MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7eb4a2c6d47c2ccacb61cb12856dd370b4497b4e578b38eeb7922dadca8243d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: c7eb4a2c6d47c2ccacb61cb12856dd370b4497b4e578b38eeb7922dadca8243d
SHA3-384 hash: 98d471427e954aeee62e9fdf3522d297f59570b3e36924790ef24b4171e84fff4a76077052fa4a26927f084ef2a6e721
SHA1 hash: 29e38e09d8467a467d757041b55026c3459a5784
MD5 hash: 561d3809ad4daaec662f96d4c3d8fa24
humanhash: jupiter-cat-social-april
File name: satan_1.0.0.13.vir
Signature: n/a
File size: 94'951 bytes
First seen: 2020-07-19 19:30:46 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2d9cf6fbc084fa7bfd9038b211abfedb
ssdeep: 1536:RXQG62iVvemNYKRuzcb3Lkaw2dTwvrWUsaB4YKFT5odElg:xrhiVVYKRucNndTwvyU/IIKlg
TLSH: 1893BF0ABE4E4D75FFAD18315C34F235467E5C36B0247B83EBE90E6538A3760A5A8742
Reporter: @tildedennis
Tags: satan


Twitter (@tildedennis): satan version 1.0.0.13

Intelligence


File Origin
# of uploads: 1
# of downloads: 17
Origin country: FR
Mail intelligence: No data
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name: Unknown
Detection: malicious
Classification: rans.troj.evad
Score: 100 / 100
Behaviour
Behavior Graph:
Behavior Graph ID: 247344
Sample: satan_1.0.0.13.vir
Start date: 20/07/2020
Architecture: WINDOWS
Score: 100
Signatures on the submitted sample:
  Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  Multi AV Scanner detection for domain / URL
  Multi AV Scanner detection for submitted file
  6 other signatures
Process tree (with per-process network contacts, dropped files and signatures):
  satan_1.0.0.13.exe (started)
    Network: 1.0.0.13 (CLOUDFLARENETUS, Australia)
    Dropped: C:\Users\user\AppData\Roaming\...\toiwa.exe (PE32+)
    Dropped: C:\Users\user\AppData\...\tmp_6cda8f43.bat (DOS)
    Signatures: Contains functionality to encrypt and move a file in one function; Drops batch files with force delete cmd (self deletion)
    toiwa.exe (started)
      Signatures: Antivirus detection for dropped file; Contains functionality to encrypt and move a file in one function; Machine Learning detection for dropped file; 6 other signatures
      explorer.exe (injected)
        Network: jf257u3x3titgwb3.onion.pw
        Network: pixie.porkbun.com 44.227.65.245, 49715, 49716, 49718 (AMAZON-02US, United States)
        Signatures: May disable shadow drive data (uses vssadmin); Creates autostart registry keys with suspicious names; Deletes shadow drive data (may be related to ransomware); 4 other signatures
        vssadmin.exe (started)
          conhost.exe (started)
        toiwa.exe (started)
        toiwa.exe (started)
        SearchUI.exe (injected)
      svchost.exe (injected)
        Network: 92.123.7.210, 49698, 80 (AKAMAI-ASUS, European Union)
        Signatures: Contains functionality to encrypt and move a file in one function
      ctfmon.exe (injected)
      10 other processes (injected)
    cmd.exe (started)
      conhost.exe (started)
Threat name: Win32.Trojan.Filecoder
Status: Malicious
First seen: 2017-02-24 07:09:00 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: ransomware persistence
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Interacts with shadow copies
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Modifies service
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Deletes itself
Executes dropped EXE
Deletes shadow copies
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments