MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a0a2fd546e3c05e15b2db3b531cb8e8755641f5f1c17910ce2fb7bbce2a05b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a0a2fd546e3c05e15b2db3b531cb8e8755641f5f1c17910ce2fb7bbce2a05b7
SHA3-384 hash: 9b20ac1fb40601017e483f7bf35617f1c8a62fd8f65d2434b1af6e2c7e672828ad344ac2a93aa8f7559368400a5344bd
SHA1 hash: c5b7d47aef3bd33a24293138fcba3a5ff286c2a8
MD5 hash: c9c341eaf04c89933ed28cbc2739d325
humanhash: speaker-hamper-solar-robin
File name:satan.bin
Download: download sample
File size:189'337 bytes
First seen:2021-08-13 08:59:38 UTC
Last seen:2021-08-17 04:52:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 65e9607e6f28a7852bb41a6e2e439a92 (1 x ZeuS, 1 x Satan)
ssdeep 3072:H8SIBtQnE7OhssdWJ5jy392aCmCbBq0ryEbh/Wl7hqU6Q4NJ15xgDbvSY5thfRb3:c7qvhssdu5jyYaCmCQVE6hqUI5sb9Rb3
Threatray 6 similar samples on MalwareBazaar
TLSH T11B04F17CB5005DE9E75E2237DAA5BCBC03B70911E98A58C551D87F8221F33B5FE42A0A
Reporter milannshrestga
Tags:exe Ransom.Satan

Intelligence

File Origin
# of uploads :
2
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
satan.zip
Verdict:
Malicious activity
Analysis date:
2021-05-23 08:50:19 UTC
Tags:
trojan ransomware satan
Link:
https://app.any.run/tasks/f244379c-ec2c-4cd5-bd06-59dee60e10ac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/178942/
Detection(s):
Win.Ransomware.Satan-5713061-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
DNS request
Sending a UDP request
Unauthorized injection to a recently created process by context flags manipulation
Deleting volume shadow copies
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Satan
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/71419209-f09d-439b-80b1-2e84674c7a11
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/832265
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to encrypt and move a file in one function
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Deletes shadow drive data (may be related to ransomware)
Detected unpacking (overwrites its own PE header)
Drops batch files with force delete cmd (self deletion)
Found Tor onion address
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses TOR for connection hidding
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 464693 Sample: satan.bin Startdate: 13/08/2021 Architecture: WINDOWS Score: 100 51 6pi3jrqjbssfh6gu.onion.pw 2->51 63 Antivirus / Scanner detection for submitted sample 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities 2->67 69 6 other signatures 2->69 12 satan.exe 2->12         started        signatures3 process4 signatures5 81 Detected unpacking (overwrites its own PE header) 12->81 83 Contains functionality to encrypt and move a file in one function 12->83 85 Drops batch files with force delete cmd (self deletion) 12->85 87 2 other signatures 12->87 15 satan.exe 3 12->15         started        process6 file7 47 C:\Users\user\AppData\Roaming\...\abfub.exe, PE32+ 15->47 dropped 49 C:\Users\user\AppData\...\tmp_2e755b83.bat, DOS 15->49 dropped 18 abfub.exe 15->18         started        21 cmd.exe 1 15->21         started        process8 signatures9 55 Antivirus detection for dropped file 18->55 57 Tries to detect sandboxes and other dynamic analysis tools (window names) 18->57 59 Contains functionality to encrypt and move a file in one function 18->59 61 3 other signatures 18->61 23 abfub.exe 18->23         started        26 conhost.exe 21->26         started        process10 signatures11 73 Injects code into the Windows Explorer (explorer.exe) 23->73 75 Writes to foreign memory regions 23->75 77 Allocates memory in foreign processes 23->77 79 2 other signatures 23->79 28 explorer.exe 1 23->28 injected 32 svchost.exe 23->32 injected 34 sihost.exe 23->34 injected 36 5 other processes 23->36 process12 dnsIp13 53 6pi3jrqjbssfh6gu.onion.pw 28->53 89 System process connects to network (likely due to code injection or exploit) 28->89 91 May disable shadow drive data (uses vssadmin) 28->91 93 Creates autostart registry keys with suspicious names 28->93 97 5 other signatures 28->97 38 dllhost.exe 28->38 injected 41 vssadmin.exe 1 28->41         started        43 ShellExperienceHost.exe 28->43 injected 95 Contains functionality to encrypt and move a file in one function 32->95 signatures14 process15 signatures16 71 Hides threads from debuggers 38->71 45 conhost.exe 41->45         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1a0a2fd546e3c05e15b2db3b531cb8e8755641f5f1c17910ce2fb7bbce2a05b7/
Threat name:
Win32.Ransomware.Natasa
Create hunting rule
Status:
Malicious
First seen:
2017-05-21 22:47:55 UTC
File Type:
PE (Exe)
AV detection:
45 of 47 (95.74%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
3b73775e3999fa2a73354e2f9073ae52c61f2aa4ed348b0889f3c85653cf1145
3cfac63b3fe9bfb358097541453facb33be788e142f10f7ee04f30f68e2a2c61
5036daccd356ba9794957dc02668b903e2779eb2865aa2cf6605c8cb9f639da6
84dd7afbfc63272eea2c55b6d079ef1897971516e3a7359aa932fec10ea6d4b6
c7eb4a2c6d47c2ccacb61cb12856dd370b4497b4e578b38eeb7922dadca8243d
ed84a7185bd3decfe9104fa3f6dad24bb0a0ff27a1a792a05ef0f2b010bf7b9b
Result
Malware family:
n/a
Score:
  9/10
Tags:
persistence ransomware
Link:
https://tria.ge/reports/210813-gj3xy1zcpj/
Behaviour
Interacts with shadow copies
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Loads dropped DLL
Executes dropped EXE
Deletes shadow copies
Unpacked files
SH256 hash:
8b822e2a3a47148fed001fb283c749ecd53ca18246cfed9b5ee6d3ddaa0d3400
MD5 hash:
6604e02df8b1c9e4f5821f081df03a80
SHA1 hash:
30fabaa51bbb2ecf5de0aef1a1f67d39a9bf57b1
Link:
https://www.unpac.me/results/bb36ca5b-405b-462e-b73e-90ec77ba10ca/
SH256 hash:
1a0a2fd546e3c05e15b2db3b531cb8e8755641f5f1c17910ce2fb7bbce2a05b7
MD5 hash:
c9c341eaf04c89933ed28cbc2739d325
SHA1 hash:
c5b7d47aef3bd33a24293138fcba3a5ff286c2a8
Link:
https://www.unpac.me/results/bb36ca5b-405b-462e-b73e-90ec77ba10ca/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1a0a2fd546e3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1a0a2fd546e3c05e15b2db3b531cb8e8755641f5f1c17910ce2fb7bbce2a05b7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/d54d0083-6293-48fe-8497-ebd738a4167f/#
  
Delivery method
Multiple
Cape
Cape
https://www.capesandbox.com/analysis/178942/

Comments