MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84dd7afbfc63272eea2c55b6d079ef1897971516e3a7359aa932fec10ea6d4b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 84dd7afbfc63272eea2c55b6d079ef1897971516e3a7359aa932fec10ea6d4b6
SHA3-384 hash: 4607f8192fc373937f1242b927eed9769ff2744060a831f5c710f911691d69c826ebcee28adb15f32ca9a87f7442ef40
SHA1 hash: 7182c6b1f970d882ef7e1c6c4608c43b80b6b381
MD5 hash: b15b72290de91e819900fa1a5b44d149
humanhash: foxtrot-lithium-uranus-jupiter
File name: satan_1.0.0.6.vir
Signature: n/a
File size: 191'395 bytes
First seen: 2020-07-19 19:25:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 23fcb8978dc2fc22e5e045e1f801f35c
ssdeep: 3072:2EZPyscSN4qkl5pH6RCfIOfwgtnAVhfGN6xJpQGvR0DUOS3xzdwqoko:2EZP/N4hlyQfIOocnACNSJRJ0eMqXo
TLSH: 7A14F2B8F5045DF6FA3E2673DE5578B912BA0C12D58128C692E52FC224B36B2EF07D05
Reporter: @tildedennis
Tags: satan


Twitter
@tildedennis
satan version 1.0.0.6

Intelligence


File Origin
# of uploads: 1
# of downloads: 17
Origin country: FR
Mail intelligence: No data
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name: Unknown
Detection: malicious
Classification: rans.troj.evad
Score: 100 / 100
Behaviour
Behavior Graph:
  Behavior Graph ID: 247275
  Sample: satan_1.0.0.6.vir
  Startdate: 20/07/2020
  Architecture: WINDOWS
  Score: 100
  Top-level signatures:
    Antivirus / Scanner detection for submitted sample
    Multi AV Scanner detection for submitted file
    May disable shadow drive data (uses vssadmin)
    5 other signatures
  Process tree:
    satan_1.0.0.6.exe (started)
      Network: 1.0.0.6 CLOUDFLARENETUS Australia
      Signatures:
        Detected unpacking (overwrites its own PE header)
        Contains functionality to encrypt and move a file in one function
        Drops batch files with force delete cmd (self deletion)
        3 other signatures
      satan_1.0.0.6.exe (started)
        Dropped files:
          C:\Users\user\AppData\Roaming\Faxe\iqwa.exe, PE32+
          C:\Users\user\AppData\...\tmp_d11ceb8c.bat, DOS
        iqwa.exe (started)
          Signatures:
            Antivirus detection for dropped file
            Detected unpacking (overwrites its own PE header)
            Tries to detect sandboxes and other dynamic analysis tools (window names)
            7 other signatures
          iqwa.exe (started)
            Signatures:
              Injects code into the Windows Explorer (explorer.exe)
              Writes to foreign memory regions
              Allocates memory in foreign processes
              3 other signatures
            explorer.exe (injected)
              Network: k5bmikievzfaw4jj.onion.lu 185.53.178.53, 443, 49719, 49720 TEAMINTERNET-ASDE Germany
              Signatures:
                May disable shadow drive data (uses vssadmin)
                Creates autostart registry keys with suspicious names
                Deletes shadow drive data (may be related to ransomware)
                4 other signatures
              iqwa.exe (started)
                Signatures:
                  Modifies the context of a thread in another process (thread injection)
                  Hides threads from debuggers
                  Injects a PE file into a foreign processes
                iqwa.exe (started)
              vssadmin.exe (started)
                conhost.exe (started)
              SearchUI.exe (injected)
            svchost.exe (injected)
              Network: 92.123.29.59, 443, 49698 AKAMAI-ASUS European Union
              Network: 92.123.7.210, 49699, 80 AKAMAI-ASUS European Union
              Signatures:
                Contains functionality to encrypt and move a file in one function
            sihost.exe (injected)
            10 other processes
        cmd.exe (started)
          conhost.exe (started)
Threat name: Win32.Trojan.Injector
Status: Malicious
First seen: 2017-01-25 19:47:00 UTC
AV detection: 31 of 31 (100.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: evasion ransomware persistence trojan
Behaviour
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of NtSetInformationThreadHideFromDebugger
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Looks for VMWare Tools registry key
Executes dropped EXE
Deletes shadow copies
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.
