MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b73775e3999fa2a73354e2f9073ae52c61f2aa4ed348b0889f3c85653cf1145. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 3b73775e3999fa2a73354e2f9073ae52c61f2aa4ed348b0889f3c85653cf1145
SHA3-384 hash: f9289e9e77b43d5ed2ed1e6afb257d229907abb3e89081b50ee93d68f003f3c702f941c7fd19f8e16e8a4491091e115f
SHA1 hash: 2f887e570c13f5dc204230a05774adba6ad3004c
MD5 hash: 5e2ed2f916fc4291ffd2f58334a966bc
humanhash: bakerloo-east-august-connecticut
File name: satan_1.0.0.16.vir
Signature: n/a
File size: 189'339 bytes
First seen: 2020-07-19 19:34:08 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 65e9607e6f28a7852bb41a6e2e439a92
ssdeep: 3072:HzIBtQnE7OhssdWJ5jy392aCmCbBqeJ/nwiDuFjU0EVloOUpWKQztRl39ESk23Ki:Wqvhssdu5jyYaCmCQeJ/wiejU0MoOTKy
TLSH: BD04E17D79005CBAE66F1277D9D6BCBC03770D21EA4658C6A1F82F8624B3361FE52502
Reporter: @tildedennis
Tags: satan


Twitter
@tildedennis: satan version 1.0.0.16

Intelligence


File Origin
# of uploads: 1
# of downloads: 19
Origin country: FR
Mail intelligence: No data
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Sending a TCP request to an infection source
Result
Threat name: Unknown
Detection: malicious
Classification: rans.troj.evad
Score: 100 / 100
Behaviour
Behavior Graph (ID: 247381; Sample: satan_1.0.0.16.vir; Startdate: 20/07/2020; Architecture: WINDOWS; Score: 100)
Top-level signatures:
  - Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  - Multi AV Scanner detection for domain / URL
  - Antivirus / Scanner detection for submitted sample
  - 7 other signatures
Process tree (graph node ids in parentheses):
  satan_1.0.0.16.exe (11), started
    DNS/IP: 1.0.0.16 CLOUDFLARENETUS Australia
    - Detected unpacking (overwrites its own PE header)
    - Contains functionality to encrypt and move a file in one function
    - Drops batch files with force delete cmd (self deletion)
    - 2 other signatures
    satan_1.0.0.16.exe (15), started
      Dropped: C:\Users\user\AppData\Roaming\...\epetw.exe (PE32+)
      Dropped: C:\Users\user\AppData\...\tmp_78242bd3.bat (DOS)
      epetw.exe (18), started
        - Antivirus detection for dropped file
        - Detected unpacking (overwrites its own PE header)
        - Tries to detect sandboxes and other dynamic analysis tools (window names)
        - 4 other signatures
        epetw.exe (23), started
          - Injects code into the Windows Explorer (explorer.exe)
          - Writes to foreign memory regions
          - Allocates memory in foreign processes
          - 3 other signatures
          explorer.exe (28), injected
            DNS/IP: xhj4hypdsb3jozwn.onion.pw
            DNS/IP: pixie.porkbun.com 44.227.65.245, 49721, 49722, 49723 AMAZON-02US United States
            - May disable shadow drive data (uses vssadmin)
            - Creates autostart registry keys with suspicious names
            - Deletes shadow drive data (may be related to ransomware)
            - 4 other signatures
            epetw.exe (38), started
              - Modifies the context of a thread in another process (thread injection)
              - Hides threads from debuggers
              - Injects a PE file into a foreign processes
              epetw.exe (45), started
            vssadmin.exe (41), started
              conhost.exe (47), started
            SearchUI.exe (43), injected
          svchost.exe (32), injected
            DNS/IP: 2.17.179.193, 443, 49698 AKAMAI-ASUS European Union
            DNS/IP: 84.53.167.113, 49699, 80 AKAMAI-ASUS European Union
            - Contains functionality to encrypt and move a file in one function
          sihost.exe (34), injected
          10 other processes (36), injected
      cmd.exe (21), started
        conhost.exe (26), started
Threat name: Win32.Trojan.Nasan
Status: Malicious
First seen: 2017-02-27 08:10:25 UTC
AV detection: 31 of 31 (100.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: ransomware persistence
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Interacts with shadow copies
Suspicious use of UnmapMainImage
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Modifies service
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Adds Run key to start application
Deletes itself
Loads dropped DLL
Executes dropped EXE
Deletes shadow copies
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments