CelesTLSH Malware Scanner

CelesTLSH (pronounced "Celestial-S-H") Malware Scanner is an extension built upon the LimaCharlie platform. Developed by Magonia Research, it scans all files collected by the LimaCharlie binlib extension for signs of known malware and threat actor tools.

How It Works

  1. Active Malware Tracking
    Magonia Research continuously monitors and updates a list of active malware samples and threat actor tools.
  2. File Collection
    The LimaCharlie binlib extension collects unique files from the network it monitors.
  3. TLSH Fuzzy Hashing
    LimaCharlie's binlib extension computes the TLSH (Trend Micro Locality Sensitive Hashing) fuzzy hash of these collected files.
  4. Similarity Comparison
    The CelesTLSH Malware Scanner computes the TLSH distance between each collected file's hash and the TLSH hashes of known malware samples.
    • If the TLSH distance is at or below a user-defined maximum threshold (a lower distance means a higher similarity), an alert is generated.
    • Because the comparison is fuzzy rather than exact, this method can detect malware even when a file has been modified to evade traditional signature-based detection.
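As an added illustration of step 4 (this is example code, not part of CelesTLSH or LimaCharlie), the following re-implements the TLSH distance from the published reference algorithm and applies the user-defined maximum threshold to decide whether a collected file triggers an alert. The `scan` function, the `max_distance` argument, the file paths and the digests are all assumptions or constructed values; in a real deployment the digests come from binlib, not from this code.

```python
# Added example, not CelesTLSH or LimaCharlie code: the TLSH distance re-implemented
# from the published reference algorithm (tlsh.diff semantics) plus the step-4 check.
LENGTH_MULT = QRATIO_MULT = 12   # weights for L and Q1/Q2 differences above 1

def _mod_diff(x: int, y: int, r: int) -> int:
    d = abs(x - y)
    return min(d, r - d)                          # circular distance on a ring of size r

def _parse(digest: str):                          # 70 hex chars, optional "T1" prefix
    h = digest.upper()
    if h.startswith("T1"):
        h = h[2:]
    if len(h) != 70:
        raise ValueError("expected a 70-character TLSH digest")
    checksum = h[0:2]                             # compared for equality only
    lvalue = int(h[3], 16) * 16 + int(h[2], 16)   # hex form stores L nibble-swapped
    q1, q2 = int(h[4], 16), int(h[5], 16)         # quartile ratios, 4 bits each
    body = [int(c, 16) for c in h[6:]]            # 64 nibbles = 128 two-bit buckets
    return checksum, lvalue, q1, q2, body

def tlsh_distance(a: str, b: str) -> int:         # 0 = identical; larger = less similar
    ca, la, q1a, q2a, ba = _parse(a)
    cb, lb, q1b, q2b, bb = _parse(b)
    ld = _mod_diff(la, lb, 256)                   # L is one byte and wraps
    diff = ld if ld <= 1 else ld * LENGTH_MULT
    for qa, qb in ((q1a, q1b), (q2a, q2b)):
        qd = _mod_diff(qa, qb, 16)
        diff += qd if qd <= 1 else (qd - 1) * QRATIO_MULT
    if ca != cb:
        diff += 1
    for na, nb in zip(ba, bb):                    # two 2-bit buckets per nibble
        for shift in (2, 0):
            d = abs(((na >> shift) & 3) - ((nb >> shift) & 3))
            diff += 6 if d == 3 else d            # a bucket jump of 3 counts as 6
    return diff

def scan(collected: dict, known: dict, max_distance: int) -> list:
    """Return (path, family, distance) for files within max_distance of a known sample."""
    alerts = []
    for path, digest in collected.items():
        for family, ref in known.items():
            dist = tlsh_distance(digest, ref)
            if dist <= max_distance:
                alerts.append((path, family, dist))
    return alerts

# Constructed digests, not real samples: a.bin differs from the reference only in L (+1).
KNOWN = {"ExampleFamily": "T15A1234" + "0" * 64}
COLLECTED = {"/tmp/a.bin": "T15A2234" + "0" * 64, "/tmp/b.bin": "T15A1234" + "F" * 64}
ALERTS = scan(COLLECTED, KNOWN, 30)               # [('/tmp/a.bin', 'ExampleFamily', 1)]
```

The threshold is the whole tuning knob: a higher `max_distance` catches more modified variants at the cost of more false positives, which is why the page leaves it user-defined.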

Limitations and Considerations

While TLSH fuzzy hashing is a powerful technique, it is not infallible.

  • Threat actors may employ code obfuscation or other evasion techniques.
  • However, such modifications increase complexity for attackers and can themselves indicate malicious intent.

CelesTLSH raises the bar for attackers by identifying threats that maintain a high similarity to known malware, even if minor changes are made.

Malware and Tools Tracked

Known Malware Samples

  • AgentTesla
  • Amadey
  • BlackBasta
  • BlackCat
  • BlackMatter
  • Braodo
  • BruteRatel
  • Clop
  • CobaltStrike
  • Conti
  • CryptBot
  • Formbook
  • Gh0stRAT
  • Hive
  • LockBit
  • LummaStealer
  • Metasploit
  • Mirai
  • QuasarRAT
  • RedLineStealer
  • RemcosRAT
  • Sliver
  • SnakeKeylogger
  • Sodinokibi
  • SystemBC
  • Vidar

Attack Tools and Dual-Use Software

  • ACLight
  • AMSI-Bypass
  • BloodHound
  • CrackMapExec
  • Empire
  • LaZagne
  • Mimikatz
  • Nishang
  • PingCastle
  • RustScan
  • ScoutSuite
  • SharpHound
  • Sliver
  • Socat
  • TrevorC2

(This is not a complete list. Magonia Research actively updates the database to track new threats.)

Contact Support

For assistance, questions, or to report issues, please contact our support team:


© 2024 Magonia Research. All rights reserved.