Wednesday, 22 November 2017

Malware reverse – RAT backdoor

Hello again.
After a few tested files, I found something good to analyze.
On hacking or warez forums, you find a lot of infected files.
Today I analyzed a program used by hackers to hide their viruses: a program that combines two files so that, when used, one is visible and the other runs hidden.

Although the one who posted the software announced it as a cracked version, it still seems strange that the name is Celeste instead of Celesty, and the details are completely missing.
After a brief analysis I realized that the software already contains two files, both executables, which is exactly what the Celest software should do.


The executables seem to be the Celesty software and something called Encrypt, and if we remember the role of the binder, we understand that Celesty will appear on the screen while Encrypt will be hidden.
Looking in more detail, we can see that Celest’s resources are exactly the two hidden files.
OK. If you think things have become complicated … wait a little longer.
Moving to more advanced techniques, I’ve been able to discover what’s going on beyond that first downloadable software.
Do you remember how it all started?
A .rar file … An .exe extracted from it … Two hidden files.
Now look at my reverse malware folder!

Quite interesting!
I double-click, as a victim would, and let the executables do what they want.
Now that everything seems quiet, I can see that the file OrcusWatchdog does not want to stop: even if you stop it, “Keep alive” brings it back to life.

Okay, let’s see what’s going on.
Celest_Binder looked ok at first, but what it brings with it is not good for the computer.

Drops executable files:
OrcusWatchdog.exe
CELESTY.EXE
ENCRYPT.EXE
svchost_.exe
sbziixqt.dll
RESD05E.tmp
ENCRYPT file
Creates fake process: Users\vchost\svchost.exe
Creates new process: AppData\OrcusWatchdog.exe
Writes data to a remote process:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
OrcusWatchdog
Plays with:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
svchost_
Contains the ability to manipulate the desktop.
Password-stealing functions.
Keystroke recording.
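As an added example (not code from the original post), here is a small Python check that flags the behaviours listed above in a constructed, sandbox-style event log: svchost.exe started from a user folder, a known dropped binary launched from AppData or written to disk, and memory writes into powershell.exe or csc.exe. The "event|source|target" line format, the sample paths and the user name are assumptions made for this example.

```python
import ntpath

# Constructed sample events in a hypothetical "event|source|target" format,
# modelled on the behaviour listed in the post (not real sandbox output).
SAMPLE_EVENTS = [
    r"process_create|C:\Users\victim\Desktop\Celest_Binder.exe|C:\Users\victim\AppData\OrcusWatchdog.exe",
    r"process_create|C:\Users\victim\AppData\OrcusWatchdog.exe|C:\Users\vchost\svchost.exe",
    r"process_create|C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe",
    r"remote_write|C:\Users\victim\AppData\OrcusWatchdog.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"remote_write|C:\Users\victim\AppData\OrcusWatchdog.exe|C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe",
    r"file_write|C:\Users\victim\Desktop\Celest_Binder.exe|C:\Users\victim\AppData\Local\Temp\svchost_.exe",
    r"file_write|C:\Windows\System32\svchost.exe|C:\Windows\Temp\log.txt",
]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}  # legitimate svchost.exe homes
INJECTION_TARGETS = {"powershell.exe", "csc.exe"}               # processes written to in the post
DROPPED_NAMES = {"orcuswatchdog.exe", "svchost_.exe", "celesty.exe", "encrypt.exe"}


def split_path(path):
    """Return (lower-cased directory, lower-cased file name) of a Windows path."""
    directory, name = ntpath.split(path.lower())
    return directory, name


def findings_for(line):
    """Return the list of reasons a single event is suspicious (empty if none)."""
    event, _source, target = line.split("|", 2)
    tdir, tname = split_path(target)
    reasons = []
    if event == "process_create" and tname == "svchost.exe" and tdir not in SYSTEM_DIRS:
        reasons.append("svchost.exe launched outside a system directory")
    if event == "process_create" and "\\appdata" in tdir and tname in DROPPED_NAMES:
        reasons.append("known dropped binary started from AppData")
    if event == "remote_write" and tname in INJECTION_TARGETS:
        reasons.append(f"memory write into {tname} (possible injection)")
    if event == "file_write" and tname in DROPPED_NAMES:
        reasons.append("known dropped file written to disk")
    return reasons


def scan(lines):
    """Map each suspicious line number (1-based) to its list of reasons."""
    return {i: r for i, line in enumerate(lines, 1) if (r := findings_for(line))}


if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_EVENTS).items():
        print(number, "; ".join(reasons))
```

Lines 3 and 7 of the sample (a normal svchost.exe from System32) are deliberately left unflagged to show that the path check, not the process name alone, is what matters.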
So, without going into too much detail, I can tell you it’s a *remote administration tool that can do the following:
Control
Basic information about the client (operating system, language, privileges, path, IP address, …)
Uninstall, Kill, Make Admin
Computer
Get a lot of information about the client’s pc
Categories: Operating System, System, Bios, Hardware (Processor, Videocard), Software, Network (local addresses, geo location data), Drives
Passwords
Recover passwords from famous applications (Google Chrome, Mozilla Firefox, FileZilla, Internet Explorer, JDownloader, Opera, Thunderbird, WinSCP, Pidgin, …)
Recover cookies from web browsers (Google Chrome, Mozilla Firefox, Yandex)
File Explorer
Interface like the Windows file explorer
Download, rename, create or remove files and directories
Download directly to the server
Execute files with arguments, verbs and other settings
Show properties of files (size, dates, details like size of a picture or bitrate of a video) and calculate hash values (MD5, SHA1, SHA256, SHA512)
Upload files
Open Console here
Go back/forward
Pinned folders of the client’s system are directly added to the tree view (Dropbox, OneDrive, Creative Cloud Files, etc.)
Support for special folders like the recycle bin
Search for files in the current folder
Enter path directly or select the path with autocomplete and drop down
Programs
Receive all installed programs
Start uninstaller of a program
Open path in File Explorer
… and a lot *more!
That’s the situation!
Things are not as you want and do not forget!
When something is free, you are not the customer but the product!


Have fun & Stay Safe!!!

*Orcus Remote Admin
