWqSg2DsK1TmfxgiD
7.973409
Characterized_By
Downloaded_From
Contains
Contains
Figure 1
celasllc.com
Characterized_By
Related_To
Downloaded_To
Related_To
Downloaded_To
celasllc.com/checkupdate.php
Whois for celasllc.com had the following information in August 2018:
IP Address: 185.142.236.213
Registrant Name: John Broox
Registrant Organization:
Registrant Street: 2141 S Archer Ave
Registrant City: Chicago
Registrant State/Province: Illinois
Registrant Postal Code: 60601
Registrant Country: US
Registrant Phone: +1.8133205751
Registrant Email: johnbroox200@gmail.com
Name Server: 1a7ea920.bitcoin-dns.hosting
Name Server: a8332f3a.bitcoin-dns.hosting
Name Server: ad636824.bitcoin-dns.hosting
Name Server: c358ea2d.bitcoin-dns.hosting
Created: May 29, 2018
Expires: May 29, 2019
Updated: Sep 9, 2018
Figure 2
CelasTradePro.exe
2517160
PE32 executable (GUI) Intel 80386, for MS Windows
MD5
45eb8f06c5f732e8dde8e9318d8b2392
SHA1
d4583cba9034a3068f8106b5013d37d7bdd46f38
SHA256
a84ed8ce714dff76b48b26414de9f045de561146d7eaa09019cbfbb2586c9765
SHA512
6536a7b0767828bb95f6f33a4e465fec48fc474b4f919bc878e02966f82f900fbaa6e2f9d7bc1dffa28bbe35f94ee6b9a570902843dfd35a8c9d1405ac130039
SSDEEP
49152:TrxfUhMyK0lq3Z8SC8Q1ZZmpwi0qEdz+7WGSVOr:PxfU60lqiV1UL
Microsoft Visual C++ ?.?
6.852284
6
2018-06-17 20:17:48-04:00
1024
MD5
724cd82da1ca0a93b9d171923d149ce9
2.738571
Celas LLC
Celas Bitcoin Trader
1.0.0.0
Celas Bitcoin Trader
Copyright (C) 2018 CELAS LLC
CelasTradePro.exe
CelasTradePro
1.0.0.0
.text
1152000
6.244241
MD5
4909abcdca48f01dd7d44d7b6035deef
.rdata
1076224
6.842683
MD5
88f7c98251537ffd1f94935b8c134b9a
.data
9728
4.517533
MD5
0e102f466e9e6893970e2fd96c8b3fce
.rsrc
110592
3.737298
MD5
87a4b3b57b1b37d19870a4f1c9577374
.reloc
162304
6.385957
MD5
a6d8c9855dc4334bb35c95a1e0518a9d
Contained_Within
Characterized_By
Characterized_By
Figure 3
Figure 4
Updater.exe
173224
PE32 executable (GUI) Intel 80386, for MS Windows
MD5
b054a7382adf6b774b15f52d971f3799
SHA1
b4d43cd2d81d17dec523915c0fc61b4b29e62c58
SHA256
bdff852398f174e9eef1db1c2d3fefdda25fe0ea90a40a2e06e51b5c0ebd69eb
SHA512
7c307a2ed0e6e483a0f3e7161ff0433e6bd498ab0b14b5359a938554999b076c4143a766b96c05dc0b949948cac97d81534ceb1300d02276ec90e2c1162383a9
SSDEEP
1536:XN9cIi98pUYi7tIP+arPg1ssvpoOJwtFT6BxdYIHs/5mBS0LiF:99clzLPPBoOJwWBxdYlxySr
Microsoft Visual C++ ?.?
4.980364
6
2018-06-15 06:56:27-04:00
1024
MD5
2c879beba343ce37c06647fb37be983e
2.572659
.text
38912
6.556738
MD5
4da943f482631027a2152c6f336055af
.rdata
10240
4.87559
MD5
0b7c67c806051953aa6addc2771a20eb
.data
4096
2.272665
MD5
49f73fd786fe23fbc68635fbf76b63a3
.rsrc
109568
3.715817
MD5
7a96caced6b43d719b90f6e332ad12f3
.reloc
4096
4.127553
MD5
8aacf0cff202d7d74c04f938df61e45f
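The section tables above for CelasTradePro.exe and Updater.exe list, for every PE section, its raw size, its Shannon entropy and the MD5 of its raw bytes. The following is an added example, not code from the report, showing how those numbers are produced: a pure-Python PE32 section-table walker that reads only the DOS header, IMAGE_FILE_HEADER and IMAGE_SECTION_HEADER array, computes the same per-section metrics plus whole-file hashes and the TimeDateStamp, and flags sections whose entropy suggests packing. The image it runs on is built inline and is a constructed sample, not either binary; the 7.0 entropy threshold and the assumption that the report's 2018-06-17 20:17:48-04:00 timestamp is the PE compile time are the example's own.

```python
import hashlib
import math
import struct
from datetime import datetime, timezone

# Sections at or above this entropy (bits per byte, maximum 8.0) are usually packed or
# encrypted. The threshold is an assumption for this example, not a value from the report.
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, the scale the report's section tables use."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    ent = -sum((c / n) * math.log2(c / n) for c in counts if c)
    return ent + 0.0  # turn -0.0 into 0.0 for an all-identical-byte section


def pe_triage(image: bytes) -> dict:
    """Walk the PE section table; return file hashes, compile time and per-section metrics.

    Only IMAGE_DOS_HEADER.e_lfanew, IMAGE_FILE_HEADER and the IMAGE_SECTION_HEADER array
    are parsed; the optional header is skipped using SizeOfOptionalHeader.
    """
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (_machine, n_sections, timestamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(n_sections):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, PointerToRelocations, PointerToLinenumbers,
        # NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes)
        (name, _vsize, _va, raw_size, raw_ptr, *_rest) = struct.unpack_from(
            "<8sIIIIIIHHI", image, table + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]  # metrics are taken over the raw on-disk bytes
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 6),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return {
        "md5": hashlib.md5(image).hexdigest(),
        "sha256": hashlib.sha256(image).hexdigest(),
        "compile_time": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "sections": sections,
        "high_entropy": [s["name"] for s in sections if s["entropy"] >= HIGH_ENTROPY],
    }


def build_sample_pe(sections, timestamp: int) -> bytes:
    """Build a minimal PE32 image from (name, data) pairs.

    Constructed input for this example only; it is not derived from the report's samples.
    """
    file_align, e_lfanew, opt_size = 0x200, 0x40, 0xE0
    n = len(sections)
    hdr_len = e_lfanew + 4 + 20 + opt_size + 40 * n
    first_raw = -(-hdr_len // file_align) * file_align  # sections start on a FileAlignment boundary
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, n, timestamp, 0, 0, opt_size, 0x0102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed
    table, payload, raw_ptr, va = b"", b"", first_raw, 0x1000
    for name, data in sections:
        raw_size = -(-len(data) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        payload += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += -(-max(len(data), 1) // 0x1000) * 0x1000
    header = dos + b"PE\0\0" + file_hdr + opt_hdr + table
    return header.ljust(first_raw, b"\0") + payload


# Constructed sample: a section holding every byte value equally often (entropy exactly 8.0)
# next to an all-zero section (entropy 0.0). The timestamp is the report's CelasTradePro.exe
# time, 2018-06-17 20:17:48-04:00, assumed here to be the PE TimeDateStamp.
SAMPLE_TIMESTAMP = 1529281068
SAMPLE_PE = build_sample_pe(
    [(".text", bytes(range(256)) * 2), (".data", b"\0" * 100)], SAMPLE_TIMESTAMP)

if __name__ == "__main__":
    result = pe_triage(SAMPLE_PE)
    print("compile time:", result["compile_time"], " md5:", result["md5"])
    for s in result["sections"]:
        print(f'{s["name"]:<8} {s["raw_size"]:>8} {s["entropy"]:.6f} {s["md5"]}')
    print("high-entropy sections:", result["high_entropy"])
```

Run against a real sample the output lines match the report's layout (name, size, entropy, MD5); none of the five sections in either Windows binary reaches the 7.0 threshold, so the packing flag stays empty for both, which is consistent with the compiler string and the large .rdata the report records.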
Characterized_By
Characterized_By
Contained_Within
Figure 5
Figure 6
celastradepro_mac_installer_1.00.00.dmg
15020544
DOS/MBR boot sector; partition 1 : ID=0xee, start-CHS (0x3ff,254,63), end-CHS (0x3ff,254,63), startsector 1, 29336 sectors, extended partition table (last)
MD5
48ded52752de9f9b73c6bf9ae81cb429
SHA1
1e8a2f1f751e5a9931bca5710b4f304798d665dc
SHA256
d404c0a634cef0d32029286fde8efccb6dfe1809066bbec7ac32d42c5ce3bc04
SHA512
4c4e4445638ace360c82be741e634601bd1beaf980cdc02523484cc7f161b57015f325708ce72d9a2496f3b5bf2d05df5133aee0d1c375b76b23e6a660436d0f
SSDEEP
393216:0naJ/9SL/uXRs1q5wxrCAveZZXFdklxkBSY6bzLZaM:bJ/9SLQRwqSrCAS5klxPY6bXZx
7.71037
Characterized_By
Characterized_By
Downloaded_From
Contains
Contains
Figure 7
Figure 8
developed on pure C++ Qt and OpenSSL.
String_APPLICATION_TITLE=Qt Bitcoin Trader
julyighor@gmail.com (note: Ighor July is one of the developers of QT Bitcoin Trader)
--End similarities--
The strings also reference the name “John Broox” as the author of CelasTradePro, the same name that appears as the Whois registrant of celasllc.com.
While the CelasTradePro application is likely a modification of QT Bitcoin Trader, the legitimate QT Bitcoin Trader DMG for OSX contains neither the postinstall script nor the plist file that creates a LaunchDaemon. When run, it installs only QTBitcoinTrader; no additional programs are created, installed, or launched.
The CelasTradePro DMG contains the CelasTradePro OSX executable (the modified version of QT Bitcoin Trader) as well as the additional Updater OSX executable, which is not included with the original QT Bitcoin Trader.
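The comparison above turns on two artifacts the legitimate QT Bitcoin Trader DMG lacks: a postinstall script and a plist that installs a LaunchDaemon. The following added example, which is not code from the report or from either project, shows how a triage script can check a macOS installer for exactly those two things. It parses a launchd job plist with the standard library and reports what the job would do if loaded (start at boot, restart when killed, run a program from a non-system path), and it scans a postinstall script for the lines that copy a plist into /Library/LaunchDaemons or call launchctl. The sample plist, the sample script, the label, paths and argument in them, and the list of trusted path prefixes are all constructed for this example and are not the contents of the CelasTradePro DMG.

```python
import plistlib
import re

# Directories that normally hold Apple- or OS-owned executables. A LaunchDaemon whose program
# lives anywhere else deserves a look. The list is an assumption for this example.
SYSTEM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")

# Constructed sample LaunchDaemon plist for this example. It is not the plist from the
# CelasTradePro DMG; the label, paths and argument are invented.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Library/Application Support/Example/Updater</string>
    <string>CheckUpdate</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed sample postinstall script (invented for this example, not the DMG's script).
SAMPLE_POSTINSTALL = """#!/bin/sh
mkdir -p "/Library/Application Support/Example"
mv "/Applications/Example.app/Contents/Resources/Updater" "/Library/Application Support/Example/Updater"
cp "/Applications/Example.app/Contents/Resources/com.example.updater.plist" /Library/LaunchDaemons/
chmod 644 /Library/LaunchDaemons/com.example.updater.plist
launchctl load -w /Library/LaunchDaemons/com.example.updater.plist
"""


def inspect_launchd_plist(data: bytes) -> dict:
    """Summarise what a launchd job plist would do once loaded as a LaunchDaemon."""
    job = plistlib.loads(data)
    if "ProgramArguments" in job:
        argv = list(job["ProgramArguments"])
    elif "Program" in job:
        argv = [job["Program"]]
    else:
        argv = []
    program = argv[0] if argv else ""
    findings = []
    if job.get("RunAtLoad"):
        findings.append("RunAtLoad: starts at boot with no user action")
    keep = job.get("KeepAlive")
    if keep is True or isinstance(keep, dict):  # a dict form (e.g. SuccessfulExit) also keeps it alive
        findings.append("KeepAlive: launchd relaunches it if it exits or is killed")
    if program and not program.startswith(SYSTEM_PREFIXES):
        findings.append("program outside system paths: " + program)
    return {"label": job.get("Label"), "program": program, "args": argv[1:], "findings": findings}


# Shell lines that install or activate a launchd job. Patterns are this example's own.
PERSISTENCE_PATTERNS = (
    re.compile(r"/Library/LaunchDaemons/"),
    re.compile(r"/Library/LaunchAgents/"),
    re.compile(r"\blaunchctl\s+(load|bootstrap|enable|submit)\b"),
)


def persistence_lines(script: str) -> list:
    """Return (line number, text) for script lines that install or load a launchd job."""
    return [(n, line.strip()) for n, line in enumerate(script.splitlines(), 1)
            if any(p.search(line) for p in PERSISTENCE_PATTERNS)]


def triage_installer(plist_data: bytes, postinstall: str) -> dict:
    """Flag an installer whose postinstall script plants a launchd job that runs at boot."""
    job = inspect_launchd_plist(plist_data)
    hits = persistence_lines(postinstall)
    persistent = bool(hits) and any(f.startswith("RunAtLoad") for f in job["findings"])
    return {"job": job, "script_hits": hits, "persistent": persistent}


if __name__ == "__main__":
    report = triage_installer(SAMPLE_PLIST, SAMPLE_POSTINSTALL)
    print("job:", report["job"]["label"], "->", report["job"]["program"], report["job"]["args"])
    for f in report["job"]["findings"]:
        print("  finding:", f)
    for n, line in report["script_hits"]:
        print(f"  postinstall line {n}: {line}")
    print("persistent daemon installed:", report["persistent"])
```

On a package expanded with `pkgutil --expand`, point `inspect_launchd_plist` at each plist the payload ships and `persistence_lines` at `Scripts/postinstall`; a clean build of the original application, which carries neither file, produces no findings and no script hits, while a DMG that bundles an extra Updater binary and a boot-time job for it trips both checks.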
CelasTradePro
3544560
Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|WEAK_DEFINES|BINDS_TO_WEAK|PIE>
MD5
4eedb2df53597a15fd48b726d85517f0
SHA1
a60ece7673fa415abe1fb97ac60e19ee446858b1
SHA256
c0c2239138b9bc659b5bddd8f49fa3f3074b65df8f3a2f639f7c632d2306af70
SHA512
853c85760576919bc59aee901663057a0bfd5a286345cc7464f61e7bdfdebfeb2148401597ae037bbf052c052112cb37c34924b2876383c920d17b908f0e3a85
SSDEEP
49152:bvzxIgxauUDh0Dh6jQIRfzOQo14GNoiZPw6YBoOBzRK8IA1LGqBKta9w35wwlRoJ:3xuwhRIR2LPZPwX1vbL9BgwseMzio
6.559908
Contained_Within
Characterized_By
Figure 9
Updater
50320
Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|WEAK_DEFINES|BINDS_TO_WEAK|PIE>
MD5
aeee54a81032a6321a39566f96c822f5
SHA1
53aa0971eb5d53ed242764ebfc89ad591a5211b2
SHA256
5e54bccbd4d93447e79cda0558b0b308a186c2be571c739e5460a3cb6ef665c0
SHA512
9e9abc2c824df20249df9161ad830af2a3d01867089eed23d5985445e34120238881ac3cfd9529bf27588c36f2a17533a4bda8fce8c91949360c236b60852fb0
SSDEEP
768:A4yOeE/pwi8Aea02PG2mG1oAK+g7mj78yfgum0+mifm:GOeE/pwFs02pvg7mj7bfgum0hi
5.010104
Contained_Within
Characterized_By
Characterized_By
Figure 10
Figure 11
MD5 and SHA1 of Malicious File
Malware Artifacts
MD5
9e740241ca2acdc79f30ad2c3f50990a
SHA1
0c5e4cec03d2eea2b1dd5356fe05de64a0278cd6
SHA256
6ee19085ad5c17f989616d17ef68041910b3d0cbcf7e08cc7d7c1a1cb09e6b69
NCCIC
2021-02-12T17:37:29+00:00
Malicious Domain
Domain Watchlist
celasllc.com
NCCIC
2021-02-12T17:37:29+00:00
MD5 and SHA1 of Malicious File
Malware Artifacts
MD5
45eb8f06c5f732e8dde8e9318d8b2392
SHA1
d4583cba9034a3068f8106b5013d37d7bdd46f38
SHA256
a84ed8ce714dff76b48b26414de9f045de561146d7eaa09019cbfbb2586c9765
NCCIC
2021-02-12T17:37:30+00:00
MD5 and SHA1 of Malicious File
Malware Artifacts
MD5
b054a7382adf6b774b15f52d971f3799
SHA1
b4d43cd2d81d17dec523915c0fc61b4b29e62c58
SHA256
bdff852398f174e9eef1db1c2d3fefdda25fe0ea90a40a2e06e51b5c0ebd69eb
NCCIC
2021-02-12T17:37:30+00:00
MD5 and SHA1 of Malicious File
Malware Artifacts
MD5
48ded52752de9f9b73c6bf9ae81cb429
SHA1
1e8a2f1f751e5a9931bca5710b4f304798d665dc
SHA256
d404c0a634cef0d32029286fde8efccb6dfe1809066bbec7ac32d42c5ce3bc04
NCCIC
2021-02-12T17:37:30+00:00
MD5 and SHA1 of Malicious File
Malware Artifacts
MD5
4eedb2df53597a15fd48b726d85517f0
SHA1
a60ece7673fa415abe1fb97ac60e19ee446858b1
SHA256
c0c2239138b9bc659b5bddd8f49fa3f3074b65df8f3a2f639f7c632d2306af70
NCCIC
2021-02-12T17:37:30+00:00
MD5 and SHA1 of Malicious File
Malware Artifacts
MD5
aeee54a81032a6321a39566f96c822f5
SHA1
53aa0971eb5d53ed242764ebfc89ad591a5211b2
SHA256
5e54bccbd4d93447e79cda0558b0b308a186c2be571c739e5460a3cb6ef665c0
NCCIC
2021-02-12T17:37:30+00:00
MAEC Characterization of 9e740241ca2acdc79f30ad2c3f50990a
Symantec
Trojan.Dropper
Microsoft Security Essentials
Trojan:Win32/Letdater
Sophos
Troj/NukeSped-X
Comodo
Malware
TrendMicro House Call
Trojan.BC27BA50
TrendMicro
Trojan.BC27BA50
Ahnlab
MSI/Installer
Quick Heal
OLE.MSI.Agent.39994.GC
dropper
trojan
command-and-control
MAEC Characterization of 45eb8f06c5f732e8dde8e9318d8b2392
Sophos
Mal/BadCert-Gen
MAEC Characterization of b054a7382adf6b774b15f52d971f3799
ClamAV
Win.Spyware.Fallchill-6663754-2
McAfee
Generic trojan.d
K7
Riskware ( 0040eff71 )
Systweak
trojan.agent
Symantec
Trojan Horse
Zillya!
Downloader.Agent.Win32.365188
Antiy
Trojan[Downloader]/Win32.Agent
BitDefender
Trojan.GenericKD.40404380
Microsoft Security Essentials
Trojan:Win32/Letdater
Sophos
Troj/NukeSped-Y
Comodo
Malware
TrendMicro House Call
Trojan.BC27BA50
TrendMicro
Trojan.BC27BA50
Emsisoft
Trojan.GenericKD.40404380 (B)
Avira
TR/Dldr.Agent.jlhae
VirusBlokAda
TrojanDownloader.Agent
Ahnlab
Malware/Win32.Generic
ESET
Win32/TrojanDownloader.NukeSped.E trojan
NANOAV
Trojan.Win32.Letscool.fflqoo
Lavasoft
Trojan.GenericKD.40404380
Ikarus
Trojan-Downloader.Agent
downloader
loader
spyware
MAEC Characterization of 48ded52752de9f9b73c6bf9ae81cb429
McAfee
OSX/Lazarus.a
Symantec
OSX.Dropper
Antiy
Trojan/OSX.Lazarus
Comodo
Malware
TrendMicro House Call
OSX_APPLEJEUS.A
TrendMicro
OSX_APPLEJEUS.A
Avira
OSX/Lazarus.A
ESET
OSX/TrojanDownloader.NukeSped.A trojan
Vir.IT eXplorer
OSX.Lazarus.ASM
Ikarus
Trojan.OSX.Lazarus
MAEC Characterization of 4eedb2df53597a15fd48b726d85517f0
ClamAV
Osx.Malware.Agent-7408161-0
McAfee
OSX/Lazarus.f
Symantec
OSX.Malcol.2
Zillya!
Trojan.MAC.OSX.89
Antiy
Trojan/OSX.Lazarus
BitDefender
Trojan.MAC.Lazarus.B
Sophos
OSX/Lazarus-D
Emsisoft
Trojan.MAC.Lazarus.B (B)
Avira
OSX/Lazarus.dplva
Ahnlab
OSX/Agent.3544560
ESET
a variant of Generik.IWGLIQC trojan
Lavasoft
Trojan.MAC.Lazarus.B
Ikarus
OSX.Lazarus
MAEC Characterization of aeee54a81032a6321a39566f96c822f5
ClamAV
Osx.Malware.Agent-9667647-0
Symantec
OSX.Trojan.Gen
Zillya!
Downloader.NukeSped.OSX.1
Antiy
Trojan/OSX.Lazarus
BitDefender
Trojan.MAC.Lazarus
Microsoft Security Essentials
Backdoor:MacOS/AppleJeus.A
Sophos
OSX/Lazarus-D
Comodo
Malware
TrendMicro House Call
OSX_LAZARUS.A
TrendMicro
OSX_LAZARUS.A
Emsisoft
Trojan.MAC.Lazarus (B)
Avira
VBS/Dldr.Formac.npwdq
Ahnlab
OSX/Agent.50320
ESET
a variant of OSX/TrojanDownloader.NukeSped.A trojan
NANOAV
Trojan.Mac.Mlw.fhnynm
Lavasoft
Trojan.MAC.Lazarus
Ikarus
Trojan.MAC.Lazarus
backdoor
10322463.r1.v1
Malicious Code
Malicious Artifact Detected